Hi,
I am new to OPNsense, using OPNsense 21.1.4-amd64, and I think I have read all the relevant IPS documentation. Using the IDS, IPS, Promiscuous checks on, selected LAN interface.
The main problem is the Enable (Drop filter) is not shown, so all rules remain as Alert, which goes against the P in the IPS. See attach 1.
Also relevant, if I edit one ruleset, I no longer see the Input filter dropdown (thus, no way to select "Change all alerts to drop actions"). See attach 2.
To make this all even more bizarre, when disabling IDS/IPS and enabling them again (and re-enabling rules, then Apply), we found that:
- some tests are not even detected (i.e. test eicar.com.txt can be downloaded and nothing shows on Alerts tab). See attach 3. or
- something is detected and shown in the Alerts tab but... Accepted (i.e. "ET POLICY Dropbox.com Offsite File Backup in Use"). I don't have a screen capture of this right now.
Am I missing something very obvious? Thank you
I just could capture the dropbox "alert"
I am a newbie to OPNsense, too.
I can tell you that you get the eicar test done with a proxy and the antivirus plugin:
https://docs.opnsense.org/manual/how-tos/proxytransparent.html (https://docs.opnsense.org/manual/how-tos/proxytransparent.html)
https://docs.opnsense.org/manual/how-tos/proxyicapantivirus.html (https://docs.opnsense.org/manual/how-tos/proxyicapantivirus.html)
https://docs.opnsense.org/manual/how-tos/clamav.html?highlight=clamav (https://docs.opnsense.org/manual/how-tos/clamav.html?highlight=clamav)
Hi, sorry I'm not sure how your message is related to my question/s. Thank you
I have the same problem, missing those buttons in Download.
Did you solve the problem?
nope, i switched to pfsense instead, that was a no-go
Not the solution I was hoping to read. Thank you anyway.
As of 21.1 you can use policies to change rule behaviour (https://docs.opnsense.org/manual/ips.html#policies), to mimic the old behaviour just add a single policy rule matching the rulesets you want to drop and select "alert" as action (which is default for almost all supplied rules) and set "new action" to drop.
Old settings should have been migrated automatically.
The policy editor is available in the menu on the left (Services -> Intrusion detection -> Policy).
Best regards,
Ad
hi Ad,
not sure if you were referring to my first post, but this wasn't an upgrade or migration, those problems occurred during a clean install.
About where to find the filters, it was indeed, we changed that in 21.1.
Why rules won't match can have different reasons, I would always start by checking if an alert is triggered and what suricata thinks it should do with it (the Alerts tab). The quickest test usually is to enable our test rule (opnsense ruleset) and download eicar over http (your curl command looks ok in that regard).
The rules tab represents the current settings after applying your changes (query for eicar to see if it's set to drop).
Best regards,
Ad
Thank you, that wasn't very intuitive, but it's working!