Intrusion Prevention System - How to?

Hi Devs,

I have to admit I do not know much about the IPS, but I think it is a very good and powerful thing.

First of all I want to mention this post which is a bit old but I think it is still valid.

However, I am a home user and, regardless of being interested, I am not a firewall expert.
So I did what should not be done: I activated a few rules and think this is enough.

First Part: Setup

I simply cannot check every rule there is to see if it is useful or not. For example:

  1. Read the rule:
    ET ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability
  2. Interpret:
    It is from the ActiveX panel, so it is something with ActiveX for sure.
    Ok, it has something to do with Symantec and Calendar.
    I think I do not have Symantec on my systems, but I am not sure.
  3. Result:
    Do not activate it.

Is this the proper way of evaluating every rule?
The first example was an easy one but what about this one:
ET ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow
I simply have no idea if it is a threat for me. FTP, ok, but EvansFTP?
I could google it, but I honestly do not invest that amount of time.
Nevertheless I would have to do that for every rule I am uncertain about.
So, I am still activating a few rules and thinking it might be correct.

Second Part: Maintenance

An example:

  1. Something does not work:
    That is ok. This is not a company, so nobody will yell at me for not being able to do stuff.
    And all other persons, yeah, I do not mind.
    When I have time I take a look around.
  2. Investigating:
    And there it is: the IPS has blocked it. Yeah, it really works!
    It is the rule: ET GAMES Blizzard Web Downloader Install Detected
    So I look into Games and find it there. It would be easier to show all rules and just search for it via browser search, but it's ok. I can live with it.
  3. Deactivating:
    I deactivate the rule and it works. Unfortunately I cannot save the config, so I have to manually write down which ones I deactivated, so I can activate them again later if I am not using it anymore.

Conclusion

I wonder how experts do that. Do they know all the rules by heart? Is there a list anywhere which I can take as a reference? I think most people would not activate Steam or Blizzard rules, but these rules are at least understandable. I want to make the firewall better by taking full use of the IPS, because it is there and the Devs have invested a lot of time to make it work. It would be a pity not to use it, but after all, how can I use it without activating all rules, although I do not understand them completely? I am willing to take the risk and adapt them for a long time (like forever). Having a good start without a huge amount of false positives would still be nice.

Thank you for reading the long post.

PS: Since I moved to IPfire (almost 7 years ago) I am still thinking it was/is the best decision.


Well, I use the IPS and it works fine for me.
What I did, following the recommendations from ms, is to make my decision on a category basis at first. E.g. no FTP rules if they are blocked by the firewall.

That helped me to have an IPS system running with a moderate hit rate, and it seems to be pretty safe. But I run only standard applications (no games).
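The two posts above describe the same workflow by hand: sort rules by their ET category, search the rule names for a keyword when something breaks, and keep a written note of which SIDs you switched off. The script below is an added example (not from the thread, not IPFire's or Emerging Threats' code) that does those three steps over a rule file in Suricata/Snort format, which is the format the ET rulesets ship in. The rule lines embedded in it are constructed samples in the ET message style; the sids (9000001 and up) are placeholders, not the real ET sids, and the one-sid-per-line output format is the form suricata-update's disable.conf accepts, which is an assumption on my part as far as IPFire's own UI is concerned.

```python
"""Triage ET (Suricata-format) IPS rules by category and keyword.

Added example; not code from the forum thread, IPFire, or Emerging Threats.
SAMPLE_RULES are constructed: the msg texts follow the ET naming scheme,
content matches are omitted, and the sids are placeholders, not real ET sids.
"""
import re
from collections import Counter

# Constructed sample rule file. A leading '#' marks a rule that ships disabled.
SAMPLE_RULES = r'''
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability"; flow:established,to_client; classtype:attempted-user; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow"; flow:established,to_client; classtype:attempted-user; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Blizzard Web Downloader Install Detected"; flow:established,to_server; classtype:policy-violation; sid:9000003; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET FTP Outbound FTP Login Attempt (constructed sample)"; flow:established,to_server; classtype:policy-violation; sid:9000004; rev:1;)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Constructed Sample DNS Lookup"; classtype:trojan-activity; sid:9000005; rev:1;)
'''

# Header: optional '#', action, protocol, then everything up to the '(' that opens the options.
RULE_RE = re.compile(r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s.*?\((?P<opts>.*)\)\s*$')
MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r'\bsid:(\d+)')
CLASS_RE = re.compile(r'classtype:([\w-]+)')
# ET message convention: "ET <CATEGORY> <description>" (also "ETPRO ...").
CAT_RE = re.compile(r'^(?:ET|ETPRO)\s+([A-Z_]+)\b')


def parse_rules(text):
    """Return one dict per rule line: sid, msg, category, classtype, enabled."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line) if line else None
        if not m:
            continue  # blank line or plain comment, not a rule
        opts = m.group("opts")
        msg, sid = MSG_RE.search(opts), SID_RE.search(opts)
        if not (msg and sid):
            continue  # every real rule carries msg and sid; skip malformed lines
        cat = CAT_RE.match(msg.group(1))
        ct = CLASS_RE.search(opts)
        rules.append({
            "sid": int(sid.group(1)),
            "msg": msg.group(1),
            "category": cat.group(1) if cat else "UNKNOWN",
            "classtype": ct.group(1) if ct else "",
            "enabled": m.group("disabled") is None,
        })
    return rules


def category_counts(rules):
    """How many *enabled* rules each ET category contributes (decide per category first)."""
    return Counter(r["category"] for r in rules if r["enabled"])


def search_rules(rules, *keywords):
    """Sids of rules whose msg contains any keyword, case-insensitively (the 'what blocked it?' step)."""
    kws = [k.lower() for k in keywords]
    return sorted(r["sid"] for r in rules if any(k in r["msg"].lower() for k in kws))


def plan_disables(rules, drop_categories=(), drop_sids=()):
    """Sids to switch off: whole categories you do not need plus individual noisy rules."""
    cats = set(drop_categories)
    sids = set(drop_sids)
    return sorted(r["sid"] for r in rules
                  if r["enabled"] and (r["category"] in cats or r["sid"] in sids))


def disable_conf(rules, sids):
    """Render the disable list with the rule name as a comment, so the note is self-explaining."""
    by_sid = {r["sid"]: r for r in rules}
    lines = ["# rules switched off by hand; keep this file under version control"]
    for sid in sids:
        lines.append(f"{sid}  # {by_sid[sid]['category']}: {by_sid[sid]['msg']}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(category_counts(rules))
    print("matches 'blizzard':", search_rules(rules, "blizzard"))
    off = plan_disables(rules, drop_categories=("ACTIVEX",), drop_sids=(9000003,))
    print(disable_conf(rules, off))
```

Running it against a real `emerging-all.rules` (replace `SAMPLE_RULES` with the file contents) gives you the per-category counts to make the coarse decision first, a keyword search for the moment something stops working, and a disable list with the rule names beside the sids so you can diff it later instead of keeping a handwritten note.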

Hi @ip-mfg ,

Thanks for the feedback.

Yes, I have the same idea… I'm beginning with IPFire.
First I read the explanation of each rule from https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf

Afterwards I try to apply them one by one where they are relevant, for example about malware first, and so on.
But in parallel I monitor the log and CPU usage.

BR

There is also some info here: wiki.ipfire.org - Rule Selection, and here: blog.ipfire.org - IPS configuration recommendations for IPFire users