Need to be schooled on SNORT IPS

[Guest]

[jpin]

So just installed my first Endian Firewall 3.0.   Working ok, but I'm trying to get the IPS up and working.   I thought it was working till I noticed it wasn't blocking anything it was only detecting.   My question is how do you start blocking things?  surely going through every rule and manually changing all of the policies isn't the way.  For that matter I wouldn't know which ones to enable if I did go that route.   

Can someone help me understand?

[jpin]

Nobody knows anything about SNORT IPS on Endian?  Surely I'm not the only one using this?

[Ricard]

- visit  www.testmyids.com  and then see your log

- check the Intrusion Prevention is active,  and then go the Intrusion Prevention ->Snort  Editor
Edit "/auto/emerging-policy.rules" section, and then go until the final pages (12+-) until your find the rule "2017015 ET POLICY DropBox User Content Access over SSL"

Check that rule is active and showing the shield icon. Then try to download this file (or any other belonging to https://dl.dropboxusercontent.com/....)
https://dl.dropboxusercontent.com/s/pgo6ryv8tfjodiv/streaming.sas7bdat

Try yourself checking and unchecking this Dropbox rule, applying changes, and trying again to download that file.  See your logs.


More specific tests:
http://.alijahangiri.org/2012/04/how-to-test-snort-with-penetration-testing-tools/
http://lteo.net//2012/10/26/an-easy-way-to-test-your-snort-rules/