IPS logs too little

Hello,

since I switched on the IPS, I sometimes have problems with connections (e.g. Linux updates). Unfortunately, there are no reports in the IPS logs, but it can clearly be traced back to it (switch it off and it works).

Is it possible to revise this log and display more hits?

Greetings, Tobi

1 Like

Are you using apt-get for updates?

If yes then maybe you have selected the IPS ruleset that blocks all apt-get commands that are sent out.

Do you have the Emergingthreats.net Community Rules provider selected?

If yes then do you have the emerging-policy.rules ruleset selected?

If yes, then this ruleset has the
ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
rule selected by default and this blocks any attempts to download package updates.

Deselect that rule or deselect the whole emerging-policy.rules ruleset unless you have reviewed all the policy items that are selected by default and they match up with your policy requirements.

1 Like
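As an added example (not posted in this thread), a small Python script that scans Suricata EVE JSON log lines for blocked "ET POLICY" alerts, which is how you would confirm from the IPS log whether this rule is what stops apt. The log lines and the signature IDs are constructed for the example and are not real IPFire output or real ET rule IDs.

```python
import json
from collections import Counter

# Constructed sample of Suricata EVE JSON lines (eve.json), one JSON object per line.
# The signature_id values are placeholders, not the real Emerging Threats rule IDs.
SAMPLE_EVE = """\
{"timestamp":"2021-05-10T09:12:01.000000+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"blocked","signature_id":9990001,"signature":"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management","category":"Potential Corporate Privacy Violation"}}
{"timestamp":"2021-05-10T09:12:02.000000+0000","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"203.0.113.10"}
{"timestamp":"2021-05-10T09:13:05.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.1.1","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":9990002,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak"}}
"""


def parse_alerts(eve_text):
    """Return only the 'alert' events from EVE JSON text, skipping blank or malformed lines."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line (e.g. during log rotation) must not abort the scan
        if event.get("event_type") == "alert":
            alerts.append(event)
    return alerts


def policy_blocks(alerts, prefix="ET POLICY"):
    """Alerts whose signature belongs to the policy ruleset and that Suricata actually dropped."""
    return [
        a for a in alerts
        if a["alert"].get("signature", "").startswith(prefix)
        and a["alert"].get("action") == "blocked"
    ]


def summarize(alerts):
    """Count (signature, action) pairs so a noisy ruleset stands out at a glance."""
    return Counter((a["alert"]["signature"], a["alert"]["action"]) for a in alerts)


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_EVE)
    for a in policy_blocks(found):
        print(f"{a['timestamp']} {a['src_ip']} -> {a['dest_ip']}:{a['dest_port']} "
              f"blocked by sid {a['alert']['signature_id']}: {a['alert']['signature']}")
    for (sig, action), n in summarize(found).items():
        print(f"{n:3d} {action:8s} {sig}")
```

On IPFire, point `parse_alerts` at the contents of Suricata's eve.json; an apt download that is really being dropped by this rule shows up as a `blocked` ET POLICY entry with the client's green address as `src_ip`, and an empty result while updates fail points away from the IPS.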

Thanks for your input.

I am currently using the Talos VRT rule set for registered users, PT Attack Detection Team Rules and Abuse.ch SSLBL Blacklist Rules. I am trying to identify the culprit in the rules.

Nevertheless, it would of course be helpful if a corresponding message would appear in the log …

Are the logs blank? If they are not it would be helpful to post the logs or post a screenshot at the same time you experience the problem.

If the IPS is blocking something then the rule(s) that were triggered will be logged in the place @jon showed.

Mine shows the following for yesterday:

[screenshot of the IPS log]

and the logs show the rule name that was triggered.

Yes, the logs are unfortunately empty, hence this thread.

But there are also days where something is documented, but then (similar to @bonnietwin) it is bad traffic from outside.

If the IPS log is empty from when you had a problem downloading updates then IPS is unlikely to have caused the problem.

If the IPS is enabled on the green and/or red interfaces and there are no logs, then this indicates that the IPS has not found any traffic to block.

I agree with you completely, I would expect it too.

But I can attribute it to this function:

  • IPS ON on red → updates are blocked
  • IPS OFF on red → updates run
  • IPS ON on red with exceptions → updates run

Nevertheless, the logs remain empty…

Or does the IPS also influence the proxy (update accelerator)?