Hi Devs,
I have to admit I do not know much about the IPS, but I think it is a very good and powerful thing.
First of all I want to mention this post, which is a bit old but I think it is still valid.
However, I am a home user and, regardless of being interested, I am not a firewall expert.
So I did what should not be done: I activated a few rules and think this is enough.
First Part: Setup
I simply cannot check every rule there is to see if it is useful or not. For example:
- Read the rule: ET ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability
- Interpret: It is from the ActiveX panel, so it is something with ActiveX for sure. Ok, it has something to do with Symantec and Calendar. I think I do not have Symantec on my systems, but I am not sure.
- Result: Do not activate it.
Is this the proper way of evaluating every rule?
The first example was an easy one, but what about this one:
ET ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow
I simply have no idea if it is a threat for me. FTP, ok, but EvansFTP?
I could google it, but I honestly do not want to invest that amount of time.
Nevertheless I would have to do that for every rule I am uncertain about.
So I am still activating a few rules and thinking it might be correct.
Second Part: Maintenance
An example:
- Something does not work: That is ok. This is not a company, so nobody will yell at me for not being able to do stuff. And all other persons, yeah, I do not mind. When I have time I have a look around.
- Investigating: And there, the IPS has blocked it. Yeah, it really works! It is the rule: ET GAMES Blizzard Web Downloader Install Detected. So I look into games and find it there. It would be easier to show all rules and just search for it via browser search, but it's ok. I can live with it.
- Deactivating: I deactivate the rule and it works. Unfortunately I cannot save the config, so I have to manually write down which rule I deactivated so I can activate it again later if I am not using it anymore.
Conclusion
I wonder how experts do that. Do they know all the rules by heart? Is there anywhere a list which I can take as a reference? I think most people would not activate Steam or Blizzard rules, but these rules are at least understandable. I want to make the firewall better by taking full use of the IPS because it is there and the Devs have invested a lot of time so that it works. It would be a pity not to use it, but after all, how can I use it and not activate all rules, although I do not understand them completely? I am willing to take the risk and adapt them for a long time (like forever). Having a good start without a huge amount of false positives would still be nice.
Thank you for reading the long post.
PS: Since I moved to IPFire (almost 7 years ago) I still think it was/is the best decision.
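Two of the pain points in the post (searching all rules for a keyword, and keeping a record of which rules were switched off and why) can be handled outside the web interface. The script below is an added example and is not code from the original poster, from IPFire or from Emerging Threats: it parses rule lines in the Suricata/Snort syntax that ET rulesets use, groups them by the category prefix of their `msg` (e.g. `ET GAMES`), searches them by keyword, and produces a one-sid-per-line note of disabled rules. The sample rules, their sids (1000001 and up) and the fourth rule's message text are constructed for the example; they are not real ET rules. To use it on a real ruleset, read the `.rules` file contents into `parse_rules` instead of `SAMPLE_RULES`.

```python
import re
from dataclasses import dataclass

# Constructed sample ruleset (not real ET rules; sids are placeholders).
# A leading '#' is how rulesets ship a rule in a disabled state.
SAMPLE_RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability"; flow:established,to_client; content:"PVCalendar.ocx"; nocase; classtype:attempted-user; sid:1000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow"; flow:established,to_client; content:"EvansFTP.ocx"; nocase; classtype:attempted-user; sid:1000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Blizzard Web Downloader Install Detected"; flow:established,to_server; content:"Blizzard Downloader"; http_user_agent; classtype:policy-violation; sid:1000003; rev:1;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Steam Client Login Detected"; flow:established,to_server; content:"Valve/Steam"; http_user_agent; classtype:policy-violation; sid:1000004; rev:1;)
"""

# Header: optional '#', action, then everything up to the '(' that opens the options.
RULE_RE = re.compile(r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+[^(]*\((?P<options>.*)\)\s*$')
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')   # allows escaped quotes inside msg
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
CLASSTYPE_RE = re.compile(r'classtype:\s*([^;]+);')


@dataclass
class Rule:
    sid: int
    msg: str
    category: str     # e.g. "ET GAMES"
    classtype: str    # e.g. "policy-violation"
    enabled: bool     # False when the line is commented out
    action: str       # alert / drop / ...


def category_of(msg: str) -> str:
    # ET messages start with the ruleset tag and category: "ET GAMES ...", "ET ACTIVEX ..."
    parts = msg.split()
    return " ".join(parts[:2]) if len(parts) >= 2 else msg


def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line, plain comment, or something we do not understand
        opts = m.group("options")
        msg, sid = MSG_RE.search(opts), SID_RE.search(opts)
        if not (msg and sid):
            continue  # every real rule carries both; skip anything else
        ct = CLASSTYPE_RE.search(opts)
        rules.append(Rule(
            sid=int(sid.group(1)),
            msg=msg.group(1),
            category=category_of(msg.group(1)),
            classtype=ct.group(1).strip() if ct else "",
            enabled=m.group("disabled") is None,
            action=m.group("action"),
        ))
    return rules


def search_rules(rules: list, keyword: str) -> list:
    # Case-insensitive search over the rule message, replacing the browser-search workaround.
    kw = keyword.lower()
    return [r for r in rules if kw in r.msg.lower()]


def summarize_by_category(rules: list) -> dict:
    # Rule count per category: a quick overview of what a file actually contains.
    counts = {}
    for r in rules:
        counts[r.category] = counts.get(r.category, 0) + 1
    return counts


def disable_list(rules: list, sids, reason: str) -> str:
    # One sid per line with the message and the reason, so the note survives a reinstall
    # and explains later why the rule was turned off.
    by_sid = {r.sid: r for r in rules}
    return "\n".join(f"{sid}  # {by_sid[sid].msg} -- {reason}" for sid in sorted(sids))


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(summarize_by_category(rules))
    for r in search_rules(rules, "blizzard"):
        print(r.sid, r.category, r.classtype, "enabled" if r.enabled else "disabled")
    print(disable_list(rules, {1000003}, "home gaming PC, downloader is wanted"))
```

The `classtype` field is worth looking at when deciding about an unfamiliar rule: `attempted-user` marks a rule that fires on an exploit attempt against client software, while `policy-violation` marks wanted-but-noticeable traffic such as game downloaders, which is exactly the kind of rule a home user tends to switch off.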