Archive => 17.1 Legacy Series

Title: How to handle IPS properly
Post by: labsy on June 27, 2017, 11:46:42 pm

I am looking at IPS rules and I am a bit confused. I do not expect IPS to be a plug-n-play solution, and I know you need to watch the logs and alerts for weeks and months to select the proper rules.
But still...this seems an enormous project!

Correct me if I am wrong:
- first, you need to ENABLE IPS and download rules
- they are all in ALERT only mode
- then you need to watch ALERT logs
- ...and click on EACH SUSPICIOUS log entry, switch rule from Alert to Drop, and click APPLY
- now I've got 1 of gozillion rules in real action

- then also many rules have direction $HOME_NET any -> $EXTERNAL_NET... I do not need those, because I protect only incoming traffic. But I can only see the rule direction when I click on rule, then click on description link. That's time consuming, very time consuming.

Do I really need to go through all IPS alert entries, one by one, day by day, and click on each rule action from Alert to Drop? Isn't there any preconfigured set of rules for, say, "webhosting" or "home user" or such?
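Added example (not from this thread, OPNsense or Suricata): a small Python script that reads Suricata EVE `eve.json` alert records (constructed samples below), tags each alert inbound or outbound relative to an assumed HOME_NET, and counts hits per signature, so the alert-only phase described above can be reviewed in bulk rather than one log entry at a time. The HOME_NET prefix and the signature ids are assumptions; OPNsense derives the real HOME_NET from the interfaces you select.

```python
import json
import ipaddress
from collections import Counter

# Constructed sample Suricata EVE (eve.json) records; not taken from a real sensor.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.5","alert":{"signature_id":2100001,"signature":"TEST inbound web probe"}}',
    '{"event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.5","alert":{"signature_id":2100001,"signature":"TEST inbound web probe"}}',
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.5","alert":{"signature_id":2100001,"signature":"TEST inbound web probe"}}',
    '{"event_type":"alert","src_ip":"192.0.2.20","dest_ip":"198.51.100.9","alert":{"signature_id":2100002,"signature":"TEST outbound policy"}}',
    '{"event_type":"alert","src_ip":"203.0.113.44","dest_ip":"192.0.2.5","alert":{"signature_id":2100003,"signature":"TEST inbound scan"}}',
    '{"event_type":"flow","src_ip":"203.0.113.44","dest_ip":"192.0.2.5"}',
]

# Assumed HOME_NET (a documentation prefix); replace with your own protected ranges.
HOME_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def direction(src_ip, dest_ip, home_nets):
    """Classify an alert relative to HOME_NET, mirroring $HOME_NET/$EXTERNAL_NET rule direction."""
    src_home = any(ipaddress.ip_address(src_ip) in n for n in home_nets)
    dst_home = any(ipaddress.ip_address(dest_ip) in n for n in home_nets)
    if dst_home and not src_home:
        return "inbound"
    if src_home and not dst_home:
        return "outbound"
    return "internal" if src_home else "transit"


def summarize_alerts(lines, home_nets):
    """Count alerts per (signature_id, signature, direction); non-alert events are skipped."""
    counts = Counter()
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        a = rec["alert"]
        d = direction(rec["src_ip"], rec["dest_ip"], home_nets)
        counts[(a["signature_id"], a["signature"], d)] += 1
    return counts


def inbound_candidates(counts, min_hits=2):
    """Inbound signatures seen at least min_hits times: the ones worth reviewing for Drop."""
    rows = [(sid, sig, n) for (sid, sig, d), n in counts.items() if d == "inbound" and n >= min_hits]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for sid, sig, n in inbound_candidates(summarize_alerts(SAMPLE_EVE_LINES, HOME_NETS)):
        print(f"{sid}\t{n:>4}\t{sig}")
```

Feed it real `eve.json` lines and raise `min_hits` to taste; outbound-only signatures fall out of the candidate list automatically, which addresses the direction problem raised above without opening each rule's description.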

Title: Re: How to handle IPS properly
Post by: Wayne Train on June 28, 2017, 08:51:06 am
I would be interested in the methodology, too :-)
Any best practice out there?