Policy Suricata not working

Started by yeraycito, January 29, 2021, 03:20:17 AM


Clean install OPNsense. Rules: ET Telemetry

Nothing works. The Rulesets section, which states that if nothing is selected it applies to everything, does not work. And if you select everything it doesn't work either. There is no way to select the rules in blocking. It worked so well before blocking the categories of rules in the Download section, why do you change it?


Yes. If I activate the lock setting in the Policy tab according to the following screenshot it does not work.

I just tried another test with a different configuration and it still doesn't work.


One last test with another configuration. It still does not work. The rule shown in the image as DROP is manually activated.



Can you set a description for your policy and then go to "Rules" and filter rules with matched_policy\"your_policy"?

January 30, 2021, 09:46:01 AM #11 Last Edit: January 30, 2021, 10:44:58 AM by amichel
Same here,
since the upgrade I see that the rules allow traffic instead of dropping it. I am using the same config as in 20.7 by implementing the "imported legacy import filter". Still no drops.
Maybe there is some configuration to be changed in the policy, but the official documentation is not very helpful, to be honest.
Is there a how-to guide on how to enable Suricata so it drops packets by implementing the policies?

Filtering as per Policy shows nothing.

I went back to the original config before the upgrade.
Now with the legacy rule untouched I see the rules are configured to block traffic.

January 30, 2021, 11:57:17 AM #13 Last Edit: January 30, 2021, 11:59:37 AM by Fright
It seems that it may not be related to policies. It also stopped blocking traffic on the test VM. Deleted policies - did not help. Turned off and on the checkboxes on the Settings tab (enabled, IPS, promisc), applying after each checkbox. IPS starts working after that.
Maybe some .yaml issue after the update?

Already completely blocked access to any remote management by including everything in the new policy and specifying the drop action 8)
Play carefully with policies ;D



January 30, 2021, 05:04:58 PM #14 Last Edit: January 30, 2021, 07:36:35 PM by logandzwon
Yes, agreed. It's totally unclear how it is supposed to work. It worked so well before the update too.