  1. #1
    Untanglit
    Join Date
    Mar 2018
    Posts
    15

    How to change the action of a Signature?

    So I have set up Intrusion Prevention, and it has begun blocking things. Cool. So now I'm trying to dig in and disable signatures that are causing false positives. However, the Edit button next to the signatures is greyed out and cannot be clicked.

    What is the proper way of doing this?

  2. #2
    Untanglit
    Join Date
    Mar 2018
    Posts
    15

    OOOOOOOOH, I get it. You don't edit the signatures, you create rules based on the signatures! Freaking brilliant! Seriously...that is awesome.

  3. #3
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,673

    Use rules to change the action of rules.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Untanglit
    Join Date
    Mar 2018
    Posts
    15

    However, I do have Untangle running in bridge mode behind my pfSense firewall, so I do have some more questions.

    1. How do I actually KNOW something is being blocked? I ask because despite the VERY long "Blocked Events" report, I have not managed to lose connection to any of my servers...which just seems odd. Normally when I configure IPS in pfSense, I'm constantly blocking myself out of things for at least a week until I tune the false positives.

    2. How do I get the IPS to ignore traffic within my network? I'm seeing a TON of entries in the blocked events report where the source and destination are both devices on my LAN. I tried creating a rule where "Source Address" and "Destination Address" both contain "172.17.89." then Disable. But I don't think it did anything, as my Report is still getting flooded.

  5. #5
    Untanglit
    Join Date
    Mar 2018
    Posts
    15

    I created a rule to disable the signature with "GPL MISC UPnP malformed advertisement", however I still see this signature in the report nonstop.

  6. #6
    Untanglit
    Join Date
    Mar 2018
    Posts
    15

    I just realized that every single "GPL MISC UPnP malformed advertisement" message I was getting in the log was from the same source IP on my LAN. So the rule to disable that signature should have worked, but it didn't. So then I created a bypass rule for that IP and it's still being "blocked" according to the log for IPS.

    I'm supposed to be buying a license for Untangle to deploy at work on Tuesday, but now I'm getting very concerned if this is even working at all. I have triple and quadruple checked all my rules, I have read the wiki, I even watched the presentations on YouTube, and not a single one of my rules is being adhered to. Including the Application Control rule to tag any traffic to CrashPlan. I currently have a system backing up right now, and it's NOT being tagged.

  7. #7
    Master Untangler
    Join Date
    Oct 2017
    Posts
    100

    I’m having the same issue with my OpenDNS updater. IPS is blocking it under SID 2023472 policy violation. I put a rule to disable it but it doesn’t disable it. There is no box to uncheck the block action. Any ideas?
