OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: dot1x on March 28, 2024, 03:45:09 pm

Title: Drop Policy and directly set Rule to "Drop" not working.
Post by: dot1x on March 28, 2024, 03:45:09 pm
Hey there.

I have a problem with the IPS in OPNsense.

I downloaded and enabled some rules, and I see them all hitting in the alert tab. I also created a policy including all downloaded rules to set them to drop.

When I now look at the alert tab, I see that requests get dropped, like Network Trojan and many other things.

But when it comes to the Emerging Threats scan category, everything is allowed. I tried different Nmap scans; they all get detected but are allowed, not set to "drop" as I would like.

So I thought something must be wrong or bugged with the policy. So I set all corresponding Emerging Threats scan rules to drop in the "rules" tab.

I restarted Suricata and restarted the firewall itself. But still, different rules, not just scan, just get allowed. How is this possible when I did set them to drop via the policy and the rules tab?

Thanks for any help :)
Title: Re: Drop Policy and directly set Rule to "Drop" not working.
Post by: Greg_E on March 28, 2024, 06:32:26 pm
After changing them, did you go back to the rules tab and hit apply? I'm guessing you did but thought I would ask.

Otherwise I'm not sure, as you did everything else I would recommend. It's something I really need to sit down and figure out, and it might be a case of messing it up once and the mess-up staying on the machine, so wipe the drive and start from a config backup (probably my next step for a couple of reasons).