OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Styx13 on February 23, 2023, 04:39:07 am

Title: Suricata Policies not working as expected?
Post by: Styx13 on February 23, 2023, 04:39:07 am
Hello,

Running OPNsense 23.1.1_2 with Suricata enabled as IPS.

I wanted to update which rules are enabled and drop/alert and decided to clean up all my policies, rule adjustments and enabled rulesets and start back from scratch.

I then enabled the following rulesets:

I then went and created a first policy that I called "Disable all" which, as its name indicates, disables all rules ("Nothing Selected" everywhere and New Action = Disable).
I enabled it, applied it, and then went to check that all rules were indeed disabled.

Then I disabled that "Disable all" rule and created a new one called "Specific Ruleset all rules drop".
In the "Specific Ruleset all rules drop" I selected the following rulesets:
I left all the other selection fields at "Nothing selected" and set New Action to "Drop". My goal was to enable all the rules for those selected rulesets and set their action to drop.

I made sure that policy "Specific Rulesets all rules drop" was the only one enabled and clicked "Apply".
But then, when I go and check the rule list, the first thing I observe is that a lot of rules are enabled, but on alert (instead of drop).
Also, I can see that some (but not all) of the rules from the rulesets I did not select (ET open/emerging-malware and ET open/emerging-mobile_malware) are enabled and set to alert as well, when they should have remained disabled.

I initially created both policies with priority 0 (and, as described above, I was making sure I only enabled one at a time when I clicked "apply"), and then I tried them again by assigning different priorities to them (still making sure only one was enabled when I hit "apply"), but that did not make a difference.

I do not remember running into this problem back in OPNsense 22.x.

Am I doing something wrong here, or could something have changed in OPNsense 23.x?
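One way to verify the rule state a policy actually produced, instead of paging through the GUI rule list: parse the compiled Suricata rule files and compare each rule's state ("# " prefix = disabled, otherwise its action keyword) against what the policy should have set. This is an added example, not code from the thread or from OPNsense; the rule lines below are constructed, and a real check would read the *.rules files from the Suricata rules directory of the installation (location assumed, verify on your box).

```python
import re
from collections import Counter

# Constructed sample rule text in the shape Suricata writes it: a leading
# "# " marks a disabled rule. Made-up sids and messages, not from a real box.
SAMPLE_RULESETS = {
    "emerging-malware.rules": [
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE constructed A"; sid:9000001; rev:1;)',
        '# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE constructed B"; sid:9000002; rev:1;)',
    ],
    "sslblacklist_tls_cert.rules": [
        'drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SSLBL constructed C"; sid:9000003; rev:1;)',
        'alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SSLBL constructed D"; sid:9000004; rev:1;)',
    ],
}

# Optional "#" (disabled), then the action keyword, then the sid option.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+\S+\s.*\bsid:\s*(?P<sid>\d+)\s*;"
)

def classify_rule(line):
    """Return (sid, state) with state 'disabled' or the action; None for non-rule lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    state = "disabled" if m.group("disabled") else m.group("action")
    return int(m.group("sid")), state

def parse_ruleset(lines):
    """All (sid, state) pairs in one ruleset file, skipping comments and blanks."""
    return [p for p in map(classify_rule, lines) if p]

def summarize_rulesets(rulesets):
    """Per ruleset, count rules by state, e.g. {'x.rules': {'drop': 1, 'alert': 1}}."""
    return {name: dict(Counter(state for _, state in parse_ruleset(lines)))
            for name, lines in rulesets.items()}

def check_drop_policy(rulesets, selected):
    """Deviations from a 'selected rulesets -> drop, all others -> disabled' policy.
    Returns sorted (ruleset, sid, actual, expected) tuples; empty means the policy took."""
    deviations = []
    for name, lines in rulesets.items():
        expected = "drop" if name in selected else "disabled"
        deviations += [(name, sid, state, expected)
                       for sid, state in parse_ruleset(lines) if state != expected]
    return sorted(deviations)
```

Run against the sample with `{"sslblacklist_tls_cert.rules"}` as the selected set, it reports the two states described in the post: an unselected ruleset's rule left on alert, and a selected ruleset's rule on alert instead of drop.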
Title: Re: Suricata Policies not working as expected?
Post by: abulafia on February 23, 2023, 04:38:10 pm
For most of these, you shouldn't use Suricata at all but use firewall aliases and rules to block these IPs directly, as it is (said to be) a lot more performant.

In Suricata, only use the following:

    abuse.ch/SSL Fingerprint Blacklist

Not sure if this is a rule- or IP-based list:

    abuse.ch/ThreatFox

Title: Re: Suricata Policies not working as expected?
Post by: Styx13 on February 23, 2023, 06:35:50 pm
Thank you for your suggestion, you are most likely correct.

However, this does not address the main reason for my post: it seems policies are not working as expected, or I am doing something wrong.

I picked those rulesets mostly as examples to illustrate the issue and the way I was configuring it in case there's something wrong with the way I did it.

So I am still wondering if there is something going on with Policy management in OPNsense Intrusion Prevention?