I have had the Talos Registered ruleset activated for several days and have not received a single hit in the IPS logs. I tried downloading an EICAR test file because one of the rules in one of the rulesets (POLICY-OTHER) is for this. My A/V blocked it, but after I whitelisted it in the A/V, it still downloaded fine.
Is there another simple way I can verify that the rules are actually working?
Two reasons the EICAR test may fail: 1) grep through the rule files in /var/lib/suricata to see if there are other rules that need to be enabled to catch the EICAR test file (seems I had to do this in the past); 2) if the EICAR test file is fetched via https (note the "s"), the data is encrypted and not visible at the firewall.
It would be nice if there were a way to switch the Talos "policy" to max-detect-ips temporarily to verify that IPS is actually functioning.
Edit: FWIW, I modified /var/ipfire/suricata/oinkmaster-modify-sids.conf changing policy from balanced-ips to max-detect-ips and then ran update-ids-ruleset. After that, alerts started firing big-time.
Edit2: This will break things like DNS; had to use the IP address rather than the hostname to get back into the firewall to switch the policy back.
Edit3: I have switched to policy security-ips and that seems to be very quiet; only a few hits here and there.
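The two checks described in the reply above (grep the rule files for EICAR rules and see whether they are enabled; swap the Talos policy name in oinkmaster-modify-sids.conf, then switch it back) scripted as shell helpers. This is an added example, not code from the poster or from IPFire. The paths /var/lib/suricata and /var/ipfire/suricata/oinkmaster-modify-sids.conf are taken from the thread; the rule lines and the config line used in the demo are constructed samples, and the assumption that a disabled Suricata rule is simply a rule line prefixed with `#` is what `eicar_rule_status` relies on.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for checking whether a
# Suricata/Talos ruleset can fire on an EICAR download, and for swapping the
# Talos policy name in oinkmaster-modify-sids.conf with a backup.
#
#   eicar_rule_status DIR        - list every rule mentioning EICAR in DIR/*.rules
#                                  and whether it is enabled or commented out
#   count_enabled_eicar_rules DIR - how many of those rules are live (0 means the
#                                  EICAR download cannot alert, whatever else is set)
#   switch_ids_policy FILE FROM TO - replace policy FROM with TO in FILE, keeping
#                                  FILE.bak; prints how many lines now carry TO
#
# Assumption: Suricata treats a rule line starting with '#' as disabled.

eicar_rule_status() {
    dir="$1"
    # -h: no filename prefix; -i: EICAR is written in mixed case in rule msgs
    grep -hi 'eicar' "$dir"/*.rules 2>/dev/null | while IFS= read -r line; do
        case "$line" in
            '#'*) printf 'disabled %s\n' "$line" ;;
            *)    printf 'enabled  %s\n' "$line" ;;
        esac
    done
}

count_enabled_eicar_rules() {
    # grep -c exits 1 when the count is 0; the count is still printed
    eicar_rule_status "$1" | grep -c '^enabled' || true
}

switch_ids_policy() {
    file="$1"; from="$2"; to="$3"
    # Keep the original so the policy can be switched back (the thread notes
    # max-detect-ips breaks things like DNS). Portable sed: write from the backup.
    cp "$file" "$file.bak"
    sed "s/${from}/${to}/g" "$file.bak" > "$file"
    # On IPFire, run update-ids-ruleset after this for the change to take effect.
    grep -c "$to" "$file" || true
}

# Demo on constructed files in a temporary directory; safe to run anywhere.
demo() {
    tmp=$(mktemp -d)
    # Constructed rule lines (not real Talos rules; sids are in the local range).
    printf '%s\n' \
        'alert http any any -> any any (msg:"POLICY-OTHER EICAR test string download attempt"; sid:1000001;)' \
        '# alert http any any -> any any (msg:"POLICY-OTHER EICAR test file download attempt"; sid:1000002;)' \
        'alert tcp any any -> any any (msg:"unrelated rule"; sid:1000003;)' \
        > "$tmp/policy-other.rules"
    echo "EICAR rules found in $tmp:"
    eicar_rule_status "$tmp"
    echo "enabled EICAR rules: $(count_enabled_eicar_rules "$tmp")"

    # Constructed placeholder for the policy line in oinkmaster-modify-sids.conf.
    printf '# constructed placeholder line: policy balanced-ips\n' > "$tmp/oinkmaster-modify-sids.conf"
    changed=$(switch_ids_policy "$tmp/oinkmaster-modify-sids.conf" balanced-ips max-detect-ips)
    echo "lines now set to max-detect-ips: $changed (backup in $tmp/oinkmaster-modify-sids.conf.bak)"
    rm -rf "$tmp"
}

if [ "${1-}" = "--demo" ]; then
    demo
fi
```

On a live IPFire box the calls would be `eicar_rule_status /var/lib/suricata` and `switch_ids_policy /var/ipfire/suricata/oinkmaster-modify-sids.conf balanced-ips max-detect-ips` followed by `update-ids-ruleset`; restoring the `.bak` file and running `update-ids-ruleset` again reverts the policy.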