
IPS daily report didn't show anything

Hi,

So far I have used Astaro for months, and it's working great. The only thing I can't figure out is that I NEVER see any IPS warning in the daily report.

I checked /var/log/ips.log and the old archive files, and most of them are empty. I can understand the report being empty in that case. However, when I pick an IPS file which has some attack records in it, and go back to check the daily report, I still see nothing!

Another thing is the IPS sensor. I have another IDS installed on the same network. All traffic is mirrored to that IDS. Most of the time the IDS detected something, but the Astaro IPS didn't report anything. From the iptables logs, Astaro didn't detect those incoming accesses/attacks, and block them, but why only block them with no IPS warning?

I think the IPS should perform "detect all incoming traffic" and "block if bad traffic or non-open service", not "block non-open service traffic" and "detect and block the traffic in open service". Am I correct?

From Astaro's configuration, it's running Snort inline, which should "detect and block bad traffic".

Thanks,

Hsinan

