public inbox for dbl@lists.ipfire.org
* Malware category IPS questions and comments
@ 2026-03-08 15:30 Tim Zakharov
  2026-03-09 10:55 ` Michael Tremer
  0 siblings, 1 reply; 2+ messages in thread
From: Tim Zakharov @ 2026-03-08 15:30 UTC (permalink / raw)
  To: dbl

Hi, since enabling the Malware category in the IPS, I am getting a lot of hits in the logs that seem completely unrelated to Malware.

For example, just this morning between 9:36:58 and 9:36:59, I received 20 hits with the source being my Windows 11 desktop and destination being IPFire, all on port 53.  
The rule is:
IPFire DBL [Malware] Blocked DNS Query
Type:
Potential Corporate Privacy Violation
SID:
406786433

I cannot tell what triggered these hits, but I can tell you I was not doing anything that would trigger Malware on my system.

Is there any way to determine what triggers Malware hits (the originating rule, for example)?

If I go to Customize IPS Rulesets and show the IPFire DBL Malware category, there are only 4 checkboxes:
IPFire DBL [Malware] Blocked DNS Query
IPFire DBL [Malware] Blocked HTTP Request
IPFire DBL [Malware] Blocked TLS Connection
IPFire DBL [Malware] Blocked QUIC Connection

So at the moment there is no granularity to uncheck a particular rule that might be filling my logs with false positives.

Also, I see no way I could report this as a false positive, because there is no granularity to tell which rule is triggering it.

I considered posting this in the forums, but I saw Michael telling someone else "I would appreciate if you joined our DBL mailing list and share your thoughts there as this support forum is not the right place." so I thought I should post here instead of the forum.

Thanks,
Tim


* Re: Malware category IPS questions and comments
  2026-03-08 15:30 Malware category IPS questions and comments Tim Zakharov
@ 2026-03-09 10:55 ` Michael Tremer
  0 siblings, 0 replies; 2+ messages in thread
From: Michael Tremer @ 2026-03-09 10:55 UTC (permalink / raw)
  To: Tim Zakharov; +Cc: dbl

Hello Tim,

Thanks for getting in touch.

> On 8 Mar 2026, at 15:30, Tim Zakharov <tzakharov@protonmail.com> wrote:
> 
> Hi, since enabling the Malware category in the IPS, I am getting a lot of hits in the logs that seem completely unrelated to Malware.
> 
> For example, just this morning between 9:36:58 and 9:36:59, I received 20 hits with the source being my Windows 11 desktop and destination being IPFire, all on port 53.  
> The rule is:
> IPFire DBL [Malware] Blocked DNS Query
> Type:
> Potential Corporate Privacy Violation
> SID:
> 406786433
> 
> I cannot tell what triggered these hits, but I can tell you I was not doing anything that would trigger Malware on my system.
> 
> Is there any way to determine what triggers Malware hits (the originating rule, for example?)

Yes, you can enable email alerts or the PDF reports on the IPS settings page. Both will contain the hostname (and depending on protocol other information).

The web user interface uses the (legacy?) fast.log, which is not able to store this information.

Please report anything that you don’t deem suitable for the malware list to https://www.ipfire.org/dbl/report.

> If I go to Customize IPS Rulesets and show the IPFire DBL Malware category, there are only 4 checkboxes:
> IPFire DBL [Malware] Blocked DNS Query
> IPFire DBL [Malware] Blocked HTTP Request
> IPFire DBL [Malware] Blocked TLS Connection
> IPFire DBL [Malware] Blocked QUIC Connection

Yes, there is only one rule per category and protocol. This is because there would otherwise be millions of rules which Suricata and the UI cannot properly handle.

> So at the moment there is no granularity to uncheck a particular rule that might be filling my logs with false positives.

This is not supported, and will never be supported, unfortunately.

As I mentioned in my blog post, this is not supposed to be a primary way of filtering access. It is a backstop.

> Also, I see no way how I could report this as a false positive because there is no granularity to tell which rule is triggering it.
> 
> I considered posting this in the forums, but I saw Michael telling someone else "I would appreciate if you joined our DBL mailing list and share your thoughts there as this support forum is not the right place." so I thought I should post here instead of the forum.

Yes, this is the right place. We are currently making some changes to the forum and for the time being there will be a DBL category, but this list will be the primary place to talk about DBL.

All the best,
-Michael

> Thanks,
> Tim
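Michael's point is that fast.log records only the SID and addresses, while the alert itself was matched on a name (DNS query, TLS/QUIC SNI, HTTP Host). The script below is an added example for triaging such hits, not IPFire or Suricata code: it reads Suricata's eve.json alert records, pulls out the name each DBL hit matched on, and groups hits by SID and name so you can see which host on a Windows desktop produced 20 port-53 hits in one second and have something concrete to submit at https://www.ipfire.org/dbl/report. It assumes eve.json is written with app-layer metadata in alerts (the Suricata default) and that the log lives at the path in EVE_LOG; both are assumptions, and the log lines embedded in it are constructed samples using placeholder .example hostnames. The only real SID in them is 406786433 from the thread; the other one is a placeholder.

```python
#!/usr/bin/env python3
"""Triage IPS hits from Suricata's eve.json instead of fast.log.

Added example, not IPFire code. Assumptions (not stated in the thread):
  * Suricata writes eve.json "alert" records with app-layer metadata, so
    DNS/TLS/HTTP/QUIC alerts carry the name the DBL rule matched on.
  * EVE_LOG is a placeholder path; point it at your own eve.json.
"""
import json
from collections import Counter, defaultdict

EVE_LOG = "/var/log/suricata/eve.json"  # assumed location, adjust as needed

# Constructed sample records (not real log data). Hostnames are placeholders
# under the reserved .example TLD; SID 1000001 is a placeholder, 406786433 and
# the signature/category strings are the ones quoted in the thread.
SAMPLE_EVE = r"""
{"timestamp":"2026-03-08T09:36:58.101+0000","event_type":"alert","src_ip":"192.168.1.50","src_port":52113,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","app_proto":"dns","alert":{"action":"blocked","signature_id":406786433,"signature":"IPFire DBL [Malware] Blocked DNS Query","category":"Potential Corporate Privacy Violation"},"dns":{"query":[{"type":"query","id":4711,"rrname":"telemetry.constructed-sample.example","rrtype":"A"}]}}
{"timestamp":"2026-03-08T09:36:58.233+0000","event_type":"alert","src_ip":"192.168.1.50","src_port":52114,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","app_proto":"dns","alert":{"action":"blocked","signature_id":406786433,"signature":"IPFire DBL [Malware] Blocked DNS Query","category":"Potential Corporate Privacy Violation"},"dns":{"query":[{"type":"query","id":4712,"rrname":"telemetry.constructed-sample.example","rrtype":"AAAA"}]}}
{"timestamp":"2026-03-08T09:36:58.240+0000","event_type":"dns","src_ip":"192.168.1.50","dest_ip":"192.168.1.1","proto":"UDP","dns":{"type":"query","id":4713,"rrname":"www.constructed-sample.example","rrtype":"A"}}
{"timestamp":"2026-03-08T09:36:59.010+0000","event_type":"alert","src_ip":"192.168.1.50","src_port":52200,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","app_proto":"tls","alert":{"action":"blocked","signature_id":1000001,"signature":"IPFire DBL [Malware] Blocked TLS Connection","category":"Potential Corporate Privacy Violation"},"tls":{"sni":"cdn.constructed-sample.example","version":"TLS 1.3"}}
{"timestamp":"2026-03-08T09:36:59.500+0000","event_type":"alert","src_ip":"192.168.1.77","src_port"
{"timestamp":"2026-03-08T09:36:59.900+0000","event_type":"alert","src_ip":"192.168.1.77","src_port":60001,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","app_proto":"dns","alert":{"action":"blocked","signature_id":406786433,"signature":"IPFire DBL [Malware] Blocked DNS Query","category":"Potential Corporate Privacy Violation"},"dns":{"version":3,"type":"request","id":9,"queries":[{"rrname":"Telemetry.Constructed-Sample.example.","rrtype":"A"}]}}
"""


def indicator_from(event):
    """Return (protocol, name) that a per-protocol DBL rule matched on, or (proto, None)."""
    dns = event.get("dns") or {}
    # The DNS metadata layout differs between Suricata versions: older
    # records use dns.query[] entries, newer v3 records use dns.queries[]
    # or a flat rrname. Normalise trailing dot and case so counts merge.
    for key in ("query", "queries"):
        for q in dns.get(key) or []:
            if q.get("rrname"):
                return ("dns", q["rrname"].rstrip(".").lower())
    if dns.get("rrname"):
        return ("dns", dns["rrname"].rstrip(".").lower())
    if (event.get("tls") or {}).get("sni"):
        return ("tls", event["tls"]["sni"].lower())
    if (event.get("http") or {}).get("hostname"):
        return ("http", event["http"]["hostname"].lower())
    if (event.get("quic") or {}).get("sni"):  # quic.sni field name is assumed
        return ("quic", event["quic"]["sni"].lower())
    return ((event.get("app_proto") or event.get("proto") or "?").lower(), None)


def parse_alerts(lines):
    """Keep only alert records; tolerate the torn/partial lines eve.json can contain."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line (log rotation, tail race): skip, don't abort
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert") or {}
        proto, name = indicator_from(ev)
        hits.append({"ts": ev.get("timestamp"), "sid": alert.get("signature_id"),
                     "signature": alert.get("signature"), "src": ev.get("src_ip"),
                     "dst": ev.get("dest_ip"), "proto": proto, "indicator": name})
    return hits


def summarize(hits):
    """Count hits per (sid, matched name) and record which clients caused them."""
    counts, clients = Counter(), defaultdict(set)
    for h in hits:
        key = (h["sid"], h["indicator"])
        counts[key] += 1
        clients[key].add(h["src"])
    return counts, clients


def report(hits):
    counts, clients = summarize(hits)
    out = []
    for (sid, name), n in counts.most_common():
        out.append(f"{n:5d}  sid={sid}  {name or '(no name in record)'}  "
                   f"clients={','.join(sorted(clients[(sid, name)]))}")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real run: python3 triage.py /var/log/suricata/eve.json
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(parse_alerts(fh)))
    else:  # demo on the constructed samples above
        print(report(parse_alerts(SAMPLE_EVE.splitlines())))
```

The per-name counts are what to paste into a false-positive report: the name tells you whether the 20 DNS hits were one process re-resolving a single domain (one line with a count of 20) or twenty different lookups, which fast.log cannot distinguish. Because the DBL rules are per protocol, the same name will usually show up under the DNS SID first and then under the TLS or QUIC SID when the client connects anyway, so sort by name as well as by SID before deciding what to report.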
