Test IPS functional

deputycag · November 30, 2017, 01:56:20 PM

I have been running IPS inline. Recently added the snort VRT rules. How do you guys test to see if the IPS is blocking rules? I do not see anything in my alerts except the country blocking rules I have setup.

deputycag · November 30, 2017, 02:28:21 PM

I have tried http://www.wicar.org/test-malware.html and tested CVE-2014-6332. These rules are enabled under emerging-exploit.rules and I do not see the alerts at all.

fabian · November 30, 2017, 05:04:33 PM

the opnsense test ruleset includes EICAR. If IPS is enabled on your LAN (not WAN), it should block the download.

deputycag · November 30, 2017, 05:16:55 PM

That worked. Blocked. So why is the exploit rules for CVE-2014-6332 not blocking when they are enabled?

fabian · November 30, 2017, 05:43:38 PM

Maybe you have not downloaded them or the rule does not match. Can't tell you from here.

deputycag · November 30, 2017, 05:51:56 PM

It downloads because my local virus scanner finds it on desktop. So it's passing firewall.

franco · December 02, 2017, 03:40:14 PM

You need to tell us more about your setup, specifically your WAN and LAN subnets and how you configured HOME_NET in the intrusion detection (if any).

Cheers,
Franco

Test IPS functional

deputycag

November 30, 2017, 01:56:20 PM

deputycag

November 30, 2017, 02:28:21 PM #1

fabian

November 30, 2017, 05:04:33 PM #2

deputycag

November 30, 2017, 05:16:55 PM #3

fabian

November 30, 2017, 05:43:38 PM #4

deputycag

November 30, 2017, 05:51:56 PM #5

franco

December 02, 2017, 03:40:14 PM #6