Alex Sung
Hi All,

I am pretty new to ClearOS, so please bear with me if I ask silly questions.

Some background on me
I have been using Untangle UTM as a home user for the past 5 years and decided to let it go because the box was hacked and used for malicious purposes, such as storage of files, during Dec 2019. I believe none of my data was stolen because I have my router's VPN tunnel through it.

Queries
1. Currently I am on a 30-day evaluation of Home Essential with the latest version 7 and would like to have the queries below answered before I make a 3-year purchase.
2. The IDS signatures are able to update daily.
https://ibb.co/F8drQtx
3. I have tested the IDS with the links below.
http://www.testmyids.com/
http://testmyids.ca/
4. Snort syslog shows the intrusion for the IDS links provided.
https://ibb.co/VwTcv3f
5. I am aware that the Snort rules have not been updated since 2015. Will the rules be updated once I have purchased the service for 3 years?

https://ibb.co/3CSYkFL
6. If I purchase the 3 years, will the IPS be able to trigger the drop / block list? The reason for my query is that I did a test with the IDS link, and the log shows the intrusion but it was not blocked.
https://ibb.co/M5rqQ1V

All input / help will be very much appreciated.
Tuesday, May 19 2020, 10:21 AM

Accepted Answer

Tuesday, May 19 2020, 03:10 PM
1 - I've never seen it updated. It uses rules released under the GPL licence and, if anything, some of these were removed a few years ago when they were removed from the GPL.
2 - That is command line stuff to look for the file containing the signature definition.
3 - Yes I was referring to that, and no, it is a ClearOS rule set compiled from a number of sources.
Responses (2)
  • Accepted Answer

    Tuesday, May 19 2020, 12:10 PM
    To get the IDS updates you need a Home subscription or Business Silver/Gold/Platinum or you can purchase the updates separately.
    IDS updates are not daily. They are roughly weekly but ClearOS will check every day to see if there are any updates.
    Not all rules produce blocks. Probably most don't and are advisory only. You can check by taking the rule number, e.g. 2016150, then doing:
    grep 2016150 /etc/snort.d/* -r
    If the rule has "fwsam" in it, it is a blocking rule. This one is not.
    I can assure you the blocks do work. I often have to remote in to customers, and if they request help and then forget to open the SSH port while they are running the IDS/IPS, invariably I get banned and have to try coming in from another address after they unblock the firewall.
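The grep check from the answer above, as an added shell helper (example code, not ClearOS's own): it looks up a rule by SID under /etc/snort.d and reports whether the rule text carries the "fwsam" option (blocking) or not (advisory only). The sample rule file, the SIDs and the fwsam argument syntax are constructed so the script runs offline.

```shell
#!/bin/sh
# Added helper (not part of ClearOS): automate the "does this rule contain fwsam?" check.
# A Snort rule under /etc/snort.d with the "fwsam" option is a blocking rule;
# one without it only raises an alert. Sample rules and SIDs below are constructed.

RULES_DIR="${RULES_DIR:-/etc/snort.d}"

# rule_action SID [DIR]: print "blocking", "advisory" or "missing" for a rule SID.
# Matching "sid:<num>;" instead of the bare number avoids hits on unrelated fields
# (an assumption about rule layout; the answer simply greps the bare number).
rule_action() {
  sid="$1"
  dir="${2:-$RULES_DIR}"
  matches=$(grep -r -h "sid:[[:space:]]*${sid};" "$dir" 2>/dev/null || true)
  if [ -z "$matches" ]; then
    echo missing
    return 1
  fi
  if printf '%s\n' "$matches" | grep -q 'fwsam'; then
    echo blocking
  else
    echo advisory
  fi
}

# make_sample_rules: write two constructed rules to a temp directory and print its path.
make_sample_rules() {
  dir=$(mktemp -d)
  cat > "$dir/sample.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED ssh probe"; flow:to_server; fwsam: src, 1 hour; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED advisory only"; content:"uid=0(root)"; sid:9000002; rev:1;)
EOF
  echo "$dir"
}

# Stand-alone demo (run with DEMO=1): classify both constructed rules plus an unknown SID.
if [ "${DEMO:-0}" = 1 ]; then
  d=$(make_sample_rules)
  for s in 9000001 9000002 9000003; do
    printf '%s: %s\n' "$s" "$(rule_action "$s" "$d" || true)"
  done
  rm -r "$d"
fi
```

Against a real box, call `rule_action 2016150` with no directory argument to check the SID from the answer.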
  • Accepted Answer

    Alex Sung
    Tuesday, May 19 2020, 02:51 PM
    1. How about the Gateway => Base Rule Set? Does it get updated as well once I have made the 3-year Home Essential subscription?
    2. How do I get into the command line to execute grep 2016150 /etc/snort.d/* -r ? Pardon me, I am a total newbie.
    3. Are you referring to the updates from Cloud => Updates => IDS Signatures? Are the IDS signatures from the Snort Personal Subscription?
    To get the IDS updates you need a Home subscription or Business Silver/Gold/Platinum or you can purchase the updates separately.
    IDS updates are not daily. They are roughly weekly but ClearOS will check every day to see if there are any updates.


    Your clarification will be very much appreciated.