I have had the Talos Registered ruleset activated for several days and have not received a single hit in the IPS logs. I tried downloading an EICAR test file because one of the rules in one of the rulesets (POLICY-OTHER) is for this. My A/V blocked it, but after I whitelisted it in the A/V, it still downloaded fine.
Is there another simple way I can verify that the rules are actually working?
Two reasons the EICAR test may fail:
1) grep through the rule files in /var/lib/suricata to see if there are other rules that need to be enabled to catch the EICAR test file; it seems I had to do this in the past.
2) if the EICAR test file is fetched via https (note the 's'), the data is encrypted and not visible at the firewall.
It would be nice if there were a way to switch the Talos ‘policy’ to max-detect-ips temporarily to verify that IPS is actually functioning.
Edit: FWIW, I modified /var/ipfire/suricata/oinkmaster-modify-sids.conf changing policy from balanced-ips to max-detect-ips and then ran update-ids-ruleset. After that, alerts started firing big-time.
Edit2: This will break things like DNS. I had to use the IP address rather than the hostname to get back into the firewall to switch the policy back.
Edit3: I have switched to policy security-ips and that seems to be very quiet, only a few hits here and there.
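The two checks from the post above (grep the rule files for EICAR rules and see whether they are commented out, then swap the policy string and be able to revert it), as an added example that is not code from the thread, from IPFire or from Suricata. It runs offline against constructed input: the rule lines, the sid numbers (9000001-9000003) and the one-line stand-in for oinkmaster-modify-sids.conf are made up for the demo; on a real IPFire box you would point the functions at /var/lib/suricata and /var/ipfire/suricata instead and run update-ids-ruleset afterwards, as the post describes.

```shell
#!/bin/sh
# Added example (not from the thread, IPFire or Suricata).
# 1. Find EICAR rules in a rules directory and report which are disabled
#    (commented out with '#'), so you know whether the POLICY-OTHER rule
#    can fire at all.
# 2. Swap the policy name in a copy of oinkmaster-modify-sids.conf while
#    keeping a backup, so the change can be undone from an IP-address
#    login if DNS stops working after the switch.
# All sample content below is constructed for the demo.

# Constructed rules directory: one disabled EICAR rule, one enabled EICAR
# rule, one unrelated rule. Sids 9000001-9000003 are made up.
make_sample_rules() {
    dir=$(mktemp -d)
    cat > "$dir/policy-other.rules" <<'EOF'
# alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE EICAR test file download attempt"; flow:to_client,established; content:"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE EICAR test file download attempt"; flow:to_client,established; content:"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE unrelated rule"; sid:9000003; rev:1;)
EOF
    echo "$dir"
}

# Every rule line that mentions EICAR, enabled or not.
count_eicar_rules() {
    grep -rhi 'EICAR' "$1" | wc -l | tr -d ' '
}

# Only the enabled ones: lines that do not start with '#'.
count_enabled_eicar_rules() {
    grep -rhi 'EICAR' "$1" | awk '!/^[[:space:]]*#/ { n++ } END { print n+0 }'
}

# Sids of EICAR rules that are commented out; these are the ones to enable.
disabled_eicar_sids() {
    grep -rhi 'EICAR' "$1" | awk '/^[[:space:]]*#/ {
        if (match($0, /sid:[0-9]+/)) print substr($0, RSTART + 4, RLENGTH - 4)
    }'
}

# Constructed one-line stand-in for /var/ipfire/suricata/oinkmaster-modify-sids.conf.
# Assumption: the real file names the active policy as plain text; its actual
# layout is generated by IPFire and is not reproduced here.
make_sample_modify_sids() {
    f=$(mktemp)
    printf '%s\n' '# policy: balanced-ips' > "$f"
    echo "$f"
}

# Print the first policy name (something-ips) found in the file.
current_policy() {
    awk 'match($0, /[a-z-]+-ips/) { print substr($0, RSTART, RLENGTH); exit }' "$1"
}

# Replace one policy name with another, keeping a .bak copy for revert_policy.
# Uses a temp file instead of sed -i so it behaves the same on GNU and BSD sed.
switch_policy() {
    file=$1; from=$2; to=$3
    cp "$file" "$file.bak"
    sed "s/$from/$to/g" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Put the backup back; this is the step you want to be able to do over an
# IP-address login if name resolution broke after the switch.
revert_policy() {
    mv "$1.bak" "$1"
}

# Demo run on the constructed input.
rules=$(make_sample_rules)
echo "EICAR rules: $(count_eicar_rules "$rules") total, $(count_enabled_eicar_rules "$rules") enabled"
echo "disabled EICAR sids: $(disabled_eicar_sids "$rules")"
conf=$(make_sample_modify_sids)
echo "policy before: $(current_policy "$conf")"
switch_policy "$conf" balanced-ips max-detect-ips
echo "policy after switch: $(current_policy "$conf")"
revert_policy "$conf"
echo "policy after revert: $(current_policy "$conf")"
rm -rf "$rules" "$conf"
```

On a real box the rules directory is the one the post names, /var/lib/suricata, and any sid the script lists as disabled is a rule you would enable before retrying the EICAR download over plain http (not https, since the encrypted transfer is invisible to the firewall). Keep the .bak file around until you have confirmed you can still reach the firewall, then run update-ids-ruleset again after reverting.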
Thank you. I actually found an unencrypted EICAR download link on this page:
And verified that the IPS blocks the download.