OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: kc6785 on April 05, 2020, 08:26:46 pm

Title: disabled IDS alert still alerting
Post by: kc6785 on April 05, 2020, 08:26:46 pm
Hi, forgive me for another newbie question.

I downloaded and enabled all the rulesets in the IDS with alert only, and am getting lots of alerts, but only from a few rules. So on the Alerts tab, I clicked on the Info icon on an alert, and unchecked the "Enabled" box in the pop-up Alert Info window. So this Alert should be disabled now. I reclicked the "info" icon and reopened the Info window to confirm.

But even after I restarted the service, or restarted the OPNsense box, the same alert is still coming.

What did I miss? How do I really disable this alert or rule?

Thanks in advance for your help.

Title: Re: disabled IDS alert still alerting
Post by: kc6785 on April 08, 2020, 03:33:05 am
I will add a little more detail to this problem.

For example, one of the alerts I just got again is "ET INFO WinHttp AutoProxy Request wpad.dat Possible BadTunnel". If I click the Info icon to the right of the alert instance, the Alert Info window pops up. At the bottom of the window, Configured Action: Alert is selected, but Enabled is unchecked.

If I go to Rules, and find this rule 2022913, the Enabled check box to the right of this rule is also unchecked.

So you see, this rule is disabled, but the alerts are still coming for this rule.

Can anyone help?