OPNsense Forum

Archive => 24.1, 24.4 Legacy Series => Topic started by: chemlud on May 31, 2024, 12:39:07 PM

Title: Disabled IPS rule comes back to life again and again
Post by: chemlud on May 31, 2024, 12:39:07 PM
Hi!

On latest community release here. Have IPS configured and running for years, but due to a change in Linux repos on some machines, a rule for TOR endpoints (co-located on repo IP?) is firing for some time now.

At first I disabled the rule individually, but after 1-4 days the disabled rule turned to enabled again. Several times, for weeks now.

Btw this happens on TWO installs of OPNsense.

I tried "Policy" and chose the rule set tor.rules (from alerts) and "Action" as "Disabled". Applied. Works for some hours, then the alerts/blocks are back.

What is the way to disable this specific rule/rule set? It's spamming my alert email account.

Title: Re: Disabled IPS rule comes back to life again and again
Post by: chemlud on June 01, 2024, 11:20:48 PM
Maybe a sign of a dying SSD? SMART looked good recently, but after the update to 24.1.8 the box did not come back. Remote re-install the hard way :-/

Title: Re: Disabled IPS rule comes back to life again and again
Post by: chemlud on June 15, 2024, 04:03:13 PM
SSD was new when installing OPNsense in March, so apparently not failing SSD. Today the IPS rule came back to life... Sigh...

Title: Re: Disabled IPS rule comes back to life again and again
Post by: Greg_E on June 17, 2024, 03:05:26 PM
Did you disable the rule or set it to allow? I would try the opposite of one of these to see what happens. Yes, I know allow will still generate a message, but if it gets the function working, is it better than not working?

Title: Re: Disabled IPS rule comes back to life again and again
Post by: franco on June 17, 2024, 03:12:59 PM
First, make sure the config.xml stays correct. If so, and the SID is back in the final ruleset, it should be easy to report to GitHub with the necessary details.


Cheers,
Franco