Re: IPFire meets Suricata - Call for tester

["Peter Müller" <peter.mueller@link38.eu>]

[-- Attachment #1: Type: text/plain, Size: 1714 bytes --]

Hello Stefan,

back again. :-)

The new IDS WebUI looks quite good so far - enabling/disabling
Suricata works as well as selecting the rule source and the
operation mode (IDS/IPS).

I was also able to download the "Snort/VRT Community" ruleset.
Trying to switch to the "Emerging Threats" ruleset is possible,
but downloading its ruleset afterwards is not: The GUI simply
stalls, printing a message that "Snort (!) is performing a task".

The WebUI services page still shows IDS status for each interface,
which does not seem to work anymore (everything is stopped, but
Suricata was active on RED and GREEN).

Further, a client located in GREEN behind the test firewall
instance is unable to browse the internet as soon as Suricata is
enabled. If disabled, downloading ET rulesets work as well as
internet traffic. At the moment, I am flying blind here, but it looks
like packets are not NATted anymore if Suricata is active.

Any outgoing connection is in state "SYN_SENT" if Suricata is active.

A portscan against the firewall (GREEN interface) is not detected,
even though ET SCAN ruleset is enabled (used nmap with NSE active).

Especially the outgoing connection/NAT/? issue mentioned above
breaks things in my scenario. Anything else are minor issues (of
course, a portscan should be detected, this needs further investigation
indeed). WebUI works fine so far.

Thanks again for your work; I hope the feedback can appreciate it somehow. :-)

Let me know if there are questions.

Thanks, and best regards,
Peter Müller
-- 
Microsoft DNS service terminates abnormally when it recieves a response
to a DNS query that was never made.  Fix Information: Run your DNS
service on a different platform.
		-- bugtraq