Drop policy and directly setting a rule to "Drop" not working.

Started by dot1x, March 28, 2024, 03:45:09 PM

Hey there.

I have a Problem in the IPS of OPNsense.

I downloaded and enabled some rules, and I see them all hitting in the alert tab. I also created a policy including all downloaded rules to set them to drop.

When I now look at the alert tab, I see that requests get dropped, like Network Trojan and many other things.

But when it comes to the Emerging Threats scan category, everything is allowed. I tried different Nmap scans; they all get detected but are allowed, and not on "drop" as I would like to have them.

So I thought something must be wrong or bugged with the policy, so I set all corresponding Emerging Threats scan rules to drop in the "Rules" tab.

Restarted Suricata, restarted the firewall itself. But still, different rules, not just scan rules, just get allowed. How is this possible when I set them to drop via the policy and the rules tab?

Thanks for any help :)

After changing them, did you go back to the rules tab and hit apply? I'm guessing you did, but thought I would ask.

Otherwise I'm not sure, as you did everything else I would recommend. It's something I really need to sit down and figure out; it might be a case of messing it up once, and the mess-up stays on the machine, so wipe the drive and start from a config backup (probably my next step for a couple of reasons).

I have exactly the same problem!
It took several attempts until policies were working as intended. And now the configured action doesn't do anything.

Long way to go for a properly working IDS...

I disabled a specific rule (and set it to alert...) some days ago on 2 different installs. It works for 1-2 days, then the rule is back in the game and starts blocking my traffic and throwing alerts. Happened on both machines. Annoying...

Is it the nightly rules update that ignores previous settings for specific rules?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Zombie rule came back to life again. Really a pain!
kind regards
chemlud

Hello
My rules are enabled and applied and say alert.
I set up a policy for all rules, whether alert or drop, to be dropped and applied them, but it allowed someone to SSH into my TCP port 443. A rule caught it, 2001984, but allowed it. Where does "allowed" come from? That's what it says in the Suricata logs; I didn't see it as an option, and it's not set up that way. Pulled up the rule and it said alert; changed that one rule to drop, so it's the only drop rule. All the other rules are set to drop under the rule policy, even though they say alert. Anyone know how to fix this not-dropping behavior? It was working, as it caught 15 bad DNS queries directed to a .biz server. It was running behind an ISP router which they hijacked and which is now destroyed. They broke the firmware. MITM attack. But OPNsense is running on its own now and has problems.

I should update my reply.
I reloaded OPNsense, enabled and downloaded the Suricata rules.
Left them at the default, which is alert.
Created a policy to drop whether it is an alert or drop.
It is working fine.
It blocked a scan earlier today.
Love that eve JSON file for recording trouble.

Quote from: someone on June 26, 2024, 01:24:03 AM
I should update my reply.
I reloaded OPNsense, enabled and downloaded the Suricata rules.
Left them at the default, which is alert.
Created a policy to drop whether it is an alert or drop.
It is working fine.
It blocked a scan earlier today.
Love that eve JSON file for recording trouble.
Thanks for responding back with a solution to this problem, someone.

Quote from: someone on June 08, 2024, 11:19:53 PM
Hello Exion

My rules are enabled and applied and say alert.
I set up a policy for all rules, whether alert or drop, to be dropped and applied them, but it allowed someone to SSH into my TCP port 443. A rule caught it, 2001984, but allowed it. Where does "allowed" come from? That's what it says in the Suricata logs; I didn't see it as an option, and it's not set up that way. Pulled up the rule and it said alert; changed that one rule to drop, so it's the only drop rule. All the other rules are set to drop under the rule policy, even though they say alert. Anyone know how to fix this not-dropping behavior? It was working, as it caught 15 bad DNS queries directed to a .biz server. It was running behind an ISP router which they hijacked and which is now destroyed. They broke the firmware. MITM attack. But OPNsense is running on its own now and has problems.

I have the same issue. Please help me.
When it says allowed, you could be in IDS mode, not in IPS mode. If it alerts in IPS mode and says allowed, that rule is just set to alert and therefore it allows it. To block, it must be set to drop.

You have to set up OPNsense correctly.
Enter your IP, static or DHCP, correctly.
The firewall rules should already be set up normally; nothing to do there.
Set up Intrusion Detection correctly; enter your IP there if you use DHCP.
Set up IPS, enable it, download the rules and enable them.
Set up Unbound; enter the DNS servers you want in System settings
and in Unbound.
Turn off NTP servers in NTP except the first one; click "do not use" on three of them.
Set up logging: system, Unbound, IPS, NTP.
Watch your Unbound log to see that OPNsense uses your DNS settings.
Check your browser settings.
If in Firefox, turn off shortcuts; it's a beacon.
Click HTTPS-only mode.
Turn off their DNS servers.
Turn off their installing programs in your system.
If you set this up right, you will not get that trouble, like I did.
If you are behind a router, reset your router often.
If your ISP lets you run your own router: I removed mine and use OPNsense.
I would learn how to get it set up and working well before removing the ISP router.
Ask for help when needed.
Hope this helps.

Quote from: someone on January 04, 2025, 07:09:23 AM
You have to set up OPNsense correctly.
Enter your IP, static or DHCP, correctly.
The firewall rules should already be set up normally; nothing to do there.
Set up Intrusion Detection correctly; enter your IP there if you use DHCP.
Set up IPS, enable it, download the rules and enable them.
Set up Unbound; enter the DNS servers you want in System settings
and in Unbound.
Turn off NTP servers in NTP except the first one; click "do not use" on three of them.
Set up logging: system, Unbound, IPS, NTP.
Watch your Unbound log to see that OPNsense uses your DNS settings.
Check your browser settings.
If in Firefox, turn off shortcuts; it's a beacon.
Click HTTPS-only mode.
Turn off their DNS servers.
Turn off their installing programs in your system.
If you set this up right, you will not get that trouble, like I did.
If you are behind a router, reset your router often.
If your ISP lets you run your own router: I removed mine and use OPNsense.
I would learn how to get it set up and working well before removing the ISP router.
Ask for help when needed.
Hope this helps.

Same issue. This is exactly what I was looking for!

February 05, 2025, 05:13:56 PM #12 Last Edit: February 05, 2025, 05:16:51 PM by someone Reason: ADD
One other thing to mention: are you reading it correctly? It can say alert, but
what does the "action" say? It should say alert or drop depending on what you set it to.
You can have alert and drop in the same instance in the log file.
But under Alerts in Administration it should say drop.
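As an added illustration of the point above (this is not code from any poster in this thread, nor OPNsense's own tooling): a small Python script that reads eve.json alert records and tallies, per signature ID, how often the alert's action was "allowed" versus "blocked". A rule that fires but only ever shows "allowed" is still in alert mode and is not actually dropping anything. The EVE records below are constructed for the example; the sids, signature texts and addresses are made up and are not real Emerging Threats rules.

```python
import json

# Constructed eve.json lines (not captured traffic). The field layout follows
# Suricata's EVE alert schema; sids, signature texts and addresses are made up.
# One "flow" record is included to show that non-alert events are skipped.
SAMPLE_EVE = r"""
{"timestamp":"2024-06-08T22:10:01.000000+0200","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","proto":"TCP"}
{"timestamp":"2024-06-08T22:10:02.000000+0200","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":1000002,"rev":2,"signature":"SAMPLE SCAN SSH version probe","category":"Attempted Information Leak"}}
{"timestamp":"2024-06-08T22:10:09.000000+0200","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":1000002,"rev":2,"signature":"SAMPLE SCAN SSH version probe","category":"Attempted Information Leak"}}
{"timestamp":"2024-06-08T22:11:30.000000+0200","event_type":"alert","src_ip":"192.0.2.20","dest_ip":"203.0.113.9","dest_port":8080,"proto":"TCP","alert":{"action":"blocked","signature_id":1000003,"rev":1,"signature":"SAMPLE MALWARE Trojan beacon","category":"A Network Trojan was detected"}}
{"timestamp":"2024-06-08T22:12:00.000000+0200","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","dest_port":445,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"SAMPLE SCAN Possible port scan","category":"Attempted Information Leak"}}
{"timestamp":"2024-06-08T22:40:00.000000+0200","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","dest_port":445,"proto":"TCP","alert":{"action":"blocked","signature_id":1000001,"rev":1,"signature":"SAMPLE SCAN Possible port scan","category":"Attempted Information Leak"}}
"""


def parse_eve(text):
    """Yield only event_type == "alert" records from eve.json text (one JSON object per line)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            yield rec


def summarize(records):
    """Map signature_id -> {"signature", "allowed", "blocked"} counts.

    In IPS mode Suricata writes alert.action as "allowed" (rule action alert)
    or "blocked" (rule action drop/reject); anything else is counted under
    its own key so an unexpected value is visible rather than silently lost.
    """
    summary = {}
    for rec in records:
        a = rec["alert"]
        entry = summary.setdefault(
            a["signature_id"], {"signature": a["signature"], "allowed": 0, "blocked": 0}
        )
        entry[a["action"]] = entry.get(a["action"], 0) + 1
    return summary


def alert_only_sids(summary):
    """Sids that fired but never blocked: these rules are still effectively in alert mode."""
    return sorted(sid for sid, e in summary.items() if e["allowed"] and not e["blocked"])


if __name__ == "__main__":
    s = summarize(parse_eve(SAMPLE_EVE))
    for sid, e in sorted(s.items()):
        print(f"sid {sid}: allowed={e['allowed']} blocked={e['blocked']}  {e['signature']}")
    print("fired but never blocked:", alert_only_sids(s))
```

Run it against a real /var/log/suricata/eve.json by replacing SAMPLE_EVE with the file contents; sids that appear in the "fired but never blocked" list are the ones whose action is still alert regardless of what the policy page shows.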

chemlud,
yes, a rule update will reset your individual changes.
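As an added illustration of why a per-rule edit does not survive a rule update while a policy does (this is example code, not a poster's code and not how OPNsense itself implements policies): a Suricata rule's action is simply the first keyword of the rule line, so a downloaded ruleset arrives with whatever action upstream ships (usually alert). Anything edited in place in that file is gone after the next download; a policy, by contrast, is a rewrite that can be re-applied to every fresh copy. The rule lines, sids and messages below are constructed and are not real Emerging Threats signatures; the policy matches on the rule's classtype or on an explicit sid list.

```python
import re

# Constructed rule lines for illustration only; sids and messages are made up.
# The last rule is disabled (commented out) and must be left alone.
UPSTREAM_RULES = """\
# constructed sample ruleset (not real ET signatures)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE SCAN Possible port scan"; flags:S,12; threshold: type both, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SCAN SSH version probe"; flow:to_server; classtype:attempted-recon; sid:1000002; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE MALWARE Trojan beacon"; flow:to_server; classtype:trojan-activity; sid:1000003; rev:1;)
#alert udp any any -> any 53 (msg:"SAMPLE DNS disabled rule"; classtype:bad-unknown; sid:1000004; rev:1;)
"""

ACTION_RE = re.compile(r"^(alert|drop|pass|reject)\b")
OPTION_RE = re.compile(r"\b(sid|classtype)\s*:\s*([^;]+);")


def rule_meta(line):
    """Return {"sid": int, "classtype": str} for an enabled rule line, or {} otherwise."""
    if not ACTION_RE.match(line):
        return {}
    meta = {k: v.strip() for k, v in OPTION_RE.findall(line)}
    if "sid" in meta:
        meta["sid"] = int(meta["sid"])
    return meta


def apply_policy(rules_text, classtypes=(), sids=(), action="drop"):
    """Rewrite the action keyword of every enabled rule matching the policy.

    This is a pure function of the input text: running it again on a freshly
    downloaded ruleset gives the same result, which is what makes a policy
    survive updates. Commented-out rules never match ACTION_RE and are kept.
    """
    out = []
    for line in rules_text.splitlines():
        meta = rule_meta(line)
        hit = bool(meta) and (
            meta.get("classtype") in classtypes or meta.get("sid") in sids
        )
        out.append(ACTION_RE.sub(action, line, count=1) if hit else line)
    return "\n".join(out) + "\n"


def actions(rules_text):
    """Map sid -> action keyword for every enabled rule, to verify what will be loaded."""
    result = {}
    for line in rules_text.splitlines():
        meta = rule_meta(line)
        if meta and "sid" in meta:
            result[meta["sid"]] = ACTION_RE.match(line).group(1)
    return result


if __name__ == "__main__":
    policy = apply_policy(UPSTREAM_RULES, classtypes={"attempted-recon"})
    print(actions(policy))
```

Usage: treat UPSTREAM_RULES as the file the nightly download produces. A manual `apply_policy(..., sids={1000003})` on today's copy gives 1000003 a drop action, but tomorrow's download is UPSTREAM_RULES again and only the policy rewrite is re-applied; the hand edit is simply no longer in the file.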

February 05, 2025, 05:32:17 PM #14 Last Edit: February 05, 2025, 05:35:16 PM by someone Reason: clarify
I haven't mentioned "time" in this post.
After you click apply once in the rules, wait ten minutes before clicking it again.
Only click it a maximum of three times, then wait six hours before clicking again.
Why? You just told it to rewrite 50,000 rules three times, stored in RAM,
for a total of 150,000 writes in two databases, making 300,000 writes total.
And I believe it runs in the background, so it's a little slow.
It is activated, I think, maybe running in RAM before it's written.
I can see my RAM usage go up every time I click apply.
But if you click apply too much and too fast, Suricata will self-destruct.
I'm thinking it runs out of RAM space; feel free to correct me.