IPS working even if no rules applied?

Hi guys,

This issue kept me for multiple hours busy. I even re-installed IPfire just to make sure it’s not my configuration resp. something that got corrupt. I also did run a ClamAV scan with a boot-USB…

I tried to access www.ey.com and it would always timeout. No entry in IPS log (but rarely resp almost always showing 0 entries there anyways, Talos registered user), checked also in /var/log/suricata.

I tried then different IPS rulesets (SNORT, Emerging), same result. Then I went back to Talos registered user and deselected ALL rules and did a reboot. Same. then I activated “Monitor traffic only” and did a reboot, same effect I get a timeout.

Quite fascinating that “Monitor traffic only” seems to not do what it says…anyways.

Last step was to disable IPS and voila, the site immediately worked.

Any ideas? Why no logs? Why does “Monitor traffic only” not provide me with the same effective result as in “disable” IPS altogether? Why does IPS seemingly block the website access even though no rules at all were selected? Where did I go wrong here? I am super confused. :slight_smile:

It does the same for me! Please enter a bug report:

Information to add a bug report in IPFire Bugzilla: