Suricata policy - v7.0.3 ?

[Greg_E]

I'm doing something wrong... Is there a good guide on the policy part of Suricata, I think I'm missing something.

I'm getting alerts, but nothing is dropping. I do have IPS checked in the General tab, I've restarted the service a few times after making changes. The only thing I haven't checked is after the latest reboot, I forget to do this before putting laptop away, I'll check again after lunch.

In general, I'm having a much harder time with this than I did on pfsense, also seeing where some functions are going to be harder. Things like seeing a block, deciding it isn't really a threat, and adding it to a bypass list. This is a single click function.

Anyway, just kind of struggling with the differences between the two and not understanding what I'm doing wrong to get blocking working.

[cookiemonster]

I find it that it takes a little to get the gist of it. I don't know if this is the "right way" but how I have it.
Create a policy, then get the rulesets you want from the drop-down and then change the New Action to "drop".

[Greg_E]

I think part of it is that I'm not connected to the correct network that has ports forwarded to it. I'm only seeing things that it says are Priority 3 not suspicious which isn't getting blocked. I'm going to need to set up and attack this device to see what happens.

[Greg_E]

I have my test machine on a real live network and mostly things are working... But I still can't grasp how to set up these policies?

I have a bunch of stuff installed and on the main Administration page everything is set to Alert, doing this because it says dropping is better done by policies. So I tried to make my way through setting some policies, but I just don't find information on what each of the many drop downs really means, and where to see if things are really being dropped.

In the administration section, on the alerts tab, I see things that I thought should be blocked that are coming through as an alert. Things like port scan and web crawl I normally block, plus other attacks like SQL injection attempts.

I'm also not seeing where I can block a connection for  like 3 hours after one of these events. This was simple with in the old pfsense I was running, but I want to get away from pfsense. This Suricata stuff is hard to find information to program it on OPNsense.

I'm not seeing all the options explained anywhere, what do they do? I've flipped through the Suricata 7.0.3 manual and don't see this listed, I'll check it again in a little bit.

Ultimately I'll either figure it out or go through and drop back at the rulesets, even though the interface says this might impact performance. Either way I've done something wrong and having trouble finding the info I need to do this correctly. Did I miss a section in the official OPNsense documents? Anyone have some links to how to do this the right way? A step by step for dummies would be really nice.

[dot1x]

I have the same problem.

Policies just don't work as expected on my side.

Included all my installed Rules. Set them to drop.

Some are now dropping, some are not- like port scans and sql injection attempts etc. etc.

I gone so far that i changed the scan rules themself to drop. But guess what. They are still coming through.

I even click on the triggered alert, showed me action allowed. But down in the dropdown it says rule action is set "drop".

Like i don't understand it anymore.

[Greg_E]

I would reboot the firewall, sometimes Suricata gets "lost" and needs a reboot. At least that's what I've seen on pfsense and maybe on my new OPNsense.

I think I have every decent book written on OPNsense, and none of them have details about how this "new" policy based system is supposed to work. Most of these are based on v21.x.x which was before the policy stuff was introduced.

Oddly enough, there isn't a step by step in the Suricata user guide either. I haven't sat down and searched for each choice yet, and need to update my offline copy to do this. Most (all?) of the Suricata guide is terminal commands. I just haven't had time to sit down and concentrate on this topic, so far the drop/allow on the basic rules is doing what I want, and a bunch of stuff is getting caught by Zenarmor so I'm mostly back where I was a month ago with pfsense, I just don't want to continue with pfsense anymore. Thus starts the learning curve!

[dot1x]

I just restarted the firewall. It was still the same problem.

I tried messing around with the Policies. I did set it to disable and now my "emerging threat scan" rules work. Like i defined them in the rules tab with "drop".

I enabled the policy again, with the rule inside and it goes back to alert only. All other included rules in the policy go to drop.

So for now i take out the scan rule package from the policy and set them to manually drop. This works in my case.

[Greg_E]

I have my policies set to drop, but if the main rules is set to alert, all I get is alert. It seems to parse the rules first, do what it says and exit (first match). Mine never seems to get to the policy.

Obviously, more experiments are needed for me to figure this out.

[blacklistme]

Any Updates here?
Getting the policies to work is my last challenge in opensense so far...

[Greg_E]

I won't have time to fiddle with this until middle of May of into June when our semester is finished. Then I need to build my Business version and put it in service. It's high on my list of things to figure out since I know I'm not doing it correctly right now.

I also need to work with the larger campus IT department so I can put a laptop on the network feeding my firewall, and attack it at will to speed up the trial and error part of this fiddling. I may set it up offline with a test computer, haven't really decided how I'm going to attack it yet.

There is some info to follow in this post and the web page he links/runs that deserves more thought, might be a good place to start if you haven't already read this https://forum.opnsense.org/index.php?topic=38555.0