Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
24.1 Legacy Series
»
Disabled IPS rule comes back to life again and again
« previous
next »
Print
Pages: [
1
]
Author
Topic: Disabled IPS rule comes back to life again and again (Read 597 times)
chemlud
Hero Member
Posts: 2481
Karma: 112
Disabled IPS rule comes back to life again and again
«
on:
May 31, 2024, 12:39:07 pm »
Hy!
On latest community release here. Have IPS configured and running for years, but due to a change in Linux repos on some machines, a rule for TOR endpoints (co-located on repo IP?) is firing for some time now.
At first I disabled the rule individually, but after 1-4 days the disabled rule turned to enabled again. Several times, for weeks now.
Btw this happenz on TWO installs of OPNsense.
I tried "Policy" and chose the rule set tor.rules (from alerts) and "Action" as "Disabled". Applied. Works for some hours, then the alerts/blocks are back.
What is the way to disable this specific rule/rule set? It's spamming my alert email account.
«
Last Edit: May 31, 2024, 12:57:45 pm by chemlud
»
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium katzenfutter mit der extraportion energie
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
chemlud
Hero Member
Posts: 2481
Karma: 112
Re: Disabled IPS rule comes back to life again and again
«
Reply #1 on:
June 01, 2024, 11:20:48 pm »
Maybe sign for dying SSD? Smart looked good recently, but after update to 24.1.8 the box did not come back. Remote re-install the hard way :-/
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium katzenfutter mit der extraportion energie
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
chemlud
Hero Member
Posts: 2481
Karma: 112
Re: Disabled IPS rule comes back to life again and again
«
Reply #2 on:
June 15, 2024, 04:03:13 pm »
SSD was new when installing OPNsense in March, so apparently not failing SSD. Today the IPS rule came back to life... Sigh...
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium katzenfutter mit der extraportion energie
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
Greg_E
Sr. Member
Posts: 342
Karma: 19
Re: Disabled IPS rule comes back to life again and again
«
Reply #3 on:
June 17, 2024, 03:05:26 pm »
Did you disable the rule or set it to allow? I would try the opposite of one of these to see what happens. Yes I know allow will still generate a message, but if it gets the function working is it better than not working?
Logged
franco
Administrator
Hero Member
Posts: 17656
Karma: 1610
Re: Disabled IPS rule comes back to life again and again
«
Reply #4 on:
June 17, 2024, 03:12:59 pm »
First make sure the config.xml stays correct. If so and the SID is back in the final ruleset it should be easy to report to GitHub with the necessary details.
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
24.1 Legacy Series
»
Disabled IPS rule comes back to life again and again
