OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: Sundial on July 08, 2016, 03:29:29 am

Title: Block Suricata Rules
Post by: Sundial on July 08, 2016, 03:29:29 am
I just installed a fresh copy of 16.7.r1 in a small production environment.  I'm testing out the Suricata Intrusion Detection feature.  I currently have it set up to alert and not drop anything so that I can gather some information for tuning before I drop.  However, when I disable a rule in the "Rules" tab by unchecking the "Enabled" box for the rule, I still keep getting alerts.  Even after a reboot, the rule is still unchecked but the alert for that rule keeps happening.  Any advice would be appreciated.

Title: Re: Block Suricata Rules
Post by: Sundial on July 08, 2016, 02:06:09 pm
I'm not sure what was happening the first time, but since the last Rule download and update everything appears to work as I would expect.  I can now manually disable a rule and it actually appears to disable.

Title: Re: Block Suricata Rules
Post by: franco on July 08, 2016, 06:03:01 pm
If that should happen again, please let us know.

Title: Re: Block Suricata Rules
Post by: Julien on July 08, 2016, 11:20:17 pm
Hi Sundial,
I just tested this and it seems to be OK on my OPNsense VM.
Just to double check: after changing the rules from drop to alert, you have to download the rules again and apply them.

Title: Re: Block Suricata Rules
Post by: Sundial on July 09, 2016, 06:03:05 am
Not any more.  I downloaded the rules initially and then after getting lots of alerts, I tried to disable them (including clicking Apply on the Rules tab).  The rules never seemed to "Apply".  Then I manually downloaded the rules again.  After the second manual download everything is working like I'd expect and I can't repeat the "bad" behavior or explain it.  During the bad times, I was having some random, intermittent web interface issues (it would freeze or have extra long pauses and sometimes require restarting...and yes, I was very patient waiting several minutes...and the machine is a quad core i3 with 4GB RAM and SSD).  Perhaps the web interface issues are the real culprit.  However, almost all of those issues are gone now even though I haven't really changed anything but did reboot a few times.  I'm sorry I can't provide real diagnostic information, but everything has been working as I'd expect for over a day now.
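The thread never gets diagnostic data, so the check a practitioner would want is to look past the web interface and confirm what Suricata actually loaded: in the generated rules file, a disabled rule is a rule line commented out with a leading `#`, and an enabled one starts with its action (alert, drop, ...). The script below is an added example, not code from OPNsense or from anyone in this thread. It parses a rules file into {sid: action, enabled} and reports every sid whose effective state differs from what you expected. The sample rules text and the sids in it are constructed for the demonstration; the rules file path is a placeholder argument, since the thread does not name where OPNsense writes the generated file.

```python
import re
import sys

# Constructed sample of what a Suricata rules file looks like after one rule
# (sid 9000002) has been disabled: Suricata ignores lines that start with '#'.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE telnet"; sid:9000002; rev:2;)
drop udp any any -> $HOME_NET 53 (msg:"EXAMPLE dns"; sid:9000003; rev:1;)
# a plain comment, not a rule
"""

# A rule line: optional '#' (disabled), the action keyword, then somewhere later
# the 'sid:<number>' option that identifies the rule.
RULE_RE = re.compile(
    r"^\s*(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+.*?\bsid\s*:\s*(?P<sid>\d+)"
)


def parse_rules(text):
    """Return {sid: {"action": str, "enabled": bool}} for every rule line in text."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and free-form comments carry no sid
        sid = int(m.group("sid"))
        rules[sid] = {"action": m.group("action"), "enabled": m.group("disabled") is None}
    return rules


def check_expected_state(text, expected):
    """expected maps sid -> "disabled", "alert" or "drop".

    Returns a list of (sid, reason) for every rule whose effective state in the
    file does not match; an empty list means the file reflects your intent.
    """
    rules = parse_rules(text)
    problems = []
    for sid, want in expected.items():
        got = rules.get(sid)
        if got is None:
            problems.append((sid, "missing"))
        elif want == "disabled" and got["enabled"]:
            problems.append((sid, "still enabled"))
        elif want != "disabled" and (not got["enabled"] or got["action"] != want):
            state = "disabled" if not got["enabled"] else got["action"]
            problems.append((sid, f"is {state}, expected {want}"))
    return problems


if __name__ == "__main__":
    # Usage: python check_rules.py /path/to/generated.rules   (path is your own;
    # with no argument the constructed sample above is parsed instead)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_RULES
    for sid, info in sorted(parse_rules(text).items()):
        print(sid, info["action"], "enabled" if info["enabled"] else "DISABLED")
```

Run it against the generated rules file after clicking Apply; if a sid you unchecked in the GUI still shows as enabled there, the problem is in rule generation or application, not in Suricata, and that is the evidence to attach to a bug report. If the file shows it disabled but alerts continue, Suricata has not reloaded the file, which points at the restart/reload step instead.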