[SOLVED] Many confusing elements of configuring IDS/IPS (Suricata)

Started by gctwnl, April 21, 2023, 01:23:09 PM

I keep getting this when trying to save my Suricata download set in Administration. Even deselecting everything and trying to save gets me this. Download & Update rules doesn't help.

I can start suricata, but it says 'no rules are loaded' so it is now completely nonfunctional.

Help?

OPNsense 22.10.2 (Deciso)

Log shows error:
2023-04-21T14:42:01 Warning suricata [100410] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 2 rule files specified, but no rules were loaded!

[Removed, it was a red herring]

Forget it. I have deinstalled and reinstalled the ET Telemetry version and I no longer have this error, but still the frontend Save button for Downloads refuses to work.

Kind of pissed now about losing 7 hours with an OPNsense frontend that suddenly, for some unknown reason, stopped working when I was changing the IDS config. I'd like a 'total reset' option for my suricata config. CLI is fine.

It seems OPNsense can get into a state where its frontend UI stops working and also stops creating a usable Suricata config because the 'Save' button won't work. And it seems that state for the UI is permanent and survives whatever you install/deinstall as plugins.

Removed ET Telemetry Pro and installed ET Open. That one works. The frontend is also different; there is no Save button (for now, who knows what happens when OPNsense gets hosed again here too). Simply update the rules.

If I remember correctly the order is: 1. select & enable the ruleset(s), 2. Save button, 3. Download and update rules.
If ETP Pro is to be used, there are the additional steps of registration, etc.
That gives you the collections of rules available, and you can move to select them in the policies you have to create. You can use the rules tab, but it is better to use policies to group them.
I've never seen the Save button disappear. I don't know what might be happening there.

The Save button does not disappear. What happened is that it was available, but when you clicked it, it said "Download and Update" first (short time visible message). But if you then Download and Update, this stays.

The result was that I had no rules whatsoever.

But I am starting to suspect that I am misinterpreting the GUI. Save = 'save config', the Download & Update is the next step (to populate). Intuitively (or my intuition at least), the Save button would come at the end (which it normally does). As I did not see any actual rules (and Suricata complained), I concluded Save was failing.

Tomorrow I'm going to retry with ET Telemetry again. ET Open is working, but that one doesn't have a 'Save' button, only the "Download & Update".

April 22, 2023, 01:13:58 PM #6 Last Edit: April 22, 2023, 01:26:30 PM by gctwnl
I got ET Open working. I have returned to ET Telemetry and everything is now working. A summary of the things that confused me:

  • ET Telemetry comes with empty rule sets for botcc, dshield, drop, ciarmy, compromised. You need to add an additional ET Open set (specifically for ET Telemetry) in System/Firmware/Plugins. My guess is there are SID conflicts between ET Telemetry and ET Open and hence you need an 'ET Telemetry safe' ET Open set, but that is a guess.
  • When using ET Telemetry there is a 'Save' button and a 'Download & Update' button. If you change the enabled set, pressing Save gives a short-lived warning about having to Download & Update. Normally in UX (also in most parts of OPNsense), 'Save' is the final action if you change something, but here it is not the case. Also, a warning on Save generally means in UX that the Save has not proceeded. In combination with the previous point (empty sets) this gave the impression that 'Save' did not work. The UX here is: You Save your selection and with Download & Update you 'execute' that selection (which is a real 'save' too, as this is when the rules actually change). So, I tried to get to a point where 'Save' would not give the warning, but it constantly did and Suricata also warned 'there were no rules'.
    (Note: ET Open does not have that 'Save' button. Probably a good solution would be to use 'Set Token' for the token and 'Apply' for the rest (as it is elsewhere in the UI))

  • A Policy is needed to change the default 'Alert' that is in almost all downloaded rulesets to 'Block'. Two things are confusing here. In Settings, when you turn on IPS, you may expect to go from 'inform me' to 'really block'.
  • Trying the abuse.ch ThreatFox ruleset doesn't work together with setting a Policy. The Policy 'Apply' button gets a 'working' state and never finishes, not even after many hours.

So, the three things mixed here: ET Telemetry comes with a bunch of empty rule sets, turning IPS on doesn't block anything until you change 'alert' to 'block' in a Policy/Policies, and 'Save' is not (as it normally is) the definitive action to get something working.
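A quick way to confirm the two surprises from the summary above (rule sets that load nothing, and rules that still carry 'alert' rather than 'drop' after IPS was turned on) is to look at what the generated rule files actually contain. This is an added example, not code from the thread or from OPNsense; the file names, the sample rule lines and the `summarize_rules`/`check_ips_ready` helpers are constructed for illustration, and the SIDs and addresses are placeholders.

```python
"""Summarise which rules a Suricata rules directory would really load.

Constructed example: counts enabled rules per file and per action so that
an empty set, or a set that only alerts, is visible before Suricata
reports 'no rules were loaded' or IPS silently fails to block.
"""
import re
from collections import Counter
from pathlib import Path

# A rule line: optional leading '#' (disabled), an action, a protocol, and a sid.
RULE_RE = re.compile(
    r"^\s*(?P<disabled>#\s*)?(?P<action>alert|drop|reject|pass)\s+\S+\s.*\bsid\s*:\s*(?P<sid>\d+)\s*;"
)

# Constructed sample files (not real ET content); RFC 5737 addresses used.
SAMPLE_FILES = {
    "emerging-botcc.rules": "# constructed: header only, no rules in this set\n",
    "emerging-dshield.rules": (
        'alert ip [192.0.2.10] any -> $HOME_NET any (msg:"CONSTRUCTED dshield sample"; sid:9000001; rev:1;)\n'
        '# alert ip [192.0.2.11] any -> $HOME_NET any (msg:"CONSTRUCTED disabled rule"; sid:9000002; rev:1;)\n'
    ),
    "policy-applied.rules": (
        'drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED policy drop"; sid:9000003; rev:1;)\n'
    ),
}


def summarize_rules(text: str) -> dict:
    """Return enabled/disabled counts and a per-action breakdown for one file."""
    counts, disabled = Counter(), 0
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and non-rule comments
        if m.group("disabled"):
            disabled += 1
        else:
            counts[m.group("action")] += 1
    return {"enabled": sum(counts.values()), "disabled": disabled, "by_action": dict(counts)}


def summarize_dir(rules_dir: str) -> dict:
    """Summarise every *.rules file under rules_dir (e.g. Suricata's rule path)."""
    return {p.name: summarize_rules(p.read_text(errors="replace")) for p in sorted(Path(rules_dir).glob("*.rules"))}


def check_ips_ready(summaries: dict) -> list:
    """Flag sets that load nothing, and sets where no enabled rule will block."""
    findings = []
    for name, s in summaries.items():
        if s["enabled"] == 0:
            findings.append(f"{name}: no enabled rules (empty set or all commented out)")
        elif s["by_action"].get("drop", 0) == 0:
            findings.append(f"{name}: enabled actions are {sorted(s['by_action'])} only; IPS will not block")
    return findings


if __name__ == "__main__":
    for finding in check_ips_ready({n: summarize_rules(t) for n, t in SAMPLE_FILES.items()}):
        print(finding)
```

Against a live box, replace `SAMPLE_FILES` with `summarize_dir("/path/to/suricata/rules")` (path assumed; use the rule directory your install actually writes to).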