17.7 Legacy Series / Intrusion Detection - Enabling/Disabling Rules
« on: October 31, 2017, 01:39:48 am »
Good afternoon,
I'm in the market to purchase some hardware to install a firewall such as OPNsense. I've spent several hours over the past few days messing with pfSense, OPNsense and SophosXG on VirtualBox to see which one I'd like to go with. So far I'm leaning towards OPNsense based on a number of different reasons, but one thing I'm trying to understand is the Intrusion Detection. I've set up the Intrusion Detection and downloaded/enabled the 'OPNsense/test rules' to make sure it works when I access http://www.eicar.org/download/eicar.com.txt and sure enough, I see it in the Alerts (this test method is great by the way and is probably worth adding into the User Guide... only discovered it by searching/reading the forums). After that, I started downloading/enabling several other ET open rules as well, but when I view the 'Rules' tab, I'm a bit confused as to how each rule becomes enabled/disabled. I assumed that if I enabled the entire rule set from the 'Download' tab (i.e. ET open/malware), it would enable all of the corresponding rules associated with it in the 'Rules' tab. However, I've noticed when I disable certain rule sets, the corresponding rules are still enabled. The opposite is true as well, where I enable a rule set but the specific rules are not enabled. Hopefully that makes sense, but I'm just wondering what I'm missing here...
Edit: As an example, I selected all of the rule sets under 'Download' and clicked 'Disable selected'. All of them are showing as being disabled (X under every rule set in the Enabled column). However, under the 'Rules' tab, I'm still seeing specific rules enabled (box is checked in the Info/Enabled column) and I'm seeing new alerts show up. Pictures attached.
Second question while I'm on this topic - One thing I liked about pfSense was the ability to suppress or disable the rule from the Alerts view. Is there any way to do this in OPNsense? When I click the info button, the only option I see that is close to what I'm trying to do is the 'Alert action/sid' drop down box that only lets me switch between Alert and Drop.
Anyways, thanks to everyone that is a part of this OPNsense platform and the work you've put in. It's definitely looking like the platform I'm going to end up going with.