Bug 11310

Summary: IDS with VRT rules do not work
Product: IPFire Reporter: Edwin <snelleedje>
Component: ---Assignee: Michael Tremer <michael.tremer>
Status: CLOSED FIXED QA Contact:
Severity: Minor Usability    
Priority: Will affect an average number of users CC: horace.michael, ipfb, michael.tremer, peter.mueller, stefan.schantl
Version: 2   
Hardware: all   
OS: All   
Bug Depends on:    
Bug Blocks: 11542    

Description Edwin 2017-04-01 11:11:07 UTC 
See http://forum.ipfire.org/viewtopic.php?f=52&t=18344.

When using VRT rules the IDS log stays empty.
Stopping and starting IDS does not give error messages in the log as far as I can see. (Besides the flowbit messages I mentioned on the forum).
I am on core 109, but experience this problem since core105. (no one was complaining, so I thought it had to be something in my setup, but now it seems I am not alone with this issue).  

Regards,
   Edwin.
Comment 1 Peter Müller 2018-04-30 19:46:17 UTC 
Hmmm, I have no idea what to do here. Some long time ago I was using VRT, but it used to work. Maybe Stefan can help.
Comment 2 Tim 2018-10-23 18:52:56 UTC 
I'm using the VRT rules without any problem.  This could be down to the ET rules including IP Blocklists, which means that there are a lot of alerts for traffic that is actually blocked by the default firewall input policy.  The VRT rules don't do this - they only alert when it detects a problem, which means much lower alert rates.

Unless you're using windows and have the appropriate rules enabled, in which case the VRT rules will give you lots of warnings about Windows sending USB Metadata to Microsoft.
Comment 3 Michael Tremer 2019-04-12 18:04:32 UTC 
Speaking for the current next tree with suricata, these rules are working.