Simple IPS Policy Question for New User

Started by evanevery, December 25, 2024, 06:09:07 PM

December 25, 2024, 06:09:07 PM Last Edit: December 25, 2024, 06:14:09 PM by evanevery
I've been networking since the early '80s (including installation of the second DEC SEAL firewall on the Internet).  I'm moving from a WatchGuard M370 to a Deciso DEC3842 router/firewall at my home.  I was pretty comfortable with the WatchGuard configuration, but I currently find some of the OPNsense workflow a little confusing.  I'm sure this will all pass with time.  Anyway...

Searched this forum (lots of good info), but I have a simple question which I'm losing in the details...

- I chose several Rule Sets to download/enable for IPS, and
- Wrapped them in a single policy with "Action = Alert, Drop" -> "New Action = Alert"

I monitored the alerts for a while and now I want to "promote" a single rule set to "Drop" ("ET open/emerging scan")

Would it be best practice to remove that one ruleset from my "Alert" policy (priority 1) and then simply add it to a new "Drop" policy (priority 0)?  I'm also guessing that a "DROP" action will also "Alert", right?

- As an alternative I see I can also click on the "Configured Action" and change it (from Alert to Drop) from an "Alert Info" dialog, would that be a preferred method (rather than creating a second policy)?


AFAIK - Drop rules alert unless they have "noalert" in them

After that, I might not be the best one to ask about the Layers when it comes to the Drop feature; I merely figured out how to enable most rules and disable the noisy ones by using the Layers, and wrote a how-to on it:
https://www.nova-labs.net/opnsense-and-enabling-suricata-rules/

It does them in order, so 0 is first, 1 is second, and so on. Broad stroke changes with 0, Refined changes with 1, etc. If I am inaccurate here, please someone correct me!!
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA


You got it: just remove it from the main policy and put that ruleset in its own policy.
Note: don't make individual rule changes unless necessary; policies are better.
Individual changes will go back to default with a rule update,
and it bogs down the system's efficiency with too many of them.
If you have many individual changes or want to add your own,
the best approach would be to SSH into the system and pull the ruleset,
change it, put it back manually, and click apply.
You shouldn't have trouble with the default rules being dropped,
but you may have to alter some if enabling all rules.
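
As an added example (not posted by anyone in this thread and not OPNsense's or Suricata's own code), the script below works through the two points made above in runnable form: it parses Suricata-format rule lines, reports which rules would still raise an alert under the "drop rules alert unless they carry noalert" reading, and performs the manual "pull the ruleset, change alert to drop, put it back" edit for one group of rules. The rule lines, sids and messages are constructed for the example and are not real ET Open rules; the OPNsense policy engine and its rule-update behaviour are not modelled.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample in Suricata rule syntax. The sids, messages and content
# matches are invented for this example; they are NOT real ET Open rules.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE SCAN port sweep"; flags:S; threshold:type threshold,track by_src,count 20,seconds 60; classtype:attempted-recon; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SCAN ssh banner probe"; flow:to_server; content:"SSH-"; sid:9000002; rev:2;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE POLICY smb from outside"; flow:to_server; sid:9000003; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE POLICY quiet dns block"; noalert; sid:9000004; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE DISABLED rule"; sid:9000005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE WEB outbound probe"; http.uri; content:"/probe\\;x"; sid:9000006; rev:1;)
"""

# Rule header: optional leading '#' (disabled rule), action, protocol, 5-tuple, options in parentheses.
HEADER = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    sid: int
    msg: str
    noalert: bool
    enabled: bool
    raw: str


def split_options(opts: str) -> List[str]:
    """Split the option body on ';' while honouring quotes and backslash escapes (e.g. '\\;' in content)."""
    out, cur, in_quotes, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        out.append(tail)
    return [o for o in out if o]


def parse_rules(text: str) -> List[Rule]:
    """Parse every line that looks like a Suricata rule; plain comments and blanks are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        kv: Dict[str, str] = {}
        flags = set()
        for opt in split_options(m.group("opts")):
            if ":" in opt:
                k, v = opt.split(":", 1)
                kv[k.strip()] = v.strip()
            else:
                flags.add(opt)  # keyword-only options such as noalert or http.uri
        rules.append(Rule(
            action=m.group("action"),
            proto=m.group("proto"),
            sid=int(kv.get("sid", "0")),
            msg=kv.get("msg", "").strip('"'),
            noalert="noalert" in flags,
            enabled=m.group("disabled") is None,
            raw=line,
        ))
    return rules


def will_alert(rule: Rule) -> bool:
    """Reading used in the thread: drop rules still alert unless tagged noalert; pass and disabled rules never do."""
    if not rule.enabled or rule.action == "pass":
        return False
    return not rule.noalert


def promote_to_drop(text: str, select: Callable[[Rule], bool]) -> str:
    """Rewrite 'alert' to 'drop' on enabled rules chosen by `select`; all other lines are returned untouched.
    This is the manual edit-the-file route described above; a rule update would overwrite it."""
    out = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m and m.group("disabled") is None and m.group("action") == "alert":
            if select(parse_rules(line)[0]):
                line = re.sub(r"^(\s*)alert\b", r"\1drop", line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"


def summarize(text: str) -> Dict[int, Tuple[str, bool]]:
    """Map sid -> (action, alerts?) so before/after states can be compared."""
    return {r.sid: (r.action, will_alert(r)) for r in parse_rules(text)}


if __name__ == "__main__":
    for sid, (action, alerts) in summarize(SAMPLE_RULES).items():
        print(f"sid {sid}: {action:<5} alerts={alerts}")
    promoted = promote_to_drop(SAMPLE_RULES, lambda r: r.msg.startswith("EXAMPLE SCAN"))
    print("--- after promoting the SCAN rules to drop ---")
    for sid, (action, alerts) in summarize(promoted).items():
        print(f"sid {sid}: {action:<5} alerts={alerts}")
```

The selector passed to promote_to_drop stands in for "one ruleset": here it picks rules by message prefix, but matching on the source file name or a sid range works the same way. Because the rewritten file is replaced on the next rule download, this is only a stopgap for rules that cannot be expressed as a policy, which is the point the reply above makes.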

February 19, 2025, 02:40:31 PM #4 Last Edit: February 19, 2025, 02:42:55 PM by CarolyneKrajcik

Hi! I would like to offer the following opinion: no, the "Drop" action in OPNsense will not automatically be recorded as an alert. The "Drop" action means ignore, and there is no notification or recording of that action.

First, what are you calling an alert, and what are you calling a drop? And why can't you find the notifications?
Admin alerts or log files?
It's all there. Do you need help?