IPS policy matching by classtype #4695

Closed
mnaiman opened this issue Feb 10, 2021 · 4 comments
Labels
bug Production bug

Comments

@mnaiman

mnaiman commented Feb 10, 2021

Describe the bug

On 21.1, when I create a policy to match rules, I'm able to match them using rulesets, severity and other items, and when I look at the rules' matched_policy\name, they are there.

When I try to do the same but match by classtype (any classtype), matched_policy\name is always empty.

There are definitely rules to be matched.

@mnaiman
Author

mnaiman commented Feb 10, 2021

Ok, I think I found the problem.

This is generated rules-policies.config

[899f34deb7874e03aacd47fa3abc2309]
enabled=1
prio=30
content=classtype.policy-violation
action=alert,drop
target_action=disable
policy_id=899f34de-b787-4e03-aacd-47fa3abc2309
policy_description=Disable nag alerts

But here https://suricata.readthedocs.io/en/latest/rules/meta.html#classtype it is written that the correct syntax is classtype:trojan-activity

When I changed
content=classtype.policy-violation
to
content=classtype:policy-violation

It loaded all rules by this classtype.

@mnaiman
Author

mnaiman commented Feb 10, 2021

Using the semicolon syntax, it loaded more rules, even other classtypes :/
At least it loads something, but it is not very predictable.

eg.

@AdSchellevis AdSchellevis self-assigned this Feb 11, 2021
@AdSchellevis AdSchellevis added the bug Production bug label Feb 11, 2021
@AdSchellevis
Member

First upgrade to 21.1.1, and then b465a41 should be applied (using opnsense-update b465a41). It's specifically an issue with "category", since it's not a metadata field (former_category is, but it is not always supplied by Proofpoint).

@fichtner fichtner added this to the 21.7 milestone Feb 11, 2021
fichtner pushed a commit that referenced this issue Feb 11, 2021
…ata field, our parser seems to miss the field content. In this case it should be safe to assume if a metadata field isn't found we can look in the rule properties if it's there. there likely aren't overlapping properties in this case. closes #4695

(cherry picked from commit b465a41)
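The lookup order the commit above describes (check the rule's metadata fields first, fall back to the rule's own properties such as classtype when the field is not metadata), shown as an added illustration rather than OPNsense's own parser code; the rule lines, sids and policy entries below are constructed samples, and the option syntax follows the Suricata rule format:

```python
import re

# Constructed sample rules (not from the issue); syntax follows Suricata's rule format.
SAMPLE_RULES = [
    'alert tcp any any -> any any (msg:"Sample policy violation"; classtype:policy-violation; '
    'metadata:former_category POLICY, signature_severity Informational; sid:1000001; rev:1;)',
    'alert tcp any any -> any any (msg:"Sample trojan"; classtype:trojan-activity; '
    'metadata:signature_severity Major; sid:1000002; rev:1;)',
    'alert tcp any any -> any any (msg:"No metadata at all"; classtype:policy-violation; sid:1000003; rev:1;)',
]

OPTIONS_RE = re.compile(r'\((.*)\)\s*$')


def parse_rule(rule_text):
    """Split one rule line into (properties, metadata); metadata is the key/value list inside 'metadata:'."""
    props, metadata = {}, {}
    m = OPTIONS_RE.search(rule_text)
    if not m:
        return props, metadata
    for opt in m.group(1).split(';'):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(':')
        key, value = key.strip(), value.strip().strip('"')
        if key == 'metadata':
            for item in value.split(','):
                parts = item.strip().split(None, 1)
                if len(parts) == 2:
                    metadata[parts[0]] = parts[1]
        else:
            props[key] = value
    return props, metadata


def rule_matches(policy_content, props, metadata, metadata_only=False):
    """policy_content is 'field.value' as written in rules-policies.config (e.g. classtype.policy-violation)."""
    field, _, wanted = policy_content.partition('.')
    if field in metadata:
        return metadata[field] == wanted
    if metadata_only:
        return False  # pre-fix behaviour: a non-metadata field such as classtype never matches
    return props.get(field) == wanted  # fix: fall back to the rule's own properties


def match_policy(policy_content, rules, metadata_only=False):
    """Return the sids of the rules a policy entry selects."""
    matched = []
    for rule in rules:
        props, metadata = parse_rule(rule)
        if rule_matches(policy_content, props, metadata, metadata_only):
            matched.append(props.get('sid'))
    return matched
```

With metadata_only=True the classtype policy selects nothing, which is the empty matched_policy reported at the top of the issue; with the fallback it selects both policy-violation rules.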
@mnaiman
Author

mnaiman commented Feb 11, 2021

Perfect, fixed, thanks.

oshogbo pushed a commit to DynFi/opnsense-core that referenced this issue Mar 3, 2022
…ata field, our parser seems to miss the field content. In this case it should be safe to assume if a metadata field isn't found we can look in the rule properties if it's there. there likely aren't overlapping properties in this case. closes opnsense/core#4695