OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: shred on September 10, 2019, 03:04:34 am

Title: Some rules in a ruleset not enabled by default?
Post by: shred on September 10, 2019, 03:04:34 am
On the Intrusion Detection -> Administration page, I noticed when I select a Ruleset on the Downloads page, enable it and then select Download & Update Rules, it enables and downloads fine but when I look at the Rules tab, I see some rules are enabled and others are not. A few questions:

1. Why is this? If I enable a ruleset, I would have thought all of the rules would either be enabled or disabled but that doesn't seem to be the case. What determines which ones are enabled or disabled by default?

2. Is there a quick way to disable or enable all of the rules within a ruleset?

Title: Re: Some rules in a ruleset not enabled by default?
Post by: bunchofreeds on September 12, 2019, 12:45:37 am
I'm not 100% sure of this but I believe the scheduled download of rules will not only add/remove rules within the selected rule-sets, but it will also enable/disable rules as recommended by some 'governing' body.

A consideration could be that any adjustments to what is downloaded 'might' be overwritten by the scheduled download of rules and any sets it updates?

I have not found a way to easily enable/disable ALL rules within a particular rule-set. I have also asked this question but have not had any clarification on whether it's a coming feature or whether that is not easily possible.
The only method I do know of is within the 'Rules' tab: search for your rule-set (e.g. emerging-malware), increase the result count to 1000, then select all and 'Enable', then 'Drop' or 'Alert'.
Of course expect an increase in resource utilisation of your OPNsense appliance...

I would also appreciate any information or guidance regarding this.

Thanks

Title: Re: Some rules in a ruleset not enabled by default?
Post by: bunchofreeds on September 12, 2019, 02:16:18 am
Thought I'd look up a rule and trace it back to the rule-set, and then I followed a link within OPNsense to the definition and a great FAQ.

https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ

All of this information was available to me all the time within OPNsense, linking to external information for an FAQ etc. But I basically hadn't read it...

Sorry OPNsense

Title: Re: Some rules in a ruleset not enabled by default?
Post by: shred on September 12, 2019, 03:33:56 am
Thanks for posting that link. I've seen it before but I must have completely missed that section. I'm assuming you're referring to this paragraph on that site:

"Occasionally a rule performs badly or has the potential to generate false positives but the detection logic is valuable. In this case ET will ship the rule disabled, and you can enable the rule through use of a rule manager such as oinkmaster or pulledpork."

I'm also assuming these are the rules that are not enabled by default when you load a ruleset in OPNsense. I guess if they are enabled in the future, do they automatically get enabled when the ruleset is updated in OPNsense?
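Added example, not code from OPNsense or Emerging Threats and not part of this thread. The ET FAQ paragraph quoted above refers to rules that are shipped disabled, which in a Suricata-format .rules file means the rule line is present but commented out with a leading `#`. The script below works on such a raw rules file: it parses a constructed sample (all sids, messages and rule bodies are made up), reports which rules are enabled or disabled, performs the bulk "enable, then set to drop or alert" change that bunchofreeds described doing through the Rules tab, and keeps the local overrides in a small policy map that is re-applied after each refresh, which is one way to handle the concern that a scheduled rule download overwrites manual adjustments. It does not touch OPNsense's own configuration.

```python
"""Inspect and bulk-toggle rules in a Suricata/ET-style .rules file.

Added example for the thread above; not OPNsense or Emerging Threats code.
The sample rules are constructed for illustration and the sids are made up.
"""
import re
from dataclasses import dataclass

# Actions that can begin a Suricata rule line (longer variants listed first
# so the regex alternation does not stop at the shorter prefix).
ACTIONS = ("rejectboth", "rejectsrc", "rejectdst", "reject", "alert", "drop", "pass")

# A rule line, optionally "disabled" by a leading '#'. The body must contain
# the parenthesised option block, so plain comments do not match.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>" + "|".join(ACTIONS) + r")\s+(?P<rest>.*\(.*\)\s*)$"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"\s*;')

# Constructed sample: one enabled alert, one rule shipped disabled, one drop rule.
SAMPLE = """# Sample header comment (constructed, not a rule)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT sample enabled rule"; flow:to_server,established; content:"|ff|SMB"; sid:9000001; rev:2;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE sample rule shipped disabled"; flow:established,to_server; content:"GET"; sid:9000002; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"ET MALWARE sample drop rule"; flow:to_server; sid:9000003; rev:1;)
"""


@dataclass
class Rule:
    lineno: int
    enabled: bool
    action: str
    sid: int
    msg: str


def parse_rules(text):
    """Return one Rule per rule line; plain comments and blank lines are skipped."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        sid = SID_RE.search(m.group("rest"))
        if not sid:
            continue  # a comment that merely starts with an action word
        msg = MSG_RE.search(m.group("rest"))
        rules.append(Rule(n, m.group("disabled") is None, m.group("action"),
                          int(sid.group(1)), msg.group(1) if msg else ""))
    return rules


def summarize(text):
    """Counts of enabled vs. disabled (commented-out) rules in the file."""
    rules = parse_rules(text)
    return {"total": len(rules),
            "enabled": sum(r.enabled for r in rules),
            "disabled": sum(not r.enabled for r in rules)}


def rewrite(text, sids, enabled=None, action=None):
    """Return the file with the rules whose sid is in `sids` enabled/disabled
    and/or given a new action. `None` leaves that attribute unchanged."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        sid = SID_RE.search(m.group("rest")) if m else None
        if m and sid and int(sid.group(1)) in sids:
            new_action = action or m.group("action")
            is_enabled = (m.group("disabled") is None) if enabled is None else enabled
            prefix = "" if is_enabled else "# "
            line = f"{prefix}{new_action} {m.group('rest')}"
        out.append(line)
    return "\n".join(out) + "\n"


def apply_policy(text, policy):
    """Re-apply local overrides {sid: (enabled, action_or_None)} to a freshly
    downloaded vendor file, so they survive a scheduled ruleset refresh."""
    for sid, (enabled, action) in policy.items():
        text = rewrite(text, {sid}, enabled=enabled, action=action)
    return text


if __name__ == "__main__":
    print(summarize(SAMPLE))
    # Enable everything found and switch it to drop, like the bulk GUI action.
    all_sids = {r.sid for r in parse_rules(SAMPLE)}
    print(rewrite(SAMPLE, all_sids, enabled=True, action="drop"))
```

Run it against a real downloaded rules file by replacing `SAMPLE` with the file's contents; `summarize` then shows how many rules the vendor shipped commented out, and `apply_policy` is the hook to call after each download if you maintain your overrides outside the vendor file.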