Analyze EveBox Alerts


NethServer Version: 7.4
Module: EveBox/IPS

Hello everyone,
I need some help to analyze the alerts of EveBox. I set all categories to “Alert” a few days ago and now I want to block malicious activities.
It’s a school and I need to block these activities without blocking the proper operation of the software used.
I’ve configured some rules of port forwarding for FTP, SSH, RDP, HTTP, IMAP, SMTP and KVM.
Thanks.

https://mail.iisvittuone.it:980/50d9330e969a543c74cfc3227f3a4cd2c3beb9af/#/inbox
If I give you this link, can you view all the alerts?

Federico Ballarini

First off, when looking at rules that are triggered by traffic you must view them in context.
For instance some traffic going or coming from a mail server may be acceptable, but the same rules triggered on a client may not.

NethServer is also configured as a mail server (192.168.1.2 red interface, 192.168.8.1 green interface).
There are two servers 192.168.8.3 (debian) and 192.168.8.4 (windows server 2016) virtualized on KVM (NethServer 6.9 - 192.168.8.5).
Other IPs are all PCs, printers and access point.

For instance, someone there using windows 10 and the chrome browser downloaded the gimp image editing program… hardly a big deal and that’s why the rule it triggered is a policy rule, as in what’s allowed on the network.

Well, my first question is… do you know what you’re looking at or have you just turned on the ids module and don’t really understand how to interpret the logs?
We can help you but we need to know your knowledge level to minimize confusion.

I’m disoriented by the new look of the module… before it was simpler. I’m a student and I have redesigned my school’s network. My knowledge is minimal and I have so much to learn: I think I’m in the right place.

If I understand it well, IPS is an Intrusion Prevention System that can block malicious and suspected traffic to protect all the local network.

@federico.ballarini don’t be scared, there’s a lot of material to study on IDS. Use google, search for suricata and emerging threats.
Come back here in a few days if you still have doubts.

Do you have the web proxy / web content filter installed?
Those are modules that’ll probably serve your network usage policy better.

Do you need help with all alerts? It would be easier if you just post the alerts that are not clear…
What if you just block all and when there are problems unblock again?

Yes, I have enabled Proxy and Web Content Filter.
Do you think that I have to uninstall IPS?

This can be a way, but I won’t have too much of a problem blocking services that I don’t have to block.

I have uninstalled IPS. If there are some problems, I will reinstall it.
Thanks.

Here is one that’s bad. This is why ips is a useful module but one that’s used to complement your network management.

{
  "_id": "5448",
  "_source": {
    "alert": {
      "action": "allowed",
      "category": "Potential Corporate Privacy Violation",
      "gid": 1,
      "rev": 1,
      "severity": 1,
      "signature": "ET POLICY Request for Coinhive Browser Monero Miner M2",
      "signature_id": 2024786
    },
    "dest_ip": "192.168.1.2",
    "dest_port": 38822,
    "event_type": "alert",
    "flow_id": 883910505323868,
    "geoip": {
      "continent_code": "EU",
      "coordinates": [
        9.491,
        51.2993
      ],
      "country_code2": "DE",
      "country_name": "Germany",
      "ip": "94.130.129.235",
      "latitude": 51.2993,
      "longitude": 9.491
    },
    "proto": "TCP",
    "src_ip": "94.130.129.235",
    "src_port": 443,
    "tags": [],
    "timestamp": "2017-10-25T13:21:18.324682+0200",
    "tls": {
      "sni": "coinhive.com",
      "version": "TLS 1.2"
    }
  }
}
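As an added example (not from this thread, EveBox or NethServer), the script below shows how the advice earlier in the thread, that an alert has to be read in the context of which host it hit, can be applied to EVE records like the one quoted above. It reads eve.json lines (or EveBox documents wrapped in "_source"), works out which side of the flow is the local host, looks up that host's role in a map built from the addresses the poster listed, and then triages: anything naming a browser miner in the signature or TLS SNI is marked for investigation, other "ET POLICY" hits are marked for acceptable-use review. The host roles and LAN ranges are assumptions taken from the thread; the second sample record is invented for contrast. One observation the code encodes: in the quoted record the local side is 192.168.1.2, the firewall's red interface, so with the web proxy enabled the alert shows the proxy, not the PC that asked for coinhive.com, and the proxy access log is where to look next.

```python
import ipaddress
import json
from collections import Counter

# Assumed LAN ranges and host roles, taken from the addresses listed in the
# thread. EveBox knows nothing about roles; this map is the "context".
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24"),
                ipaddress.ip_network("192.168.8.0/24")]
HOST_ROLES = {
    "192.168.1.2": "nethserver-red",      # firewall / mail server, WAN side
    "192.168.8.1": "nethserver-green",    # firewall / mail server, LAN side
    "192.168.8.3": "debian-server",
    "192.168.8.4": "windows-server-2016",
    "192.168.8.5": "kvm-host",
}
GATEWAY_ROLES = {"nethserver-red", "nethserver-green"}

# Fragments that identify browser crypto-mining even when the rule itself is
# filed under a "policy" category.
MINER_MARKERS = ("coinhive", "monero", "miner")

# Constructed eve.json lines. The first mirrors the alert quoted in the thread;
# the second is a made-up benign policy hit (placeholder sid, TEST-NET address).
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2017-10-25T13:21:18.324682+0200", "event_type": "alert",
                "src_ip": "94.130.129.235", "src_port": 443,
                "dest_ip": "192.168.1.2", "dest_port": 38822, "proto": "TCP",
                "alert": {"signature": "ET POLICY Request for Coinhive Browser Monero Miner M2",
                          "signature_id": 2024786, "severity": 1,
                          "category": "Potential Corporate Privacy Violation"},
                "tls": {"sni": "coinhive.com", "version": "TLS 1.2"}}),
    json.dumps({"timestamp": "2017-10-25T13:30:00.000000+0200", "event_type": "alert",
                "src_ip": "192.168.8.20", "src_port": 51234,
                "dest_ip": "203.0.113.10", "dest_port": 443, "proto": "TCP",
                "alert": {"signature": "ET POLICY Example Software Download (constructed)",
                          "signature_id": 9000001, "severity": 3,
                          "category": "Potential Corporate Privacy Violation"}}),
]


def severity_label(sev):
    """Suricata/ET priority: 1 is the most severe."""
    return {1: "high", 2: "medium"}.get(sev, "low")


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def local_side(record):
    """Return (local_ip, remote_ip): the LAN address of the flow and its peer."""
    src, dst = record["src_ip"], record["dest_ip"]
    if is_lan(dst):
        return dst, src
    return src, dst


def triage(doc):
    """Classify one EVE alert (JSON string or dict, plain or EveBox-wrapped)."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    record = doc.get("_source", doc)          # EveBox wraps eve.json in _source
    alert = record["alert"]
    sig = alert["signature"]
    sni = record.get("tls", {}).get("sni", "")
    local_ip, remote_ip = local_side(record)
    role = HOST_ROLES.get(local_ip, "client")
    haystack = (sig + " " + sni).lower()

    if any(marker in haystack for marker in MINER_MARKERS):
        verdict = "investigate"
        next_step = "block the miner domain on the content filter and find the browser that requested it"
    elif sig.startswith("ET POLICY"):
        verdict = "policy-review"
        next_step = "decide whether this software is allowed on the school network"
    else:
        verdict = "triage-by-severity"
        next_step = "read the rule documentation before blocking"
    if role in GATEWAY_ROLES:
        next_step += ("; the flow terminates on the gateway, so with the web proxy enabled "
                      "correlate with the proxy access log to identify the real client")
    return {"signature": sig, "sid": alert.get("signature_id"),
            "severity": severity_label(alert.get("severity")),
            "local_ip": local_ip, "role": role, "remote_ip": remote_ip,
            "sni": sni, "verdict": verdict, "next_step": next_step}


def summarize(lines):
    """Count verdicts over a batch of eve.json lines."""
    return Counter(triage(line)["verdict"] for line in lines)


if __name__ == "__main__":
    for line in SAMPLE_EVE_LINES:
        print(json.dumps(triage(line), indent=2))
    print(dict(summarize(SAMPLE_EVE_LINES)))
```

Pointing the script at a real file is a matter of feeding it the lines of /var/log/suricata/eve.json (or an EveBox export) instead of SAMPLE_EVE_LINES; the role map is the part worth maintaining, since the same rule on the mail server and on a student PC calls for different follow-up.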