Feature Request: Bulk change action "Alert/Drop" in IPS in a list of rules

[hutiucip]

Hello!

I would be very helpful to have the possibility to change at once the rule action from "Alert" to "Drop" and vice-versa an entire list of rules  in IPS. For now, there are two buttons below (on the down-left of) the rule list for 1) Disable selected and 2) Enable selected (see attached image), but changing from Alert to Drop action on rules in the list must be done on a one-by-one basis.

Thank you!

[AdSchellevis]

you can set a filter to change all alerts to drop for a complete ruleset, maybe that solves your issue? (it changes the rules upon download when used).
See download -> Edit rule -> "Input Filter"

[hutiucip]

Thank you!

It is done so, and it works as intended for abuse.ch and ET rules/ rulesets. But how would I manage bulk changes on Suricata rules? They are not in the downloadable rulesets, like abuse.ch or ET, and doesn't offer the possibility you mentioned. Also, how are suricata rules updated if they are not in the downloadable rulesets (download section)?

Or am I wrong? Is it a way for those I could't find yet?

[AdSchellevis]

To use that functionality, you do indeed need an url to download the files from. Which files are you missing? and what's their purpose?

[hutiucip]

As you can see in the attachment there are now 290 rules regarding different kind of purposes, from file filtering to exploits etc.

Now they are in default, I don't know yet which of them I will enable + drop, which I will enable but alert only, and which will be completely disabled, because I troubleshoot something else on IPS and I didn't have the time to reach this step, but I realized that at the moment I will get to that matter the bulk (multiple select) change would be of great help. Also, a clear "how-to" regarding those rules' download & update.

Thank you again very much!

[AdSchellevis]

The easiest thing todo would probably be to add those files to our normal download list, they are currently installed by the suricata package.
Adding a multiple selection to the gui is more work and might not be needed if you can change the default behaviour.

you can add a ticket here https://github.com/opnsense/core/issues for one of the features, I can spare some time to add the first feature probably, the second (multi select) is beyond my scope of available time at the moment.

[hutiucip]

Wonderful, thank you again (I hope I don't repeat myself too much thanking you, but you really deserve these thanks)!

I will add a ticket for bulk/ multiple selection if adding those files to the normal download list wouldn't be sufficient. But I bet it would be.

Adding a multiple selection to the gui is more work and might not be needed if you can change the default behaviour.

Regarding this, a multiple selection to the gui is already in place, together with "enable/disable selected" buttons on the down-left of the list. Maybe just another pair of buttons, on the down-right of the list, for "Change selected to Alert/ Drop" would be much easier to implement, and quicker. (see the first added attachment, of the topic itself)

Just my humble opinion!

[dcol]

I second this feature. Would be nice to change a search-selected list to drop/alert in the rules tab similar to the enable/disable feature. Right now the only way is on the download tab where you can change the drop/alert for a ruleset. And that feature is not labeled correctly. The two options are 'none' and 'change alerts to drops'. Should be changed to 'Set all as alert' and 'Set all as drop'. The way it is now it appears that the only option is to change to drop.