I am thoroughly confused about Intrusion Prevention and Action=Drop vs. Alert

Started by Retired Miner, December 26, 2023, 03:56:02 AM

Main question: What purpose does the setting enable "IPS Mode" serve when all rules (that I am able to download) default to alert?

And, to add to my confusion:

  • If I change (via a policy) some rules to have action = drop (per here), do I also need IPS mode to be enabled? Or will the drop also occur in IDS mode? I can't test any of this and I cannot find a clear answer in the documents.
  • Does IPS mode somehow override all "drop" actions and make them "block"? 

  • Is there a precedence, IPS mode over Action = Block?
Some background (call it my 'dumb user' use case):
I followed the instructions at 25:16 to 29:25 in this video. I understand that things have changed since Oct 2020. Specifically the "Enable (drop filter)" button is no longer present where you download rules, replaced with a menu entry for Policy where you can set a policy affecting any number of rules, all of which is good because it seems to give much greater granularity. 

However, for every rule I can get -- all the base rules plus the etpro-telemetry via the plugin + a free token -- all 113,685 of them, are created with action = alert. None (as in zero) get created with action = block. Is this correct? If it is correct, and if IPS mode does not override any action = alert, then ... I'm very confused how everything (rules, newly downloaded rules, and IPS mode) is intended to work together.

1. To block (drop) something, Suricata should be in IPS mode.
2. No
3. Enabling IPS mode makes it possible to drop traffic inline.
Quote: "get created with action = block. Is this correct?"
yep.
Quote: "how everything (rules, newly downloaded rules, and IPS mode) is intended to work together."
you can monitor alerts and decide what type of traffic (based on what rules) you want to drop.
then you can create a policy (preferred) and adjust rules to achieve this

I'm old and slow on some of these points.  Let me ask again:

When Intrusion Detection Enabled and IPS mode=Disabled:
1. What does a rule with Action = Drop do?

When Intrusion Detection Enabled and IPS mode=Enabled:
2. What does a rule with Action = Alert do?
3. What does a rule with Action = Drop do?

Extra credit:
4. Is there a way (an easy way) to test any of these cases?  I already have done the eicar test file with the eicar test rule.


1. Alerts
2. Alerts
3. Drops
;)
4. I would enable the OPNsense-App-detect/mail ruleset. Then disable IPS mode, then enable rules with SID 54000009 and 54000012. Hit Apply.
Wait..
then run nslookup on opnsense for 'outlook.live.com.'.
there should be alerts in Services: Intrusion Detection: Administration - Alerts, and the name should be resolved successfully.
Then switch the rules to Drop, hit Apply.
Wait..
there should be alerts in Services: Intrusion Detection: Administration - Alerts, and the name should be resolved successfully.
Then enable IPS mode, hit Apply.
Wait..
there should be alerts (with drop action) in Services: Intrusion Detection: Administration - Alerts, and nslookup should time out.

The main part of all of this - Wait..   ;)

Suricata takes time to reload
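The three steps above can also be checked from Suricata's own log instead of the Alerts tab. Every alert record in eve.json carries an `alert.action` field that Suricata sets to "allowed" when the packet went through and "blocked" when the engine actually dropped it, so a drop rule that is firing in IDS mode shows up as "allowed" and only flips to "blocked" once IPS mode is on. The script below is an added example written for this thread, not code from the forum posters or from OPNsense or Suricata: it reads eve.json lines, reports which engine action each SID produced, lists the SIDs you set to drop that were never blocked, and shows that a rule's action is just the first token of the rule text (which is what a policy rewrites). The eve.json records and the rule body for SID 54000009 are constructed stand-ins; the real rule content and signature names are not in the thread, and the log path /var/log/suricata/eve.json is the usual OPNsense location but is an assumption here.

```python
import json
from collections import defaultdict

# Constructed eve.json alert records (not a real capture). Only the fields the
# script uses are filled in; "allowed"/"blocked" are the values Suricata writes.
def _alert(sid, action, ts):
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "proto": "UDP",
        "src_ip": "192.0.2.10", "dest_ip": "192.0.2.53",
        "alert": {"action": action, "gid": 1, "signature_id": sid, "rev": 1,
                  "signature": f"constructed stand-in for sid {sid}",
                  "category": "Potentially Bad Traffic", "severity": 2},
    })

# Step 1 and 2 of the procedure: IPS mode off. Whether the rule action is
# alert or drop, Suricata only logs the hit and the packet passes ("allowed").
IDS_MODE_EVE = "\n".join([
    _alert(54000009, "allowed", "2023-12-26T18:01:02.000000+0000"),
    _alert(54000012, "allowed", "2023-12-26T18:01:02.000100+0000"),
])

# Step 3: IPS mode on, rules set to drop. Same SIDs, now "blocked".
IPS_MODE_EVE = "\n".join([
    _alert(54000009, "blocked", "2023-12-26T18:09:15.000000+0000"),
    _alert(54000012, "blocked", "2023-12-26T18:09:15.000100+0000"),
])

DROP_SIDS = {54000009, 54000012}   # the rules the policy switched to drop


def parse_eve(text):
    """Yield the alert events from eve.json text (one JSON object per line)."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            if ev.get("event_type") == "alert":
                yield ev


def actions_by_sid(events):
    """Map signature_id -> set of engine actions seen for it."""
    seen = defaultdict(set)
    for ev in events:
        a = ev["alert"]
        seen[a["signature_id"]].add(a["action"])
    return dict(seen)


def drop_rules_not_enforced(events, drop_sids):
    """SIDs set to drop that fired but were never blocked.

    A non-empty result means the drop action is configured but not being
    enforced: IPS mode is off, or the interface is not running under netmap,
    so Suricata is alerting rather than dropping.
    """
    seen = actions_by_sid(events)
    return sorted(sid for sid in drop_sids if sid in seen and "blocked" not in seen[sid])


# Rule text handling: the action is the first keyword of a Suricata rule.
# A downloaded rule starts with "alert"; a drop policy rewrites that keyword.
RULE_ACTIONS = ("alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth")

# Constructed stand-in for SID 54000009 (the real rule body is not in the thread).
SAMPLE_RULE = ('alert dns $HOME_NET any -> any any (msg:"outlook.live.com lookup"; '
               'dns.query; content:"outlook.live.com"; nocase; sid:54000009; rev:1;)')


def rule_action(rule):
    """Return the rule's action keyword, or None if the rule is commented out."""
    rule = rule.strip()
    if not rule or rule.startswith("#"):
        return None
    first = rule.split(None, 1)[0]
    return first if first in RULE_ACTIONS else None


def set_rule_action(rule, action):
    """Rewrite the action keyword of an active rule (what a drop policy does)."""
    if action not in RULE_ACTIONS:
        raise ValueError(f"unknown rule action: {action}")
    head, rest = rule.strip().split(None, 1)
    if head not in RULE_ACTIONS:
        raise ValueError("not an active rule line")
    return f"{action} {rest}"


if __name__ == "__main__":
    # On a live box: python3 thisfile.py < /var/log/suricata/eve.json (assumed path)
    for label, text in (("IPS off", IDS_MODE_EVE), ("IPS on", IPS_MODE_EVE)):
        print(label, actions_by_sid(parse_eve(text)),
              "drop not enforced:", drop_rules_not_enforced(parse_eve(text), DROP_SIDS))
    print(set_rule_action(SAMPLE_RULE, "drop"))
```

Read together with Fright's answers: in IDS mode both an alert rule and a drop rule land in the log as "allowed", and only IPS mode turns a drop rule into "blocked"; an alert rule stays "allowed" in either mode. If you see your drop SIDs listed by `drop_rules_not_enforced` with IPS mode on, check that the interface actually came up under netmap before looking anywhere else.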

Quote from: Fright on December 26, 2023, 05:46:05 PM
1. Alerts
2. Alerts
3. Drops
Thanks.

I now see where this is stated in the documentation, here, this statement for IPS Mode:
Quote: "When enabled, the system can drop suspicious packets. In order for this to work, your network card needs to support netmap. The action for a rule needs to be "drop" in order to discard the packet, this can be configured per rule or ruleset (using an input filter)."

That all rule sets and rules download with Alert, none with Drop, is what was confusing.