    Suricata IDS and IPS
anx

      Hi guys,

How do I check whether the IDS is actually working? I have installed pfBlockerNG to block ads only.

Since then, I don't see any IDS alerts. Hmm.

DaddyGo

        Hi,

If you have the ability to run a Kali Linux virtual machine (or native), you will find all the tools for the different tests.
I hope you meant pfBlockerNG-devel.

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

anx

          @DaddyGo said in Suricata IDS and IPS:

          pfBlockerNG -devel

          Yes, Devel version.

OK, will try with Kali. Thanks.

bmeeks @anx

            @anx said in Suricata IDS and IPS:

            @DaddyGo said in Suricata IDS and IPS:

            pfBlockerNG -devel

            Yes, Devel version.

OK, will try with Kali. Thanks.

            If you have put Snort or Suricata on your LAN, you will need to direct your Kali machine towards that interface.

With a properly tuned IDS you actually don't want to see any alerts as a normal thing. A few alerts now and then is what you would expect. For example, on my LAN my most recent Snort alerts are from April 30th of this year, and those were two HTTP_INSPECT preprocessor rules that my and my wife's iPhones triggered. I run the IPS Balanced policy on my LAN along with a handful of the ET Open categories.

            Because I frequently need data to test with, I also run a Snort instance on my WAN and use a pair of ET Open "known bad IP address" categories enabled there purely to generate alerts for research. I run the Emerging CIARMY and Emerging DSHIELD categories on my WAN to generate that testing data. These two categories are actually just lists of IP addresses from known bad actors. They generate several hundred alerts per day on my WAN from the random Internet "noise" that is always there due to bots scanning for open ports and such.

anx
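The distinction bmeeks draws above (a tuned LAN sensor that is rightly quiet versus a WAN sensor running ET Open reputation lists that should be noisy every day) can be checked directly from Suricata's eve.json. This is an added example of my own, not code from anyone in this thread or from the Suricata or pfSense projects; the log lines, interface names (igb0 as WAN, igb1 as LAN) and sids are constructed.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed eve.json excerpt in Suricata's record shape; hosts, sids and
# timestamps are made up for this example and do not come from a real sensor.
# The last line is deliberately truncated, as log rotation can leave it.
SAMPLE_EVE = """\
{"timestamp":"2020-04-30T08:12:01.000000+0000","event_type":"alert","in_iface":"igb1","src_ip":"192.168.1.20","dest_ip":"203.0.113.10","alert":{"signature_id":9000001,"signature":"SURICATA HTTP unable to match response to request","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2020-05-02T11:03:44.000000+0000","event_type":"flow","in_iface":"igb1","src_ip":"192.168.1.20","dest_ip":"203.0.113.10"}
{"timestamp":"2020-05-03T02:15:09.000000+0000","event_type":"alert","in_iface":"igb0","src_ip":"198.51.100.7","dest_ip":"203.0.113.2","alert":{"signature_id":9000002,"signature":"ET CINS Active Threat Intelligence Poor Reputation IP","category":"Misc Attack","severity":2}}
{"timestamp":"2020-05-03T02:16:40.000000+0000","event_type":"alert","in_iface":"igb0","src_ip":"198.51.100.9","dest_ip":"203.0.113.2","alert":{"signature_id":9000003,"signature":"ET DROP Dshield Block Listed Source","category":"Misc Attack","severity":2}}
{"timestamp":"2020-05-03T02:17:00.000000+0000","event_type":"alert","in_iface":"igb0","src_ip":"198.51.100.9","dest_ip":"203.0.113.2","alert":{"signature_id":9000003,"signature":"ET DROP Dshield Block Listed Source","category":"Misc Attack","severity":2}}
{"timestamp":"2020-05-03T02:17:30.00"""


def parse_alerts(eve_text):
    """Keep only event_type == "alert" records; flow/dns/etc. and malformed lines are skipped."""
    alerts = []
    for line in eve_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or empty line is not a reason to abort the check
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def alert_time(rec):
    """Suricata writes microsecond timestamps with a +HHMM offset."""
    return datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def summarize(alerts):
    """Alert count per (interface, signature); reputation-list hits should dominate the WAN."""
    return Counter((a.get("in_iface", "?"), a["alert"]["signature"]) for a in alerts)


def newest_alert(alerts, iface):
    """Newest alert timestamp on an interface, or None if it has never alerted."""
    times = [alert_time(a) for a in alerts if a.get("in_iface") == iface]
    return max(times) if times else None


def sensor_status(alerts, iface, now, expected_daily):
    """A silent interface is only 'quiet' when no alerts are expected (tuned LAN);
    when reputation lists should fire daily (WAN), silence suggests the sensor
    or its rules are not loaded, so it is reported as 'suspect'."""
    newest = newest_alert(alerts, iface)
    if newest is not None and now - newest < timedelta(days=1):
        return "alerting"
    return "suspect" if expected_daily > 0 else "quiet"
```

On pfSense the live file is under /var/log/suricata/suricata_<iface><uuid>/eve.json; the functions accept the file contents as one string.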

              Hi Guys

Is there any way that, when pfBlockerNG-devel blocks a website, it actually blocks it with some information that it was blocked by it, instead of saying the SSL is invalid? Thanks.
(attached image: Pfblocker.PNG)

DaddyGo

                @anx said in Suricata IDS and IPS:

Hi Guys
Is there any way that, when pfBlockerNG-devel blocks a website, it actually blocks it with some information that it was blocked by it, instead of saying the SSL is invalid? Thanks.

It is included in the name, "advertising".
Have you activated the AD block list?

SSL:
(attached image)

bmeeks @anx

                  @anx said in Suricata IDS and IPS:

Hi Guys

Is there any way that, when pfBlockerNG-devel blocks a website, it actually blocks it with some information that it was blocked by it, instead of saying the SSL is invalid? Thanks.
(attached image: Pfblocker.PNG)

                  You will get more responses and better answers to pfBlockerNG questions by posting your question over in the pfBlockerNG forum here: https://forum.netgate.com/category/62/pfblockerng.

anx

Yes, and I am happy to block it. But rather than an invalid SSL error, it would be nice to have information that pfBlockerNG blocked the ad. I see that the blocker replaced the cert? (attached image: Tools.PNG)

DaddyGo @anx

                      @anx

Exactly:
(I know you love to learn; this is an older post (thread), but worth reading)
                      https://forum.netgate.com/topic/147785/pfblockerng-devel-dnsbl-cert-error

                      Reddit threads as well, if it is possible

Edit:
BTW: follow @bmeeks Bill's advice. If your question falls into this group (category) and you'd like to get to know pfBlockerNG, there are good professionals here. 😉

                      https://forum.netgate.com/category/62/pfblockerng.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.