Hello list followers,
after some reports on our community portal about a flooded IDS log when the tor addon is installed and activated, I tried to solve this issue. (https://community.ipfire.org/t/tor-and-ips-conflict-suricata-rulset-where-do...)
The desired solution would be to load additional suricata rules to silence the noisy rules when tor is used. This worked pretty well, so I extended the code to be more general, so that such rules can be written and loaded for any kind of service.
I collected all the changes on my personal git repository:
https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=shortlog;h=refs/hea...
For easy testing I created a test tarball, which can be found here:
https://people.ipfire.org/~stevee/ids-services/
As usual, a README file gives deeper information and guides through the installation process.
Please share your opinions about this approach, and if you are testing, please provide your feedback here.
A big thanks in advance,
-Stefan
Hello list followers,
today I baked a second test version, which fixes an issue with properly using the new feature and adjusts the rules to silence some more alerts.
The new test tarball can be grabbed at the same location as the previous one - install instructions are the same.
As usual, please share your feedback and opinions here - a big thanks in advance.
Best regards,
-Stefan