OPNsense Forum » English Forums » Intrusion Detection and Prevention
Suricata Policies not working as expected?
Topic: Suricata Policies not working as expected? (Read 1514 times)
Styx13 (Newbie, Posts: 39, Karma: 6)
Suricata Policies not working as expected?
« on: February 23, 2023, 04:39:07 am »
Hello,
Running OPNsense 23.1.1_2 with Suricata enabled as IPS.
I wanted to update which rules are enabled and drop/alert and decided to clean up all my policies, rule adjustments and enabled rulesets and start back from scratch.
I then enabled the following rulesets:
abuse.ch/Feodo Tracker
abuse.ch/SSL Fingerprint Blacklist
abuse.ch/SSL IP Blacklist
abuse.ch/ThreatFox
abuse.ch/URLhaus
ET open/drop
ET open/dshield
ET open/emerging-malware
ET open/emerging-mobile_malware
I then went and created a first policy that I called "Disable all" which, as its name indicates, disables all rules ("Nothing Selected" everywhere and New Action = Disable).
I enabled it and applied, and then went to check that all rules were indeed disabled.
Then I disabled that "Disable all" rule and created a new one called "Specific Ruleset all rules drop".
In the "Specific Ruleset all rules drop" I selected the following rulesets:
abuse.ch/Feodo Tracker
abuse.ch/SSL Fingerprint Blacklist
abuse.ch/SSL IP Blacklist
abuse.ch/ThreatFox
abuse.ch/URLhaus
ET open/drop
ET open/dshield
I left all the other selection fields at "Nothing selected" and set New Action to "Drop". My goal was to enable all the rules for those selected rulesets and set the action to drop.
I made sure that policy "Specific Rulesets all rules drop" was the only one enabled and clicked "Apply".
But then, when I go and check the rule list, the first thing I observe is that a lot of rules are enabled, but on alert (instead of drop).
Also I can see some (but not all) of the rules from the rulesets I did not select (ET open/emerging-malware and ET open/emerging-mobile_malware) are enabled and set to alert as well, when they should have remained disabled.
I initially created both policies with priority 0 (and as described above, I was making sure I only enabled one at a time when I clicked "Apply"), and then I tried them again by assigning different priorities to them (and still making sure only one was enabled when I hit "Apply"), but that did not make a difference.
I do not remember running into this problem back in OPNsense 22.x.
Am I doing something wrong here? Or could something have changed in OPNsense 23.x?
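One way to verify what a policy actually produced, independently of the rule-list view in the GUI, is to read the rules file Suricata was given and count, per rule category, how many rules ended up disabled, on alert, or on drop. The script below is an added example and is not part of this thread or of OPNsense itself. It assumes the merged rules file lives somewhere under `/usr/local/etc/suricata/` on the firewall (the exact filename is a placeholder here, so point `RULES_FILE` at the real one), that a disabled rule is written as a `#`-commented rule line, and that rules can be grouped by the `msg` prefix convention ET and abuse.ch rules use ("ET DROP ...", "ET MALWARE ...", "ThreatFox ..."). The sample rule lines embedded in it are constructed for the demonstration, not real signatures.

```python
"""Summarize rule states in a Suricata rules file, grouped by msg prefix.

Added example for the OPNsense policy question above; not OPNsense code.
Assumption: RULES_FILE is a placeholder path, disabled rules are '#'-prefixed
rule lines, and the msg prefix identifies the ruleset/category.
"""
import re
import sys
from collections import Counter, defaultdict

# Placeholder path: replace with the merged rules file OPNsense generates.
RULES_FILE = "/usr/local/etc/suricata/opnsense.rules"

# Matches an optionally commented-out rule line and captures the msg text.
RULE_RE = re.compile(
    r'^\s*(#\s*)?(alert|drop|reject|pass)\s+\S+\s+.*?\(.*?msg:"([^"]*)"'
)

# Constructed sample lines (not real rules) used when no file is given.
SAMPLE_RULES = """\
# constructed sample rules for the demonstration
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DROP Sample Listed Traffic group 1"; sid:2400000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DROP Sample Listed Traffic group 2"; sid:2400001; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sample Observed Cert"; sid:2000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sample Something Else"; sid:2000002; rev:1;)
drop ip [192.0.2.10] any -> $HOME_NET any (msg:"ThreatFox sample botnet C2 traffic"; sid:3000001; rev:1;)
"""


def category(msg):
    """Derive a category from the msg text: 'ET <FAMILY>' or the first word."""
    words = msg.split()
    if not words:
        return "(no msg)"
    if words[0] == "ET" and len(words) > 1:
        return "ET " + words[1]
    return words[0]


def classify(line):
    """Return (category, state) for a rule line, or None for anything else.

    state is 'disabled' for a commented-out rule, else the rule action.
    """
    m = RULE_RE.match(line)
    if not m:
        return None
    disabled, action, msg = m.groups()
    state = "disabled" if disabled else action.lower()
    return category(msg), state


def summarize(lines):
    """Count rule states per category: {category: Counter(state -> n)}."""
    summary = defaultdict(Counter)
    for line in lines:
        result = classify(line)
        if result:
            cat, state = result
            summary[cat][state] += 1
    return summary


def unexpected(summary, expected):
    """Report categories whose rules are not all in the expected state.

    expected maps category -> state; categories not listed are expected to
    be 'disabled' (the 'Nothing selected' case in the post above).
    """
    problems = {}
    for cat, counts in summary.items():
        want = expected.get(cat, "disabled")
        bad = {s: n for s, n in counts.items() if s != want}
        if bad:
            problems[cat] = bad
    return problems


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_RULES.splitlines()
    summary = summarize(lines)
    for cat in sorted(summary):
        print(f"{cat:20s} {dict(summary[cat])}")
    # The policy in the post intended: selected rulesets -> drop, others disabled.
    print("unexpected:", unexpected(summary, {"ET DROP": "drop", "ThreatFox": "drop"}))
```

Run it with the real rules file as the first argument on the firewall; with no argument it runs over the constructed sample, where it flags one "ET DROP" rule left on alert and one "ET MALWARE" rule enabled on alert, which is the same kind of discrepancy described in the post.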
abulafia (Full Member, Posts: 156, Karma: 8)
Re: Suricata Policies not working as expected?
« Reply #1 on: February 23, 2023, 04:38:10 pm »
For most of these, you shouldn't use Suricata at all but use firewall aliases and rules to block these IPs directly, as it is (said to be) a lot more performant.
In Suricata, only use the following:
abuse.ch/SSL Fingerprint Blacklist
Not sure if this is a rule- or IP-based list:
abuse.ch/ThreatFox
Styx13 (Newbie, Posts: 39, Karma: 6)
Re: Suricata Policies not working as expected?
« Reply #2 on: February 23, 2023, 06:35:50 pm »
Thank you for your suggestion; you are most likely correct.
However, this does not address the main reason for my post: it seems policies are not working as expected, or I am doing something wrong.
I picked those rulesets mostly as examples to illustrate the issue and the way I was configuring it in case there's something wrong with the way I did it.
So I am still wondering if there is something going on with Policy management in OPNsense Intrusion Prevention?