Messages - Adam

#1
Hello,

can one of the professionals here in the forum please help me out or explain why the rules get reloaded every minute? I didn't find any explanation about it in the documentation.

Attached is a screenshot of the log file as an example.

Regards
Adam
#2
Hello,

after I configured the Intrusion Detection in OPNsense, I wanted to know that the system is doing what it should do. So I looked at the URLhaus database https://urlhaus.abuse.ch/browse/ for malware URLs to test my configuration. Surprisingly, it didn't block some of the malware URLs. I tried the same with the rules listed in the Rules tab under Services: Intrusion Detection: Administration. I arbitrarily chose a rule and here, too, not all downloadable files got blocked.

Here are two examples: the first one has Signature Id 80863915 and the second has Signature Id 80874829.
- The URL http://ajansred.com/audio/image.ico from the first rule got blocked as expected.
- The URL https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-278-1/1dd5709c6955b3627c0ef0171519dd38.zip from the second rule didn't get blocked. These are only two examples; there are several more which the system lets pass without blocking. Not even a log entry is made.

The second thing I found out was that in the Rule configuration tab around 340 rules were not set to Block, even though all rulesets are configured to drop. There are no errors or warnings in the log and the system in general is running really fine. I'm running version 19.1.4 and the Suricata version is 4.1.3. No special configuration was made, nor are a lot of packages running. Just the firewall, proxy, Unbound and Intrusion Detection. The only rulesets I enabled are the four from abuse.ch. The rulesets are also up to date and enabled.

Can someone confirm what I found out on my system, or is it just the behaviour of my machine?

Regards
Adam
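An added check for the observation in post #2 (example code, not from the original thread or from OPNsense/Suricata): it parses Suricata rule lines, skips comments and commented-out rules, and lists the sids whose action is not `drop`. The rule lines below are constructed samples that reuse the two sids quoted above; they are not the real abuse.ch signatures.

```python
import re
import sys
from collections import Counter

# Constructed sample rules in Suricata syntax (not the real abuse.ch signatures);
# the first two sids are the ones quoted in the post, the third is made up.
SAMPLE_RULES = """\
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"sample rule A"; content:"/audio/image.ico"; http_uri; sid:80863915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"sample rule B"; content:"/publicDatasets/"; http_uri; sid:80874829; rev:1;)
# a comment line and a disabled (commented-out) rule must both be ignored
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"disabled"; sid:80000001; rev:1;)
"""

# Capture the action keyword, the protocol and the sid option; the rest of the
# rule header and options are not needed for this check.
RULE_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>\S+)\s+.*\bsid\s*:\s*(?P<sid>\d+)\s*;"
)


def parse_rules(text):
    """Return one dict per active rule: action, protocol and numeric sid."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:  # blank lines, comments and commented-out rules do not match
            rules.append({"action": m["action"], "proto": m["proto"], "sid": int(m["sid"])})
    return rules


def action_counts(rules):
    """Count active rules per action, e.g. how many are alert instead of drop."""
    return Counter(r["action"] for r in rules)


def not_dropping(rules):
    """sids of active rules whose action is anything other than drop."""
    return sorted(r["sid"] for r in rules if r["action"] != "drop")


if __name__ == "__main__":
    # Pass a path to a .rules file to check a real ruleset; otherwise the samples run.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    parsed = parse_rules(text)
    print(dict(action_counts(parsed)))
    print("not set to drop:", not_dropping(parsed))
```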