EFW Support

Development => EFW Wishlist => Topic started by: mrt on Wednesday 21 April 2010, 04:09:40 pm



Title: See what Intrusion Prevention (IPS) has blocked.
Post by: mrt on Wednesday 21 April 2010, 04:09:40 pm
Hi, I moved from ClarkConnect/ClearFoundation to Endian 2.3 Community.
In my former GW/FW I could see in the IPS view which IPs had been blocked (by default for 24 hours) and the reason each was blocked (with a lookup to Snort to see the explanation).
I could also unblock an IP if the rule discovered a false positive or a "wrong" IP.

I can't find this function in EFW 2.3 and wonder if this could be done in the near future? (2.3.1 ?) :-)

Thanks in advance,

Regards from Norway 


Title: Re: See what Intrusion Prevention (IPS) has blocked.
Post by: xxxx on Saturday 01 May 2010, 02:25:21 am
This makes no sense with Endian. Endian uses Snort inline, which drops the bad packets in the connection and does not drop the whole IP like Guardian.


Title: Re: See what Intrusion Prevention (IPS) has blocked.
Post by: vlongjvc on Tuesday 04 May 2010, 01:52:50 pm
Hi xxxx,

Actually, Snort inline using these rules will block the whole IP if these rules are configured to run in IPS mode: "emerging-compromised.rules", "emerging-drop.rules", "emerging-dshield.rules", "emerging-rbn.rules"

Regards,


Title: Re: See what Intrusion Prevention (IPS) has blocked.
Post by: xxxx on Sunday 09 May 2010, 10:27:09 pm
Then you see this in the logs and can unblock this IP with the Rule Editor, because Snort drops the packets from this IP directly and does not make an iptables entry like Guardian.