IPS doesn't seem to work

Hi,

I have problems getting IPS to work:

IPS Activated and enabled on Red, Green and OpenVPN. I use the Emergingthreats.net Community Rules and have some categories activated.

Anyhow in the IPS log it says 0 rules are active.

What am I doing wrong?

Greetings
Arne

Hi,

where do you read this message?

Are you perhaps running Core Update 162 (testing)? If so, please refer to this thread.

Thanks, and best regards,
Peter Müller

Thanks for your reply. I’m running 161 and the message shows up under Logs/IPS Logs:

Hi,

this is a misunderstanding then: “Activated rules” refers to triggered rules (sometimes also called “rule hits”) here. You can check whether your IPS is actually working by trying to trigger rules manually (such as conducting a portscan), or executing this command on a machine behind IPFire:

curl http://testmyids.com/

If you enabled the emerging-attack_response.rules category, you should see a hit afterwards. Should your IPFire be connected to the internet directly, you should see tons of IPS rules triggered within a short time (usually less than a minute).

Thanks, and best regards,
Peter Müller


Thanks for your reply Peter.

The IPFire is located behind a Telekom router. And I never had any activities at all in the log. Tried the following from a PC behind the IPFire but also nothing in the log:


Anyhow not all rules under ‘emerging-attack_response.rules’ are activated by default when I check it.

Hi,

oh, so you either have a very clean network, or the IPS did not detect anything. :slight_smile:

Ah yes, apparently, this service moved to HTTPS now, which the IPS cannot intercept. This is why the string you get in return does not trigger anything anymore. :expressionless:

To provoke an IDS hit, could you try a portscan instead?

nmap -v -A [destination]

should be sufficient if the emerging-scan.rules category is enabled.

Yes, this is intended. Not all rules are enabled by default. IPFire does not interfere here, the provider of IPS rules chooses whether they come enabled or disabled.

Thanks, and best regards,
Peter Müller

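To see how many rules a category actually ships enabled, here is an added example (not IPFire's code and not from this thread) that parses Suricata-syntax rule lines and counts enabled versus '#'-disabled rules. The rule text is a constructed sample, not the real emerging-scan.rules, and the sids are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample in Suricata/ET rule syntax (NOT the real emerging-scan.rules).
# Providers ship some rules disabled by commenting out the whole rule line with '#';
# ordinary comment lines carry no rule header and must not be counted.
SAMPLE_RULES = """\
# emerging-scan.rules -- constructed sample for illustration, placeholder sids
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Sample SYN scan"; flags:S; threshold:type both,track by_src,count 50,seconds 60; classtype:attempted-recon; sid:9000001; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Sample SSH probe"; flow:to_server; classtype:attempted-recon; sid:9000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SCAN Sample SNMP sweep"; classtype:attempted-recon; sid:9000003; rev:1;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Sample ping sweep"; classtype:misc-activity; sid:9000004; rev:1;)
"""

# A rule line: optional leading '#' (disabled), an action keyword, a protocol,
# then the option block containing msg:"..." and sid:NNN.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+\S+.*?'
    r'msg:"(?P<msg>[^"]*)".*?sid:(?P<sid>\d+)'
)


def parse_rules(text: str) -> List[Dict[str, object]]:
    """Return one record per rule line; a '#'-prefixed rule line counts as disabled."""
    rules: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line or a genuine comment, not a rule
        rules.append({
            "sid": int(m["sid"]),
            "msg": m["msg"],
            "action": m["action"],
            "enabled": m["disabled"] is None,
        })
    return rules


def summarize(rules: List[Dict[str, object]]) -> Dict[str, int]:
    """Count how many rules of a category are active versus shipped disabled."""
    enabled = sum(1 for r in rules if r["enabled"])
    return {"total": len(rules), "enabled": enabled, "disabled": len(rules) - enabled}


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print(summarize(parsed))
    for r in parsed:
        if not r["enabled"]:
            print(f"disabled by provider: sid {r['sid']} ({r['msg']})")
```

Point the parser at a real rules file to see that a category being "activated" in the web interface does not mean every rule in it is active.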

Hi @gr0mit.

If you activate the DMZ Host on the Router so that all internet requests are sent to the WAN interface of the IPFire, you will see the amount that reaches you.

Try it and let us know.

Regards.

Hi Roberto,

I thought so as well, but perhaps that isn’t possible or desired in @gr0mit’s scenario…

Anyway, let’s wait for his reply… :slight_smile:

Thanks, and best regards,
Peter Müller

Finally getting some entries in the log with nmap:

Does it make sense to activate the DMZ host on the Lancom router and to forward the traffic directly to IPFire?

Anyhow thanks for the help so far!
