OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: sja1440 on February 02, 2021, 07:28:57 pm

Title: How can I change a single rule in IDS/IPS from Drop to Alert?
Post by: sja1440 on February 02, 2021, 07:28:57 pm
I would like to modify the action of a single IDS/IPS rule from Drop to Alert because it is generating false positives on my system.

Making the change directly on the rule in the Rules tab and applying has no effect.

I can see no way of using the Policy settings to target a single rule. It seems that I can only use Policy for a whole class of rules.

Can somebody help me do this please?

Title: Re: How can I change a single rule in IDS/IPS from Drop to Alert?
Post by: sja1440 on February 02, 2021, 07:36:23 pm
I rechecked after ten minutes or so and I see that my change had taken effect.

So after making your change in the Rules tab, and applying it, you will see that the old action is still being reported. Just wait a few minutes and it will change to the desired status.

Title: Re: How can I change a single rule in IDS/IPS from Drop to Alert?
Post by: AdSchellevis on February 02, 2021, 08:12:00 pm
Hi,

There was a bug in the single rule edit when a policy matched as well (https://github.com/opnsense/core/issues/4658), not sure if that's also your issue.
To witness the effect of configured policies, you do need to apply them since the rule view shows the installed actions (or single rule modifications when patched with the diff in the issue).

Best regards,

Ad

Title: Re: How can I change a single rule in IDS/IPS from Drop to Alert?
Post by: sja1440 on February 06, 2021, 02:54:01 pm
Thank you for the response. I suspect that my main issue was that I did not fully understand how Policy was working. For the moment I have simply disabled the single rule rather than try to downgrade from Drop to Alert.