How do you know if Intrusion Prevention is working?

[Rumboogy]

I am new to Untangle NG and am trying it out on some old hardware before I commit. My previous firewall had an IPS based on Suricata which I think is the same engine used by Untangle NG. In that device, it would flag if I used the Tor Browser. So after enabling Intrusion Prevention on the Untangle NG I opened Tor and browsed a site. After looking through the Intrusion Prevention Reports I find no sign of this activity. I searched the signatures for "tor" and found many familiar Tor focused entries as I had in my previous firewall's IPS. Also verified that these signatures have "Rule action" set to "Log". So why don't I see anything in the report?

Also, is there a standard (and safe) way to test one's Intrusion Prevention capabilities? Its easy enough to test web filtering and other things but IPS seems more difficult to test.

[WebFooL]

Hi Rumboogy,

Welcome to the forums!
What Rules/Signatures have you enabled in your IPS application?

And you might also look at Application control where you can enable flag on "TOR".

[Rumboogy]

Thanks for the welcome. Excited to try out this firewall!

I am using the "Intrusion Prevention" package as it comes when freshly installed (did not make any changes). It seems to have the same Emerging Threat group of signatures that my previous firewall had. If I search for "tor" under signatures it finds over 2000 hits. Here is an example of one rule: "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 670". These signatures look similar to the ones in the previous firewall's (Synology RT2600ac) IPS which, as I mentioned, would flag the use of the Tor Browser by clients on the LAN.

[WebFooL]

Have you read the wiki page for "Intrusion Prevention"?
https://wiki.untangle.com/index.php/...ion_Prevention

It describes how UT has implemented it.

[Rumboogy]

Have not read it yet, but am getting to it.