Load default rules in Intrusion Detection

Started by enoch85, June 05, 2016, 01:02:04 AM

So, I played around with Intrusion Detection and enabled rules that I thought would be nice to have (DOS, Trojan, Scan, Feodo Tracker), hit apply, and now I can't browse until I turn Intrusion Detection off. Just removing "Enabled" didn't help, as the rules are still enabled when I go to "Rules"; something to improve imo.

Is there any way to load the "default rules" or delete all the current rules and start over? If I check rules I have >58000 entries and need to manually remove each one. I will be done when I'm 100 years old.

Also, are there any rules that you recommend? I run an ESXi server with some domains over SSL and I would really want some more security if possible.

Thanks!

Hi enoch85,

Did you apply your changes? (download & apply when changing complete rulesets, apply when changing specific rules)
Download / Apply should also remove the uninstalled sets.

Same comment on Github too: can you please only add issues on GitHub for missing features or if the outcome of the forum thread is that it is (looks like) a bug.
(for more info about creating issues, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md)

As for the recommended rules, the abuse.ch sets are pretty useful with very few false positives; I would start with those and test again. If all works, then add some of the ET rulesets, like malware, trojan.

Best regards,

Ad

Yes, the rules I applied were removed when I clicked "Download & Update Rules". Thanks!

After that I got the "default rules" left: 21 entries that were enabled. I then clicked Enable --> Apply, and the same issue occurred: I could browse, but it was very slow and most pages didn't work. So not even the "default rules" worked. Am I doing something wrong?

Btw, I'm on IRC.

It's probably an issue with netmap in combination with your network driver. Which type of network card is configured in ESXi, and do you have all hardware offloading features disabled?
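
The offloading check asked about above, as an added example that is not part of this thread and not OPNsense's own tooling: a POSIX sh script that reads the `options=<...>` line of FreeBSD `ifconfig` output (OPNsense runs on FreeBSD) and lists the hardware offload features still enabled on the interface, then prints the `ifconfig` call that would clear them. The interface name `vmx0`, the list of flags checked, and the sample `ifconfig` output are constructed assumptions for the demonstration; on a real box the persistent setting lives in the OPNsense GUI, so the script only prints the command rather than running it.

```shell
#!/bin/sh
# Added example (not from the thread): report hardware offload features that
# are still enabled on a FreeBSD/OPNsense interface, since netmap-based IPS
# mode is known to misbehave when they are left on.

# Offload flags to look for (assumption: the set commonly toggled under
# Interfaces > Settings in OPNsense).
OFFLOAD_FLAGS="RXCSUM TXCSUM TSO4 TSO6 LRO VLAN_HWTSO RXCSUM_IPV6 TXCSUM_IPV6"

# Constructed sample of `ifconfig vmx0` output, standing in for the real call.
SAMPLE_IFCONFIG='vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=e403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:0c:29:12:34:56
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# enabled_offloads <ifconfig-output>
# Prints, one per line, the offload flags present in the options=<...> list.
enabled_offloads() {
    opts=$(printf '%s\n' "$1" \
        | sed -n 's/.*options=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p' | head -n 1)
    for flag in $OFFLOAD_FLAGS; do
        case ",$opts," in
            *",$flag,"*) printf '%s\n' "$flag" ;;
        esac
    done
}

# offload_count <ifconfig-output>
# Number of offload flags still enabled (0 means the interface is clean).
offload_count() {
    enabled_offloads "$1" | wc -l | tr -d ' '
}

# disable_command <ifname> <ifconfig-output>
# Builds the one-shot ifconfig command that clears the flags still set.
# It is printed, not executed; use the GUI for the persistent setting.
disable_command() {
    args=""
    for flag in $(enabled_offloads "$2"); do
        case $flag in
            RXCSUM)      args="$args -rxcsum" ;;
            TXCSUM)      args="$args -txcsum" ;;
            TSO4)        args="$args -tso4" ;;
            TSO6)        args="$args -tso6" ;;
            LRO)         args="$args -lro" ;;
            VLAN_HWTSO)  args="$args -vlanhwtso" ;;
            RXCSUM_IPV6) args="$args -rxcsum6" ;;
            TXCSUM_IPV6) args="$args -txcsum6" ;;
        esac
    done
    if [ -n "$args" ]; then
        printf 'ifconfig %s%s\n' "$1" "$args"
    fi
}

# Demonstration on the constructed sample; on a live system replace
# "$SAMPLE_IFCONFIG" with "$(ifconfig vmx0)".
echo "Offload features still enabled on vmx0 ($(offload_count "$SAMPLE_IFCONFIG")):"
enabled_offloads "$SAMPLE_IFCONFIG"
echo "Suggested ifconfig call:"
disable_command vmx0 "$SAMPLE_IFCONFIG"
```

On the sample output all eight flags are reported, which is the state that tends to break netmap; a clean interface yields a count of 0 and no suggested command.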

I use VMXNET3 for the network, and this is what my config looks like in the firewall: