OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: siga75 on January 31, 2021, 03:13:17 pm

Title: suricata: cannot edit action anymore
Post by: siga75 on January 31, 2021, 03:13:17 pm
I wanted to change some pt.research rule from drop to alert, but it's not possible anymore: both from the alert tab and from the rules tab itself, the change is not taken.
Title: Re: suricata: cannot edit action anymore
Post by: madj42 on January 31, 2021, 05:09:10 pm
I can confirm this. I haven't had much time myself to look at logs. Have you been able to see if any of the system or suricata logs say anything?
Title: Re: suricata: cannot edit action anymore
Post by: andreaslink on January 31, 2021, 05:24:57 pm
I can second this as well.

I got some false positives (at least I hope they were false) on SID 2018375 "ET EXPLOIT TLS HeartBeat Request (Server Initiated) fb set", where I would like to see/test if it is making sense; so for testing I wanted to set this one from "Drop" to "Alert" only, but the change is not saved, even after applying and a restart of the service.
Title: Re: suricata: cannot edit action anymore
Post by: tcpip on February 01, 2021, 10:44:48 am
I discovered this issue because some pt.research rules (11002816, 11003611) created false positives and I wanted to edit the rules. So, I can confirm the issue. For me this seems to only happen when using a policy which overwrites the action and then editing a rule to overrule the policy.

After excluding the pt.research rules from my policy to overwrite alerts with drops, there were no more alerts in the alerts tab. Even though the rules are set to alert by default. Very strange.