IPS alerting disabled rules - part 2 #4753

Closed
mnaiman opened this issue Feb 25, 2021 · 3 comments
Labels
bug Production bug

@mnaiman

mnaiman commented Feb 25, 2021

Continuation of #4725

Software version used and hardware type if relevant, e.g.:
image

Steps to reproduce the behavior:

  1. Install package os-intrusion-detection-content-snort-vrt
  2. Configure rules
    image
  3. Enable all rules
  4. Create policy
    image
  5. Verify, that rule is disabled by policy - ok
    image
  6. Wait for alerts
    image

This should not happen. If it is disabled it should not appear at all.

Any idea?

@kulikov-a
Member

kulikov-a commented Feb 25, 2021

can confirm that policies with __target_action__=disable are not commenting rules in opnsense.rules files out.
imho there is a typo when checking the status of the rule in the cache db

if (rule_updates[rule_info_record['metadata']['sid']]['enabled']) == '0':

!= '1' works good for me

@AdSchellevis
Member

got it, looks like a type error

if configured_policies[policy_match]['__target_action__'] == 'disable':
    local_change['enabled'] = False
elif configured_policies[policy_match]['__target_action__'] == 'default':
    local_change['enabled'] = rule['metadata']['enabled']
else:
    local_change['enabled'] = True

@fichtner fichtner added this to the 21.7 milestone Feb 26, 2021
@mnaiman
Author

mnaiman commented Feb 26, 2021

wow, now it works as expected, thanks

oshogbo pushed a commit to DynFi/opnsense-core that referenced this issue Mar 3, 2022
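
The type mismatch discussed in this thread, as an added example (not code from the thread or from the OPNsense project): a policy stores `enabled` as the bool `False`, the rule writer compares it to the string `'0'`, and the disabled rule stays active. The helper names, the sample rules and their sids are constructed for illustration, and the mix of bool and string values in `RULE_UPDATES` is an assumption.

```python
import re

# Constructed sample rules (not from the page); the sids are made up.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"constructed A"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 443 (msg:"constructed B"; sid:1000002; rev:1;)',
    'alert udp any any -> any 53 (msg:"constructed C"; sid:1000003; rev:1;)',
]
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def is_disabled_buggy(value):
    # The comparison quoted in the thread: it only matches the string '0',
    # so the bool False written by a 'disable' policy is never detected.
    return value == '0'


def is_disabled(value):
    """Hypothetical helper: normalise bools, ints and '0'/'1' strings.

    Comparing against a single string literal misclassifies bool values,
    so the type is normalised before the decision is made.
    """
    if isinstance(value, str):
        return value.strip().lower() in ('0', 'false')
    return not bool(value)


def apply_updates(rules, rule_updates, disabled_check):
    """Return the rule lines with every disabled rule commented out."""
    out = []
    for line in rules:
        match = SID_RE.search(line)
        change = rule_updates.get(match.group(1)) if match else None
        if change is not None and disabled_check(change['enabled']):
            if not line.startswith('#'):
                line = '#' + line
        out.append(line)
    return out


# Assumed mix of types: policies write bools, another source writes strings.
RULE_UPDATES = {
    '1000001': {'enabled': False},  # disabled by policy (bool)
    '1000002': {'enabled': '0'},    # disabled, stored as a string
    '1000003': {'enabled': True},   # enabled by policy (bool)
}

if __name__ == '__main__':
    for name, check in (('buggy', is_disabled_buggy), ('normalised', is_disabled)):
        result = apply_updates(SAMPLE_RULES, RULE_UPDATES, check)
        print(name, [line.startswith('#') for line in result])
```

A regression test for this class of bug asserts on the generated rules file itself (the rule line for a policy-disabled sid starts with `#`) rather than on what the policy view reports.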