Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
IPS rules that wont cause issues
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPS rules that wont cause issues (Read 2078 times)
N0_Klu3
Jr. Member
Posts: 93
Karma: 2
IPS rules that wont cause issues
«
on:
May 23, 2020, 10:38:39 pm »
I’m looking to enable IPS but wanted to check which rule sets will work without causing too many false positives?
Is there somewhere I can get some default rules to enable?
I really like the snort rules where you can choose Balanced or Secure or what not.
I really with ET had these options, so I’m kinda looking for something like this if possible?
Logged
nzkiwi68
Full Member
Posts: 182
Karma: 20
Re: IPS rules that wont cause issues
«
Reply #1 on:
June 25, 2020, 01:54:17 am »
Have a good read of this;
https://forum.opnsense.org/index.php?topic=6590.0
That's a useful start.
Also.. think about what your protecting...
Example:
If you don't have an SQL server exposed via a web server and a web server, then, maybe you don't need these rules;
ET telemetry/emerging-web_server
ET telemetry/emerging-sql
Logged
FullyBorked
Sr. Member
Posts: 343
Karma: 24
Re: IPS rules that wont cause issues
«
Reply #2 on:
July 19, 2020, 02:35:08 am »
In my experience to really tune your IPS/IDS and get the most benefit from the feature, you'll need to do the following.
Enable the rules you want, (I enable them all), but leave them in alert mode.
Then over the next week or so check in on things on the alert tab, and disable rules that are false positives or that are blocking things you don't think need or want to be blocked.
After a few weeks you should have your alerts list down to no alerts or very few.
Then you can enable blocking for the remaining rules.
As rules are updated you'll always have to keep track of the IPS/IDS rules and adjust them over time.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
IPS rules that wont cause issues