Using policy to change ruleset from drop to alert

Started by Taomyn, March 06, 2021, 10:55:15 AM

March 06, 2021, 10:55:15 AM Last Edit: March 06, 2021, 10:57:57 AM by Taomyn

I saw the warning that said

Quote: We strongly advise to use policies instead of single rule based changes to limit the size of the configuration. A list of all manual changes can be revised in the policy editor

So I removed all my rules to start fresh with policies - I really wasn't using ID properly and everything was set to just alert, but now everything seems to be blocking.

I'm trying to set a ruleset from drop to alert but the policy has no effect and the traffic continues to be blocked and reported as such.

Oh and this is logged every time the service is started:

2021-03-06T10:45:40 suricata[38260] [100489] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dnp3 any any -> $HOME_NET any (msg:"ETPRO SCADA DNP3 Enable Unsolicited Messages"; dnp3_func:enable_unsolicited; classtype:protocol-command-decode; sid:2821687; rev:3; metadata:created_at 2016_08_15, signature_severity Critical, updated_at 2021_02_17;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-scada.rules at line 46
2021-03-06T10:45:40 suricata[38260] [100489] <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
2021-03-06T10:45:40 suricata[38260] [100489] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dnp3 any any -> $HOME_NET any (msg:"ETPRO SCADA DNP3 Cold Restart"; dnp3_func:cold_restart; classtype:protocol-command-decode; sid:2821683; rev:5; metadata:created_at 2016_08_15, former_category SCADA, signature_severity Critical, updated_at 2021_02_17;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-scada.rules at line 45
2021-03-06T10:45:40 suricata[38260] [100489] <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled

Hi
Could you provide more info please (alerts, rules parameters)?
The rules and errors from the log are not related to policies and are not from the emerging-p2p ruleset imho.

Quote from: Fright on March 07, 2021, 08:09:25 PM
Hi
Could you provide more info please (alerts, rules parameters)?
The rules and errors from the log are not related to policies and are not from the emerging-p2p ruleset imho.

All the rules are set to "drop", but I have filtered them with "P2P" to show the ones in question.

Quote: All the rules are set to "drop"
Hm. If it is set to drop, it should drop?
If you click the "info" pencil for these rules, what "matched_policy" does it show for them?

Quote from: Fright on March 07, 2021, 08:24:55 PM
Quote: All the rules are set to "drop"
Hm. If it is set to drop, it should drop?
If you click the "info" pencil for these rules, what "matched_policy" does it show for them?

The problem is, I thought the policy I created should be changing it from drop to alert if I'm not supposed to be making rule changes, as warned before.

Quote: I thought the policy I created should be changing it from drop to alert
Yes, it should, but only if the policy is actually applied to the rule.
So I ask you to look at the matched_policy value for these rules.
Perhaps these rules are taken out of the policy (matched policy = __manual__) and they need to be returned from the manual state by deleting them from Services: Intrusion Detection: Policy -> Rule adjustments.

Quote from: Fright on March 07, 2021, 08:55:26 PM
Quote: I thought the policy I created should be changing it from drop to alert
Yes, it should, but only if the policy is actually applied to the rule.
So I ask you to look at the matched_policy value for these rules.
Perhaps these rules are taken out of the policy (matched policy = __manual__) and they need to be returned from the manual state by deleting them from Services: Intrusion Detection: Policy -> Rule adjustments.

The "Rule adjustments" section is empty.

Got it, thanks. So what matched_policy does it show for these "drop" rules?

March 07, 2021, 09:10:34 PM #8 Last Edit: March 07, 2021, 09:15:56 PM by Fright
One more thing: afaik all emerging-p2p.rules are Alert by default.
You set your Policy to "get all emerging-p2p.rules with the default Drop action and set action to Alert". So imho there should be no rules under this policy (you can check this by filtering rules by "matched_policy" in Services: Intrusion Detection: Administration: Rules).

Quote from: Fright on March 07, 2021, 09:10:34 PM
One more thing: afaik all emerging-p2p.rules are Alert by default.
You set your Policy to "get all emerging-p2p.rules with the default Drop action and set action to Alert". So imho there should be no rules under this policy (you can check this by filtering rules by "matched_policy" in Services: Intrusion Detection: Administration: Rules).

All of my rules are set to "drop"; before, I had to manually override these to make them all "alert".

Like everything is correct and logical. To apply the policy, you need:
1. Configure the policy so that its filters match the default rules settings (as they are specified in the source files). That is, your policy should indicate Action "Alert" or "Nothing Selected".
2. Remove the corresponding rules from the _manual_. This can be done on the Services: Intrusion Detection: Policy: Rule adjustments tab.
What I don't understand is why your manual rules are not listed in that tab.
What OPN version?
Please share a "rule details" screen of one of the p2p rules from Services: Intrusion Detection: Administration: Rules.

Quote from: Fright on March 08, 2021, 02:15:29 PM
Like everything is correct and logical. To apply the policy, you need:
1. Configure the policy so that its filters match the default rules settings (as they are specified in the source files). That is, your policy should indicate Action "Alert" or "Nothing Selected".
2. Remove the corresponding rules from the _manual_. This can be done on the Services: Intrusion Detection: Policy: Rule adjustments tab.
What I don't understand is why your manual rules are not listed in that tab.
What OPN version?
Please share a "rule details" screen of one of the p2p rules from Services: Intrusion Detection: Administration: Rules.

Maybe as I have no manual rules?

I'm happy to flush all the Intrusion Detection settings back to factory default as I wasn't making full use of it anyway until now. I'll just make a note of what settings I have and the rulesets I was downloading, but you'd need to tell me how best to do that.

Quote: Maybe as I have no manual rules?
Hm, maybe: looks like you have another policy ("Default filter") and this policy is successfully applied to p2p rules.
"New action" of this policy is Drop? ;)
What are the parameters of this policy?

In any case, for the p2p policy, the "Action" filter value should be changed to Alert or Nothing.

Quote from: Fright on March 08, 2021, 02:37:38 PM
Quote: Maybe as I have no manual rules?
Hm, maybe: looks like you have another policy ("Default filter") and this policy is successfully applied to p2p rules.
"New action" of this policy is Drop? ;)
What are the parameters of this policy?

In any case, for the p2p policy, the "Action" filter value should be changed to Alert or Nothing.

Should I delete the default filter?

Imho changing the "Action" parameter (the third drop-down list from the top) to Alert + Drop will be enough. The policy has a lower priority value and will have to apply to the p2p rules.
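To make the mechanism Fright describes concrete, here is a small Python model added to this thread (not code from the forum or from OPNsense): a policy's Action filter is compared against the rule's default action from the source file, rules listed under Rule adjustments stay __manual__ and skip policies, and the unsupported dnp3 signature fails at load time. The rules, sids, enabled-protocol set and the "lowest priority value wins" tie-break are all constructed assumptions for the illustration.

```python
import re

# Constructed sample rules in Suricata syntax; sids and messages are made up, not real ET rules.
SAMPLE_RULESETS = {
    "emerging-p2p.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE P2P client"; sid:9000001; rev:1;)',
        'alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE P2P tracker"; sid:9000002; rev:1;)',
    ],
    "emerging-scada.rules": [
        'drop dnp3 any any -> $HOME_NET any (msg:"EXAMPLE DNP3 cold restart"; sid:9000003; rev:1;)',
    ],
}
# Constructed: app-layer protocols this instance detects; dnp3 is deliberately absent,
# which is what produces the SC_ERR_UNKNOWN_PROTOCOL errors at load time.
ENABLED_PROTOCOLS = {"ip", "tcp", "udp", "icmp", "http", "tls"}
RULE_RE = re.compile(r'^(?P<action>\w+)\s+(?P<proto>\w+)\s.*?\(msg:"[^"]*";.*?\bsid:(?P<sid>\d+);')

def parse_rulesets(rulesets):
    """Parse rule lines, keeping each rule's DEFAULT action as written in the source file."""
    rules, errors = [], []
    for name, lines in rulesets.items():
        for line in lines:
            m = RULE_RE.match(line)
            if not m:
                continue
            if m["proto"] not in ENABLED_PROTOCOLS:
                errors.append(f'sid {m["sid"]}: protocol "{m["proto"]}" cannot be used in a signature')
                continue
            rules.append({"sid": int(m["sid"]), "ruleset": name, "default_action": m["action"],
                          "action": m["action"], "matched_policy": None})
    return rules, errors

def apply_policies(rules, policies, manual_sids=()):
    """A policy's Action filter is matched against the rule's default action, not its
    current one; rules under Rule adjustments are __manual__ and skip policies entirely.
    Assumption: when several policies match a rule, the lowest priority value wins."""
    for rule in rules:
        if rule["sid"] in manual_sids:
            rule["matched_policy"] = "__manual__"
            continue
        for pol in sorted(policies, key=lambda p: p["priority"]):
            if pol["rulesets"] and rule["ruleset"] not in pol["rulesets"]:
                continue
            if pol["filter_action"] and rule["default_action"] not in pol["filter_action"]:
                continue
            rule["matched_policy"], rule["action"] = pol["name"], pol["new_action"]
            break
    return {r["sid"]: (r["matched_policy"], r["action"]) for r in rules}
```

With the p2p policy filtering on Drop (as originally configured), no p2p rule matches it and the catch-all "Default filter" sets them to drop; widening the filter to Alert + Drop lets the p2p policy win.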