Intrusion Detection and Prevention / Suricata Policies not working as expected?
« on: February 23, 2023, 04:39:07 am »
Hello,
Running OPNsense 23.1.1_2 with Suricata enabled as IPS.
I wanted to update which rules are enabled and drop/alert and decided to clean up all my policies, rule adjustments and enabled rulesets and start back from scratch.
I then enabled the following rulesets:
- abuse.ch/Feodo Tracker
- abuse.ch/SSL Fingerprint Blacklist
- abuse.ch/SSL IP Blacklist
- abuse.ch/ThreatFox
- abuse.ch/URLhaus
- ET open/drop
- ET open/dshield
- ET open/emerging-malware
- ET open/emerging-mobile_malware
I then went and created a first policy that I called "Disable all" which, as its name indicates, disables all rules ("Nothing Selected" everywhere and New Action = Disable).
I enabled it and applied and then went to check that all rules were indeed disabled.
Then I disabled that "Disable all" rule and created a new one called "Specific Ruleset all rules drop".
In the "Specific Ruleset all rules drop" I selected the following rulesets:
- abuse.ch/Feodo Tracker
- abuse.ch/SSL Fingerprint Blacklist
- abuse.ch/SSL IP Blacklist
- abuse.ch/ThreatFox
- abuse.ch/URLhaus
- ET open/drop
- ET open/dshield
I made sure that policy "Specific Rulesets all rules drop" was the only one enabled and clicked "Apply".
But then, when I go and check the rule list, the first thing I observe is that a lot of rules are enabled, but on alert (instead of drop).
Also I can see some (but not all) of the rules from the rulesets I did not select (ET open/emerging-malware and ET open/emerging-mobile_malware) are enabled and set to alert as well, when they should have remained disabled.
I initially created both policies with priority 0 (and as described above, I was making sure I only enable one at a time when I click "apply"), and then I tried them again by assigning different priorities to them (and still making sure only one is enabled when I hit "apply"), but that did not make a difference.
I do not remember running into this problem back in OPNsense 22.x.
Am I doing something wrong here, or could something have changed in OPNsense 23.x?
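As an added example (not from the post, and not OPNsense or Suricata code), here is a small Python check that parses Suricata rule files and tallies, per file, how many rules are enabled or commented out and with which action, then flags files whose state does not match the intent of a "selected rulesets drop, everything else disabled" policy. The sample rule lines and file names are constructed, and the rules directory path is an assumption to be adjusted for your install.

```python
import re
from collections import Counter
from pathlib import Path

# Constructed sample rule lines, keyed by a hypothetical ruleset file name.
SAMPLE_RULES = {
    "abuse.ch.urlhaus.rules": [
        'drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus sample 1"; sid:1; rev:1;)',
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus sample 2"; sid:2; rev:1;)',
    ],
    "emerging-malware.rules": [
        '# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"malware disabled"; sid:3; rev:1;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"malware still on"; sid:4; rev:1;)',
    ],
}

# A rule line optionally starts with '#' (disabled), then the action keyword.
RULE_RE = re.compile(
    r"^\s*(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+\S"
)

def classify(line):
    """Return ('enabled'|'disabled', action) for a rule line, or None for comments/blank lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    return ("disabled" if m.group("disabled") else "enabled"), m.group("action")

def summarize(rules_by_file):
    """Count rules per file by (state, action)."""
    summary = {}
    for fname, lines in rules_by_file.items():
        counts = Counter(r for r in map(classify, lines) if r)
        summary[fname] = dict(counts)
    return summary

def unexpected(summary, drop_files):
    """Files in drop_files should contain only enabled drop rules; all other files
    should contain no enabled rules at all. Return the counts that violate this."""
    problems = {}
    for fname, counts in summary.items():
        bad = {k: v for k, v in counts.items()
               if (fname in drop_files and k != ("enabled", "drop"))
               or (fname not in drop_files and k[0] == "enabled")}
        if bad:
            problems[fname] = bad
    return problems

def load_rules_dir(path="/usr/local/etc/suricata/rules"):  # assumed path; adjust to your install
    """Read every *.rules file in a directory into the same shape as SAMPLE_RULES."""
    return {p.name: p.read_text(errors="replace").splitlines() for p in Path(path).glob("*.rules")}
```

Run `unexpected(summarize(load_rules_dir()), {...selected file names...})` on the firewall to see exactly which files still carry enabled alert rules after an Apply.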