IPS Rules empty

Started by anthael, August 17, 2021, 11:02:43 AM

Hi
Since the new version 21.7 was deployed, I have noticed issues running Suricata.
I have spotted the following issues unless the alert tab is correctly filled up:

- the rule list is empty but the rules are working, but it makes it impossible for me to add a rule to ignore a specific rule,
i.e. https://x.x.x.x/ui/ids#rules (I have tried to select all the filters possible)

- the rules are always set to alert and no blocking (I guess the problem came with the new config)

My basic config here is

Version
OPNsense : 21.7.1
Architecture : amd64
Type : Community

Module installed
- os-intrusion-detection-content-pt-open 1.0_1
- os-intrusion-detection-content-snort-vrt 1.1_1
- os-etpro-telemetry    1.5

Module activated
- snort_vrt.oinkcode
- et_telemetry.token ( registered )

Config applied
- IPS mode
- Promiscuous mode
- Pattern matcher : hyperscan
- Interfaces : all



It's caused by faulty data in pt-open rules.


Cheers,
Franco

Hi
Can you add screenshots of the enabled rulesets in the "download" tab and the Rules tab?
If "PT Research ruleset" is enabled, then I agree with @franco - the matter is in the incorrect metadata of the PT-research rules (https://github.com/opnsense/core/commit/3f73088673973676a4f8d42c1da0134d9c6ac82f should help)