[tor-relays] Intrusion Prevention System Software - Snort or Suricata or no IPS at all

Tristan supersluether at gmail.com
Thu Oct 6 15:01:46 UTC 2016


I may have just found a bigger problem: I can't access the Suricata
rulesets from my exit node. The website replies with "Error code 15, This
request was blocked by the security rules." When I try to wget the ruleset
from my exit node, I get error 403 forbidden.

Even if Suricata ships with some basic rulesets, it looks like I wouldn't
be able to update them, because they block Tor exit nodes. Any ideas how to
get around that?

On Thu, Oct 6, 2016 at 9:57 AM, <oconor at email.cz> wrote:

> Our implementation of Suricata is a little different. We've got one as IPS
> (just a few rules) and a second as IDS (all rules (blocks of rules) are switched
> on). In the log of the IDS we determine which chains should be filtered and
> then we filter them one by one on the IPS. The main thing is not to cut off
> any of the customers (in our case).
>
>
> ---------- Original message ----------
> From: Tristan <supersluether at gmail.com>
> To: tor-relays at lists.torproject.org
> Date: 6. 10. 2016 16:50:33
> Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort or
> Suricata or no IPS at all
>
> Suricata allows direct access via the Tor network, Snort's website gave me
> multiple failed Captchas before I could access anything. I'm going to do
> some further research before I even think about implementing anything.
>
> How does one detect false positives when running an IPS? Do you just
> frequently check the alerts and change the rules when necessary?
>
> On Thu, Oct 6, 2016 at 9:45 AM, Ralph Seichter <tor-relays-ml at horus-it.de>
> wrote:
>
> On 06.10.16 16:24, oconor at email.cz wrote:
>
> > The subject of this thread is: Intrusion Prevention System Software -
> > Snort or Suricata
>
> Fixed that for you. ;-)
>
> > If the only thing you wanted to say was, that you're against that,
> > we're probably done ;)
>
> Stating that I oppose the idea of IPS as means of automatic censorship
> of Tor exit nodes is part of the discussion.
>
> -Ralph
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
>
>
>
> --
> Finding information, passing it along. ~SuperSluether


-- 
Finding information, passing it along. ~SuperSluether
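An added example, not code from this thread or from the Suricata project, of the log-driven workflow oconor describes (run an IDS with every rule enabled, read its log to decide which signatures to enforce on the IPS) and of the false-positive question above. It parses constructed Suricata EVE JSON alert lines and applies an assumed triage heuristic: a signature that fires once per distinct source across the board is flagged for review as likely noise, while one with concentrated, repeated hits is a candidate to promote to drop. The sample lines, the 9000xxx signature ids and the thresholds are all assumptions.

```python
import json

# Constructed Suricata EVE JSON lines (not real traffic). sid 2100498 is a
# well-known GPL rule; the 9000xxx sids and their names are placeholders.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"gid":1,"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"gid":1,"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"event_type":"alert","src_ip":"10.0.0.6","dest_ip":"192.0.2.11","alert":{"gid":1,"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"event_type":"alert","src_ip":"10.0.1.1","dest_ip":"198.51.100.7","alert":{"gid":1,"signature_id":9000001,"signature":"CONSTRUCTED noisy user-agent rule"}}
{"event_type":"alert","src_ip":"10.0.1.2","dest_ip":"198.51.100.8","alert":{"gid":1,"signature_id":9000001,"signature":"CONSTRUCTED noisy user-agent rule"}}
{"event_type":"alert","src_ip":"10.0.1.3","dest_ip":"198.51.100.9","alert":{"gid":1,"signature_id":9000001,"signature":"CONSTRUCTED noisy user-agent rule"}}
{"event_type":"alert","src_ip":"10.0.2.9","dest_ip":"203.0.113.4","alert":{"gid":1,"signature_id":9000002,"signature":"CONSTRUCTED single-hit rule"}}
{"event_type":"flow","src_ip":"10.0.2.9","dest_ip":"203.0.113.4","proto":"TCP"}
this line is deliberately not JSON
"""


def parse_eve_alerts(text):
    """Yield only alert events; skip other event types and unparseable lines."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # truncated or corrupt log line: ignore, do not abort
        if ev.get("event_type") == "alert":
            yield ev


def summarize(text):
    """Aggregate hit count and distinct source IPs per signature id."""
    stats = {}
    for ev in parse_eve_alerts(text):
        a = ev["alert"]
        s = stats.setdefault(a["signature_id"], {"sig": a["signature"], "hits": 0, "src": set()})
        s["hits"] += 1
        s["src"].add(ev["src_ip"])
    return stats


def triage(stats, min_hits=3, spread=0.8):
    """Assumed heuristic: signatures below min_hits carry too little evidence;
    if nearly every hit comes from a different source (spread ratio), keep it
    alert-only and review it; otherwise it is a candidate to promote to drop."""
    drop_candidates, review = [], []
    for sid, s in sorted(stats.items()):
        if s["hits"] < min_hits:
            continue
        if len(s["src"]) / s["hits"] >= spread:
            review.append(sid)
        else:
            drop_candidates.append(sid)
    return drop_candidates, review
```

Promotion to drop is still a human decision: the function only narrows the IDS log down to the few signature ids worth reading closely before they are enabled on the IPS.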