#1 Rumboogy, Untanglit (Join Date: Nov 2017, Location: Silicon Valley, Posts: 28)

    How do you know if Intrusion Prevention is working?

    I am new to Untangle NG and am trying it out on some old hardware before I commit. My previous firewall had an IPS based on Suricata which I think is the same engine used by Untangle NG. In that device, it would flag if I used the Tor Browser. So after enabling Intrusion Prevention on the Untangle NG I opened Tor and browsed a site. After looking through the Intrusion Prevention Reports I find no sign of this activity. I searched the signatures for "tor" and found many familiar Tor focused entries as I had in my previous firewall's IPS. Also verified that these signatures have "Rule action" set to "Log". So why don't I see anything in the report?

    Also, is there a standard (and safe) way to test one's Intrusion Prevention capabilities? It's easy enough to test web filtering and other things, but IPS seems more difficult to test.
    Last edited by Rumboogy; 09-08-2020 at 02:23 AM.
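An added example, not from this thread or from Untangle, of one way to answer the question from the engine's side: read the Suricata alert log and check whether any "ET TOR" signature actually fired for a given LAN client. It assumes the IPS writes Suricata's EVE JSON format (eve.json) and that you can read that file; the log lines, IP addresses and signature IDs below are constructed placeholders.

```python
import json
from collections import Counter

# Constructed Suricata EVE JSON lines (not a real capture; sids and IPs are placeholders).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2020-09-08T02:10:01+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"dest_ip":"198.51.100.7","dest_port":9001,"proto":"TCP","alert":{"action":"allowed",'
    '"signature_id":9000670,"signature":"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 670",'
    '"category":"Misc Attack","severity":2}}',
    '{"timestamp":"2020-09-08T02:10:02+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.9"}',
    'this line is not json and must be skipped',
    '{"timestamp":"2020-09-08T02:10:03+0000","event_type":"alert","src_ip":"10.0.0.9",'
    '"dest_ip":"203.0.113.4","dest_port":80,"proto":"TCP","alert":{"action":"blocked",'
    '"signature_id":9000001,"signature":"ET INFO Example Non-Tor Signature (constructed)",'
    '"category":"Misc activity","severity":3}}',
]


def parse_alerts(lines):
    """Return the alert records from EVE JSON lines, skipping other event types and bad lines."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # truncated or rotated lines are common; do not abort on them
        if rec.get("event_type") == "alert" and "alert" in rec:
            alerts.append(rec)
    return alerts


def ips_activity(lines, client_ip, prefix="ET TOR"):
    """Summarise what the IPS recorded for one LAN client.

    A signature whose rule action is only 'Log' appears with alert.action == 'allowed';
    a blocking signature appears with 'blocked'. No record at all means the signature
    never matched that client's traffic (or the traffic was never inspected).
    """
    alerts = [a for a in parse_alerts(lines) if a.get("src_ip") == client_ip]
    matched = [a for a in alerts if a["alert"]["signature"].startswith(prefix)]
    return {
        "alerts": len(alerts),
        "matched": len(matched),
        "actions": dict(Counter(a["alert"]["action"] for a in matched)),
        "signatures": sorted({a["alert"]["signature"] for a in matched}),
    }


if __name__ == "__main__":
    # To check a live log, replace SAMPLE_EVE_LINES with open("/path/to/eve.json").
    print(ips_activity(SAMPLE_EVE_LINES, "10.0.0.5"))
```

If the client's Tor session produces no "ET TOR" alert record even though the signatures are enabled, the signature never matched, so the next thing to verify is that the client's traffic actually passes through the inspected interface.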

#2 WebFooL, Untangle Ninja (Join Date: Jan 2009, Location: Sweden (Eskilstuna), Posts: 5,049)

    Hi Rumboogy,

    Welcome to the forums!
    What Rules/Signatures have you enabled in your IPS application?

    And you might also look at Application control where you can enable flag on "TOR".

#3 Rumboogy, Untanglit (Join Date: Nov 2017, Location: Silicon Valley, Posts: 28)

    Thanks for the welcome. Excited to try out this firewall!

    I am using the "Intrusion Prevention" package as it comes when freshly installed (did not make any changes). It seems to have the same Emerging Threat group of signatures that my previous firewall had. If I search for "tor" under signatures it finds over 2000 hits. Here is an example of one rule: "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 670". These signatures look similar to the ones in the previous firewall's (Synology RT2600ac) IPS which, as I mentioned, would flag the use of the Tor Browser by clients on the LAN.
    Last edited by Rumboogy; 09-08-2020 at 09:59 AM.

#4 WebFooL, Untangle Ninja (Join Date: Jan 2009, Location: Sweden (Eskilstuna), Posts: 5,049)

    Have you read the wiki page for "Intrusion Prevention"?
    https://wiki.untangle.com/index.php/...ion_Prevention

    It describes how UT has implemented it.

#5 Rumboogy, Untanglit (Join Date: Nov 2017, Location: Silicon Valley, Posts: 28)

    Have not read it yet, but am getting to it.
