I have to admit I do not know much about the IPS, but I think it is a very good and powerful thing.
First of all, I want to mention this post, which is a bit old, but I think it is still valid.
However, I am a home user and, regardless of being interested, I am not a firewall expert.
So I did what should not be done: I activated a few rules and think this is enough.
First Part: Setup
I simply cannot check every rule there is to see if it is useful or not. For example:
- Read the rule:
ET ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability
It is from the ActiveX panel, so it is something with ActiveX for sure.
Ok, it has something to do with Symantec and Calendar.
I think I do not have Symantec on my systems, but I am not sure.
Do not activate it.
Is this the proper way of evaluating every rule?
The first example was an easy one, but what about this one:
ET ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow
I simply have no idea if it is a threat for me. FTP, ok, but EvansFTP?
I could google it, but I honestly do not invest that amount of time.
Nevertheless, I would have to do that for every rule I am uncertain about.
So, still activating a few rules and thinking it might be correct.
Second Part: Maintenance
- Something does not work:
That is ok. This is not a company, so nobody will yell at me for not being able to do stuff.
And all other persons, yeah, I do not mind.
When I have time, I take a look around.
And there: the IPS has blocked it. Yeah, it really works!
It is the rule: ET GAMES Blizzard Web Downloader Install Detected
So I look into Games and find it there. It would be easier to show all rules and just search for it via browser search, but it's ok. I can live with it.
I deactivate the rule and it works. Unfortunately, I cannot save the config, so I have to manually write down which rules I deactivated so I can activate them again later if I am not using it anymore.
I wonder how experts do that. Do they know all the rules by heart? Is there anywhere a list which I can take as a reference? I think most people would not activate Steam or Blizzard rules, but these rules are at least understandable. I want to make the firewall better by taking full use of the IPS, because it is there and the devs have invested a lot of time so that it works. It would be a pity not to use it, but after all, how can I use it without activating all rules, although I do not understand them completely? I am willing to take the risk and adapt them for a long time (like forever). Having a good start without a huge amount of false positives would still be nice.
Thank you for reading the long post.
PS: Since I moved to IPFire (almost 7 years ago), I still think it was/is the best decision.
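As an added example (not from the original post and not IPFire's own code), a small Python helper for the maintenance steps described in the post: parse Suricata rule lines, search the msg text the way a browser search would, keep the written-down list of deactivated sids, and comment those sids out again after a rule update. The rule lines, the sids (local-rule range) and the function names are constructed for the example; only the msg strings come from the post.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample rule set (not real ET rules): the msg strings are the ones
# quoted in the post, the sids are placeholders from the local-rule range.
SAMPLE_RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability"; flow:to_client,established; sid:1000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow"; flow:to_client,established; sid:1000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Blizzard Web Downloader Install Detected"; flow:to_server,established; sid:1000003; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Steam Client Update Detected"; flow:to_server,established; sid:1000004; rev:1;)
"""

# One rule per line; a leading "#" marks a disabled rule. Only action, msg and sid are needed.
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?:alert|drop|pass|reject)\s.*?msg:"(?P<msg>[^"]*)".*?\bsid:(?P<sid>\d+);'
)

def parse_rules(text: str) -> List[Dict]:
    """Return sid, msg, ET category and enabled state for every rule line in the text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        words = m.group("msg").split()
        # ET rules carry their category as the second word of msg ("ET GAMES ...")
        category = words[1] if len(words) > 1 and words[0] == "ET" else "OTHER"
        rules.append({"sid": int(m.group("sid")), "msg": m.group("msg"),
                      "category": category, "enabled": m.group("off") is None})
    return rules

def search(rules: List[Dict], term: str) -> List[Dict]:
    """Case-insensitive substring search over msg (the browser search the post wishes for)."""
    term = term.lower()
    return [r for r in rules if term in r["msg"].lower()]

def apply_disabled(text: str, disabled_sids: Iterable[int]) -> str:
    """Comment out every listed sid; rules that are already disabled are left untouched."""
    wanted, out = set(disabled_sids), []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and int(m.group("sid")) in wanted and m.group("off") is None:
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n"

def disable_record(rules: List[Dict], disabled_sids: Iterable[int]) -> str:
    """The written-down list of switched-off rules: one 'sid  # msg' line each, sorted by sid."""
    by_sid = {r["sid"]: r["msg"] for r in rules}
    return "\n".join(f"{sid}  # {by_sid.get(sid, 'unknown rule')}" for sid in sorted(set(disabled_sids)))
```

Keeping the output of disable_record in a file and re-running apply_disabled on a freshly downloaded rules file gives the "saved config" the post misses.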