OPNsense Forum » Archive » 21.1 Legacy Series » suricata: cannot edit action anymore
Topic: suricata: cannot edit action anymore (Read 2866 times)
siga75 (Full Member, Posts: 187, Karma: 11)
suricata: cannot edit action anymore
« on: January 31, 2021, 03:13:17 pm »
Wanted to change a pt.research rule from drop to alert; it's not possible anymore. Both from the alert tab and from the rules tab itself, the change is not taken.
https://www.signorini.ch | Protectli Pfsense Mi7500L6 Intel 7Th Gen Core I7 7500U 16Gb Ddr4 Ram, 512Gb Msata Ssd, 6 X Intel Gigabit Ethernet
madj42 (Jr. Member, Posts: 53, Karma: 3)
Re: suricata: cannot edit action anymore
« Reply #1 on: January 31, 2021, 05:09:10 pm »
I can confirm this. I haven't had much time myself to look at logs. Have you been able to see if any of the system or suricata logs say anything?
andreaslink (Jr. Member, Posts: 58, Karma: 4)
Re: suricata: cannot edit action anymore
« Reply #2 on: January 31, 2021, 05:24:57 pm »
I can second this as well.
I got some false positives (at least I hope they were false) on SID 2018375 "ET EXPLOIT TLS HeartBeat Request (Server Initiated) fb set", where I would see/test if it makes sense; so for testing I wanted to set this one from "Drop" to "Alert" only, but the change is not saved, even after applying and restarting the service.
Running OPNsense on 4 core Intel Xeon E5506, 20GB RAM, 2x Broadcom NetXtreme II BCM5709, 4x Intel 82580 | Ubench Single CPU: 307897 (0.39s)
tcpip (Newbie, Posts: 22, Karma: 3)
Re: suricata: cannot edit action anymore
« Reply #3 on: February 01, 2021, 10:44:48 am »
I discovered this issue because some pt.research rules (11002816, 11003611) created false positives and I wanted to edit the rules. So, I can confirm the issue. For me this seems to only happen when using a policy which overwrites the action and then editing a rule to overrule the policy.
After excluding the pt.research rules from my policy to overwrite alerts with drops, there were no more alerts in the alerts tab. Even though the rules are set to alert by default. Very strange.
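What tcpip describes, a policy that rewrites rule actions plus a per-rule edit meant to overrule it, comes down to which layer is applied last. The following is an added example and not OPNsense or Suricata code: a small Python model that parses Suricata rule lines, applies a policy and per-rule overrides in the order one would expect (per-rule override beats policy, policy beats the rule's own action), and reports every requested override that did not end up in effect. That last check is the one worth running against the generated rules file after applying a change, instead of trusting the GUI. The rule lines and SIDs are constructed, the `policy_wins` flag is a hypothetical ordering used only to reproduce the symptom from the thread, and all function names are my own.

```python
import re
from dataclasses import dataclass

# Suricata rule line: action keyword, header, then options in parentheses.
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+(?P<rest>.+)$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


@dataclass
class Rule:
    action: str   # action keyword as written in the rule file
    sid: int      # signature id from the sid: option
    rest: str     # everything after the action keyword, kept verbatim

    def render(self) -> str:
        return f"{self.action} {self.rest}"


def parse_rules(text: str) -> list:
    """Parse enabled rule lines; blanks, comments and disabled (#) rules are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        sid_m = SID_RE.search(m.group("rest"))
        if not sid_m:
            continue
        rules.append(Rule(m.group("action"), int(sid_m.group(1)), m.group("rest")))
    return rules


def resolve(rules, policy_action=None, policy_sids=frozenset(), rule_overrides=None,
            policy_wins=False):
    """Return {sid: effective action}.

    Intended precedence: per-rule override > policy > the rule's own action.
    policy_wins=True is a hypothetical ordering (policy applied after the
    per-rule edit) that silently swallows the edit, as seen in the thread.
    """
    rule_overrides = rule_overrides or {}
    effective = {}
    for r in rules:
        action = r.action
        # Later layers win; the policy layer only applies to SIDs it covers.
        layers = [("policy", policy_action if r.sid in policy_sids else None),
                  ("override", rule_overrides.get(r.sid))]
        if policy_wins:
            layers.reverse()
        for _, value in layers:
            if value is not None:
                action = value
        effective[r.sid] = action
    return effective


def unapplied_overrides(effective, rule_overrides):
    """SIDs whose requested override is not what actually ended up in effect."""
    return sorted(sid for sid, want in rule_overrides.items()
                  if effective.get(sid) != want)


def render_rules(rules, effective):
    """Rewrite the rule lines with the resolved action keyword."""
    return "\n".join(Rule(effective[r.sid], r.sid, r.rest).render() for r in rules)


# Constructed sample rules in the local SID range; not real ET or pt.research content.
SAMPLE_RULES = """\
alert tls any any -> any any (msg:"CONSTRUCTED sample A"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"CONSTRUCTED sample B"; sid:1000002; rev:1;)
# drop tcp any any -> any any (msg:"CONSTRUCTED disabled C"; sid:1000003; rev:1;)
drop tcp any any -> any 22 (msg:"CONSTRUCTED sample D"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    policy = {1000001, 1000002}      # policy escalates these alert rules to drop
    edits = {1000001: "alert"}       # operator sets one of them back to alert
    ok = resolve(rules, "drop", policy, edits)
    bad = resolve(rules, "drop", policy, edits, policy_wins=True)
    print(render_rules(rules, ok))
    print("unapplied (override applied last):", unapplied_overrides(ok, edits))
    print("unapplied (policy applied last):", unapplied_overrides(bad, edits))
```

In the intended order the per-rule edit survives and `unapplied_overrides` returns an empty list; with the policy applied last, SID 1000001 comes back as `drop` and is reported as unapplied, which is exactly the "change is not taken" behaviour the posts describe.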