IPS randomly stopping working without an alert?

[ntguru]

I have a modest Untangle setup at home that is giving me issues. I'm running on a U25 appliance and the load is very low. Untangle is running in routed/NAT mode and has one inbound port forward set up. I have IPS enabled and set to scan after other network processing. My first rule is a custom rule to block ciarmy and dshield known bad addresses. I have low, medium and high memory set to Recommended action.

Normally, the daily reports/IPS reliably shows a half dozen +/- incoming attempts on the open port blocked by IPS. After some period of time--probably several weeks--these daily reports will show no IPS activity. If I reboot the U25, the usual incoming blocks start showing back up.

My question is two fold. First, is this failure just the reporting or the IPS itself? Second, how can I resolve this, particularly if the IPS itself is failing?

[Sam Graf]

I can't exactly answer your question, but I can confirm an aspect of your experience. The hardware is a u25xw. I installed IPS, set it to scan after other processing, and imported a set of rules. The report was empty the next day. I figured my import must have buggered something up so I removed IPS and reinstalled it. Again I set it to scan after but I left the rule selection alone and decided to build a set from scratch after I could study the report. Yet the report remained blank.

So I changed the scan setting back to the default before other processing and went back to the reports. Now things started to show up but they looked very much like a scan after report. I did a quick block rule for the dshield, compromised, and ciarmy categories and have been watching it. So far the report shows activity right up to date and the blocks are being reported but it still looks like a scan after report.

So as to the first part of your question, my instinct is that IPS is failing. I say that because it started showing results after I changed the scan option.

[ntguru]

San, have you tried rebooting your U25x?

I also think the IPS itself is failing, not just the reporting.

[Sam Graf]

I haven't tried rebooting yet (I did see your suggestion in the other thread). I'm going to try to spend a little more time trying to understand what's going on before I do anything like rebooting.

Part of my puzzlement is that my home Untangle has so far (knock on wood ) exhibited none of this behavior. Just the business one. But then, the home Untangle has been running IPS for months. I dunno...

[ntguru]

What HW is your home untangle running? Does it have inbound port forwards?

[Sam Graf]

Home is running on a Dell OptiPlex GX270 (PC). No port forwards on either machine.

[Sam Graf]

I also think the IPS itself is failing, not just the reporting.

So what's next? We have three reports of unexpected IPS behavior (including docfuz). How do we test this further? Or have we already adequately identified and described a fairly serious bug?

[ntguru]

That's why I was posting.... I was hoping someone from Untangle or one of the Untangle experts would see this and post. I imagine there must be log files somewhere outside the normal UI that might shed light on what's going on?

[Sam Graf]

Yeah. And that's why I was sneakily bumping...

What do you think, jcoffin? Anything we can do to add information?

[Sam Graf]

A bit more information. I'll include a bit of report data to illustrate what I'm seeing.

Attachment 9870

The rule IDs don't, in my view, reflect the "noise" I'm familiar with in the "scan before" type of traffic, yet IPS is set at "scan before." The zero traffic period starting at 7:11 reflects a change from "scan before" to "scan after," which in the past ended in a blank report. It's my thought that the cessation of activity for several minutes starting at 7:11 isn't because there is none (activity is zero for hours if I leave the setting at "scan after") but because IPS has stopped working. Switching back to "scan before" restarts things, but I don't think this is actually "scan before" traffic. In any case, my home Untangle is reporting very similar things at "scan after."

Attachment 9871

So I think there is something wrong with IPS, something related to the scan setting. I'd appreciate the opportunity to supply more information or even turn the box over to support without starting a ticket, so others who have reported odd IPS behavior here could get a sense of what's going on.