#1 Untangle Ninja (joined Feb 2016, 1,135 posts)

The new IPS in 14.1

    I finally have an upgraded box where I can play with the new IPS. At first I was a little baffled but after doing some homework (thanks especially to dmorris for his thoughtful overview in the 14.1 webinar) it all started to come together for me. There are a couple things I'm still not sure about, but I'm getting there.

    I'd like to thank the Untangle development team for their obvious and productive effort at addressing IPS app feedback. Good work!

#2 dmorris, Untangle Junkie (joined Nov 2006, San Carlos, CA, 17,747 posts)

    Thanks! I will pass along your comments. Especially to the guy who did almost all of the design and implementation. (cblaise)

#3 cblaise, Master Untangler (joined Jul 2014, Burlington, VT, 138 posts)

    Thanks Sam!

#4 Untangle Ninja (joined Feb 2016, 1,135 posts)

    You're very welcome.

    I have one specific question so far. I decided to start and think IPS from scratch, so I reinstalled the IPS app on my home server (where I can play freely). After rethinking some things and doing some reading, I resumed part of an old habit by deciding I want absolutely nothing to do with machines in the "compromised" and "dshield" categories. Using the amazing search feature, I looked over the impact of a category-based block and then created two category-driven block rules (sweet!). It didn't take long for the block to block stuff. Now for the question.

In a couple of cases so far, the block log shows a couple of parallel blocks between the dshield and ciarmy categories, where the "attacks" are identical (time, addresses, ports). Since ciarmy isn't included in my two block rules, I'm wondering if the block report is picking up on the match between the attacks rather than implying I'm actually blocking on the ciarmy category, but I'm clearly guessing. So what really is happening?
    Last edited by Sam Graf; 12-08-2018 at 01:00 PM.

#5 Untangle Ninja (joined Jan 2009, 1,186 posts)

@Sam Graf Remember, there are 3 rules that are based on machine memory and they're classtype rules, so (I can't remember) ciarmy might be in one of those rules. I built rules based on category, my preference, and disabled the default memory-based rules.

    One thing that's a little irritating, the mem rules are not editable, so you can't even open them to look at the classtypes selected... none of the browsers I've tried with leave the tooltip showing all the classtypes up long enough for me to read them, so it's mouse up, mouse down, mouse up... to read all the classtypes for those three default rules... just a little thing.

#6 Untangle Ninja (joined Feb 2016, 1,135 posts)

    That's true, but none of the default rules execute a block.

    The thing that interests me is this overlap effect. My clean install of the IPS is logging a little over 18000 signatures. By enabling 115 blocks (sticking the ciarmy category in there just to see what happens), I'm picking up blocks for not only the categories specified, but 4% of the blocks currently come from the scan category.

    The point would be, then, to build some data on the broader value of implementing those 115 blocks as a baseline of protection for network situations where that's suitable. It looks like it might help separate the noise from something potentially malicious--a random MSSQL scan versus one from the bad guys, say.

    I'm not saying I know it works that way. I'm saying that it seems evident that blocking three broad categories also picks up some of the other traffic that has a higher probability of actually being malicious. If I'm reading the reporting right.

    EDIT: Keeping in mind that IPS is watching both inbound and outbound traffic. I think that's part of the evaluation and conversation.

    EDIT 2: Putting it in classtype terms, here's an example of this overlap effect. I'll pick two at random from attempted-recon. One is category snmp (not blocked) and one is category scan (blocked). This block event shows up in the block report three times, once under misc-attack (dshield, so likely the source of the block) and twice under attempted-recon, with three different sids. I'm reading that as a low probability of malicious activity for one attempted-recon, and as a potentially higher probability of malicious intent for the other attempted-recon.
    Last edited by Sam Graf; 12-08-2018 at 06:48 PM.

#7 cblaise, Master Untangler (joined Jul 2014, Burlington, VT, 138 posts)

Quote Originally Posted in #5:
One thing that's a little irritating, the mem rules are not editable, so you can't even open them to look at the classtypes selected... none of the browsers I've tried with leave the tooltip showing all the classtypes up long enough for me to read them, so it's mouse up, mouse down, mouse up... to read all the classtypes for those three default rules... just a little thing.
    While they're not editable, you can copy them and edit those copies.

    We'll see if there's a way we can make the mouseover be more helpful.

#8 cblaise, Master Untangler (joined Jul 2014, Burlington, VT, 138 posts)

    Quote Originally Posted by Sam Graf View Post
    The thing that interests me is this overlap effect. My clean install of the IPS is logging a little over 18000 signatures. By enabling 115 blocks (sticking the ciarmy category in there just to see what happens), I'm picking up blocks for not only the categories specified, but 4% of the blocks currently come from the scan category.
    Classtype is the "official" categorization of signatures from Suricata (and snort).

    However, all of the vendors go through the trouble of providing functional groupings called categories like "web server" so that's why we make them available. Some seem to overlap with classtype with names like "exploit" and "malware" but that's how they organize them.

    When in doubt, stick to classtypes. That's what the new "priority" rules use which are recommendations from Emerging Threats.
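
A small model of the overlap effect Sam describes in #4 and #6, together with the category-versus-classtype distinction cblaise draws in #8. This is an added example, not part of the original thread and not Untangle's or Emerging Threats' code. It parses a few constructed Suricata rules, matches constructed flows against them on header fields only, and applies a block policy either by category (as Sam did) or by classtype (as cblaise recommends). Assumptions, all labelled in the code: $HOME_NET is 192.0.2.0/24; a rule's category is the ET .rules file it would ship in (emerging-dshield.rules gives "dshield", and so on); the sids are placeholders in the local 1000000+ range; and the "blocked" report counts a blocked flow under every signature that fired on it, which is one reading of what Sam saw and a model, not Untangle's actual report logic.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the protected LAN that Suricata's $HOME_NET would expand to.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample rules in Suricata syntax. The first element is the ET category,
# taken (as ET does) from the name of the .rules file the signature ships in,
# e.g. emerging-dshield.rules -> "dshield". Sids are in the local (1000000+) range,
# so none of them is a real ET signature.
SAMPLE_RULES = [
    ("dshield",     'alert ip 203.0.113.7 any -> $HOME_NET any (msg:"ET DSHIELD Block Listed Source"; classtype:misc-attack; sid:1000001; rev:1;)'),
    ("ciarmy",      'alert ip 203.0.113.7 any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP"; classtype:misc-attack; sid:1000002; rev:1;)'),
    ("scan",        'alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"ET SCAN MSSQL probe"; classtype:attempted-recon; sid:1000003; rev:1;)'),
    ("snmp",        'alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP public community string probe"; classtype:attempted-recon; sid:1000004; rev:1;)'),
    ("compromised", 'alert ip 198.51.100.9 any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised Host"; classtype:misc-attack; sid:1000005; rev:1;)'),
]

# Constructed flows: a scanner that is on both the dshield and CINS lists, a
# harmless SNMP probe, a known-compromised host, and a plain MSSQL scan.
SAMPLE_FLOWS = [
    {"src": "203.0.113.7",  "dst": "192.0.2.10", "proto": "tcp", "dport": 1433},
    {"src": "203.0.113.50", "dst": "192.0.2.10", "proto": "udp", "dport": 161},
    {"src": "198.51.100.9", "dst": "192.0.2.20", "proto": "tcp", "dport": 1433},
    {"src": "203.0.113.50", "dst": "192.0.2.10", "proto": "tcp", "dport": 1433},
]

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(category, text):
    """Pull the header fields plus msg/classtype/sid out of one Suricata rule line."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, src, _sport, dst, dport, body = m.groups()
    opts = {k: v.strip('"') for k, v in OPTION_RE.findall(body)}
    return {"category": category, "action": action, "proto": proto, "src": src,
            "dst": dst, "dport": dport, "msg": opts["msg"],
            "classtype": opts["classtype"], "sid": int(opts["sid"])}


def load_rules(pairs=SAMPLE_RULES):
    return [parse_rule(category, text) for category, text in pairs]


def _ip_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return addr in HOME_NET
    if spec == "$EXTERNAL_NET":
        return addr not in HOME_NET
    return addr == ipaddress.ip_address(spec)  # single literal address only


def rule_matches(rule, flow):
    """Minimal header match: protocol, destination port, source and destination address.
    Payload content matches are deliberately out of scope for this model."""
    proto_ok = rule["proto"] == "ip" or rule["proto"] == flow["proto"]
    port_ok = rule["dport"] == "any" or int(rule["dport"]) == flow["dport"]
    return (proto_ok and port_ok and _ip_matches(rule["src"], flow["src"])
            and _ip_matches(rule["dst"], flow["dst"]))


def evaluate(flow, rules, block_categories=frozenset(), block_classtypes=frozenset()):
    """Every matching signature is logged; the flow is blocked if any of them belongs
    to a blocked category or carries a blocked classtype."""
    hits = [r for r in rules if rule_matches(r, flow)]
    blocked_by = [r for r in hits
                  if r["category"] in block_categories or r["classtype"] in block_classtypes]
    return {"hits": hits, "blocked": bool(blocked_by), "blocked_by": blocked_by}


def block_report(flows, rules, **policy):
    """Model of a 'top categories (blocked)' report (assumption, not Untangle's code):
    a blocked flow is counted once under every category and classtype that fired on it,
    not only under the one that caused the block."""
    by_category, by_classtype, blocked_flows = Counter(), Counter(), 0
    for flow in flows:
        result = evaluate(flow, rules, **policy)
        if not result["blocked"]:
            continue
        blocked_flows += 1
        for r in result["hits"]:
            by_category[r["category"]] += 1
            by_classtype[r["classtype"]] += 1
    return {"blocked_flows": blocked_flows,
            "by_category": dict(by_category), "by_classtype": dict(by_classtype)}


if __name__ == "__main__":
    rules = load_rules()
    policy = {"block_categories": frozenset({"dshield", "compromised"})}
    first = evaluate(SAMPLE_FLOWS[0], rules, **policy)
    print("flow 0 blocked by sids:", [r["sid"] for r in first["blocked_by"]])
    print("flow 0 also logged under:", [r["category"] for r in first["hits"]])
    print(block_report(SAMPLE_FLOWS, rules, **policy))
```

With only dshield and compromised in the policy, the first flow (one MSSQL probe from a host on the dshield list) is blocked by the dshield signature alone, yet the same flow is also logged under ciarmy and scan because those signatures fired on it too. In the report it therefore shows up under three categories and three sids, which is the pattern Sam saw: one block counted under every signature that matched, not three separate blocks and not a block on ciarmy. Switching the policy to classtype (here misc-attack) blocks the same flow, but now both the dshield and the CINS signature count as blockers, which is why a classtype-based rule set behaves more predictably than picking vendor categories one at a time.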

#9 Untangle Ninja (joined Feb 2016, 1,135 posts)

    Quote Originally Posted by cblaise View Post
    When in doubt, stick to classtypes. That's what the new "priority" rules use which are recommendations from Emerging Threats.
    Good to know. Thank you for the explanation.

    Just to cap off the fun I've been having learning things because the new IPS app has made that possible (maybe I could have done the same things with the old app and was just too old to see it), here's the results of just 15 blocks (by category), using dshield and compromised, and the resulting spillover into two other categories. Plus a couple other reports to put it all into context.

Attached report screenshots:
Intrusion_Prevention-Top_Categories_(blocked)-09.12.2018-1045.png
Intrusion_Prevention-Top_Destination_Port_(blocked)-09.12.2018-1049.png
Intrusion_Prevention-Intrusion_Detection_(all)-09.12.2018-1044.png

    Of course, this is a home network, and this is just (in my opinion) a way to allow me to focus on what passed without worrying that the barn door is wide open to things I haven't thought about or figured out yet. Since IPS is watching outbound traffic, I'm assuming that my 15 blocks are helping isolate any infected machines I might have. Etc. It's a place to start?

    All really to say, this new IPS app still seems like fine work because it better allows a thoughtful, invested novice to productively explore some things.
    Last edited by Sam Graf; 12-09-2018 at 09:05 AM.

#10 cblaise, Master Untangler (joined Jul 2014, Burlington, VT, 138 posts)

    Thanks for the feedback Sam!
