Forums

Resolved
0 votes
Hi,

I am using ClearOS 7.5 Home, and I have IDS and the Rule updates both installed.
With a client PC behind the gateway, I was trying to use some online websites to test if the IDS is triggered (there are a few "testmyids" website), but with all those I tried, they never triggered any alerts in the router webpage, nor anything was logged in the event logger.

Also, some website also said the test package was permitted, rather than dropped as one would expect from a working IDS system.

May I know if there is a way you can share to check if IDS is working with my ClearOS router?
Monday, April 22 2019, 03:17 AM
Share this post:
Responses (5)
  • Accepted Answer

    Wednesday, April 24 2019, 09:22 AM - #Permalink
    Resolved
    0 votes
    I can't really say which rules to check as the IDS also protects traffic to your LAN so it *may* be a good idea to have, for example, "Microsoft ActiveX exploits" enabled and other like "Trojan detection".

    I have converted some rule sets like "Compromised systems" to ipset firewall rules as the firewall with ipset uses much less resources to block than the IDS (snort) does
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, April 23 2019, 10:07 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    The useful logs are in /var/log/snort/syslog. This app is not the most intuitive and GPL rules are enabled in Webconfig > Gateway > Intrusion Prevention > Intrusion Detection System and the IDS updates in Webconfig > Cloud > Updates > IDS Signatures. Note the IDS is quite processor intensive and it is best to only enable rules where you have services which are exposed to the internet.

    I don't get any response from your test sites but I have a limited number of rules enabled. I do get responses to other rules.


    Thanks for the check.
    I am new to using IDS so I wasn't sure what to expect, but if you don't get a response to the test sites, it may just be the configuration somewhere and may not be important.

    Looking at the logs, I do see a huge amount of results regarding different events just within today, e.g.
    -Telnet attempted
    -ET SCAN Sipvicious Scan
    and so on, so I guess the IDS is indeed functionning.

    Regarding which service to monitor, lately I pass almost everything through OpenVPN, so the only firewall port opened is 5100 which links to a https server,
    where I host a Jupyter notebook server.
    May I know if this is the case, should I just check the box for web_server under both IDS related modules?
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, April 23 2019, 08:57 PM - #Permalink
    Resolved
    0 votes
    The useful logs are in /var/log/snort/syslog. This app is not the most intuitive and GPL rules are enabled in Webconfig > Gateway > Intrusion Prevention > Intrusion Detection System and the IDS updates in Webconfig > Cloud > Updates > IDS Signatures. Note the IDS is quite processor intensive and it is best to only enable rules where you have services which are exposed to the internet.

    I don't get any response from your test sites but I have a limited number of rules enabled. I do get responses to other rules.
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, April 23 2019, 07:31 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Can you link me to some of the sites you've used for testing? The basic IDS only comes with GPL rules and they are old. You either need to integrate something like the Emerging Threats rules or purchase the IDS updates to get a more current set of rules. There is a script in the forum somewhere which allows you to integrate the ET rules.

    The GPL rules have no "drop" rules, only detection rules, so even if it finds something it will only report on it and not stop it. The Clearcenter IDS Updates and ET rules both have blocking rules.

    If one of your test packages was the EICAR virus test, if you download through ClearOS with https, using the content filter in transparent mode, then ClearOS cannot block them as it cannot intercept https traffic.


    Hello Nick,

    I got the ClearOS 7.5 Home version and I installed these two modules:
    -Intrusion Detection System
    -IDS Signatures
    And they are enabled and I checked all boxes.

    To test it, from a computer sitting behind the gateway, I was just googling and found a few test sites, one of them was
    http://testmyids.ca/
    which, if I understand it correctly, on browsing it should trigger the IDS.
    However, looking at the events log of the webconfig later it didn't seem to suggest any detection.
    Nor I was blocked from browsing the site.

    Other sites I also tried include:
    https://evebox.org/files/testmyids.com
    http://www.testmyids.com/
    But it didn't seem to report anything on the webconfig page.

    It can also be I am looking at the wrong spot, it will be great if you can let me know where to check the log.
    Also, I would like to config it such that it will block but not just detect.
    As for content filter, while it is also installed and enabled, I left it as default and never set it up.
    Please let me know if anything need to be checked in that module.
    The reply is currently minimized Show
  • Accepted Answer

    Monday, April 22 2019, 07:15 PM - #Permalink
    Resolved
    0 votes
    Can you link me to some of the sites you've used for testing? The basic IDS only comes with GPL rules and they are old. You either need to integrate something like the Emerging Threats rules or purchase the IDS updates to get a more current set of rules. There is a script in the forum somewhere which allows you to integrate the ET rules.

    The GPL rules have no "drop" rules, only detection rules, so even if it finds something it will only report on it and not stop it. The Clearcenter IDS Updates and ET rules both have blocking rules.

    If one of your test packages was the EICAR virus test, if you download through ClearOS with https, using the content filter in transparent mode, then ClearOS cannot block them as it cannot intercept https traffic.
    The reply is currently minimized Show
Your Reply