This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Upgarding from V5: Where is my IPS ?

Hello everyone,

We're considering moving from Astaro V5 to V7 and I'm doing to preliminary study on the new version.

My biggest "culture shock" was the IPS: gone are my nice snort rules. Instead, I see a dozen extremely broad categories with ver little details and close to zero control.

My questions are, actually, very simple:

- How can I define custom rules ?
- How can I control individual rules behavior ?
- Is snort still used for the IPS part ?
- Has the logging been improved ? Can we now get (somehow) a full packet dump for specific rules ?

Thanks,
Stephane

This thread was automatically locked due to age.

Parents

0 BrucekConvergent over 18 years ago

V7:

--can't define custom rules (and I've gotten no ETA on getting this functionality back)
--You can disable or change behavior (drop or alert, etc.) for an individual rule in the exceptions tab... you add the rule to the modification list by entering it's signature ID and checking the appropriate boxes.
--Yep, still using Snort
--To get full packets, you have to run tcpdump from the shell.
Cancel
Vote Up 0 Vote Down

Cancel
0 StephaneGROBETY over 18 years ago in reply to BrucekConvergent

Thanks for the answers.

I suppose that I could also add the rules in snort manually, but in that case will it get deleted with every new download ? And will it be included in the backups ?
Cancel
Vote Up 0 Vote Down

Cancel
0 hspcd over 18 years ago in reply to StephaneGROBETY

This is a regression in feature richness in my opinion. One of the great things about the previous versions of Astaro was the ability to modify or add snort rules on the fly.

Astaro needs to bring this ability back to the product.

- Clay
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 18 years ago in reply to hspcd

Making any changes via the console (bypassing Webadmin) are not supported; I've found that such modifications are subject to being overwritten by system up2dates.
Cancel
Vote Up 0 Vote Down

Cancel
0 lightning over 17 years ago in reply to BrucekConvergent

Ok, this is has finally got me annoyed to no end. Give us back control of our IPS rule sets. I am almost to the point of turning it off on Astaro and putting a dedicated SNORT box up. Which would defeat the purpose of having Astaro in the first place.

Aaron
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 17 years ago in reply to lightning

A little update; I've been told that "soon" we should be expecting to get our custom rules back... While I do like the fact that I can now manage the rules easier by category, I also like to be able to add custom rules. It's on it's way.
Cancel
Vote Up 0 Vote Down

Cancel
0 simby over 17 years ago in reply to BrucekConvergent

when? in new v of astaro 7 ?
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 17 years ago in reply to simby

From what I understand, the IPS custom rule functionality is coming in an up2date to Version 7... I'm hearing it's near the top of the list.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BrucekConvergent over 17 years ago in reply to simby

From what I understand, the IPS custom rule functionality is coming in an up2date to Version 7... I'm hearing it's near the top of the list.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 ABx over 17 years ago in reply to BrucekConvergent

I just finally updated to v7, and that was something that was annoying me as well. I like the new interface, but I really really like to be able to see the individual rules. I DON'T like having to disable an entire catagory if only one rule gives me grief.

I am quite glad to hear that they are coming around on the subject, though. Now if they'd only allow us to import other rule-sets like Bleeding Snort [:)]
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 17 years ago in reply to ABx

ABx, you do NOT have to disable an entire category if one rule causes false positives... As the manual points out (and as I have used this function myself)...

Go to Network Security / Intrusion Protection System / Advanced Tab. Under "Modified Rules" Add the offending rule and disable the rule altogether, or just turn off alerting (your choice).
Cancel
Vote Up 0 Vote Down

Cancel