Page 1 of 6 (results 1 to 10 of 56)

Thread: IDPS Rules list

  1. #1
    Untangler (Join Date: Feb 2018, Posts: 79)

    IDPS Rules list

    Hi, I know that they generally recommend around these parts to slowly enable rules for blocking and test to see how that affects legitimate traffic. The thing is, there are over 30,000 rules, and it would be awesome if someone could upload their configuration, and I could use that to further tweak according to my needs.

    Is there any repository where I can download that, or can someone be so gracious as to upload theirs?

    Thanks in advance!

  2. #2
    Untangler jcoffin (Join Date: Aug 2008, Location: Lake Tahoe, Posts: 9,802)

    It's unlikely someone else's block list will fit your network traffic equally. The best practice is to review the flagged list in reports, evaluate flagged rules for false positives and then if needed set block for rules which have no false positives (rare on home networks).
    Last edited by jcoffin; 03-21-2018 at 03:06 PM.
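The review loop jcoffin describes (read the flagged events, check which rules also fire on LAN hosts, and only consider blocking rules that have no false positives) can be scripted against exported alert records. The block below is an added example, not Untangle's own code or report format; it assumes constructed Suricata-style EVE JSON alert lines, made-up signature IDs, and a hypothetical LAN range of 192.168.1.0/24.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical local address space; adjust to the network being reviewed.
LAN_NETS = [ip_network("192.168.1.0/24")]

# Constructed sample alerts (Suricata-style EVE JSON, one object per line).
# Signature IDs and names are made up for illustration only.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.168.1.10","alert":{"signature_id":900001,"signature":"CONSTRUCTED inbound probe to SQL port"}}
{"event_type":"alert","src_ip":"198.51.100.3","dest_ip":"192.168.1.10","alert":{"signature_id":900001,"signature":"CONSTRUCTED inbound probe to SQL port"}}
{"event_type":"alert","src_ip":"192.168.1.25","dest_ip":"192.168.1.1","alert":{"signature_id":900002,"signature":"CONSTRUCTED ICMP ping"}}
{"event_type":"alert","src_ip":"192.168.1.25","dest_ip":"8.8.8.8","alert":{"signature_id":900002,"signature":"CONSTRUCTED ICMP ping"}}
{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.168.1.10","alert":{"signature_id":900002,"signature":"CONSTRUCTED ICMP ping"}}
{"event_type":"alert","src_ip":"203.0.113.11","dest_ip":"192.168.1.10","alert":{"signature_id":900003,"signature":"CONSTRUCTED one-off probe"}}
{"event_type":"flow","src_ip":"192.168.1.25","dest_ip":"8.8.8.8"}
"""

def is_lan(ip):
    """True if the address falls inside one of the configured LAN ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def triage(eve_text, min_hits=2):
    """Count hits per signature and flag which rules are safe block candidates.

    A rule that ever fires with a LAN source is treated as a likely false
    positive and left on log-only; external-only rules need at least
    min_hits events before they are proposed for blocking.
    """
    stats = defaultdict(lambda: {"name": "", "total": 0, "lan_src": 0})
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":   # ignore flow/dns/etc. records
            continue
        sid = ev["alert"]["signature_id"]
        stats[sid]["name"] = ev["alert"]["signature"]
        stats[sid]["total"] += 1
        if is_lan(ev["src_ip"]):
            stats[sid]["lan_src"] += 1
    verdicts = {}
    for sid, s in stats.items():
        if s["lan_src"] > 0:
            verdicts[sid] = "keep logging: fires on LAN hosts (likely false positive)"
        elif s["total"] >= min_hits:
            verdicts[sid] = "block candidate: external-only, repeated"
        else:
            verdicts[sid] = "keep logging: too few hits to judge"
    return dict(stats), verdicts
```

Run `triage(SAMPLE_EVE)` on a real export and review each "block candidate" by hand before changing a rule's action; the script only narrows the list, it does not replace the judgement the thread is asking for.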

  3. #3
    Untangler (Join Date: Feb 2018, Posts: 79)

    Thank you very much for the reply.

    I agree that it won't be an exact fit for our network use case, but it definitely would be better than enabling all 30,000 rules. There are rules that shouldn't be there in the first place at this point in time, I think. It's much easier to work with something that already works for a network and doesn't block DNS queries, ping, etc., and tweak that to get it to work for your purposes, than to enable all 30,000 rules and spend hours disabling rules to get things to work.

  4. #4
    Untangle Ninja (Join Date: Feb 2016, Posts: 1,135)

    I personally think that's the wrong way to look at the task. Consider that of the 30,000 rules, only just under 20,000 are set to log in a default configuration. And of those 20,000, I have selected, based on actual activity, a little over 200 to block. I wouldn't dream of mass selecting even the logged rules.

    And I distrust a shortcut approach to the IPS app. I think it has to be intentionally and thoughtfully managed to meet any useful network protection goal. And by doing so, it's possible to learn what really matters and what doesn't. Because under normal circumstances (no intrusion has been achieved), LAN-side false positives abound. By becoming familiar with what a healthy network looks like in a given circumstance, the anomalies become more vivid.

  5. #5
    Untangler (Join Date: Feb 2018, Posts: 79)

    Thank you for your reply. I appreciate your input and understand what you are saying, but for example, why wouldn't you block all those rules that target individual exploits, etc.? There are a nice few thousand of those.

  6. #6
    Untangle Ninja (Join Date: Feb 2016, Posts: 1,135)

    My first priority (and this is a reason why my list may not be satisfactory to you--it reflects my priorities) is using the app to block known or suspected bad actors. I look for that activity in my reports. I also look for activity to SQL ports, even though the only public facing device I have that uses SQL is Untangle itself. I have a couple other targets that I watch for. Those are my first priority, my interest. Bad actors get excluded to the extent that I'm able to exclude them.

    My interest in specific exploits reflects my knowledge of how my network gets used, what it gets exposed to. I watch what's going on with Web Filter and to a lesser extent the Virus Blocker apps. Since I personally prefer to use the IPS app thoughtfully, I don't rely on it exclusively.

    I could go on, but by now you probably get the idea. I use the IPS app not as a big hammer, but as a supplement to what the rest of Untangle is doing. That's my approach. It likely wouldn't satisfy you, and would likely make my list uninteresting and unhelpful to you. I suspect that the majority of us here, those of us who are not security professionals, will exhibit similar shortcomings. After all, the professionals generally discourage the use of the IPS app altogether.

  7. #7
    Untangler (Join Date: Feb 2018, Posts: 79)

    Quote Originally Posted by Sam Graf:
    > After all, the professionals generally discourage the use of the IPS app altogether.
    Thank you very much for your reply. Just a question. Why do you say security professionals discourage use of IDPS systems? From what I've heard, read, and seen, it's a very useful tool. Obviously you have to monitor the logs, and it's not just set it and forget it, but it still is very useful.

  8. #8
    Untangle Ninja (Join Date: Feb 2016, Posts: 1,135)

    I mean the ones active here, including Untangle staff. They don't deny the usefulness of the app as a tool, but they do deny that most Untangle users will benefit from employing it.

    I'm old, so I just do what I want to do anyway.

  9. #9
    Untangler (Join Date: Feb 2018, Posts: 79)

    I noticed that attitude prevalent here, but I don't see how that attitude matches up with real world results.

  10. #10
    Untangle Ninja (Join Date: Feb 2016, Posts: 1,135)

    I think I understand the source and causes of that attitude, and it's probably broadly justified. The payoff from the expenditure of server resources is probably negligible more often than not if for no other reason than because the IPS app requires regular attention.

    But there is no better way within Untangle, in my view, to have some detailed knowledge of who's knocking on the network's front door and what might be trying to get out and make messes elsewhere. It's interesting to watch the IPS reports on new networks, before anything is running inside and so uncluttered by the usual false positives. That's just me.
