Messages - deputycag

#1
21.7.7 is running stable for me too. Suricata enabled once again on LAN and DMZ, no VLANs being used.
#2
I have experienced a similar issue as some here. The LAN interface is not reachable. It has happened with Suricata turned on and enabled on the DMZ and LAN interfaces. I was able to reach the DMZ side, not the LAN. Turning off Suricata has kept my firewall working.
#3
Problem solved. Found the device using tcpdump. Corrected the problem and the DNS requests stopped. Thank you.
#4
I am noticing that my firewall keeps sending DNS requests to 1.1.1.1:53. The domain it keeps sending is config.amcrestcloud.com. This is probably from my cameras originally. But to test things out I disabled all Amcrest cameras and the DNS requests keep going, every few seconds, and do not stop.

__timestamp__   May 2 01:38:11
action    [pass]
anchorname   
datalen   49
dir    [out]
dst    1.1.1.1 [one.one.one.one]
dstport   53
ecn   
id   51000
interface   bge1
ipflags   DF
label   let out anything from firewall host itself (force gw)
length   69
offset   0
proto   17
protoname   udp
reason   match
rid   b982490a613ebfd2d24f6162e719143b
ridentifier   0
rulenr   83
src    MY FIREWALL
srcport   45417
subrulenr   
tos   0x0
ttl   63
version   4

Any suggestions? Rebooted a few times. I attached an ntopng screenshot. I can also see the DNS requests on there.

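A small added example (my code, not from this thread or from OPNsense) of turning the kind of filter-log dump quoted above into a repetition check: it parses the key/value blocks, keeps only outbound UDP/53 from the firewall host, and flags destinations that are hit every few seconds. The sample entries are constructed to mimic the quoted one; only the 1.1.1.1 destination, the `MY FIREWALL` source and the `force gw` label are from the post, the timestamps, ports and the two unrelated entries are made up.

```python
import re
from collections import defaultdict
from datetime import datetime


def _entry(ts, dst, dstport, proto, sport):
    # Constructed entry in the same "key   value" layout as the quoted log dump.
    return (f"__timestamp__   {ts}\naction    [pass]\ndir    [out]\ndst    {dst}\n"
            f"dstport   {dstport}\nlabel   let out anything from firewall host itself (force gw)\n"
            f"protoname   {proto}\nsrc    MY FIREWALL\nsrcport   {sport}\n")


# Constructed sample: four queries to 1.1.1.1 a few seconds apart, one to 8.8.8.8,
# one unrelated TCP/443 connection. Entries are separated by a blank line.
SAMPLE_LOG = "\n".join(_entry(*e) for e in [
    ("May 2 01:38:11", "1.1.1.1 [one.one.one.one]", 53, "udp", 45417),
    ("May 2 01:38:12", "8.8.8.8 [dns.google]", 53, "udp", 50211),
    ("May 2 01:38:14", "1.1.1.1 [one.one.one.one]", 53, "udp", 45901),
    ("May 2 01:38:16", "203.0.113.10", 443, "tcp", 39870),
    ("May 2 01:38:18", "1.1.1.1 [one.one.one.one]", 53, "udp", 46177),
    ("May 2 01:38:21", "1.1.1.1 [one.one.one.one]", 53, "udp", 46502),
])

FIELD_RE = re.compile(r"^(\S+)\s*(.*)$")


def parse_entries(text):
    """Turn blank-line separated key/value blocks into a list of dicts.
    Keys with no value (like 'anchorname' in the dump) map to ''."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if fields:
            entries.append(fields)
    return entries


def _ip(value):
    # "1.1.1.1 [one.one.one.one]" -> "1.1.1.1"; the reverse-lookup name is dropped.
    return value.split()[0] if value else ""


def _ts(value):
    # The log carries no year; strptime defaults to 1900, which is fine for gap arithmetic.
    return datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S")


def find_repeated_dns(entries, min_hits=3, max_gap_s=10.0):
    """Return {(src, dst_ip): stats} for outbound UDP/53 flows seen at least
    min_hits times with no more than max_gap_s seconds between consecutive hits."""
    flows = defaultdict(list)
    for e in entries:
        if e.get("dir") != "[out]" or e.get("protoname") != "udp" or e.get("dstport") != "53":
            continue
        flows[(e.get("src", ""), _ip(e.get("dst", "")))].append(_ts(e["__timestamp__"]))
    flagged = {}
    for key, times in flows.items():
        if len(times) < max(min_hits, 2):
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) <= max_gap_s:
            flagged[key] = {"hits": len(times), "max_gap_s": max(gaps),
                            "first": times[0].strftime("%H:%M:%S"),
                            "last": times[-1].strftime("%H:%M:%S")}
    return flagged


if __name__ == "__main__":
    for (src, dst), stats in find_repeated_dns(parse_entries(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:53 repeated {stats['hits']}x, max gap {stats['max_gap_s']:.0f}s "
              f"({stats['first']} to {stats['last']})")
```

The `let out anything from firewall host itself` label means the firewall is the sender of these packets, which is what you see when its own resolver forwards client queries upstream: the filter log shows the upstream leg and not which LAN host asked for config.amcrestcloud.com. That is why a capture on the inside interface (as the follow-up post did with tcpdump) is the step that identifies the device.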
#5
Wanted some feedback on my cloud setup. Hosting my own Nextcloud server on a DMZ and want to be sure I am 99% protected against intrusions.

Nextcloud is on the DMZ, port forward only 443. Couldn't get NGINX or HAProxy working, so I am using the Cloudflare WAF. My firewall has IDS with telemetry rules enabled to block. Port forward and firewall only allow Cloudflare IPs to access my Nextcloud over SSL. Turned on most security protection available on Cloudflare. GeoIP only allows the USA.

Am I good or should I tweak something with my setup?
#6
I have been using Papertrail. Seems easy and I can get away with the free version. It also allows me to get email alerts when the IPS blocks something.
#7
It downloads because my local virus scanner finds it on the desktop. So it's passing the firewall.
#8
That worked. Blocked. So why are the exploit rules for CVE-2014-6332 not blocking when they are enabled?
#9
I have tried http://www.wicar.org/test-malware.html and tested CVE-2014-6332. These rules are enabled under emerging-exploit.rules and I do not see the alerts at all.
#10
I have been running IPS inline. Recently added the Snort VRT rules. How do you guys test to see if the IPS is blocking on its rules? I do not see anything in my alerts except the country blocking rules I have set up.

#11
Great. Thank you for replying.
#12
I have OpenVPN set up for my laptop and mobile phone. How can I have all the clients' traffic routed through the VPN, not just the resources it needs?
#13
16.7 Legacy Series / Re: IPS Question
November 02, 2016, 05:19:02 PM
Ok, thank you.

Would you happen to know if it's possible to skip IPS scanning on certain ports or IP addresses? A bypass feature?
#14
16.7 Legacy Series / IPS Question
November 01, 2016, 01:29:44 PM
Can someone point me to more info on the Pattern Match option for IPS? I am aware Hyperscan is by Intel and is supposed to be the new and fastest option. Just wanted to have more info on the three. Thanks.

What does each do exactly? And is Hyperscan supported on an old Xeon processor?

Default - 
Aho-Corasick -
Hyperscan -