I just upgraded to 24.1.3_1, but I still cannot see this new checkbox, which would allow me to get rid of my current /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml customization:
https://github.com/opnsense/core/pull/7271/commits/70dfce8d5f95a5e71da48f145e01d1ce9d22503f
Did that change not make it into 24.1.3?
While the checkbox is not there yet, I think that the options were set by default to follow the Suricata 6 behavior.
> o intrusion detection: set exception-policy and app-layer.error-policy to their advertised defaults
This is what I understand from the release text.
Maybe the checkbox will be added later... but I don't know for sure.
> I think that the options were set by default to follow the Suricata 6 behavior.
That's what I thought as well when I read the upgrade announcement, but, apparently, the app-layer.error-policy value still follows Suricata 7 behavior: Our VNC repeater connections work in IPS mode only if I manually set
    app-layer:
      error-policy: ignore
in
/usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml.
The planned checkbox would allow me to get rid of that customization.
I have to admit that I'm not a Suricata expert. If there is a better way to "whitelist" a custom app-layer protocol to a specific port on a specific IP, I'm open to suggestions.
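A small POSIX shell check, added here as an example and not code from the thread, OPNsense or Suricata, that reads the policy values Suricata is actually running with instead of assuming the custom.yaml override took effect. It assumes that `suricata --dump-config` prints one `key = value` line per setting and that the rendered OPNsense config lives at /usr/local/etc/suricata/suricata.yaml.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense/Suricata.
# Reports which app-layer error policy a Suricata instance really
# applies, so a custom.yaml override can be confirmed rather than assumed.
# Assumptions: "suricata --dump-config" prints one "key = value" line
# per setting; the rendered OPNsense config path is
# /usr/local/etc/suricata/suricata.yaml.

# Print the value of KEY from dump-config output read on stdin.
dump_value() {
    awk -v k="$1" '$1 == k && $2 == "=" { print $3; exit }'
}

# Print "ok" when app-layer.error-policy is "ignore" (the Suricata 6
# behaviour the thread needs for VNC repeater sessions in IPS mode);
# otherwise print the value actually in force, or "unset" if absent.
check_error_policy() {
    v=$(dump_value app-layer.error-policy)
    if [ "$v" = "ignore" ]; then
        echo ok
    else
        echo "${v:-unset}"
    fi
}

# Constructed sample of dump-config output (not a real capture) with
# the override applied: error-policy is ignore, exception-policy is auto.
SAMPLE='exception-policy = auto
app-layer.error-policy = ignore
app-layer.protocols.tls.enabled = yes'

# Check the live instance when suricata is installed, else the sample.
if command -v suricata >/dev/null 2>&1; then
    suricata --dump-config -c /usr/local/etc/suricata/suricata.yaml \
        | check_error_policy
else
    printf '%s\n' "$SAMPLE" | check_error_policy
fi
```

Anything other than `ok` means the override in custom.yaml is not what the running Suricata uses, which is worth checking after each upgrade while the checkbox is still missing.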