Policy vs Single rules

Started by Kieeps, February 18, 2021, 09:18:01 AM

I've recently enabled IPS on my firewall; I wanted to wait until everything else was set up so I could put all my focus on IPS for a while. And of course I got some stuff in the log that I don't really care about, so I disabled them.

Now i get a message at the top of the page saying:
Quote: We strongly advise to use policies instead of single rule based changes to limit the size of the configuration. A list of all manual changes can be revised in the policy editor

What is this anyway? Is it bad practice to disable single rules?

IMHO this is still advice and not a requirement. The less you use individual rule management the better, but exceptions (lack of metadata, inapplicable rule, etc.) are still possible and acceptable.

May 14, 2021, 09:19:50 PM #2 Last Edit: May 15, 2021, 01:12:53 AM by Cangooroo7993
I desperately want to switch to policies from rules, but the UI tortures me.
I have too many active rules (~24000) and deleting them from the UI is nearly impossible.
I have even written a JavaScript script that deletes them based on UI data, but it works slowly as well (the server is the bottleneck). It will take eons to finish.
Is there any good way to reset the IDS rules and start from scratch?

Also, I fail to understand the difference between the old "Rules" tab and the new "Rules adjustments" tab.
They look similar, but they don't contain the same number of entries.
So, I am completely lost here. Probably some UX touches are needed there.

UPDATE:
Hm...
Maybe editing the SQLite DB here might do it:
/usr/local/etc/suricata/rules/rules.sqlite
Or it might just destroy my firewall... :\
It seems to contain the rules though... The Administration section rules, not the Policy ones...

May 15, 2021, 08:26:12 PM #3 Last Edit: June 11, 2021, 10:23:12 PM by Cangooroo7993
OK.
My script worked eventually, after some hours of waiting...


// Chain the deletes one after another; firing them in parallel would only overload the server.
var d = $.Deferred(), prom = d.promise(), times = 0;
d.resolve();
$('#rules tr[data-row-id]').each((i, r) => {
   // Each row of the rule adjustments grid carries the adjustment's uuid in data-row-id.
   prom = prom.then(function() { return $.post('/api/ids/settings/delPolicyRule/' + $(r).attr('data-row-id')).promise(); });
   times++;
   if(times > 100000) return false;  // safety cap per run; returning false stops .each()
});
// Reconfigure once, after the last delete has finished, so the remaining adjustments get applied.
// (Passing $.post(...).promise() directly to .then() would fire the request immediately, before the deletes.)
prom = prom.then(function() { return $.post('/api/ids/service/reconfigure').promise(); });


You need to:

  • Go to this URL: /ui/ids/policy#rules
  • Select to show ALL rule adjustments
  • Open the dev tools console in the browser, go to the console tab, paste it in and hit Enter
  • Monitor the requests in the Network tab to see when it will finish. It can take several hours if you have many rule adjustments.

Eventually, it will delete everything and then you can start all over....
Now, I went from 24000 rules adjustments to only 3!

Could someone explain how policies are different from just enabling drop rules? I would think the granularity of the rules would be better, so you do not capture packets that are actually good? Am I reading this wrong?

@spetrillo
IMHO it is just more convenient for those cases when the rules can be combined according to some criteria. It makes it possible not to overload the config with separate rules.
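The difference asked about above, as an added example that is not part of this thread and not OPNsense's own code: a small JavaScript model (runs in Node or a browser console, no API calls) of how a policy (metadata criteria plus one action) and a rule adjustment (one SID, one action) can produce the same Suricata behaviour with a very different number of configuration entries. The metadata field names, the default "alert" action and the precedence used here (policies checked in priority order, first match wins, manual adjustments override policies) are assumptions for illustration only; the sample rules are constructed.

```javascript
// Added example; not code from the thread or from OPNsense. It models the
// point behind the "use policies instead of single rule based changes"
// notice: a policy selects rules by metadata and sets one action for all of
// them, a rule adjustment overrides one SID. Field names, the default action
// and the precedence rules below are assumptions made for illustration.

// Constructed sample rules with metadata of the kind ET rules carry.
const RULES = [
  { sid: 2100001, classtype: "policy-violation", severity: "Minor",    product: "Any" },
  { sid: 2100002, classtype: "policy-violation", severity: "Minor",    product: "Any" },
  { sid: 2100003, classtype: "trojan-activity",  severity: "Major",    product: "Windows" },
  { sid: 2100004, classtype: "trojan-activity",  severity: "Critical", product: "Windows" },
  { sid: 2100005, classtype: "trojan-activity",  severity: "Minor",    product: "Linux" },
  { sid: 2100006, classtype: "misc-activity",    severity: "Minor",    product: "Any" },
];

// A rule matches a policy when, for every criterion, the rule's value is listed.
function matchesCriteria(rule, criteria) {
  return Object.entries(criteria).every(([field, allowed]) => allowed.includes(rule[field]));
}

// Action every SID ends up with: default, then first matching policy, then adjustment.
function effectiveActions(rules, policies, adjustments, defaultAction = "alert") {
  const ordered = [...policies].sort((a, b) => a.priority - b.priority);
  const result = new Map();
  for (const rule of rules) {
    let action = defaultAction;
    const policy = ordered.find((p) => matchesCriteria(rule, p.criteria));
    if (policy) action = policy.action;
    if (adjustments.has(rule.sid)) action = adjustments.get(rule.sid); // manual change wins
    result.set(rule.sid, action);
  }
  return result;
}

// Entries that end up in the configuration: one per policy plus one per adjustment.
function configEntries(policies, adjustments) {
  return policies.length + adjustments.size;
}

// How many rules the policies cover, i.e. how many adjustments they stand in for.
function rulesCoveredByPolicies(rules, policies) {
  return rules.filter((r) => policies.some((p) => matchesCriteria(r, p.criteria))).length;
}

function sameOutcome(a, b) {
  return a.size === b.size && [...a].every(([sid, action]) => b.get(sid) === action);
}

// Approach A: only single-rule changes, one entry per touched SID.
const PER_RULE = new Map([
  [2100001, "disable"], [2100002, "disable"],
  [2100003, "drop"], [2100004, "drop"], [2100005, "drop"],
]);

// Approach B: two policies plus one genuine exception kept as an adjustment
// (a Minor trojan-activity rule that the drop policy would not cover).
const POLICIES = [
  { priority: 1, criteria: { classtype: ["policy-violation"] }, action: "disable" },
  { priority: 2, criteria: { classtype: ["trojan-activity"], severity: ["Major", "Critical"] }, action: "drop" },
];
const EXCEPTIONS = new Map([[2100005, "drop"]]);

function compare() {
  const a = effectiveActions(RULES, [], PER_RULE);
  const b = effectiveActions(RULES, POLICIES, EXCEPTIONS);
  return {
    sameOutcome: sameOutcome(a, b),                                   // true: identical per-SID actions
    perRuleEntries: configEntries([], PER_RULE),                      // 5
    policyEntries: configEntries(POLICIES, EXCEPTIONS),               // 3
    rulesCoveredByPolicies: rulesCoveredByPolicies(RULES, POLICIES),  // 4
  };
}

console.log(compare());
```

With six rules the saving is two entries; with a ruleset the size of the one in this thread, a handful of policies replaces thousands of per-SID entries, and only the real exceptions (rules without usable metadata, or rules a policy would treat wrongly) stay in the adjustments list.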