Overview
In some cases, legitimate traffic may be detected as an intrusion. If it happens, you can define an exception for the detected intrusion.
Note: Adding an exception can also improve internet connection speed where it is degraded by excessive IPS processing (a typical symptom is high memory usage by the snort process).
A false detection can appear as a Blacklist item. For example, the following entry is generated in the Security log:
IPS: Packet drop, severity: Blacklist, Rule ID: 1:2522571 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 572, proto:UDP, ip/port:192.168.11.120:59073 -> x.x.x.x:123
Solution
Automatic process
- In the administration interface, navigate to Logs > Security.
- Find entries about filtered traffic.
- Copy the Rule ID of the matching rule: the number after the colon, i.e. 2522571 in the example above.
- In the administration interface, navigate to Configuration > Intrusion Prevention.
- Click the Advanced button.
- In the Advanced Intrusion Prevention Settings dialog, click Add.
- Paste the Rule ID number and description.
- Click OK and Apply.
Manual process
The Kerio Control IPS module is based on the open-source Snort engine. It is possible to modify the Snort rules directly over SSH:
- Log in via SSH to Kerio Control console.
- Remount the root file system as writable:
mount -o rw,remount /
- Open the /opt/kerio/winroute/snort/rules folder and modify the file used.rules according to your needs.
It is NOT recommended to modify this file unless you know exactly what you are doing. The recommended way is to perform changes using Kerio Control Webadmin.
For more information about Snort rules, please refer to the official Snort website and the Anatomy of a Snort rule infographic.
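The following shell example is added here to illustrate both procedures above; it is not Kerio's own code. It extracts the Rule ID (the Snort SID) from a Security log line of the kind shown in the Overview, and then disables the matching rule in a Snort rules file by commenting it out, which is the standard way to suppress a single Snort rule without deleting it. The rules file content is constructed for the demo (the real used.rules is far larger and lives under /opt/kerio/winroute/snort/rules, which must be remounted read-write first); a backup copy is written before the file is changed.

```shell
#!/bin/sh
# Added example, not Kerio Control's own code.
# Constructed sample input: a Security log line like the one in the Overview.
LOG='IPS: Packet drop, severity: Blacklist, Rule ID: 1:2522571 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 572, proto:UDP, ip/port:192.168.11.120:59073 -> x.x.x.x:123'

# Print the Snort SID of a Kerio Security log line: the digits after the
# generator ID in "Rule ID: 1:2522571". Prints nothing if the line has no Rule ID.
ips_log_sid() {
    printf '%s\n' "$1" | sed -n 's/.*Rule ID: *[0-9]*:\([0-9]*\).*/\1/p'
}

# Disable every active rule in file $1 whose "sid:<N>;" option equals $2 by
# prefixing the line with a comment marker. A backup "$1.bak" is written first.
# Prints how many rules were newly disabled (already-commented lines are skipped).
snort_disable_sid() {
    rules="$1"; sid="$2"
    pattern="^[^#].*sid:[[:space:]]*${sid};"
    cp "$rules" "$rules.bak"
    n=$(grep -c "$pattern" "$rules" || true)
    sed "/${pattern}/s/^/# disabled by exception: /" "$rules" > "$rules.tmp" \
        && mv "$rules.tmp" "$rules"
    echo "$n"
}

# Constructed demo rules file (hypothetical path; stands in for used.rules).
# The first rule's msg and sid mirror the log entry above; the second is a filler.
RULES_FILE=$(mktemp)
cat > "$RULES_FILE" <<'EOF'
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic"; sid:2522571; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"DEMO SSH probe"; sid:9000001; rev:1;)
EOF

SID=$(ips_log_sid "$LOG")                          # 2522571
DISABLED=$(snort_disable_sid "$RULES_FILE" "$SID") # 1
echo "disabled $DISABLED rule(s) with sid $SID in $RULES_FILE"
```

Commenting the rule out rather than deleting it keeps a visible record in the file of what was suppressed and why, and the .bak copy lets you roll back if the exception turns out to be too broad. Because this bypasses Webadmin, the exception is invisible in the Advanced Intrusion Prevention Settings dialog, which is one more reason the Webadmin route above is the recommended one.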
Confirmation
The legitimate traffic is allowed and is no longer blocked as an intrusion.
Related Articles
Configuring Intrusion Prevention