OPNsense Forum
English Forums => Intrusion Detection and Prevention => Topic started by: Taomyn on March 06, 2021, 10:55:15 am
-
I saw the warning that said
We strongly advise to use policies instead of single rule based changes to limit the size of the configuration. A list of all manual changes can be revised in the policy editor
So I removed all my rules to start fresh with policies - I really wasn't using ID properly and everything was set to just alert, but now everything seems to be blocking.
I'm trying to set a ruleset from drop to alert but the policy has no effect and the traffic continues to be blocked and reported as such.
Oh and this is logged every time the service is started:
2021-03-06T10:45:40 suricata[38260] [100489] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dnp3 any any -> $HOME_NET any (msg:"ETPRO SCADA DNP3 Enable Unsolicited Messages"; dnp3_func:enable_unsolicited; classtype:protocol-command-decode; sid:2821687; rev:3; metadata:created_at 2016_08_15, signature_severity Critical, updated_at 2021_02_17;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-scada.rules at line 46
2021-03-06T10:45:40 suricata[38260] [100489] <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
2021-03-06T10:45:40 suricata[38260] [100489] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dnp3 any any -> $HOME_NET any (msg:"ETPRO SCADA DNP3 Cold Restart"; dnp3_func:cold_restart; classtype:protocol-command-decode; sid:2821683; rev:5; metadata:created_at 2016_08_15, former_category SCADA, signature_severity Critical, updated_at 2021_02_17;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-scada.rules at line 45
2021-03-06T10:45:40 suricata[38260] [100489] <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
-
Hi
Could you provide more info please (alerts, rule parameters)?
The rules and errors from the log are not related to policies and are not from the emerging-p2p ruleset, IMHO.
-
All the rules are set to "drop", but I have filtered them with "P2P" to show the ones in question.
-
All the rules are set to "drop"
Hm, if it is set to drop, it should drop?
If you click the "info" pencil for these rules, what "matched_policy" does it show for them?
-
The problem is, I thought the policy I created should be changing it from drop to alert, since I'm not supposed to be making rule changes, as warned before.
-
I thought policy I created should be changing it from drop to alert
Yes, it should, but only if the policy is actually applied to the rule.
So I ask you to look at the matched_policy value for these rules.
Perhaps these rules are taken out of the policy (matched_policy = __manual__) and need to be returned from the manual state by deleting them from Services: Intrusion Detection: Policy -> Rule adjustments.
-
The "Rule adjustments" section is empty
-
Got it, thanks. So what matched_policy does it show for these "drop" rules?
-
One more thing: AFAIK all emerging-p2p.rules are Alert by default.
You set your policy to "get all emerging-p2p.rules with the default Drop action and set action to Alert", so IMHO there should be no rules under this policy (you can check this by filtering rules by "matched_policy" in Services: Intrusion Detection: Administration: Rules).
-
All of my rules are set to "drop"; before, I had to manually override these to make them all "alert".
-
Looks like everything is correct and logical. To apply the policy, you need to:
1. Configure the policy so that its filters match the default rule settings (as they are specified in the source files). That is, your policy should indicate Action "Alert" or "Nothing Selected".
2. Remove the corresponding rules from _manual_. This can be done on the Services: Intrusion Detection: Policy: Rule adjustments tab.
What I don't understand is why your manual rules are not listed in that tab.
What OPNsense version?
Please share a "rule details" screen of one of the p2p rules from Services: Intrusion Detection: Administration: Rules.
-
Maybe as I have no manual rules?
I'm happy to flush all the Intrusion Detection settings back to factory default as I wasn't making full use of it anyway until now. I'll just make a note of what settings I have and the rulesets I was downloading, but you'd need to tell me how best to do that.
-
Maybe as I have no manual rules?
Hm, maybe: it looks like you have another policy ("Default filter") and this policy is successfully applied to the p2p rules.
Is the "New action" of this policy Drop? ;)
What are the parameters of this policy?
In any case, for the p2p policy, the "Action" filter value should be changed to Alert or Nothing.
-
Should I delete the default filter?
-
IMHO changing the "Action" parameter (the third drop-down list from the top) to Alert + Drop will be enough. The policy has a lower priority value and should then apply to the p2p rules.
-
But I hope you understand that the existing "Default filter" policy now changes all other rules from Alert to Drop. Many false-positive drops are possible.
-
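To make the mechanics discussed in the last few posts concrete, here is an added example (not OPNsense's own code, and not from any poster in this thread) that models how IDS policies rewrite Suricata rule actions the way the thread describes it: a policy's filters are compared against each rule's default values as written in the downloaded rule file, the matching policy with the lowest priority value wins, and a per-rule manual adjustment (matched_policy = __manual__) overrides every policy. The policy names, priorities (10 for "Default filter", 1 for the p2p policy), the emerging-p2p sample rule and its SID 1000001 are all constructed for illustration; the second sample rule is the dnp3 rule copied from the log earlier in the thread. The matching semantics are a simplified reading of the thread, not a guarantee of what the current OPNsense implementation does.

```python
"""Simplified model of OPNsense IDS policy evaluation (added illustration,
not the project's own implementation).  Assumptions, taken from the thread:
  * policy filters match against a rule's DEFAULT action from the source file;
  * the matching policy with the lowest priority value wins;
  * a manual rule adjustment (matched_policy "__manual__") beats any policy.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Suricata rule line: action proto <header> ( options )
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<hdr>.+?)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass(frozen=True)
class Rule:
    sid: int
    ruleset: str
    action: str  # default action exactly as written in the rule file
    msg: str


def parse_rule(line: str, ruleset: str) -> Rule:
    """Parse only the fields this model needs from one Suricata rule line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Suricata rule: {line[:60]!r}")
    opts = m.group("opts")
    sid = int(re.search(r"\bsid\s*:\s*(\d+)", opts).group(1))
    msg = re.search(r'\bmsg\s*:\s*"([^"]*)"', opts).group(1)
    return Rule(sid, ruleset, m.group("action"), msg)


@dataclass
class Policy:
    name: str
    priority: int                      # lower value = evaluated first
    new_action: str                    # action to apply when the policy matches
    rulesets: frozenset = frozenset()  # empty = "Nothing selected" = any ruleset
    actions: frozenset = frozenset()   # filter on the rule's DEFAULT action
    enabled: bool = True

    def matches(self, rule: Rule) -> bool:
        if not self.enabled:
            return False
        if self.rulesets and rule.ruleset not in self.rulesets:
            return False
        if self.actions and rule.action not in self.actions:
            return False
        return True


def effective_action(rule: Rule, policies: Iterable[Policy],
                     manual: Dict[int, str]) -> Tuple[str, Optional[str]]:
    """Return (action, matched_policy) as the rule details screen would show."""
    if rule.sid in manual:                      # Rule adjustments win outright
        return manual[rule.sid], "__manual__"
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.matches(rule):
            return pol.new_action, pol.name
    return rule.action, None                    # nothing matched: file default


# Constructed sample rules. The first is a made-up emerging-p2p rule (alert by
# default, as the thread states for that ruleset); the second is the dnp3 rule
# quoted from the Suricata error log earlier in the thread (drop by default).
RULES = [
    parse_rule('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
               '(msg:"CONSTRUCTED P2P sample"; sid:1000001; rev:1;)', "emerging-p2p"),
    parse_rule('drop dnp3 any any -> $HOME_NET any (msg:"ETPRO SCADA DNP3 Enable '
               'Unsolicited Messages"; dnp3_func:enable_unsolicited; '
               'classtype:protocol-command-decode; sid:2821687; rev:3; '
               'metadata:created_at 2016_08_15, signature_severity Critical, '
               'updated_at 2021_02_17;)', "emerging-scada"),
]

# Assumed policy shapes (priority values are constructed): "Default filter"
# has no filters and turns everything into drop; the p2p policy is narrower.
DEFAULT_FILTER = Policy("Default filter", priority=10, new_action="drop")


def p2p_policy(filter_actions: Iterable[str]) -> Policy:
    return Policy("P2P to alert", priority=1, new_action="alert",
                  rulesets=frozenset({"emerging-p2p"}), actions=frozenset(filter_actions))


def resolve(policies: Iterable[Policy], manual: Optional[Dict[int, str]] = None):
    return {r.sid: effective_action(r, list(policies), manual or {}) for r in RULES}


def scenario_filter_on_drop():
    """The thread's first attempt: Action filter = Drop matches no p2p rule."""
    return resolve([DEFAULT_FILTER, p2p_policy({"drop"})])


def scenario_filter_on_alert_drop():
    """The suggested fix: Action filter = Alert + Drop, lower priority value wins."""
    return resolve([DEFAULT_FILTER, p2p_policy({"alert", "drop"})])


def scenario_manual_override():
    """A Rule adjustments entry overrides both policies for that SID."""
    return resolve([DEFAULT_FILTER, p2p_policy({"alert", "drop"})], manual={1000001: "drop"})


def scenario_all_disabled():
    """Both policies disabled: every rule falls back to its file default."""
    return resolve([Policy("Default filter", 10, "drop", enabled=False),
                    Policy("P2P to alert", 1, "alert", enabled=False)])


if __name__ == "__main__":
    for fn in (scenario_filter_on_drop, scenario_filter_on_alert_drop,
               scenario_manual_override, scenario_all_disabled):
        print(fn.__name__, fn())
```

The first scenario reproduces the symptom from the thread: with the p2p policy filtering on a default action of Drop, it matches nothing, so the catch-all "Default filter" turns the p2p rules into drop. Widening the filter to Alert + Drop lets the lower-priority-value policy win, and a manual adjustment wins over both. Note that the dnp3 rule would never actually load on the poster's box regardless of any policy: the log shows Suricata rejecting it at parse time because dnp3 app-layer detection is disabled in the YAML, which is a separate issue from the policy question.
-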
That action worked and all the P2P rules changed to alert, then when I changed the policy back to just "drop" it was still fine. So I disabled both my new policy and the default and now all the rules are back to just "alert" as it was before all this happened.
Now that I understand this a bit more I will try a few things out when I am on-site so as not to break my remote connection. Will let you know what happens.
-
That action worked and all the P2P rules changed to alert
Glad to hear.
when I changed the policy back to just "drop" it was still fine
Just do not rush to conclusions ;)
I will try a few things out when I am on-site so as not to break my remote connection
OK, just keep in mind that there were fixes after 21.1.2.
https://github.com/opnsense/core/issues/4753
fixed by #2696e42 and #8953d03
-
Is it possible for me to pull those fixes down for my install? I think I've done this before but I can't remember how it's done.
-
https://docs.opnsense.org/manual/opnsense_tools.html#id1 ;)
-
Thanks, and bookmarked 8)