Hitting 'Apply' on IDS Policy never(?) completes

Started by gctwnl, April 21, 2023, 06:27:23 PM

To make sure the rules I have selected actually drop the traffic, I need to create a Policy that actually changes the default 'alert' on those rules to 'drop'.

So, I created such a rule, but when I clicked 'Apply' for the first time, it was not done after 30 minutes.

CPU usage is low, so what is it doing? Memory usage is high.

This one (a big one on almost all my rulesets) never finished:
# cat /usr/local/etc/suricata/rule-policies.config
[843a267bc7314362b09a08d4a25a9f51]
enabled=1
prio=0
rulesets=abuse.ch.feodotracker.rules,abuse.ch.sslblacklist.rules,abuse.ch.sslipblacklist.rules,abuse.ch.threatfox.rules,abuse.ch.urlhaus.rules,botcc.rules,ciarmy.rules,compromised.rules,drop.rules,dshield.rules,emerging-malware.rules,emerging-mobile_malware.rules,emerging-phishing.rules,emerging-web_client.rules,emerging-web_server.rules,opnsense.test.rules
content=
action=drop
__target_action__=drop
__policy_id__=843a267b-c731-4362-b09a-08d4a25a9f51
__policy_description__=Drop everything on these sets

What should I do to get my rulesets to actually block instead of just alert?

This happened when I loaded abuse.ch ThreatFox. It does not happen with my current set, which excludes ThreatFox.