OPNsense
Author Topic: Test IPS functional  (Read 1390 times)

deputycag

Test IPS functional
« on: November 30, 2017, 01:56:20 pm »
I have been running IPS inline. Recently added the Snort VRT rules. How do you guys test to see if the IPS is blocking rules? I do not see anything in my alerts except the country blocking rules I have set up.


deputycag

Re: Test IPS functional
« Reply #1 on: November 30, 2017, 02:28:21 pm »
I have tried http://www.wicar.org/test-malware.html and tested CVE-2014-6332.  These rules are enabled under emerging-exploit.rules and I do not see the alerts at all. 

fabian

Re: Test IPS functional
« Reply #2 on: November 30, 2017, 05:04:33 pm »
The OPNsense test ruleset includes EICAR. If IPS is enabled on your LAN (not WAN), it should block the download.

deputycag

Re: Test IPS functional
« Reply #3 on: November 30, 2017, 05:16:55 pm »
That worked. Blocked. So why are the exploit rules for CVE-2014-6332 not blocking when they are enabled?

fabian

Re: Test IPS functional
« Reply #4 on: November 30, 2017, 05:43:38 pm »
Maybe you have not downloaded them or the rule does not match. Can't tell you from here.

deputycag

Re: Test IPS functional
« Reply #5 on: November 30, 2017, 05:51:56 pm »
It downloads because my local virus scanner finds it on the desktop. So it's passing the firewall.

franco

Re: Test IPS functional
« Reply #6 on: December 02, 2017, 03:40:14 pm »
You need to tell us more about your setup, specifically your WAN and LAN subnets and how you configured HOME_NET in the intrusion detection (if any).


Cheers,
Franco