I have configured Suricata on the WAN interface, enabled IPS mode, downloaded and installed ET Telemetry rules and added the token, created a policy with all rulesets selected, action set to Alert and new action set to Drop; the other parameters have all been left at default values.
I started getting alerts in Services > Intrusion Detection > Administration > Alerts; however, it shows 'allowed' in the action column instead of 'blocked'.
Could anyone kindly shed some light on how to properly configure Suricata in IPS mode to actually block traffic?
One thing I ran into that confused me is that the policy has a 'from' action (at the top) and a 'to' action (at the end). The top action is by default set to 'Drop'. So, if you change the bottom one to 'Drop' you are in effect saying: if the action is 'Drop' change it to 'Drop'.
Make sure that you create a policy to change (Action, top) 'Alert' to (New Action, bottom) 'Drop'.
Quote from: gctwnl on April 22, 2023, 12:52:32 PM
One thing I ran into that confused me is that the policy has a 'from' action (at the top) and a 'to' action (at the end). The top action is by default set to 'Drop'. So, if you change the bottom one to 'Drop' you are in effect saying: if the action is 'Drop' change it to 'Drop'.
Make sure that you create a policy to change (Action, top) 'Alert' to (New Action, bottom) 'Drop'.
I created a policy and did exactly that; however, I am still getting alerts instead of drops.
I forgot to mention I am running the latest OPNsense business 22.10.2.
I have made no progress so far. Was anybody else using the latest OPNsense 22.10.2 commercial edition able to configure IPS and get it working to drop incoming WAN traffic instead of just getting alerts?
I carefully read the official documentation multiple times; however, the traffic is not dropped.
Not the same OPNsense version, but you need to tick IPS mode in the Administration tab.
I enabled IPS mode and followed exactly the steps described in the official OPNsense documentation; however, it's not working. Any help in sorting out this issue would be greatly appreciated.
Ok, I missed that. If you go to Administration | Rules, there is a Filters drop-down; choose Action: Action/Drop. Do your rules appear there?
This is to verify, not to set.
My policies are slightly different, maybe you can try that:
Action (at top) is Alert, Drop.
New action (at bottom) is Drop.
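To make the two replies above concrete (gctwnl's 'Drop to Drop' no-op and cookiemonster's 'Alert, Drop -> Drop' policy), here is an added example, not code from OPNsense or from anyone in this thread. It models a policy as a rewrite of the leading action keyword of Suricata rule lines and then counts rules per action, which is the same check as filtering Administration | Rules by Action/Drop. The rule lines are constructed for the example and are not real ET Pro Telemetry signatures.

```python
import re

# Constructed sample rules (not real ET signatures): two alert rules, one drop rule,
# plus a comment line that must pass through untouched.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH scan"; sid:9000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"EXAMPLE RDP brute"; sid:9000002; rev:1;)
# comment line stays untouched
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE DNS probe"; sid:9000003; rev:1;)
"""

# A rule line starts with its action keyword; everything after it is kept as-is.
ACTION_RE = re.compile(r"^(alert|drop|pass|reject)\b(.*)$", re.IGNORECASE)


def apply_policy(rules_text, match_actions, new_action):
    """Model of a policy: rules whose current action is in match_actions
    ('Action', top of the form) get rewritten to new_action ('New action',
    bottom of the form). Other lines are returned unchanged."""
    wanted = {a.lower() for a in match_actions}
    out = []
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line.strip())
        if m and m.group(1).lower() in wanted:
            out.append(new_action + m.group(2))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def count_by_action(rules_text):
    """Count rules per action keyword: the equivalent of the Action/Drop filter
    in Administration | Rules. A policy that worked leaves no 'alert' rules."""
    counts = {}
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line.strip())
        if m:
            key = m.group(1).lower()
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(count_by_action(SAMPLE_RULES))                         # {'alert': 2, 'drop': 1}
    # Pitfall described above: Action=Drop -> New action=Drop changes nothing.
    noop = apply_policy(SAMPLE_RULES, ["drop"], "drop")
    print(count_by_action(noop))                                 # {'alert': 2, 'drop': 1}
    # Working policy: Action=Alert,Drop -> New action=Drop; every rule now drops.
    fixed = apply_policy(SAMPLE_RULES, ["alert", "drop"], "drop")
    print(count_by_action(fixed))                                # {'drop': 3}
```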
Quote from: cookiemonster on April 26, 2023, 02:41:15 PM
Ok, I missed that. If you go to Administration | Rules, there is a Filters drop-down; choose Action: Action/Drop. Do your rules appear there?
This is to verify, not to set.
My policies are slightly different, maybe you can try that:
Action (at top) is Alert, Drop.
New action (at bottom) is Drop.
My policy is configured exactly like that; the rules are also appearing in the drop-down selector, and I selected them all.
It's just that the policy doesn't get applied, and I can't understand why.
Any clues in /var/log/suricata/latest.log ?
Quote from: cookiemonster on April 26, 2023, 10:14:55 PM
Any clues in /var/log/suricata/latest.log ?
No, just IPS alerts logged, the same alerts shown in the GUI under Services > Intrusion Detection > Administration > Alerts.
My policy is configured as follows:
Enabled checked
Priority 0
Rulesets all selected
Action Alert, Drop
Rules
affected products Any
all the remaining items Nothing selected
New action Drop
I have enabled IPS for the WAN interface only and added my WAN IP subnet to Home Networks; IPS mode enabled, Promiscuous mode enabled, Pattern matcher set to Hyperscan, Detect profile set to High, Hardware offloading disabled in Interface > Settings, as indicated in the official documentation.
The only rules enabled and downloaded are ET Pro Telemetry Edition from OPNsense with a valid subscription.
I'm so sorry, I have no more ideas for this one.
I have upgraded to the latest OPNsense business 23.4 and the issue persists, so this definitely seems to be a bug; I hope the development team could have a look and fix it.