IDS event recover?

What does the Intrusion Detection System do when it detects a bad event?
Does it ring a bell, produce a notice on the root console, reboot the PC, crash, log the bad event in a hidden log file, or call home and hope someone is available?

No hidden logs! See menu Logs → IPS Logs or:

https://ipfire:444/cgi-bin/logs.cgi/ids.dat

Some rules are alert only (they stamp a log entry and nothing else). Other rules drop the connection and write to the log (just like the firewall does, but to a different log, as per Jon’s answer above).

You should ship the logs somewhere like elastic and process them and fire off alerts about proper nasty things :smiley:

My simple cave-man approach uses the swatch addon to monitor /var/log/suricata/fast.log. When a new entry is written to the log, I have swatch send an email containing the new log entry data.

[Edit] FWIW the two most popular hits I get are:
https://www.snort.org/rule_docs/1-28556
https://www.snort.org/rule_docs/1-28557


Thanks to C.Brown for the cave-man info re swatch.
I am not familiar with swatch. Is that a Pakfire add-on?
Can you please explain what I must do to set it up as you have, to see new entries in the fast.log?
Thanks again.

Here is some info about swatch:


It’s been a while since I set this up but I basically muddled through the Wiki and did some web searching about.
You would need to get outbound email setup via the WUI “System → Mail Service”.
Grepping through my local files, I have a terribly sophisticated swatch config file
/var/ipfire/suricata/swatch.conf – containing:

watchfor /./
mail addresses=dest-email-addr-here subject="Firewall Rule Fired"

In file /etc/sysconfig/rc.local, I have the following

/usr/bin/swatch --daemon --config-file=/var/ipfire/suricata/swatch.conf --tail-file=/var/log/suricata/fast.log --pid-file=/var/run/swatch.pid

Edit: I think I’ll change that email subject to something like “Firewall Intrusion Event Triggered”
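The swatch rule above (`watchfor /./`) mails every line of fast.log, including the alert-only noise. As an added example that is not from this thread or from IPFire, the script below parses Suricata fast.log lines, tells dropped events from alert-only ones, ranks the noisiest SIDs and builds the snort.org rule_docs URL from the gid:sid pair, so only high-priority events that were not blocked need a human. The sample log lines and the SIDs in them are constructed for the example.

```python
import re
import sys
from collections import Counter

# One Suricata fast.log line. Suricata inserts "[Drop]" after "[**]" when the
# rule dropped the packet in IPS mode; alert-only rules carry no action tag.
FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+(?:\[(?P<action>Drop|wDrop)\]\s+)?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample log lines (local-rule SID range, documentation IPs).
SAMPLE = """\
05/01/2024-10:15:02.123456  [**] [1:1000001:1] LOCAL test scan attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51234 -> 192.0.2.10:22
05/01/2024-10:15:03.000001  [**] [Drop] [1:1000002:3] LOCAL blocked exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51240 -> 192.0.2.10:445
05/01/2024-10:16:10.555555  [**] [1:1000001:1] LOCAL test scan attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40000 -> 192.0.2.10:22
05/01/2024-10:17:00.000000  [**] [1:1000003:2] LOCAL policy violation [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.0.2.20:5353 -> 224.0.0.251:5353
"""

def parse_line(line):
    """Return a dict of fields for one fast.log line, or None if it does not match."""
    m = FASTLOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["dropped"] = d["action"] == "Drop"
    d["prio"] = int(d["prio"])          # Suricata: 1 is the most severe
    d["doc_url"] = f"https://www.snort.org/rule_docs/{d['gid']}-{d['sid']}"
    return d

def summarize(lines, max_prio=1):
    """Count events, split dropped vs. alert-only, rank SIDs, and list the
    high-priority events that were only alerted on (i.e. not blocked)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_sid = Counter(e["sid"] for e in events)
    needs_attention = [e for e in events if e["prio"] <= max_prio and not e["dropped"]]
    return {"total": len(events), "dropped": sum(e["dropped"] for e in events),
            "top": by_sid.most_common(3), "nasty": needs_attention}

if __name__ == "__main__":
    # Pass /var/log/suricata/fast.log as the first argument to run on real data.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    report = summarize(src)
    print(f"{report['total']} events, {report['dropped']} dropped; top SIDs: {report['top']}")
    for e in report["nasty"]:
        print(f"{e['ts']} prio {e['prio']} {e['src']} -> {e['dst']} {e['msg']} ({e['doc_url']})")
```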