
Resolved
2 votes
Hi,

I am using ClearOS 7.5 Home, and I have IDS and the Rule updates both installed.
With a client PC behind the gateway, I was trying to use some online websites to test if the IDS is triggered (there are a few "testmyids" websites), but with all those I tried, they never triggered any alerts in the router web page, nor was anything logged in the event logger.

Also, some websites said the test package was permitted, rather than dropped as one would expect from a working IDS system.

May I know if there is a way you can share to check if IDS is working with my ClearOS router?
Monday, April 22 2019, 03:17 AM
Responses (5)
  • Accepted Answer

    Monday, April 22 2019, 07:15 PM - #Permalink
    Resolved
    0 votes
    Can you link me to some of the sites you've used for testing? The basic IDS only comes with GPL rules and they are old. You either need to integrate something like the Emerging Threats rules or purchase the IDS updates to get a more current set of rules. There is a script in the forum somewhere which allows you to integrate the ET rules.

    The GPL rules have no "drop" rules, only detection rules, so even if it finds something it will only report on it and not stop it. The Clearcenter IDS Updates and ET rules both have blocking rules.

    If one of your test packages was the EICAR virus test and you download it through ClearOS over https, using the content filter in transparent mode, then ClearOS cannot block it as it cannot intercept https traffic.
  • Accepted Answer

    Tuesday, April 23 2019, 07:31 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Can you link me to some of the sites you've used for testing? The basic IDS only comes with GPL rules and they are old. You either need to integrate something like the Emerging Threats rules or purchase the IDS updates to get a more current set of rules. There is a script in the forum somewhere which allows you to integrate the ET rules.

    The GPL rules have no "drop" rules, only detection rules, so even if it finds something it will only report on it and not stop it. The Clearcenter IDS Updates and ET rules both have blocking rules.

    If one of your test packages was the EICAR virus test and you download it through ClearOS over https, using the content filter in transparent mode, then ClearOS cannot block it as it cannot intercept https traffic.


    Hello Nick,

    I got the ClearOS 7.5 Home version and I installed these two modules:
    -Intrusion Detection System
    -IDS Signatures
    And they are enabled and I checked all boxes.

    To test it, from a computer sitting behind the gateway, I was just googling and found a few test sites, one of them was
    http://testmyids.ca/
    which, if I understand it correctly, on browsing it should trigger the IDS.
    However, looking at the events log of the webconfig later it didn't seem to suggest any detection.
    Nor was I blocked from browsing the site.

    Other sites I also tried include:
    https://evebox.org/files/testmyids.com
    http://www.testmyids.com/
    But it didn't seem to report anything on the webconfig page.

    It could also be that I am looking at the wrong spot; it would be great if you could let me know where to check the log.
    Also, I would like to configure it such that it will block and not just detect.
    As for the content filter, while it is also installed and enabled, I left it at the defaults and never set it up.
    Please let me know if anything needs to be checked in that module.
  • Accepted Answer

    Tuesday, April 23 2019, 08:57 PM - #Permalink
    Resolved
    0 votes
    The useful logs are in /var/log/snort/syslog. This app is not the most intuitive and GPL rules are enabled in Webconfig > Gateway > Intrusion Prevention > Intrusion Detection System and the IDS updates in Webconfig > Cloud > Updates > IDS Signatures. Note the IDS is quite processor intensive and it is best to only enable rules where you have services which are exposed to the internet.

    I don't get any response from your test sites but I have a limited number of rules enabled. I do get responses to other rules.
  • Accepted Answer

    Tuesday, April 23 2019, 10:07 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    The useful logs are in /var/log/snort/syslog. This app is not the most intuitive and GPL rules are enabled in Webconfig > Gateway > Intrusion Prevention > Intrusion Detection System and the IDS updates in Webconfig > Cloud > Updates > IDS Signatures. Note the IDS is quite processor intensive and it is best to only enable rules where you have services which are exposed to the internet.

    I don't get any response from your test sites but I have a limited number of rules enabled. I do get responses to other rules.


    Thanks for the check.
    I am new to using IDS so I wasn't sure what to expect, but if you don't get a response to the test sites, it may just be the configuration somewhere and may not be important.

    Looking at the logs, I do see a huge amount of results regarding different events just within today, e.g.
    -Telnet attempted
    -ET SCAN Sipvicious Scan
    and so on, so I guess the IDS is indeed functioning.

    Regarding which service to monitor, lately I pass almost everything through OpenVPN, so the only firewall port opened is 5100, which links to an https server where I host a Jupyter notebook server.
    May I know, if this is the case, whether I should just check the box for web_server under both IDS-related modules?
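    An added example, not from the thread or from ClearOS itself, for reading the /var/log/snort/syslog file Nick pointed at: a small POSIX shell helper that counts alerts per signature and per priority and lists the external sources hitting a given port (such as the 5100 web server above), which is a quick way to confirm the IDS is producing alerts. The log lines it ships with are constructed samples using local-range SIDs and documentation addresses, not real events.

```shell
#!/bin/sh
# Summarise Snort alerts from the syslog file ClearOS writes (/var/log/snort/syslog).
# Snort syslog alert lines look like (one per line):
#   ... snort[PID]: [gid:sid:rev] NAME [Classification: ...] [Priority: N] {PROTO} SRC:PORT -> DST:PORT
# SNORT_LOG can be overridden in the environment; the sample below is constructed.

SNORT_LOG="${SNORT_LOG:-/var/log/snort/syslog}"

# Write a constructed sample log (SIDs in the local 1000000+ range, RFC 5737 addresses,
# rule names taken from the thread) and print its path so the helpers can be tried offline.
make_sample_log() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
Apr 23 09:01:12 gateway snort[2143]: [1:1000001:1] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.5:5060 -> 198.51.100.10:5060
Apr 23 09:02:40 gateway snort[2143]: [1:1000001:1] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.77:5061 -> 198.51.100.10:5060
Apr 23 09:15:03 gateway snort[2143]: [1:1000002:1] Telnet attempted [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44120 -> 198.51.100.10:23
Apr 23 09:30:51 gateway snort[2143]: [1:1000003:1] WEB_SERVER suspicious request [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:51234 -> 198.51.100.10:5100
EOF
  printf '%s\n' "$f"
}

# Alert count per signature name, most frequent first ("count name" per line).
alerts_by_signature() {
  sed -n 's/.*snort\[[0-9]*\]: \[[0-9]*:[0-9]*:[0-9]*\] \(.*\) \[Classification:.*/\1/p' "$1" \
    | sort | uniq -c | sort -rn
}

# Number of alerts carrying a given priority (1 is the most severe in Snort's defaults).
alerts_with_priority() {
  grep -c "snort\[[0-9]*\]: .*\[Priority: $2\]" "$1"
}

# Distinct source addresses whose alerts targeted a given destination port.
sources_hitting_port() {
  sed -n "s/.*} \([0-9.]*\):[0-9]* -> [0-9.]*:$2\$/\1/p" "$1" | sort -u
}

# Human-readable overview of one log file.
ids_summary() {
  echo "== alerts by signature (${1}) =="; alerts_by_signature "$1"
  echo "== priority 1 alerts: $(alerts_with_priority "$1" 1) =="
  echo "== sources hitting port 5100 =="; sources_hitting_port "$1" 5100
}

# Only summarise the real log when it is present and readable on this host.
[ -r "$SNORT_LOG" ] && ids_summary "$SNORT_LOG"
```

    To try it without a gateway, run `ids_summary "$(make_sample_log)"`; on the router itself, point it at the real log with `ids_summary /var/log/snort/syslog`.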
  • Accepted Answer

    Wednesday, April 24 2019, 09:22 AM - #Permalink
    Resolved
    0 votes
    I can't really say which rules to check as the IDS also protects traffic to your LAN, so it *may* be a good idea to have, for example, "Microsoft ActiveX exploits" enabled and others like "Trojan detection".

    I have converted some rule sets like "Compromised systems" to ipset firewall rules, as the firewall with ipset uses much less resources to block than the IDS (snort) does.