[tor-relays] Intrusion Prevention System Software - Snort or Suricata or no IPS at all
Tristan
supersluether at gmail.com
Thu Oct 6 15:13:16 UTC 2016
I think I'm doing this wrong. I was trying to access the ruleset links from
this page: https://suricata.readthedocs.io/en/latest/rules/intro.html
But I think I'm actually supposed to get the rulesets from somewhere else:
https://suricata.readthedocs.io/en/latest/oinkmaster.html
I can access Suricata, I'm just trying to figure out how all this works
before I actually start to mess around with it on a server.
On Thu, Oct 6, 2016 at 10:09 AM, <oconor at email.cz> wrote:
> You can't access suricata directly?
>
> ---------- Original message ----------
> From: Tristan <supersluether at gmail.com>
> To: tor-relays at lists.torproject.org
> Date: 6. 10. 2016 17:02:19
> Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort or
> Suricata or no IPS at all
>
> I may have just found a bigger problem: I can't access the Suricata
> rulesets from my exit node. The website replies with "Error code 15, This
> request was blocked by the security rules." When I try to wget the ruleset
> from my exit node, I get error 403 forbidden.
>
> Even if Suricata ships with some basic rulesets, it looks like I wouldn't
> be able to update them, because they block Tor exit nodes. Any ideas how to
> get around that?
>
> On Thu, Oct 6, 2016 at 9:57 AM, <oconor at email.cz> wrote:
>
> Our implementation of suricata is a little different. We've got one as IPS
> (just a few rules) and a second as IDS (all rules (blocks of rules) are switched
> on). In the log of the IDS we determine which chains should be filtered and
> then we filter them one by one on the IPS. The main thing is to not cut off
> any of the customers (in our case).
>
>
> ---------- Original message ----------
> From: Tristan <supersluether at gmail.com>
> To: tor-relays at lists.torproject.org
> Date: 6. 10. 2016 16:50:33
> Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort or
> Suricata or no IPS at all
>
> Suricata allows direct access via the Tor network; Snort's website gave me
> multiple failed Captchas before I could access anything. I'm going to do
> some further research before I even think about implementing anything.
>
> How does one detect false positives when running an IPS? Do you just
> frequently check the alerts and change the rules when necessary?
>
> On Thu, Oct 6, 2016 at 9:45 AM, Ralph Seichter <tor-relays-ml at horus-it.de>
> wrote:
>
> On 06.10.16 16:24, oconor at email.cz wrote:
>
> > The subject of this thread is: Intrusion Prevention System Software -
> > Snort or Suricata
>
> Fixed that for you. ;-)
>
> > If the only thing you wanted to say was that you're against that,
> > we're probably done ;)
>
> Stating that I oppose the idea of IPS as means of automatic censorship
> of Tor exit nodes is part of the discussion.
>
> -Ralph
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
> --
> Finding information, passing it along. ~SuperSluether
>
>
> --
> Finding information, passing it along. ~SuperSluether
>
--
Finding information, passing it along. ~SuperSluether
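The two-instance workflow oconor describes (an alert-only IDS running the full ruleset, whose log is reviewed to decide which rules get enforced on a separate IPS) and Tristan's question about spotting false positives by reviewing alerts can be worked through in a few lines. The following is an added Python example, not code from this thread or from the Suricata project. It reads Suricata EVE JSON alert events (the real `event_type`, `src_ip` and `alert.signature_id` field names), tallies hits and distinct sources per signature, and rewrites only the chosen `alert` rules to `drop` for the IPS instance. The log lines, the rules and their sids (9000001 onward) are constructed for the example, and the hit/source thresholds are an assumed review heuristic: a signature that fires once from one address is a weaker candidate for blocking than one seen repeatedly from several, but the list it produces is a starting point for a human review, not a verdict.

```python
import json
import re

# Constructed Suricata EVE JSON events, in the shape an alert-only (IDS)
# instance writes to eve.json. Addresses, sids and timestamps are made up.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2016-10-06T15:00:01+0000","event_type":"alert","src_ip":"198.51.100.10","dest_ip":"203.0.113.5","alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"CONSTRUCTED example A"}}',
    '{"timestamp":"2016-10-06T15:00:02+0000","event_type":"alert","src_ip":"198.51.100.11","dest_ip":"203.0.113.5","alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"CONSTRUCTED example A"}}',
    '{"timestamp":"2016-10-06T15:00:03+0000","event_type":"alert","src_ip":"198.51.100.12","dest_ip":"203.0.113.6","alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"CONSTRUCTED example A"}}',
    '{"timestamp":"2016-10-06T15:00:04+0000","event_type":"alert","src_ip":"198.51.100.10","dest_ip":"203.0.113.7","alert":{"action":"allowed","signature_id":9000002,"rev":1,"signature":"CONSTRUCTED example B"}}',
    '{"timestamp":"2016-10-06T15:00:05+0000","event_type":"alert","src_ip":"198.51.100.10","dest_ip":"203.0.113.8","alert":{"action":"allowed","signature_id":9000002,"rev":1,"signature":"CONSTRUCTED example B"}}',
    '{"timestamp":"2016-10-06T15:00:06+0000","event_type":"alert","src_ip":"198.51.100.13","dest_ip":"203.0.113.9","alert":{"action":"allowed","signature_id":9000003,"rev":1,"signature":"CONSTRUCTED example C"}}',
    '{"timestamp":"2016-10-06T15:00:07+0000","event_type":"flow","src_ip":"198.51.100.13","dest_ip":"203.0.113.9"}',
    '{"this line is truncated',
]

# Constructed rules in Suricata rule syntax; not taken from any published ruleset.
SAMPLE_RULES = [
    "# constructed rules for this example",
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED example A"; flow:to_server; content:"A"; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED example B"; flow:to_server; content:"B"; sid:9000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"CONSTRUCTED example C"; flow:to_server; content:"C"; sid:9000003; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"CONSTRUCTED example D"; flow:to_server; content:"D"; sid:9000004; rev:1;)',
]

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def load_alerts(lines):
    """Parse EVE JSON lines and keep only well-formed alert events."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or partially written line is skipped, not fatal
        if event.get("event_type") == "alert" and "alert" in event:
            alerts.append(event)
    return alerts


def summarize(alerts):
    """Per signature id: rule name, number of hits and the set of distinct source IPs."""
    summary = {}
    for event in alerts:
        sid = event["alert"]["signature_id"]
        entry = summary.setdefault(
            sid, {"signature": event["alert"].get("signature", ""), "hits": 0, "sources": set()}
        )
        entry["hits"] += 1
        entry["sources"].add(event["src_ip"])
    return summary


def select_for_ips(summary, min_hits=2, min_sources=2):
    """Assumed heuristic: propose a sid for the IPS only if it fired at least
    min_hits times from at least min_sources distinct sources. A sid that fires
    repeatedly from one address is left for manual review as a possible false positive."""
    return sorted(
        sid for sid, entry in summary.items()
        if entry["hits"] >= min_hits and len(entry["sources"]) >= min_sources
    )


def promote_rules(rule_lines, sids):
    """Rewrite 'alert' to 'drop' for the selected sids; every other line passes through unchanged."""
    out = []
    for line in rule_lines:
        match = SID_RE.search(line)
        if match and int(match.group(1)) in sids and line.startswith("alert "):
            line = "drop " + line[len("alert "):]
        out.append(line)
    return out


def build_ips_ruleset(eve_lines, rule_lines, min_hits=2, min_sources=2):
    """IDS log -> alert summary -> selected sids -> IPS rule file contents."""
    summary = summarize(load_alerts(eve_lines))
    selected = select_for_ips(summary, min_hits, min_sources)
    return selected, promote_rules(rule_lines, set(selected))


if __name__ == "__main__":
    chosen, ips_rules = build_ips_ruleset(SAMPLE_EVE_LINES, SAMPLE_RULES)
    print("sids promoted to drop:", chosen)
    for rule in ips_rules:
        print(rule)
```

With the constructed input, only sid 9000001 (three hits from three sources) is promoted; sid 9000002 fired twice but from a single address, so it stays in alert mode for review, and the rule that was already `drop` is untouched. Lowering both thresholds to 1 promotes every signature that fired at all, which is the behaviour to avoid on a box whose job is to not cut anyone off.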