Disabled IPS rule comes back to life again and again

Started by chemlud, May 31, 2024, 12:39:07 PM

Hi!

On latest community release here. Have IPS configured and running for years, but due to a change in Linux repos on some machines, a rule for TOR endpoints (co-located on repo IP?) is firing for some time now.

At first I disabled the rule individually, but after 1-4 days the disabled rule turned to enabled again. Several times, for weeks now.

Btw, this happens on TWO installs of OPNsense.

I tried "Policy" and chose the rule set tor.rules (from alerts) and "Action" as "Disabled". Applied. Works for some hours, then the alerts/blocks are back.

What is the way to disable this specific rule/rule set? It's spamming my alert email account.
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Maybe a sign of a dying SSD? SMART looked good recently, but after the update to 24.1.8 the box did not come back. Remote re-install the hard way :-/
kind regards
chemlud

SSD was new when installing OPNsense in March, so apparently not failing SSD. Today the IPS rule came back to life... Sigh...
kind regards
chemlud

Did you disable the rule or set it to allow? I would try the opposite of one of these to see what happens. Yes I know allow will still generate a message, but if it gets the function working is it better than not working?

First make sure the config.xml stays correct. If so and the SID is back in the final ruleset it should be easy to report to GitHub with the necessary details.


Cheers,
Franco
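As an added example (not from this thread and not OPNsense's own code), a small script that performs the two checks Franco suggests in one pass: does the per-SID override still exist in config.xml with enabled=0, and does the SID still appear as a live (uncommented) rule in the generated Suricata rule file? The config.xml layout (OPNsense/IDS/rules/rule with sid, enabled and action children), the file locations in the comments, and the SID number and rule lines used as sample input are all assumptions or constructed data, not taken from the thread.

```python
"""Cross-check an OPNsense IDS rule override against the generated ruleset.

Added example, not OPNsense code. Assumed (unverified) layout of config.xml:
  <opnsense><OPNsense><IDS><rules><rule><sid>…</sid><enabled>0|1</enabled>…
Assumed paths on a real box: /conf/config.xml for the config and the
Suricata rule files under /usr/local/etc/suricata/ (adjust for your install).
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional


def override_for_sid(config_xml: str, sid: int) -> Optional[dict]:
    """Return the per-SID override stored in config.xml, or None if absent."""
    root = ET.fromstring(config_xml)
    for rule in root.findall("./OPNsense/IDS/rules/rule"):
        if (rule.findtext("sid") or "").strip() == str(sid):
            return {
                "enabled": (rule.findtext("enabled") or "").strip() == "1",
                "action": (rule.findtext("action") or "").strip() or None,
            }
    return None


def sid_state_in_rules(rules_text: str, sid: int) -> Optional[str]:
    """Return 'active' if an uncommented rule carries this SID, 'commented'
    if it only appears in commented-out lines, None if it is not present."""
    pat = re.compile(r"\bsid\s*:\s*%d\s*;" % sid)
    state = None
    for line in rules_text.splitlines():
        if not pat.search(line):
            continue
        if line.lstrip().startswith("#"):
            state = state or "commented"
        else:
            return "active"  # a live rule wins over any commented copies
    return state


def check_sid(config_xml: str, rules_text: str, sid: int) -> str:
    """Classify the override/ruleset combination for one SID."""
    override = override_for_sid(config_xml, sid)
    state = sid_state_in_rules(rules_text, sid)
    if override is None:
        return "no-override"          # GUI change never landed in config.xml
    if not override["enabled"] and state == "active":
        return "override-ignored"     # config says disabled, rule still live: worth a bug report
    if not override["enabled"]:
        return "consistent-disabled"
    return "consistent-enabled"


# --- constructed sample data (SID and rule text are made up for the example) ---
SAMPLE_SID = 1000001

CONFIG_DISABLED = """<opnsense><OPNsense><IDS><rules>
  <rule uuid="00000000-0000-0000-0000-000000000000">
    <sid>1000001</sid><enabled>0</enabled><action>alert</action>
  </rule>
</rules></IDS></OPNsense></opnsense>"""

CONFIG_NO_OVERRIDE = "<opnsense><OPNsense><IDS><rules/></IDS></OPNsense></opnsense>"

RULES_ACTIVE = (
    'alert ip [192.0.2.10] any -> $HOME_NET any '
    '(msg:"constructed TOR test rule"; sid:1000001; rev:1;)\n'
)
RULES_COMMENTED = "#" + RULES_ACTIVE


if __name__ == "__main__":
    # On a real box, replace the constants with the contents of the assumed
    # paths above; here we just run the constructed samples.
    for name, rules in (("active", RULES_ACTIVE), ("commented", RULES_COMMENTED)):
        print(name, "->", check_sid(CONFIG_DISABLED, rules, SAMPLE_SID))
```

If the script reports "override-ignored" right after a reload, the override is being stored but not applied, which is the GitHub-report case; "no-override" after the GUI showed the rule as disabled means the change never reached config.xml in the first place, and the two installs can be compared by diffing their output.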