  1. #31
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    712

    Default

    Quote Originally Posted by sky-knight View Post
    Which brings us to the fact that all system apps need an internal means to bypass just that app for specified traffic.
    Completely agree.

  2. #32
    Newbie
    Join Date
    Dec 2017
    Posts
    2

    Default

    Woke up to my morning IPS report going from a normal equal Monitor/Block to a complete overhaul of a lot of monitoring and NO blocking. What the heck? I had over 231 block signatures but now down to 0. Did the new 14.1 reset all my configurations? And now, after reviewing the signatures, I can't even set them to block. What happened? Is this a feature? Praying it isn't, as this is a reminder of Windows NT 4.x days of updates wiping configurations.

    Bob

  3. #33
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,809

    Default

    It's in the change log.

    https://wiki.untangle.com/index.php/...ion_Prevention

    All new IPS engine and rules. There was no way to transition the previous settings.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #34
    Newbie
    Join Date
    Dec 2017
    Posts
    2

    Default

    Thank you for the wiki. Is there a How-To to support this Wiki? I just did an Add Signature; looks like I did a broad brush stroke on the categories and stopped traffic. Please provide a little more detailed How-To. Thank you

  5. #35
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,809

    Default

    It's best not to add signatures. Use rules to set groups to block as needed. Wiki is the same as before for IPS. Click on the question mark icon at the top of the window while in IPS and it will take you straight to the wiki page.

    It was also covered in the webinar a couple of weeks ago. https://www.youtube.com/watch?v=Zm_OHqO1djY

  6. #36
    Master Untangler
    Join Date
    Apr 2010
    Posts
    116

    Default

    I must say that I'm really struggling to fine tune the IPS. It's very difficult to tune it on the signature level. It's not even that easy to tune it on the classtype/category level as when the rules are combined the results are often unexpected. I think I have already had to delete everything three times to start from scratch.

    Creating a single rule for a single signature exception is a huge amount of work. It also creates a super huge mess of rules. It's also lots of work because, in addition to having to create a rule with all the parameters, you also have to copy a signature name and ID for each exception.

    There just needs to be a better way to quickly disable an unnecessary single signature or blocks of signatures.

    There's also a need to combine several signature IDs into a single rule. It's obviously also a somewhat bad approach, as if you do not name your signatures properly, later you will have no idea what the IDs are.

    [Attachments: firefox_2018-12-13_10-56-33.png, firefox_2018-12-13_10-57-13.png]

  7. #37
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,135

    Default

    Quote Originally Posted by MechanicalThinker View Post
    I must say that I'm really struggling to fine tune the IPS.
    In my enthusiasm for the new system I've had some of the same thoughts.

    So looking at this from Untangle's point of view on several fronts, let's consider specific suggestions for improvement on the fine tuning front. I'm just going to think out loud. There are no firm ideas here, just things to discuss.

    There does seem to be a way to create a rule combining several signatures, though maybe this isn't what you had in mind.
    [Attachment: Screenshot-2018-12-13 Graf Home Network - gateway.png]

    Let's say I want to build a rule combining signatures beginning with 2009, but there are two things I want to be able to address. First of all, it's just possible that my net will snag signatures not starting with 2009.
    [Attachment: Screenshot-2018-12-13 Graf Home Network - gateway(1).png]

    I need a way to exclude those signatures. And here's the first dilemma: The idea is to stay away from signatures. So how to do that? Refine my search by one or two numbers? Is that the best approach given the tools at hand?
    [Attachment: Screenshot-2018-12-13 Graf Home Network - gateway(2).png]

    That still does not let me address unwanted blocks of a single signature or selection of signatures, so I'm going to have to search on the criteria I need to create an action rule for those signatures and rely on rule order to help me, since I can't build a rule from reports that are already blocked.

    Have we made any progress?

    The other thing that I think might be helpful either as a separate idea or one combined with what I've just been thinking is the ability to easily disable a signature. Suppose I don't care about a signature in my network context; logging would just be noise. So now it would be nice to be able to do my signature search and have the option, somehow, of disabling signatures. I can't really have the granularity of other action options here because I think that's going to complicate or break the simple search-based rule making process. But if I could outright disable a signature, it wouldn't bother me anymore even if it was included in the rule.

    Are we making any progress at all?

    Regrettably, I think how an admin approaches the IPS app is going to matter here, and I don't think there is just one sensible approach. But if we take to heart the idea that the recommendation is we work primarily with classtypes, we eventually have to have a way to improve granularity or breaking things seems inevitable. How that level of granularity is best achieved in ways aligned with Untangle's development goals (which seem to me defensible) is the real question, including the thought that we may want the ability to bypass devices in the IPS app context only without resorting to using Untangle policies.

    Or, just pull the plug on the IPS app and let NAT and other apps do all the protecting.
    Last edited by Sam Graf; 12-13-2018 at 08:44 AM.

  8. #38
    Newbie
    Join Date
    Sep 2017
    Location
    San Diego, CA
    Posts
    14

    Default

    I'm liking the new IPS so far and its potential with rules and streamlined approach. Good job guys!

    Does anyone use the trojan-activity class type? I see that it is not in the default block rules and I'm curious why. I also see a lot of signatures are disabled in that class, but still, aren't some good, or is it too much risk of blocking legit traffic?

  9. #39
    Newbie
    Join Date
    Sep 2017
    Location
    San Diego, CA
    Posts
    14

    Default

    Quote Originally Posted by MechanicalThinker View Post
    I must say that I'm really struggling to fine tune the IPS. It's very difficult to tune it on the signature level. It's not even that easy to tune it on the classtype/category level as when the rules are combined the results are often unexpected. I think I have already had to delete everything three times to start from scratch.

    Creating a single rule for a single signature exception is a huge amount of work. It also creates a super huge mess of rules. It's also lots of work because, in addition to having to create a rule with all the parameters, you also have to copy a signature name and ID for each exception.

    There just needs to be a better way to quickly disable an unnecessary single signature or blocks of signatures.

    There's also a need to combine several signature IDs into a single rule. It's obviously also a somewhat bad approach, as if you do not name your signatures properly, later you will have no idea what the IDs are.
    I agree that it is not good to take away fine controls for those who need it. This is definitely tedious, to say the least. What about changing the Sig ID to an INT Matcher? Then you can specify a list or range or both.

    Another idea is adding the Rule ID as a column in IP Reports. Then you can know which rule is the source of the Logging/Blocking.
    Last edited by dhatch; 12-13-2018 at 09:39 AM.
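    The following is an added worked example, not code from this thread or from Untangle itself, showing what dhatch's list/range "INT matcher" on the Sig ID could look like, and why Sam Graf's text search for signatures "beginning with 2009" snags unrelated ones. The spec syntax (`"2009000-2009999, 2010001"`), the `SigRule` record, the first-match rule ordering and the sample signature IDs are all assumptions made for the illustration.

```python
"""Signature-ID matching as a list/range "int matcher" (constructed example).

Assumed, not Untangle's: the spec syntax, SigRule, and the sample SIDs below.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SigRule:
    name: str
    sid_spec: str   # int-matcher spec, e.g. "2009000-2009999, 2010001"
    action: str     # "block", "log" or "disable"


def parse_int_matcher(spec):
    """Parse 'a-b, c, d-e' into inclusive (low, high) ranges.

    A bare number n becomes (n, n); whitespace is ignored; a reversed or
    empty spec is rejected so a typo cannot silently match nothing.
    """
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = (int(p) for p in part.split("-", 1))
            if low > high:
                raise ValueError(f"reversed range: {part}")
        else:
            low = high = int(part)
        ranges.append((low, high))
    if not ranges:
        raise ValueError("empty matcher spec")
    return ranges


def sid_matches(sid, ranges):
    """Numeric match: the SID lies inside any of the parsed ranges."""
    return any(low <= sid <= high for low, high in ranges)


def contains_search(sid, text):
    """Text search as it behaves on a SID shown as a string: substring."""
    return text in str(sid)


def first_matching_action(sid, rules, default="log"):
    """Rules are evaluated top-down; the first matcher that hits decides."""
    for rule in rules:
        if sid_matches(sid, parse_int_matcher(rule.sid_spec)):
            return rule.name, rule.action
    return "default", default


# Constructed sample SIDs: two inside 2009xxx, one just past it, and three
# that merely *contain* the digits "2009" somewhere.
SAMPLE_SIDS = [2009001, 2009500, 2010001, 2012009, 12009005, 2020091]

# Constructed rule set: a single-signature "disable" placed above the
# broader block rule, so rule order is what keeps the exception effective.
RULES = [
    SigRule("disable noisy sig", "2009500", "disable"),
    SigRule("block 2009 block", "2009000-2009999, 2010001", "block"),
]


def contains_search_false_positives(text="2009", spec="2009000-2009999"):
    """SIDs a substring search hits that the numeric range does not."""
    ranges = parse_int_matcher(spec)
    return [s for s in SAMPLE_SIDS
            if contains_search(s, text) and not sid_matches(s, ranges)]


def evaluate_all(rules=RULES):
    """Map each sample SID to the (rule name, action) that would apply."""
    return {sid: first_matching_action(sid, rules) for sid in SAMPLE_SIDS}


if __name__ == "__main__":
    print("substring-search false positives:", contains_search_false_positives())
    for sid, (name, action) in evaluate_all().items():
        print(f"{sid}: {action:8s} via {name}")
```

    Numeric ranges never pick up a SID that merely contains the digits, and putting the single-signature exception above the block rule is what makes the exception win under first-match ordering.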

  10. #40
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    Default

    Quote Originally Posted by dhatch View Post
    What about changing the Sig ID to an INT Matcher? Then you can specify a list or range or both.
    Yeah, this is a good idea.
