PhenIXUS

[Andre]

So is the level of detection that is the version with fewer false positives than the version of Snort that came with IPCop 1.4.21.
I did the tests here with other rules and everything went right. Thank you!

Now I am studying on the DAQ. Several things have changed.
What about the "flexible response", you have compiled with this feature?

Thanks a lot!

- André

[Andre]

Works! Flexible response is also active.

Thanks a lot!

- André

[Vehrsey]

A experimental Snort-inline add-on is coming soon.

[Andre]

Vehrsey,
This is a excellent idea!
I'm working with a GUI to manage the rules.

I noticed that the idslog.cgi is not displaying the links to the "references".
It would be a bug? I did various tests here with references from bugtraq, cve and other url, but do not appear in the log. Appear as "none found".

Can you test it?

- André Luiz Rodrigues Ferreira

[Vehrsey]

Test - Experimental Snort-inline add-on :

Download Snort-inline Ipcop v2 (Last update 27/04/12)

MD5: d8448c78af457b8023a6fd7b8251f4a8

Snort-inline works with NFQ queue and iptables (see Readme file).
You can go to "Ipcop Firewall Configuration GUI" and add a new rule, you can choice a Interface queue and choose a protocol. A blue icon will appear ...



Exemple:
Open a port tcp 80 (web server) External ----> Red nfqueue ---> LAN, (snort inline Red interface also actived)
---------------
Yes, there is a bug in the reference logs, we can see now the links, ... (investigating - Resolved).

[Vehrsey]

Test - Experimental Snort-inline add-on (Last update : 27/04/12) :

Download Snort-inline add-on Ipcop v2 (Last update 27/04/12)

MD5: d8448c78af457b8023a6fd7b8251f4a8

Added : Nfq for "Port Forwarding", added GUI to manage the snort rules.
Resolved : idslog.cgi references links.

[Andre]

The last installer you posted has a bug. When you enable the module of Snort, it does not start.
It was necessary to create the file "/etc/snort/rules/white_list.rules" and "/etc/snort/rules/black_list.rules".

By the way, I saw you put fields to select the rules. This is great!

I have two suggestions.

1) Set a field to enable the "IPS" mode. By enabling the system would change all the rules of "log or alert" to "drop".

2) What about adding two text fields to edit the whitelist and blacklist?

With this we would have a very powerful IPS.
Please pass me your contacts I would like to chat with you on this best work.

A hug!

Andre L.R.Ferreira

[Vehrsey]

Test - Experimental Snort-inline add-on (Last update : 27/04/12) :

Download Snort-inline add-on Ipcop v2

MD5: d8448c78af457b8023a6fd7b8251f4a8

Added : Snort mode, IDS or IPS with automatic update alert <--> drop rules.
Added : IP blacklist/whitelist rules.

See first page forum for last updates.

[jibe]

Salut,

Ce sujet devenant très long, il serait peut-être intéressant d'en faire un bref résumé que tu maintiendrais à jour au fur et à mesure (en particulier pour les liens de téléchargement).

Peut-être pourrais-tu le faire en une autre couleur (bleu par ex., éviter le vert dont se servent les modos), ce qui le différencierait bien du contenu de ton premier post

En tous cas, merci pour ta participation : c'est exactement ce qu'on aime trouver dans Ixus

[Vehrsey]

Salut,

je me demandais si il y avait la possibilité de faire des mise à jour automatique des règles snort ?

via un add on ?

Merci

Le voici :

Download - automatique update snort rules - (dernière mise à jour au 10/12/12).

.