Hello list followers,
after some reports on our community portal about a flooded IDS log in case the tor addon is installed and activated, I tried to solve this issue. (https://community.ipfire.org/t/tor-and-ips-conflict-suricata-rulset-where-do...)
The desired solution would be to load additional suricata rules to silence the noisy rules when tor is used. This worked pretty well so I extended the code to be more general and such rules for any kind of service can be written and loaded.
I collected all the changes on my personal git repository:
https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=shortlog;h=refs/hea...
For an easy testing I created a test tarball, which can be found here:
https://people.ipfire.org/~stevee/ids-services/
As usual a README file gives deeper information and guides through the installation process.
Please share your opinions about this approach and in case you are testing please provide your feedback here.
A big thanks in advance,
-Stefan