OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: deputycag on November 30, 2017, 01:56:20 pm

Title: Test IPS functional
Post by: deputycag on November 30, 2017, 01:56:20 pm
I have been running IPS inline. Recently added the Snort VRT rules. How do you guys test to see if the IPS is blocking rules? I do not see anything in my alerts except the country blocking rules I have setup.

Title: Re: Test IPS functional
Post by: deputycag on November 30, 2017, 02:28:21 pm
I have tried http://www.wicar.org/test-malware.html and tested CVE-2014-6332. These rules are enabled under emerging-exploit.rules and I do not see the alerts at all.

Title: Re: Test IPS functional
Post by: fabian on November 30, 2017, 05:04:33 pm
The OPNsense test ruleset includes EICAR. If IPS is enabled on your LAN (not WAN), it should block the download.

Title: Re: Test IPS functional
Post by: deputycag on November 30, 2017, 05:16:55 pm
That worked. Blocked. So why are the exploit rules for CVE-2014-6332 not blocking when they are enabled?

Title: Re: Test IPS functional
Post by: fabian on November 30, 2017, 05:43:38 pm
Maybe you have not downloaded them or the rule does not match. Can't tell you from here.

Title: Re: Test IPS functional
Post by: deputycag on November 30, 2017, 05:51:56 pm
It downloads because my local virus scanner finds it on desktop. So it's passing the firewall.

Post by: franco on December 02, 2017, 03:40:14 pm
You need to tell us more about your setup, specifically your WAN and LAN subnets and how you configured HOME_NET in the intrusion detection (if any).


Cheers,
Franco
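Added example, not part of the thread: fabian's "the rule does not match" and franco's HOME_NET question point at the same failure mode, so this script checks whether a Suricata/Snort-style rule header of the shape used by emerging-exploit.rules would even apply to a given flow under a given HOME_NET. The rule header, variable values and flows are constructed (the real CVE-2014-6332 rule text is not reproduced here); it assumes that with IPS on WAN the destination seen is the post-NAT WAN address.

```python
import ipaddress

# Constructed rule header (assumption): inbound HTTP response into the home network,
# the usual shape of client-side exploit rules such as those in emerging-exploit.rules.
RULE_HEADER = "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any"

# Constructed variable sets: a correct HOME_NET and a stale one that does not cover the LAN.
VARS_OK = {"HOME_NET": "[192.168.1.0/24]", "EXTERNAL_NET": "!$HOME_NET", "HTTP_PORTS": "[80,8080]"}
VARS_STALE = {"HOME_NET": "[10.0.0.0/8]", "EXTERNAL_NET": "!$HOME_NET", "HTTP_PORTS": "[80,8080]"}

# Constructed flows: the same web reply as seen on LAN (client address) and on WAN (after NAT).
LAN_FLOW = {"src": "203.0.113.10", "sport": 80, "dst": "192.168.1.20", "dport": 51234}
WAN_FLOW = {"src": "203.0.113.10", "sport": 80, "dst": "198.51.100.5", "dport": 51234}


def _expand(spec, variables):
    """Resolve a rule address/port spec ($VAR, !x, [a,b], any) into (negated, [items])."""
    negated, spec = False, spec.strip()
    if spec.startswith("!"):
        negated, spec = True, spec[1:]
    if spec.startswith("$"):  # variable reference, possibly itself negated (e.g. !$HOME_NET)
        inner_negated, items = _expand(variables[spec[1:]], variables)
        return negated != inner_negated, items
    return negated, [item.strip() for item in spec.strip("[]").split(",")]


def _addr_match(ip, spec, variables):
    negated, nets = _expand(spec, variables)
    hit = any(n == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False)
              for n in nets)
    return hit != negated


def _port_match(port, spec, variables):
    negated, ports = _expand(spec, variables)
    hit = any(p == "any" or int(p) == port for p in ports)
    return hit != negated


def header_matches(rule_header, flow, variables):
    """True if the flow's addresses and ports satisfy the rule header; the payload
    content checks only run on flows that pass this stage."""
    _action, _proto, src, sport, _arrow, dst, dport = rule_header.split()
    return (_addr_match(flow["src"], src, variables) and _port_match(flow["sport"], sport, variables)
            and _addr_match(flow["dst"], dst, variables) and _port_match(flow["dport"], dport, variables))


if __name__ == "__main__":
    print("LAN, HOME_NET correct:", header_matches(RULE_HEADER, LAN_FLOW, VARS_OK))
    print("LAN, HOME_NET stale:  ", header_matches(RULE_HEADER, LAN_FLOW, VARS_STALE))
    print("WAN after NAT:        ", header_matches(RULE_HEADER, WAN_FLOW, VARS_OK))
```

A flow that fails this header stage never reaches the content match, so no alert appears no matter how correct the signature is; that is why the EICAR test on LAN can fire while a client-side exploit rule stays silent under a wrong HOME_NET or on the wrong interface.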