We strongly advise using policies instead of single-rule-based changes to limit the size of the configuration. A list of all manual changes can be reviewed in the policy editor.
2021-03-06T10:45:40 suricata[38260] [100489] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dnp3 any any -> $HOME_NET any (msg:"ETPRO SCADA DNP3 Enable Unsolicited Messages"; dnp3_func:enable_unsolicited; classtype:protocol-command-decode; sid:2821687; rev:3; metadata:created_at 2016_08_15, signature_severity Critical, updated_at 2021_02_17;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-scada.rules at line 46
2021-03-06T10:45:40 suricata[38260] [100489] <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
2021-03-06T10:45:40 suricata[38260] [100489] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dnp3 any any -> $HOME_NET any (msg:"ETPRO SCADA DNP3 Cold Restart"; dnp3_func:cold_restart; classtype:protocol-command-decode; sid:2821683; rev:5; metadata:created_at 2016_08_15, former_category SCADA, signature_severity Critical, updated_at 2021_02_17;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-scada.rules at line 45
2021-03-06T10:45:40 suricata[38260] [100489] <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
Hi. Could you provide more info please (alerts, rule parameters)? The rules and errors from the log are not related to policies and are not from the emerging-p2p ruleset imho.
All the rules are set to "drop"
Quote: All the rules are set to "drop"
Hm. If it is set to drop, it should drop? If you click the "info" pencil for these rules, what "matched_policy" does it show for those rules?
I thought policy I created should be changing it from drop to alert
Quote: I thought policy I created should be changing it from drop to alert
Yes, it should, but only if the policy is actually applied to the rule. So I ask you to look at the matched_policy value for these rules. Perhaps these rules are taken out of the policy (matched_policy = __manual__) and they need to be returned from the manual state by deleting them from Services: Intrusion Detection: Policy -> Rule adjustments.
One more thing: afaik all of emerging-p2p.rules is Alert by default. You set your Policy to "get all emerging-p2p.rules with the default Drop action and set action to Alert", so imho there should be no rules under this policy (you can check this by filtering rules by "matched_policy" in Services: Intrusion Detection: Administration: Rules).
Looks like everything is correct and logical. To apply the policy, you need to:
1. Configure the policy so that its filters match the default rule settings (as they are specified in the source files). That is, your policy should indicate Action "Alert" or "Nothing Selected".
2. Remove the corresponding rules from the _manual_ state. This can be done on the Services: Intrusion Detection: Policy: Rule adjustments tab.
What I don't understand is why your manual rules are not listed in that tab. What OPNsense version? Please share a "rule details" screen of one of the p2p rules from Services: Intrusion Detection: Administration: Rules.
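To make the matching logic in the two steps above concrete, here is a small simplified model of it, added to this thread as an illustration and not OPNsense's or Suricata's own code. It assumes (as the posts above describe) that a policy's Action filter is compared against the action a rule carries in its source file, that a rule listed under Rule adjustments is reported as matched_policy __manual__ regardless of policies, and that the first matching policy wins. The rule lines, sids and policy names are constructed for the example.

```python
"""Simplified model of IDS policy matching (added example, not OPNsense code).

Assumptions: a policy filters on the rule's default action from the source
file, manually adjusted rules report '__manual__', first matching policy wins.
"""
import re
from dataclasses import dataclass

# Constructed sample rules in Suricata syntax (not from a real ruleset).
# Both rulesets are 'alert' by default, as the thread says emerging-p2p is.
SAMPLE_RULES = {
    "emerging-p2p.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE P2P client A"; sid:9000001; rev:1;)',
        'alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE P2P client B"; sid:9000002; rev:1;)',
    ],
    "emerging-scada.rules": [
        'alert dnp3 any any -> $HOME_NET any (msg:"SAMPLE SCADA cold restart"; sid:9000003; rev:1;)',
    ],
}

# action, protocol and sid are all we need from a rule line
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s.*?sid:(?P<sid>\d+);"
)


@dataclass
class Rule:
    ruleset: str
    sid: int
    proto: str
    default_action: str  # action as written in the source .rules file


@dataclass
class Policy:
    name: str
    rulesets: set        # rulesets the policy applies to
    action_filter: set   # default actions to match; empty = "Nothing selected"
    new_action: str      # action the policy sets on matched rules


def parse_rules(files):
    """Parse {ruleset: [rule lines]} into Rule objects, skipping non-rule lines."""
    rules = []
    for ruleset, lines in files.items():
        for line in lines:
            m = RULE_RE.match(line)
            if m:
                rules.append(Rule(ruleset, int(m["sid"]), m["proto"], m["action"]))
    return rules


def evaluate(rules, policies, manual):
    """Return {sid: (matched_policy, resulting action)}.

    'manual' maps sid -> action for rules under Policy: Rule adjustments;
    such rules are never touched by a policy (matched_policy '__manual__').
    """
    result = {}
    for r in rules:
        if r.sid in manual:
            result[r.sid] = ("__manual__", manual[r.sid])
            continue
        for p in policies:
            in_ruleset = r.ruleset in p.rulesets
            action_ok = not p.action_filter or r.default_action in p.action_filter
            if in_ruleset and action_ok:
                result[r.sid] = (p.name, p.new_action)
                break
        else:
            result[r.sid] = (None, r.default_action)
    return result


def sids_matched_by(rules, policy, manual=None):
    """Convenience: which sids report this policy as matched_policy."""
    res = evaluate(rules, [policy], manual or {})
    return sorted(sid for sid, (name, _) in res.items() if name == policy.name)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # Policy as described in the thread: filter on default action 'drop'.
    # The source rules are 'alert', so nothing matches.
    wrong = Policy("p2p drop->alert", {"emerging-p2p.rules"}, {"drop"}, "alert")
    # Corrected policy: Action filter "Nothing selected" (or {'alert'}).
    right = Policy("p2p ->alert", {"emerging-p2p.rules"}, set(), "alert")
    for pol in (wrong, right):
        print(f"{pol.name!r} matches sids: {sids_matched_by(rules, pol)}")
    # A rule listed under Rule adjustments stays '__manual__' whatever the policy.
    print(evaluate(rules, [right], {9000001: "drop"})[9000001])
```

Running it prints an empty sid list for the policy that filters on Drop and both p2p sids for the policy whose filter matches the source default, which is the check the "matched_policy" filter in Administration: Rules gives you in the GUI.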
Maybe as I have no manual rules?
Quote: Maybe as I have no manual rules?
Hm, maybe. Looks like you have another policy ("Default filter") and this policy is successfully applied to the p2p rules. Is the "New action" of this policy Drop? What are the parameters of this policy? In any case, for the p2p policy, the "Action" filter value should be changed to Alert or Nothing.