Bug 11310 - IDS with VRT rules do not work
Summary: IDS with VRT rules do not work
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: All / All
Importance: Will affect an average number of users, Minor Usability
Assignee: Michael Tremer
Blocks: IDSIPSBUGS
Reported: 2017-04-01 11:11 UTC by Edwin
Modified: 2019-05-20 18:49 UTC (History)
Description Edwin 2017-04-01 11:11:07 UTC
See http://forum.ipfire.org/viewtopic.php?f=52&t=18344.

When using VRT rules the IDS log stays empty.
Stopping and starting IDS does not give error messages in the log as far as I can see. (Besides the flowbit messages I mentioned on the forum).
I am on Core 109, but have experienced this problem since Core 105. (No one was complaining, so I thought it had to be something in my setup, but now it seems I am not alone with this issue.)

Regards,
   Edwin.
Comment 1 Peter Müller 2018-04-30 19:46:17 UTC
Hmmm, I have no idea what to do here. Quite some time ago I was using VRT, and it used to work. Maybe Stefan can help.
Comment 2 Tim 2018-10-23 18:52:56 UTC
I'm using the VRT rules without any problem. This could be down to the ET rules including IP blocklists, which means that there are a lot of alerts for traffic that is actually blocked by the default firewall input policy. The VRT rules don't do this - they only alert when they detect a problem, which means much lower alert rates.

Unless you're using Windows and have the appropriate rules enabled, in which case the VRT rules will give you lots of warnings about Windows sending USB metadata to Microsoft.
Comment 3 Michael Tremer 2019-04-12 18:04:32 UTC
Speaking for the current next tree with suricata, these rules are working.