OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: HenrysCat on February 16, 2021, 12:54:06 pm

Title: Change Action to Drop in bulk
Post by: HenrysCat on February 16, 2021, 12:54:06 pm
Under Services > Intrusion Detection > Administration, is there an easy way to set all enabled to Drop? I have spent the best part of an hour searching to no avail; the list has 60814 entries and I can show max 1000 per page, and if I select Filters > status/enabled nothing changes.

I'm sure I'm missing something obvious but just can't find it.

Thanks all.
Title: Re: Change Action to Drop in bulk
Post by: errored out on February 17, 2021, 03:57:36 am
List all the rules you want to configure to drop. Click the check box at the top of the list (to the left of sid). This will select (check) all the rules listed below the sid checkbox. Then click on drop at the bottom of the rule list (below the last rule).
Title: Re: Change Action to Drop in bulk
Post by: HenrysCat on February 17, 2021, 07:02:45 am
I found that but there are 60k to go through, not really practical.

Is there any clear documentation or forum post on how to configure the policy section, again I have searched but found nothing useful.

Thanks
Title: Re: Change Action to Drop in bulk
Post by: errored out on February 21, 2021, 06:19:58 am
I don't remember enabling the rules. I believe they were already enabled by default; at least the important ones, i.e. DOS, malware, trojans, etc. Are all the rules disabled by default?

Thanks for helping me on my other thread.
https://forum.opnsense.org/index.php?topic=21573.0
Title: Re: Change Action to Drop in bulk
Post by: mimugmail on February 21, 2021, 06:39:12 am
> Under Services > Intrusion Detection > Administration, is there an easy way to set all enabled to Drop? I have spent the best part of an hour searching to no avail; the list has 60814 entries and I can show max 1000 per page, and if I select Filters > status/enabled nothing changes.
>
> I'm sure I'm missing something obvious but just can't find it.
>
> Thanks all.

In Tab Downloads per category should be one
Title: Re: Change Action to Drop in bulk
Post by: Superduke on February 22, 2021, 09:00:03 pm
> > Under Services > Intrusion Detection > Administration, is there an easy way to set all enabled to Drop? I have spent the best part of an hour searching to no avail; the list has 60814 entries and I can show max 1000 per page, and if I select Filters > status/enabled nothing changes.
> >
> > I'm sure I'm missing something obvious but just can't find it.
> >
> > Thanks all.
>
> In Tab Downloads per category should be one

I was searching for the same functionality since the 21.1 migration.  I haven't found one yet and there is nothing shown in the Downloads tab of note.....has anyone solved this yet?  Seems pointless that an IDS/IPS can't prevent without hours of mindless clicking 'enable'.....
Title: Re: Change Action to Drop in bulk
Post by: HenrysCat on February 22, 2021, 09:52:31 pm
I finally figured it out, you have to set up a policy.
Under Rulesets tick the ones you want then set up as in screenshot.

(https://i.imgrpost.com/imgr/2021/02/22/IDS-policy.md.png) (https://imgrpost.com/image/DtLc2)
Title: Re: Change Action to Drop in bulk
Post by: Superduke on February 23, 2021, 02:02:32 pm
Thank you.....I did have a policy set up, but the alerts log still seemed to show that it wasn't blocked or dropped.

But I deleted that one and created a new one just in case.  FWIW, I ran a speedtest and my performance goes WAY down....since the 21.1 migration, suricata isn't playing nice....not sure why.
Title: Re: Change Action to Drop in bulk
Post by: NetworkNinja on March 01, 2021, 02:52:05 am
The option to Bulk set the Action on the ruleset is missing. Is it a bug?

https://imgur.com/jD9EUq7