OPNsense Forum » English Forums » Intrusion Detection and Prevention » IPS not working: Enable Drop Filter not visible
Topic: IPS not working: Enable Drop Filter not visible (Read 5438 times)
zgtc
Newbie
Posts: 6
Karma: 0
IPS not working: Enable Drop Filter not visible
«
on:
April 10, 2021, 02:09:05 am »
Hi,
I am new to OPNsense, using OPNsense 21.1.4-amd64, and I think I have read all the relevant IPS documentation. Using the IDS, IPS, Promiscuous checks on, selected LAN interface.
The main problem is the Enable (Drop filter) is not shown, so all rules remain as Alert, which goes against the P in the IPS. See attach 1.
Also relevant, if I edit one ruleset, I no longer see the Input filter dropdown (thus, no way to select "Change all alerts to drop actions"). See attach 2.
To make this all even more bizarre, when disabling IDS/IPS and enabling them again (and re-enabling rules, then Apply), we found that:
- some tests are not even detected (i.e. test eicar.com.txt can be downloaded and nothing shows on Alerts tab). See attach 3. or
- something is detected and shown in the Alerts tab but... Accepted (i.e. "ET POLICY Dropbox.com Offsite File Backup in Use"). I don't have a screen capture of this right now.
Am I missing something very obvious? Thank you
Logged
zgtc
Newbie
Posts: 6
Karma: 0
Re: IPS not working: Enable Drop Filter not visible
«
Reply #1 on:
April 10, 2021, 02:11:45 am »
I was just able to capture the Dropbox "alert".
Logged
Beowulf
Newbie
Posts: 4
Karma: 0
Re: IPS not working: Enable Drop Filter not visible
«
Reply #2 on:
April 11, 2021, 04:51:34 pm »
I am a newbie to OPNsense, too.
I can tell you that you get the eicar test done with a proxy and the antivirus plugin:
https://docs.opnsense.org/manual/how-tos/proxytransparent.html
https://docs.opnsense.org/manual/how-tos/proxyicapantivirus.html
https://docs.opnsense.org/manual/how-tos/clamav.html?highlight=clamav
Logged
zgtc
Newbie
Posts: 6
Karma: 0
Re: IPS not working: Enable Drop Filter not visible
«
Reply #3 on:
April 22, 2021, 12:22:54 pm »
Hi, sorry I'm not sure how your message is related to my question/s. Thank you
Logged
kosta
Hero Member
Posts: 540
Karma: 2
Re: IPS not working: Enable Drop Filter not visible
«
Reply #4 on:
May 09, 2021, 12:00:02 am »
I have the same problem, missing those buttons in Download.
Did you solve the problem?
Logged
zgtc
Newbie
Posts: 6
Karma: 0
Re: IPS not working: Enable Drop Filter not visible
«
Reply #5 on:
May 09, 2021, 12:09:42 am »
Nope, I switched to pfSense instead, that was a no-go.
Logged
kosta
Hero Member
Posts: 540
Karma: 2
Re: IPS not working: Enable Drop Filter not visible
«
Reply #6 on:
May 09, 2021, 12:23:11 am »
Not the solution I was hoping to read. Thank you anyway.
Logged
AdSchellevis
Administrator
Hero Member
Posts: 907
Karma: 184
Re: IPS not working: Enable Drop Filter not visible
«
Reply #7 on:
May 09, 2021, 11:03:02 am »
As of 21.1 you can use policies to change rule behaviour (https://docs.opnsense.org/manual/ips.html#policies), to mimic the old behaviour just add a single policy rule matching the rulesets you want to drop and select "alert" as action (which is default for almost all supplied rules) and set "new action" to drop.
Old settings should have been migrated automatically.
The policy editor is available in the menu on the left (Services -> Intrusion detection -> Policy).
Best regards,
Ad
Logged
zgtc
Newbie
Posts: 6
Karma: 0
Re: IPS not working: Enable Drop Filter not visible
«
Reply #8 on:
May 09, 2021, 12:45:36 pm »
Hi Ad,
Not sure if you were referring to my first post, but this wasn't an upgrade or migration, those problems occurred during a clean install.
Logged
AdSchellevis
Administrator
Hero Member
Posts: 907
Karma: 184
Re: IPS not working: Enable Drop Filter not visible
«
Reply #9 on:
May 09, 2021, 01:58:50 pm »
About where to find the filters, it was indeed, we changed that in 21.1.
Why rules won't match can have different reasons, I would always start by checking if an alert is triggered and what Suricata thinks it should do with it (the Alerts tab). The quickest test usually is to enable our test rule (opnsense ruleset) and download eicar over HTTP (your curl command looks ok in that regard).
The rules tab represents the current settings after applying your changes (query for eicar to see if it's set to drop).
Best regards,
Ad
Logged
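The check described in the reply above (did an alert fire, and what did Suricata do with it) can also be run against Suricata's EVE JSON log, where each alert event carries an `alert.action` of `allowed` or `blocked`. This is an added example, not part of the original posts or OPNsense's own code; the sample events, their signature IDs and addresses are constructed, and the path to `eve.json` on your install is an assumption you pass as an argument.

```python
import json
import sys
from collections import defaultdict

# Constructed EVE JSON sample (not from the thread): two allowed alerts, one
# blocked alert, one non-alert event, and one truncated (partially written) line.
SAMPLE_EVE = [
    '{"timestamp":"2021-05-09T12:00:01+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","alert":{"action":"allowed","signature_id":9000001,"signature":"ET POLICY Dropbox.com Offsite File Backup in Use"}}',
    '{"timestamp":"2021-05-09T12:00:02+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","alert":{"action":"allowed","signature_id":9000001,"signature":"ET POLICY Dropbox.com Offsite File Backup in Use"}}',
    '{"timestamp":"2021-05-09T12:00:03+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","alert":{"action":"blocked","signature_id":9000002,"signature":"CONSTRUCTED eicar test signature"}}',
    '{"timestamp":"2021-05-09T12:00:04+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.7"}',
    '{"timestamp":"2021-05-09T12:00:05',
]

def summarize_actions(lines):
    """Count alert.action values per (signature_id, signature)."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines cut off by rotation or a write in progress
        if not isinstance(event, dict) or event.get("event_type") != "alert":
            continue
        alert = event.get("alert", {})
        key = (alert.get("signature_id"), alert.get("signature", "?"))
        summary[key][alert.get("action", "unknown")] += 1
    return {key: dict(actions) for key, actions in summary.items()}

def never_blocked(summary):
    """Signatures that fired but were never blocked: no drop action applied."""
    return sorted(sig for (_sid, sig), actions in summary.items()
                  if "blocked" not in actions)

if __name__ == "__main__":
    # With no argument the constructed sample is used; otherwise pass eve.json.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = summarize_actions(fh)
    else:
        result = summarize_actions(SAMPLE_EVE)
    for (sid, sig), actions in result.items():
        print(sid, sig, actions)
    print("alerting but never blocked:", never_blocked(result))
```

A signature listed as never blocked is one where the rule still has its default alert action, which is the case the policy with "new action" set to drop is meant to change.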
kosta
Hero Member
Posts: 540
Karma: 2
Re: IPS not working: Enable Drop Filter not visible
«
Reply #10 on:
May 09, 2021, 10:13:51 pm »
Thank you, that wasn't very intuitive, but it's working!
Logged