IPS and National Aust Bank


NethServer Version: 7.5.1804
Module: nethserver-suricata-1.1.1-1.ns7.noarch
These look like great tools and on the whole work well, but we have a case where users can log into the bank etc. but it will not load a table of transactions. Other banks are OK but not NAB. Turn off IPS and NAB is OK.
Have only a limited set of filters on: tor, mobile-malware, botcc, CIArmy, malware, worm, games and scan.
Do we have to trap TCP packets to see what ports are coming into play? Is that the best place to start?
Can a site be exempted in the IPS?

Hi @compsos,
I think this is the best way. Or call your bank and ask which ports you need to open.
We had the same problem with our bank (but not with NS, with another UTM).
Usually, for outgoing connections, I open only the ports I need.
I had to call the bank to ask which ports I need to open on the UTM to use the online banking software.

The strange thing with this is that we get through the secure login; it's just a particular function further in. My first hunch is that all required ports should be open by this stage and the issue is just something in the code that trips it out. Can we debug-log the IPS?

You may check which IPS rule blocks with Evebox in Applications:

http://docs.nethserver.org/en/v7/suricata.html#evebox

We are also seeing this in relation to the Let's Encrypt certificate:
Failed authorization procedure. srv.compsos.com.au (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain ::
The IPS looks like it does some fantastic work but is looking like a memory hog and needs ways to allow the system to be "usable".
What override controls are available? The manual lists the categories, and their respective pages list IPs (in some cases), but no configuration settings.
Would just setting modules to Alert expose whether a category is the blocking culprit?

Yes, that's a way to go, or look at which rule is responsible for the block in Evebox or /var/log/suricata/fast.log and set it to Alert/Disable in the IPS settings.

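One way to pull the culprit rule out of fast.log for a single site, as an added example (my own script, not NethServer's or Suricata's code): it parses Suricata's standard fast.log records, keeps only the events whose source or destination is one of the IPs you care about, and tallies each signature by whether it dropped the packet ("[Drop]" in IPS mode), would have dropped it ("[wDrop]" in test mode) or only alerted. The sample log lines, the SIDs 9000001 to 9000003, the rule messages and the addresses 203.0.113.10 / 198.51.100.7 / 192.168.1.x are all constructed for illustration.

```python
#!/usr/bin/env python3
"""Find which Suricata signatures fired on traffic to or from particular hosts.

Reads fast.log lines (on NethServer: /var/log/suricata/fast.log), keeps only
events whose source or destination is in a set of IPs you care about, and
tallies each signature by action: "Drop" (blocked in IPS mode), "wDrop"
(would have dropped, test mode) or "alert" (logged only).
"""
import re
import sys
from collections import Counter

# One fast.log record. The "[Drop]"/"[wDrop]" token is optional because
# Suricata prints it only when the matching rule's action was drop; the
# Classification field is absent when the rule has no classtype.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>w?Drop)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Constructed sample log: 203.0.113.10 stands in for the bank, 192.168.1.x for
# the LAN; SIDs 9000001-9000003 and their messages are made up for this example.
SAMPLE_LOG = """\
08/28/2018-10:15:30.123456  [Drop] [**] [1:9000001:2] EXAMPLE POLICY websocket upgrade to banking host [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.23:50122 -> 203.0.113.10:443
08/28/2018-10:15:31.000001  [Drop] [**] [1:9000001:2] EXAMPLE POLICY websocket upgrade to banking host [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.23:50123 -> 203.0.113.10:443
08/28/2018-10:15:32.500000  [**] [1:9000002:1] EXAMPLE SCAN high rate of new connections [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.23:50124 -> 203.0.113.10:443
08/28/2018-10:16:02.000000  [Drop] [**] [1:9000003:5] EXAMPLE MALWARE unrelated host [**] [Priority: 3] {UDP} 192.168.1.40:41000 -> 198.51.100.7:53
08/28/2018-10:16:05.000000  [wDrop] [**] [1:9000002:1] EXAMPLE SCAN high rate of new connections [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.10:443 -> 192.168.1.23:50124
this line is not a fast.log record and must be ignored
"""


def parse_event(line):
    """Return a dict for one fast.log line, or None if it is not an alert record."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["action"] = ev["action"] or "alert"
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        ev[key] = int(ev[key])
    return ev


def rules_for_hosts(lines, hosts):
    """Tally signatures for events that touch any IP in `hosts`.

    Returns {sid: {"msg": str, "counts": Counter(action -> n), "ports": set}},
    where "ports" are the ports on the host side of the connection.
    """
    hosts = set(hosts)
    stats = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["dst"] in hosts:
            host_port = ev["dport"]
        elif ev["src"] in hosts:
            host_port = ev["sport"]
        else:
            continue
        entry = stats.setdefault(ev["sid"], {"msg": ev["msg"], "counts": Counter(), "ports": set()})
        entry["counts"][ev["action"]] += 1
        entry["ports"].add(host_port)
    return stats


def blocking_sids(stats):
    """SIDs that actually dropped traffic, most drops first: the candidates to
    switch to Alert (or disable) in the IPS settings."""
    return sorted((sid for sid, e in stats.items() if e["counts"]["Drop"]),
                  key=lambda sid: -stats[sid]["counts"]["Drop"])


def report(stats):
    """One summary line per signature, most drops first."""
    out = []
    for sid in sorted(stats, key=lambda s: -stats[s]["counts"]["Drop"]):
        e = stats[sid]
        ports = ",".join(str(p) for p in sorted(e["ports"]))
        out.append(f"sid {sid}: drop={e['counts']['Drop']} wdrop={e['counts']['wDrop']} "
                   f"alert={e['counts']['alert']} ports={ports}  {e['msg']}")
    return out


if __name__ == "__main__":
    # usage: fastlog_hosts.py /var/log/suricata/fast.log 203.0.113.10 [more IPs]
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            stats = rules_for_hosts(fh, sys.argv[2:])
    else:
        stats = rules_for_hosts(SAMPLE_LOG.splitlines(), {"203.0.113.10"})
    print("\n".join(report(stats)))
    print("blocking SIDs:", blocking_sids(stats))
```

Run it against the real log with the bank's IPs (resolve the hostnames the browser contacts during the failing step; the dev-tools network tab shows them) while reproducing the broken transaction page. Only signatures that show a non-zero drop count are candidates for the block; a signature that only alerts is noise here, and the port column tells you whether the bank traffic is all on 443 or whether some other port is involved, which answers the "which ports" question without calling the bank.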