SOLVED: ET Open, IPS mode: why is the action for the compromised rule set Allow

[gctwnl]

I've moved from ET Telemetry Pro to ET Open and I have activated a set of rules.

I now see Alerts in IDS/IPS like this:

Code: [Select]

ET COMPROMISED Known Compromised or Hostile Host Traffic group 18 but the action is 'allowed'.

Why?

[gctwnl]

The answer is: you need to set a Policy.

(Not that it works yet, 'apply' never completes, but that is another issue. In theory it works.)

[nuke]

@gctwnl
Did you check the log?  I tried to add Threatfox but found that it didn't complete either.
The log shows:

Code: [Select]

Error suricata [100110] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"slotgamings.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1047040/; target:src_ip; metadata: confidence_level 50, first_seen 2022_12_14; classtype:trojan-activity; sid:9104704" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 70885
Error suricata [100110] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - no terminating ";" found
So it would appear there is a missing ";" on the line.
I need to recheck the rule file.