OPNsense Forum » English Forums » Intrusion Detection and Prevention » Drop Policy and directly set Rule to "Drop" not working.
Topic: Drop Policy and directly set Rule to "Drop" not working. (Read 861 times)
dot1x (Newbie, Posts: 3, Karma: 0)
on: March 28, 2024, 03:45:09 pm
Hey there.
I have a problem in the IPS of OPNsense.
I downloaded and enabled some rules and I see them all hitting in the alert tab. I also created a policy including all downloaded rules to set them to drop.
When I now look at the alert tab, I see that requests get dropped, like network trojan and many other things.
But when it comes to the Emerging Threats scan category, everything is allowed. I tried different Nmap scans; they all get detected but are allowed, not set to "drop" like I would like to have them.
So I thought something must be wrong or bugged with the policy, and I set all corresponding Emerging Threats scan rules to drop in the "rules" tab.
I restarted Suricata and restarted the firewall itself. But still, different rules, not just scan, just get allowed. How is this possible when I set them to drop via the policy and the rules tab?
Thanks for any help.
Greg_E (Full Member, Posts: 199, Karma: 11)
Reply #1 on: March 28, 2024, 06:32:26 pm
After changing them, did you go back to the rules tab and hit apply? I'm guessing you did but thought I would ask.
Otherwise I'm not sure, as you did everything else I would recommend. Something I really need to sit down and figure out; it might be a case of messing it up once, and the mess-up stays on the machine, so wipe the drive and start from a config backup (probably my next step for a couple of reasons).
blacklistme (Newbie, Posts: 5, Karma: 1)
Reply #2 on: May 15, 2024, 07:58:23 am
I have exactly the same problem!
It took several attempts until policies were working as intended. And now the configured action doesn't do anything.
Long way to go for a properly working IDS...
chemlud (Hero Member, Posts: 2347, Karma: 104)
Reply #3 on: May 21, 2024, 11:04:50 am
I disabled a specific rule (and set it to alert...) some days ago on 2 different installs. It works for 1-2 days, then the rule is back in the game and starts blocking my traffic and throwing alerts. Happened on both machines. Annoying...
Is it the nightly rules update that ignores previous settings for specific rules?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
chemlud (Hero Member, Posts: 2347, Karma: 104)
Reply #4 on: May 23, 2024, 08:31:16 am
Zombie rule came back to life again. Really a pain!
someone (Newbie, Posts: 22, Karma: 1)
Reply #5 on: June 08, 2024, 11:19:53 pm
Hello,
my rules are enabled and applied and say alert.
I set up a policy for all rules, whether alert or drop, to be dropped and applied them, but it allowed someone to SSH into my TCP port 443. A rule caught it, 2001984, but allowed it. Where does "allowed" come from? That is what it says in the Suricata logs; I didn't see it as an option, and it's not set up that way. I pulled up the rule and it said alert; I changed that one rule to drop, so it's the only drop rule. All the other rules are set to drop under the rule policy, even though they say alert. Anyone know how to fix this not-dropping behavior? It was working, as it caught 15 bad DNS queries directed to a .biz server. It was running behind an ISP router which they hijacked and which is now destroyed. They broke the firmware. MITM attack. But OPNsense is running on its own now and has problems.
someone (Newbie, Posts: 22, Karma: 1)
Reply #6 on: June 26, 2024, 01:24:03 am
I should update my reply.
I reloaded OPNsense, enabled and downloaded the Suricata rules.
Left them at the default, which is alert.
Created a policy to drop whether it is alert or drop.
It is working fine.
It blocked a scan earlier today.
Love that EVE JSON file for recording trouble.
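Two things in this thread point at the same check: the "allowed" the posters see in the alert tab and in the Suricata logs is the `alert.action` field of Suricata's EVE JSON alert record, which is "blocked" when a drop rule actually dropped the packet and "allowed" when the rule only alerted (because the rule is still `alert`, because the policy did not rewrite it, or because Suricata is not running inline). The script below, added here as an example and not code from the OPNsense project or from any of the posters, triages an eve.json file by signature ID and lists the SIDs that were still only alerting, so you can compare them against what the policy and rules tabs claim. The sample EVE lines, the SIDs other than 2001984 (quoted in the thread) and the addresses are constructed for the example; the eve.json path in the comment is an assumption, check your suricata.yaml `eve-log` output if it differs.

```python
"""Triage Suricata EVE JSON alerts: which signatures fired but were only 'allowed'?

Added example, not from the OPNsense project or the forum posters. It reads
EVE alert records (event_type "alert"), groups them by signature ID and
reports the action Suricata recorded for each. A SID that still shows
"allowed" after you set it to drop means the drop did not take effect.
"""
import json
from collections import defaultdict

# Constructed sample EVE lines (not real traffic). Field layout follows the
# Suricata EVE alert schema; SIDs other than 2001984 and all addresses are
# made up for the example. The third line is a non-alert event to show that
# mixed eve.json content is skipped.
SAMPLE_EVE = """\
{"timestamp":"2024-06-08T23:10:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001984,"rev":1,"signature":"ET SCAN Example","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-06-08T23:10:02.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2010935,"rev":1,"signature":"ET SCAN Example 2","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-06-08T23:10:03.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"192.0.2.10"}
{"timestamp":"2024-06-08T23:10:04.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001984,"rev":1,"signature":"ET SCAN Example","category":"Attempted Information Leak","severity":2}}
"""


def summarize_alert_actions(lines):
    """Return {sid: {"signature": str, "allowed": int, "blocked": int}}.

    Non-alert events and malformed lines are skipped so this can run over a
    live eve.json that mixes flow, dns, http and alert records.
    """
    summary = defaultdict(lambda: {"signature": "", "allowed": 0, "blocked": 0})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        sid = alert.get("signature_id")
        action = alert.get("action")
        if sid is None or action not in ("allowed", "blocked"):
            continue
        entry = summary[sid]
        entry["signature"] = alert.get("signature", "")
        entry[action] += 1
    return dict(summary)


def not_dropping(summary):
    """SIDs seen with action 'allowed' at least once.

    These are the rules to check against the policy and rules tabs: either
    they are still set to alert, the policy did not rewrite them to drop, or
    Suricata is not running inline (IPS mode).
    """
    return sorted(sid for sid, e in summary.items() if e["allowed"] > 0)


def report(summary):
    """Print one line per SID with its allowed/blocked counts."""
    for sid in sorted(summary):
        e = summary[sid]
        print(f"sid {sid:>8}  allowed={e['allowed']:<3} blocked={e['blocked']:<3} {e['signature']}")


if __name__ == "__main__":
    # To run against a real box, replace SAMPLE_EVE.splitlines() with
    # open("/var/log/suricata/eve.json") (path assumed; check suricata.yaml).
    summary = summarize_alert_actions(SAMPLE_EVE.splitlines())
    report(summary)
    print("SIDs still only alerting:", not_dropping(summary))
```

Run it before and after applying a policy change: if a SID stays in the "still only alerting" list after the policy was applied and Suricata restarted, the problem is in rule translation or inline mode rather than in the ruleset itself.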