Author Topic: Policy Suricata not working (Read 15388 times)

yeraycito · « **on:** January 29, 2021, 03:20:17 am »

Opnsense 21.1

yeraycito · « **Reply #1 on:** January 29, 2021, 03:37:07 am »

Clean install Opnsense. Rules: ET Telemetry

yeraycito · « **Reply #2 on:** January 29, 2021, 03:51:41 am »

Nothing works. In the Rulesets section which states that if nothing is selected it applies to everything does not work. And if you select everything it doesn't work either. There is no way to select the rules in blocking. It worked so well before blocking the categories of rules in the Download section, why do you change it?

mimugmail · « **Reply #3 on:** January 29, 2021, 07:54:43 am »

Do you have the Checkbox for IPS enabled?

yeraycito · « **Reply #4 on:** January 29, 2021, 03:07:45 pm »

Yes. If I activate the lock setting in the Policy tab according to the following screenshot it does not work.

yeraycito · « **Reply #5 on:** January 29, 2021, 04:03:43 pm »

I just tried another test with a different configuration and it still doesn't work.

yeraycito · « **Reply #6 on:** January 29, 2021, 04:05:17 pm »

More screens

yeraycito · « **Reply #7 on:** January 29, 2021, 04:21:19 pm »

One last test with another configuration. It still does not work. The rule shown in the image as DROP is manually activated.

yeraycito · « **Reply #8 on:** January 29, 2021, 04:22:15 pm »

More screens

yeraycito · « **Reply #9 on:** January 29, 2021, 04:22:59 pm »

Last image

Fright · « **Reply #10 on:** January 29, 2021, 04:45:49 pm »

can you set description to your policy and then go to "Rules" and filter rules with matched_policy\"your_policy"?

amichel · « **Reply #11 on:** January 30, 2021, 09:46:01 am »

Same here,
since the upgrade I see that the rules allow traffic instead of dropping it. I am using the same config as in 20.7 by implementing the "imported legacy import filter" Still no drops.
Maybe there is some configuration to be changed in the policy but the official documentation is not very helpful to be honest.
Is there a how to guide how to enable suricata so it drops packets by implementing the policies?

Filtering as per Policy shows nothing

amichel · « **Reply #12 on:** January 30, 2021, 11:10:26 am »

I went back to the original config before the upgrade.
Now with the legacy rule untouched I see the rules are configured to block traffic

Fright · « **Reply #13 on:** January 30, 2021, 11:57:17 am »

it seems that it may not be related to policies. also stopped blocking traffic on the test VM. deleted policies - not helped. turned off and on the checkboxes on the Settings tab (enabled, IPS, promisc) applying after each checkbox. IPS starts working after that.
may be some .yaml issue after update?

already completely blocked access to any remote management by including everything in the new policy and specifying the drop action

play carefully with policies

logandzwon · « **Reply #14 on:** January 30, 2021, 05:04:58 pm »

Yes, agreed. It’s totally unclear on how it is supposed to work. It worked so well before the update too.

Author Topic: Policy Suricata not working (Read 15388 times)

yeraycito

Policy Suricata not working

yeraycito

Re: Policy Suricata not working

yeraycito

Re: Policy Suricata not working

mimugmail

Re: Policy Suricata not working

yeraycito

Re: Policy Suricata not working

yeraycito

Re: Policy Suricata not working

yeraycito

Re: Policy Suricata not working

yeraycito

Re: Policy Suricata not working

yeraycito

Re: Policy Suricata not working

yeraycito

Re: Policy Suricata not working

Fright

Re: Policy Suricata not working

amichel

Re: Policy Suricata not working

amichel

Re: Policy Suricata not working

Fright

Re: Policy Suricata not working

logandzwon

Re: Policy Suricata not working