IPS is not working


(Adam S) #1

Hello everyone.
I noticed that the IPS has not been working for several days. I follow the threads on the forum related to the bug and keep NethServer up to date. Unfortunately, I still have this situation:


Is there any chance that this will be corrected in the future?


(Filippo Carletti) #2

I think that since the alert file is empty (i.e. snort didn't detect a threat), the report can't set a date.
Your problem is that no snort rules ever fired in those days.
What policy are you using? Could you use the Logfile viewer to access /var/log/snort/alert?
Here’s mine for reference:

03/01-07:49:25.018293  [**] [1:2101129:7] GPL WEB_SERVER .htaccess access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 193.201.224.40:61588 -> 192.168.5.252:80
03/01-07:49:25.404460  [**] [1:2101129:7] GPL WEB_SERVER .htaccess access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 193.201.224.40:61654 -> 192.168.5.252:80
03/01-08:32:25.831852  [Drop] [**] [1:2404022:4142] ET CNC Shadowserver Reported CnC Server TCP group 12 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.22:36184 -> 185.30.166.37:6665
03/01-10:12:46.139829  [Drop] [**] [1:2404022:4142] ET CNC Shadowserver Reported CnC Server TCP group 12 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.5:41620 -> 185.30.166.37:6697
03/01-14:25:17.675372  [**] [1:2006402:9] ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 38.100.21.85:39975 -> 192.168.5.252:80

(Adam S) #3

Hello,
I use the balanced rule; when I view the log it's empty:


(Filippo Carletti) #4

The balanced policy has around 700 rules, mostly to identify outgoing traffic from malware.
You probably don't have infected systems in your LAN.
The security policy adds rules to detect attacks from outside; you may have more alerts in your logs.
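
The distinction drawn above (balanced rules mostly fire on traffic leaving the LAN, the security policy adds rules for attacks arriving from outside) can be made visible by parsing /var/log/snort/alert yourself. The following is an added example, not code from this thread or from NethServer: it parses snort's alert_fast lines in the format Filippo posted in #2, flags the [Drop] entries, and classifies each alert as inbound or outbound relative to the LAN. It assumes the green network uses RFC 1918 addresses (an assumption, not stated in the thread). The sample input reuses the five lines from #2 plus one constructed ICMP line; an empty file yields no first/last timestamp, which is the condition behind the undated report in #1.

```python
import ipaddress
import re
from collections import Counter

# Matches snort's "alert_fast" output as shown earlier in this thread.
# "[Drop]" is present only when snort ran inline and dropped the packet;
# ports are absent for protocols without them (e.g. ICMP). IPv4 only.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\[(?P<action>Drop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def direction(src, dst):
    """Classify an alert relative to the LAN by RFC 1918 membership.

    Assumption (not from the thread): the green network uses private
    addresses and every public address is "outside".
    """
    s_priv = ipaddress.ip_address(src).is_private
    d_priv = ipaddress.ip_address(dst).is_private
    if s_priv and not d_priv:
        return "outbound"   # LAN host -> internet: what balanced rules mostly catch
    if d_priv and not s_priv:
        return "inbound"    # internet -> LAN service: what the security policy adds
    if s_priv and d_priv:
        return "internal"
    return "external"


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["dropped"] = d.pop("action") == "Drop"
    d["sid"] = int(d["sid"])
    d["prio"] = int(d["prio"])
    d["direction"] = direction(d["src"], d["dst"])
    return d


def summarize(lines):
    """Summarize an alert file. An empty file yields first/last of None,
    which is exactly the situation that leaves the report without a date."""
    alerts = [a for a in (parse_alert(l) for l in lines) if a]
    ts = [a["ts"] for a in alerts]
    return {
        "total": len(alerts),
        "dropped": sum(a["dropped"] for a in alerts),
        "by_direction": Counter(a["direction"] for a in alerts),
        "by_sid": Counter(a["sid"] for a in alerts),
        # alert_fast timestamps carry no year, so min/max on the string is
        # only meaningful for a log that does not span a year boundary
        "first": min(ts) if ts else None,
        "last": max(ts) if ts else None,
    }


# The first five lines are the ones posted in #2; the ICMP line is constructed.
SAMPLE = """\
03/01-07:49:25.018293  [**] [1:2101129:7] GPL WEB_SERVER .htaccess access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 193.201.224.40:61588 -> 192.168.5.252:80
03/01-07:49:25.404460  [**] [1:2101129:7] GPL WEB_SERVER .htaccess access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 193.201.224.40:61654 -> 192.168.5.252:80
03/01-08:32:25.831852  [Drop] [**] [1:2404022:4142] ET CNC Shadowserver Reported CnC Server TCP group 12 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.22:36184 -> 185.30.166.37:6665
03/01-10:12:46.139829  [Drop] [**] [1:2404022:4142] ET CNC Shadowserver Reported CnC Server TCP group 12 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.5:41620 -> 185.30.166.37:6697
03/01-14:25:17.675372  [**] [1:2006402:9] ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 38.100.21.85:39975 -> 192.168.5.252:80
03/02-09:00:00.000000  [**] [1:9999999:1] CONSTRUCTED ICMP sample [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 8.8.8.8
""".splitlines()

if __name__ == "__main__":
    # Run against the live file on the box with:
    #   python3 this.py < /var/log/snort/alert
    import sys
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE
    print(summarize(src))
```

With the sample, three hits are inbound (the .htaccess probes and the Basic Auth policy rule) and three are outbound (the two dropped CnC connections and the constructed ICMP line); a balanced-policy log from a clean LAN would contain only the former kind, and often none at all, which is what the empty log in #3 shows.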


(Adam S) #5

I understand that I have to change the policy to security, and then snort will have a chance to detect events from the red network, and they should appear in the logs? And balanced is rather designed for scanning outbound traffic? :)


(Filippo Carletti) #6

Yes. Or create a custom Expert profile.
Here’s the official snort faq:
https://www.snort.org/faq/why-are-rules-commented-out-by-default


(Adam S) #7

Thank you for your help, I did not know about it. Just one more question. If I switch the rule to security and snort blocks traffic that is legitimate, can I somehow manually unlock a locked host? Because I do not see a panel anywhere to control this.


(Filippo Carletti) #8

snort never locks a host. It may drop a malicious connection. There's no option to bypass snort analysis.


(Adam S) #9

Okay, thanks.