  1. #1
    Newbie maconulaff's Avatar
    Join Date
    Feb 2011
    Location
    Wisconsin USA
    Posts
    12

    Question after attending "Tech Talks: Intrusion Prevention"

    I admit it. I played around setting custom action settings in a number of signatures before attending the seminar and learning more about using the rules to handle this. Is there an easy way to reset IPS to the Untangle defaults?

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,400


    Quote Originally Posted by maconulaff View Post
    I admit it. I played around setting custom action settings in a number of signatures before attending the seminar and learning more about using the rules to handle this. Is there an easy way to reset IPS to the Untangle defaults?
    All Untangle modules can be reset using the exact same method, click the remove button at the bottom of the module's settings, and reinstall it.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Newbie maconulaff's Avatar
    Join Date
    Feb 2011
    Location
    Wisconsin USA
    Posts
    12


    Thanks - did not know if it would retain settings or not. I appreciate the fast response!

  4. #4
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,325


    Remember though, nothing you do actually changes the in-built signatures; all you can do is create rules to affect their actions, so you can go back to default actions merely by deleting any rules you've added. Likewise, if you add your own signatures, they will all have "Custom signature" set to True, so you can easily filter the signature list and modify/delete your signatures without having to hunt them down.

  5. #5
    Master Untangler
    Join Date
    Mar 2017
    Posts
    189


    Since I've got a question or two after having watched the webinar video, I thought not to open another thread. Ok, here they go:

    - would it be possible in future updates to add source and destination interface conditions? I'm a Home user, behind NAT and with just 0-1 port forwards. I don't really care that much about INGRESS traffic, as much as I'd love to inspect the EGRESS one. I'd like to log and in some instances block anomalies originating in (hopefully not) already compromised nodes of the network. In this case, since most signatures are oriented on INGRESS traffic, perhaps most Variables should be flipped, too [though some signatures are already for internal compromised/outbound traffic/etc. - yes, they are a mess]?

    EDIT: After tens and tens (hundreds!?) of rules reading, Suricata would probably need to be doubled with some sort of startup module that can parse variables so to flip the internal/external values. So perhaps I'll just choose the existing signatures that specifically target outbound traffic, but it would be nice to set interface Conditions anyway...

    (perhaps the next one is relevant only if/when the first one will be implemented)
    - if I wanted to bypass all the traffic from one internal host, would it be sufficient to set a Condition with the right source address and the Action to disabled? Should I add a wildcard in a Category/Classtype/Message to achieve that?

    Thank you.
    Last edited by docfuz; 12-19-2018 at 12:53 PM.
    Happily untangling the average household: 20-25 active devices, 13 racks, each with 3 - 8 apps, OpenVPN 1 in, TunnelVPN 3 out, IPS on. Spice it up with VLANs and mix with tons of rules.

  6. #6
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747


    Quote Originally Posted by docfuz View Post

    (perhaps the next one is relevant only if/when the first one will be implemented)
    - if I wanted to bypass all the traffic from one internal host, would it be sufficient to set a Condition with the right source address and the Action to disabled? Should I add a wildcard in a Category/Classtype/Message to achieve that?

    Thank you.
    No, unfortunately these rules are run on signatures to figure out which signatures are enabled (and what they do).
    The rules aren't run on sessions to figure out which sessions to scan, so there is no way to differentiate how traffic is treated in rules. They purely run on the signatures. The traffic processing is handled exclusively from within suricata.

    You could "bypass" the traffic - suricata doesn't scan bypassed packets, but of course that means you exempt it from everything else too.

    We could add a way to "exempt" certain traffic just from suricata, but that wouldn't give you separate configs, it would still just be all or nothing, but just for suricata.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  7. #7
    Master Untangler
    Join Date
    Mar 2017
    Posts
    189


    Quote Originally Posted by dmorris View Post
    No, unfortunately these rules are run on signatures to figure out which signatures are enabled (and what they do).
    The rules aren't run on sessions to figure out which sessions to scan, so there is no way to differentiate how traffic is treated in rules. They purely run on the signatures. The traffic processing is handled exclusively from within suricata.

    You could "bypass" the traffic - suricata doesn't scan bypassed packets, but of course that means you exempt it from everything else too.

    We could add a way to "exempt" certain traffic just from suricata, but that wouldn't give you separate configs, it would still just be all or nothing, but just for suricata.
    OK, got it. Since I was thinking about turning it on and off when I need my notebook to do network tests for work, I can put it in a bypass rule in the Config section. That will be fine.

    Since all is processed inside suricata itself there's no easy way to tell it to listen only on outbound traffic on a specific interface, so I think I'll probably stick to specific signatures for compromised hosts, exploit targets and outbound and see how it goes while testing vulnerabilities on some internal virtual machine.
    Happily untangling the average household: 20-25 active devices, 13 racks, each with 3 - 8 apps, OpenVPN 1 in, TunnelVPN 3 out, IPS on. Spice it up with VLANs and mix with tons of rules.
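The approach docfuz settles on in posts #5 and #7 (pick only the signatures that specifically target outbound traffic, since the IPS rules act on signature attributes rather than on sessions) comes down to reading the direction out of each Suricata rule header. The following Python script is an added example, not code from the thread, from Untangle, or from Suricata: it parses the fixed part of a rule header (`action proto src sport -> dst dport (options)`), classifies each signature as outbound (`$HOME_NET -> $EXTERNAL_NET`), inbound, bidirectional (`<>`) or unspecified, and returns the SIDs per direction. The rule lines, their messages and SIDs in the 9000000 range are constructed for the demo; the helper names are my own.

```python
import re
from dataclasses import dataclass

# Suricata rule header: action proto src sport dir dst dport (options)
# Address lists like [$HOME_NET,10.0.0.0/8] match \S+ as long as they
# contain no spaces; multi-line or exotic rules are skipped, not parsed.
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')


@dataclass
class Rule:
    sid: int
    msg: str
    src: str
    dst: str
    direction: str  # "outbound", "inbound", "bidirectional" or "unspecified"


def _role(addr: str) -> str:
    """Map a header address field to the side of the network it names."""
    a = addr.strip()
    if a == "$HOME_NET":
        return "home"
    # Rulesets commonly define EXTERNAL_NET as !$HOME_NET, so treat the
    # literal negation the same way as the variable.
    if a in ("$EXTERNAL_NET", "!$HOME_NET"):
        return "external"
    return "other"  # "any", a literal CIDR, or a mixed list


def classify(src: str, dst: str, op: str) -> str:
    """Direction of a signature relative to HOME_NET/EXTERNAL_NET."""
    if op == "<>":
        return "bidirectional"
    s, d = _role(src), _role(dst)
    if s == "home" and d == "external":
        return "outbound"
    if s == "external" and d == "home":
        return "inbound"
    # e.g. "$HOME_NET -> any" also matches purely internal traffic
    return "unspecified"


def parse_rules(text: str) -> list:
    """Parse single-line Suricata rules; comments and blanks are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            continue
        sid_m = SID_RE.search(m["opts"])
        if not sid_m:
            continue  # every valid rule carries a sid; skip the rest
        msg_m = MSG_RE.search(m["opts"])
        rules.append(Rule(
            sid=int(sid_m.group(1)),
            msg=msg_m.group(1) if msg_m else "",
            src=m["src"],
            dst=m["dst"],
            direction=classify(m["src"], m["dst"], m["dir"]),
        ))
    return rules


def sids_by_direction(text: str, direction: str) -> list:
    """SIDs of all rules whose classified direction matches."""
    return [r.sid for r in parse_rules(text) if r.direction == direction]


# Constructed sample ruleset (hypothetical sids/messages, not from any feed)
SAMPLE_RULES = """
# constructed demo rules
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"CONSTRUCTED outbound to uncommon port"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED inbound ssh probe"; sid:9000002; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"CONSTRUCTED dns query from home net"; sid:9000003; rev:1;)
alert tcp any any <> any any (msg:"CONSTRUCTED bidirectional content match"; sid:9000004; rev:1;)
alert udp !$HOME_NET any -> $HOME_NET 161 (msg:"CONSTRUCTED snmp from outside"; sid:9000005; rev:1;)
"""

if __name__ == "__main__":
    for r in parse_rules(SAMPLE_RULES):
        print(f"{r.sid}  {r.direction:<13} {r.src} -> {r.dst}  {r.msg}")
    print("egress-only candidates:", sids_by_direction(SAMPLE_RULES, "outbound"))
```

Run it against an exported ruleset instead of the sample text and the "outbound" list is the set of signatures worth keeping enabled for egress monitoring; the "unspecified" bucket (`$HOME_NET -> any` and similar) is the one to review by hand, since it fires on internal traffic as well. As dmorris explains above, the resulting SIDs still only drive which signatures are active and what they do; they cannot restrict which sessions Suricata inspects.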

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,400


    Quote Originally Posted by dmorris View Post
    We could add a way to "exempt" certain traffic just from suricata, but that wouldn't give you separate configs, it would still just be all or nothing, but just for suricata.
    This would be a welcome feature.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
