In some cases, legitimate traffic may be detected as an intrusion. If it happens, you can define an exception for the detected intrusion.
Note: This can also help to improve the internet connection speed where it is affected by excessive IPS usage (a symptom can be high memory usage by the snort process).
A false detection may appear as a Blacklist item. The following entry is generated in the Security log:
IPS: Packet drop, severity: Blacklist, Rule ID: 1:2522571 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 572, proto:UDP, ip/port:192.168.11.120:59073 -> x.x.x.x:123
- In the administration interface, navigate to Logs > Security.
- Find entries about filtered traffic.
- Copy the Rule ID you need, e.g. 2522571 (the number after the colon in 1:2522571).
- In the administration interface, navigate to Configuration > Intrusion Prevention.
- Click the Advanced button.
- In the Advanced Intrusion Prevention Settings dialog, click Add.
- Paste the Rule ID number and description.
- Click OK and Apply.
The Kerio Control IPS module is based on the open-source Snort engine. It is also possible to modify the Snort rules directly over SSH:
- Log in to the Kerio Control console via SSH.
- Remount the root filesystem as writable:
mount -o rw,remount /
- Go to the /opt/kerio/winroute/snort/rules folder and modify the file used.rules according to your needs.
It is NOT recommended to modify this file unless you know exactly what you are doing. The recommended way is to perform changes using Kerio Control Webadmin.
The legitimate traffic is now allowed and is no longer blocked as an intrusion.
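The following shell script is an added illustration, not part of the original article or of Kerio Control: it pulls the Rule ID out of a Security log line in the format shown above and disables the matching rule in a Snort-format rules file by commenting it out, which is what a manual edit of used.rules amounts to. It assumes one rule per line, each carrying a sid:<number>; option, and runs here against constructed sample data rather than the real file.

```shell
#!/bin/sh
# Added example, not Kerio's code. Assumes used.rules is in Snort rule syntax,
# one rule per line, each carrying a "sid:<number>;" option.

# Constructed sample of a Security log line in the format shown in the article.
SAMPLE_LOG='IPS: Packet drop, severity: Blacklist, Rule ID: 1:2522571 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 572, proto:UDP, ip/port:192.168.11.120:59073 -> x.x.x.x:123'

# Constructed stand-in for used.rules (hypothetical rule bodies; only the sid values matter).
SAMPLE_RULES='alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 572"; sid:2522571; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 123 (msg:"Unrelated rule, must stay active"; sid:2000001; rev:2;)
# alert tcp any any -> any any (msg:"Already disabled copy"; sid:2522571; rev:1;)'

# Print the Snort SID from a log line: the number after the colon in "Rule ID: GID:SID".
rule_sid() {
    printf '%s\n' "$1" | sed -n 's/.*Rule ID: [0-9][0-9]*:\([0-9][0-9]*\).*/\1/p'
}

# Disable every still-active rule with the given SID by prefixing it with "# "
# (Snort treats such lines as comments). Rewrites the file through a temporary
# copy and prints how many rule lines were disabled; already-commented lines and
# rules with other SIDs are left untouched.
disable_sid() {
    sid="$1"; file="$2"
    pattern="^[^#].*[; (]sid:${sid};"
    count=$(grep -c "$pattern" "$file" || true)
    sed "/${pattern}/s/^/# /" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$count"
}

# Stand-alone demonstration on the constructed data.
demo() {
    rules=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$rules"
    sid=$(rule_sid "$SAMPLE_LOG")
    echo "Rule ID from log: $sid"
    echo "Rules disabled: $(disable_sid "$sid" "$rules")"
    cat "$rules"
    rm -f "$rules"
}

demo
```

Note that a rule update or reinstall may replace used.rules, so an exception added in Webadmin, as the article recommends, is the durable way to keep the traffic allowed.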