IPS Testing Option?

[RBoynton]

Thank you for the improvement in IPS, guys. I see the need for IPS, but don't have a lot of experience with it.

To help new admins ensure the IPS setup is correct, it would be very helpful to have a testing option within the module to notify the sysadmin (via SNMP, email, or at the least via the event log) of a potential problem while the rules are active. With the testing option selected, those rules which are enabled would be used to evaluate traffic but would not block any sessions. This would allow the sysadmin to tune the rules for their network in a testing mode while not impacting traffic. Once the testing option is unchecked, the module will then take action on the traffic based on the selected rules.

[cblaise]

Thanks for checking it out!

What you're asking for is how the Log functionality for a rule operates. It simply detects a rule's "hit", logs it to the event log, but does not affect traffic at all.

To affect the traffic by stopping it, you can enable Block for a rule.

By default, no rules are ever marked Block by the system (e.g.,Setup Wizard, updated rules), only Log.

[Jim.Alles]

To more clearly define this request, I would like to see a firewall module style [all events / flagged / blocked] filter capability (but always logging everything might well be a burden), OR a single checkbox for log all (rule testing).

checking all of those checkboxes would be painful.

Thanks, though for the effort!

[jcoffin]

It was done on purpose. A check all function would bring most boxes to grinding slow pace. Just think of all those regex functions processing on all the sessions!