How I test IPS engine blocking

Started by someone, October 15, 2024, 02:45:25 AM

How I test suricata engine rule drop
Go to Services-Intrusion Detection-Administration-User Defined
Click the plus button to make a rule
Enter 8.8.8.8 in Destination IP
Set to drop, description Dest8.8.8.8 and save
Click make rule again
Enter 8.8.8.8 in Source IP
Set to drop, description source8.8.8.8 and save
Click apply and wait 5 minutes
Open a command terminal, enter ping 8.8.8.8 and press Enter
Wait 5 seconds and press Ctrl-C to stop
Go to alerts and the log file with box set to informational
You will see it blocked 8.8.8.8 as the destination
It never left the wan
Delete Dest8.8.8.8 rule, click apply, wait 5 minutes
Ping 8.8.8.8 again for 5 seconds and press Ctrl-C to stop
Check alerts tab and the log file with informational box set
You will see it blocked source 8.8.8.8
Delete the source8.8.8.8 rule, click apply, wait 5 minutes
You are back to normal
If you downloaded the opnsense.rules file
The rules would look like this
alert ip   8.8.8.8  any ->  any  any (msg:"8.8.8.8_source";  sid:4294967294; rev:1;)
alert ip   any  any ->  8.8.8.8  any (msg:"8.8.8.8_Dest";  sid:4294967293; rev:1;)
Notice it says any any and not $HOME_NET, not $EXTERNAL_NET
The first any is for IP, second is for port
I have a policy running to set all alerts to drop
That's why it was blocked, and because IPS is enabled
If only IDS is enabled, it would just give alerts
Thanks

Or you can enter the rules in opnsense.test.rules manually
I put all my rules here because they will not be rewritten on reboot
And I save a copy to use on next installation
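As an added example (not from the post above), a small Python script that reads Suricata eve.json alert events for the test address and reports whether the engine actually dropped the traffic (action "blocked") or only alerted on it (action "allowed", which is what you get in IDS-only mode or without a drop policy). The eve.json lines are constructed; the SIDs are the ones from the post.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (not real OPNsense output).
# 4294967293/4294967294 are the user-defined drop rules from the post;
# 2100366 is the ET ICMP ping rule, shown here as alert-only; the flow
# event is noise that the parser must ignore.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-10-15T02:46:01.000000+0000","event_type":"alert","src_ip":"192.168.1.10","dest_ip":"8.8.8.8","proto":"ICMP","alert":{"action":"blocked","signature_id":4294967293,"rev":1,"signature":"8.8.8.8_Dest"}}',
    '{"timestamp":"2024-10-15T02:52:01.000000+0000","event_type":"alert","src_ip":"8.8.8.8","dest_ip":"192.168.1.10","proto":"ICMP","alert":{"action":"blocked","signature_id":4294967294,"rev":1,"signature":"8.8.8.8_source"}}',
    '{"timestamp":"2024-10-15T02:52:02.000000+0000","event_type":"alert","src_ip":"192.168.1.10","dest_ip":"8.8.8.8","proto":"ICMP","alert":{"action":"allowed","signature_id":2100366,"rev":1,"signature":"GPL ICMP_INFO PING *NIX"}}',
    '{"timestamp":"2024-10-15T02:53:02.000000+0000","event_type":"flow","src_ip":"192.168.1.10","dest_ip":"1.1.1.1","proto":"TCP"}',
]


def summarize_alerts(eve_lines, target_ip):
    """Map signature_id -> set of alert actions seen for alerts where
    target_ip is the source or the destination."""
    actions = defaultdict(set)
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if ev.get("event_type") != "alert":
            continue
        if target_ip not in (ev.get("src_ip"), ev.get("dest_ip")):
            continue
        alert = ev.get("alert", {})
        actions[alert.get("signature_id")].add(alert.get("action"))
    return dict(actions)


def verdict(actions_by_sid, sid):
    """'blocked' = IPS dropped every matching packet; 'alert-only' = the rule
    fired but nothing was dropped (IDS mode or no drop policy); 'no-match' =
    rule not loaded or the traffic never hit it; 'mixed' = some of each."""
    acts = actions_by_sid.get(sid)
    if not acts:
        return "no-match"
    if acts == {"blocked"}:
        return "blocked"
    if "blocked" not in acts:
        return "alert-only"
    return "mixed"


if __name__ == "__main__":
    summary = summarize_alerts(SAMPLE_EVE_LINES, "8.8.8.8")
    for sid in (4294967293, 4294967294, 2100366):
        print(sid, verdict(summary, sid))
```

To run it against a live box, replace SAMPLE_EVE_LINES with the lines read from the Suricata eve.json log after the ping test.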

October 15, 2024, 02:51:47 AM #1 Last Edit: October 15, 2024, 03:00:22 AM by someone
Disregard this if you have not set $HOME_NET to any
in emerging.icmp-info.rules

Note: disable rule 2100366 first
It will alert on pings
It will block if you set it to drop

Quote from: someone on October 15, 2024, 02:51:47 AM
Disregard this if you have not set $HOME_NET to any
in emerging.icmp-info.rules

Note: disable rule 2100366 first
It will alert on pings
It will block if you set it to drop
Entering strings of characters continuously is a bit tricky; can you explain it in more detail?

I was explaining how to test if your IPS engine in Suricata is working using the user-defined rules in the IPS GUI
That tests that the engine is running and working
It tests your new rule
It doesn't test the rulesets