OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Kieeps on February 18, 2021, 09:18:01 AM

Title: Policy vs Single rules
Post by: Kieeps on February 18, 2021, 09:18:01 AM
I've recently enabled IPS on my firewall. I wanted to wait until everything else was set up so I could put all my focus on IPS for a while, and of course I got some stuff in the log that I don't really care about, so I disabled them.

Now i get a message at the top of the page saying:
Quote: "We strongly advise to use policies instead of single rule based changes to limit the size of the configuration. A list of all manual changes can be revised in the policy editor"

What is this anyway? Is it bad practice to disable single rules?
Title: Re: Policy vs Single rules
Post by: Fright on February 18, 2021, 10:52:37 AM
IMHO this is still advice and not a requirement. The less you use individual rule management the better, but exceptions (lack of metadata, inapplicable rule, etc.) are still possible and acceptable.
Title: Re: Policy vs Single rules
Post by: Cangooroo7993 on May 14, 2021, 09:19:50 PM
I desperately want to switch to policies from rules, but the UI tortures me.
I have too many active rules (~24000) and deleting them from the UI is nearly impossible.
I have even written a JavaScript script that deletes them based on UI data, but it works slowly as well (the server is the bottleneck). It will take eons to finish.
Is there any good way to reset the IDS rules and start from scratch?

Also, I fail to understand the difference between the old "Rules" tab and the new "Rules adjustments" tab.
They look similar, but they don't contain the same number of entries.
So, I am completely lost here. Probably some UX touches are needed there.

UPDATE:
Hm...
Maybe editing the SQLite DB here might do it:
/usr/local/etc/suricata/rules/rules.sqlite
Or it might just destroy my firewall... :\
It seems to contain the rules though... The Administration section rules, not the Policy ones...
Title: Re: Policy vs Single rules
Post by: Cangooroo7993 on May 15, 2021, 08:26:12 PM
OK.
My script worked eventually, after some hours of waiting...


// Paste into the browser console on the "Rules adjustments" page (the #rules grid).
// Deletes every listed adjustment one request at a time via the API, then applies once.
var d = $.Deferred(), prom = d.promise(), times = 0, limit = 100000;
d.resolve();
$('#rules tr[data-row-id]').each(function (i, r) {
   if (times >= limit) return false;   // safety cap: stop queueing rows past the limit
   var uuid = $(r).attr('data-row-id');
   // chain each delete onto the previous one so the server is not flooded with parallel requests
   prom = prom.then(function () {
      return $.post('/api/ids/settings/delPolicyRule/' + uuid).promise();
   });
   times++;
});
// apply the new rule set once, after the last delete has finished
// (.then must be given a function; passing $.post(...) directly would fire it immediately)
prom = prom.then(function () { return $.post('/api/ids/service/reconfigure').promise(); });


You need to:

Eventually, it will delete everything and then you can start all over....
Now, I went from 24000 rule adjustments to only 3!
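The same reset can be done from a script talking to the OPNsense API directly with an API key/secret pair, which avoids the browser and the per-row UI overhead. This is an added example, not code from the post or from the OPNsense project; it assumes a searchPolicyRule endpoint that pages results like the UI grid (rows with a uuid field) and that delPolicyRule answers with result "deleted". The only endpoints taken from the post are delPolicyRule and reconfigure.

```python
import base64
import json
import urllib.request


def make_api_poster(base_url, key, secret):
    """Return post(path, payload) that calls the OPNsense API with key/secret basic auth."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()

    def post(path, payload=None):
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            data=json.dumps(payload or {}).encode(),
            headers={"Authorization": "Basic " + token,
                     "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=60) as resp:  # verify TLS as usual
            return json.load(resp)

    return post


def list_policy_rule_uuids(post, page_size=500):
    """Collect every adjustment uuid first (assumed paged searchPolicyRule endpoint),
    so deleting later does not shift pages under us."""
    uuids, page = [], 1
    while True:
        result = post("/api/ids/settings/searchPolicyRule",
                      {"current": page, "rowCount": page_size})
        rows = result.get("rows", [])
        uuids.extend(r["uuid"] for r in rows)
        if len(rows) < page_size:
            return uuids
        page += 1


def delete_all_policy_rules(post, page_size=500):
    """Delete each rule adjustment sequentially, apply once at the end.
    Returns (number deleted, list of uuids that were not reported deleted)."""
    deleted, failed = 0, []
    for uuid in list_policy_rule_uuids(post, page_size):
        resp = post(f"/api/ids/settings/delPolicyRule/{uuid}")
        if resp.get("result") == "deleted":   # assumed response shape
            deleted += 1
        else:
            failed.append(uuid)
    post("/api/ids/service/reconfigure")      # one reconfigure, not one per row
    return deleted, failed
```

Run it as `delete_all_policy_rules(make_api_poster("https://firewall.example", KEY, SECRET))` from a host allowed to reach the API; afterwards the Rules adjustments tab should be empty and policies can be built from scratch.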
Title: Re: Policy vs Single rules
Post by: spetrillo on August 10, 2021, 05:12:58 PM
Could someone explain how policies are different from just enabling drop rules? I would think the granularity of the rules would be better, so you do not capture packets that are actually good? Am I reading this wrong?
Title: Re: Policy vs Single rules
Post by: Fright on August 15, 2021, 04:57:38 PM
@spetrillo
IMHO it is just more convenient for those cases when the rules can be combined according to some criteria. It makes it possible not to overload the config with separate rules.