
Changes to enable/disable of Suricata IDS/IPS rulesets don't take effect with Download & Update Rules button #8092

Open
2 tasks done
neilvandyke opened this issue Nov 27, 2024 · 0 comments
Labels
support Community support

Comments

@neilvandyke

Important notices

Describe the bug

In UI page "Services: Intrusion Detection: Administration", tab "Download", enabling or disabling rulesets, and then pressing the "Download & Update Rules" button doesn't seem to make those rule changes take effect, in the current IDS/IPS behavior of the device.

(The button spinner will appear for a long time, sometimes more than a minute, but the rules still don't take effect.)

This can give a false sense of security. It can also complicate diagnosing a problem, or (in my case) when evaluating IDS/IPS performance.

However, if you then go to tab "Settings", and press the "Apply" button (and again possibly wait a minute or more for another button spinner to finish), the rule changes on the other tab do take effect.

To Reproduce

Steps to reproduce the behavior:

  1. Make sure the Suricata IDS is set up, including going to UI "/ui/ids#settings", and making sure that "Enabled" and "IPS mode" are ON. (In my case, I had interface set to "WAN", and pattern matcher "Hyperscan".)

  2. Confirm that filtering using some access that you know will either succeed or fail, due to some ruleset. (In my case, 2 of the rulesets block a speed test server near me.)

  3. Go to UI "/ui/ids#download_settings", and toggle the enabling/disabling of the ruleset that affects that.

  4. Press the "Download & Update Rules" button.

  5. Confirm that the filtering behavior you were seeing before has not been toggled.

  6. Go to UI "/ui/ids#settings", and press the "Apply" button.

  7. Confirm that the filtering behavior you were seeing before has toggled.

Expected behavior

On the tab where I specify which rulesets to enable/disable, and then have a separate "Download & Update Rules" button that does what seems to be a very expensive operation (taking sometimes a minute or more), I expect it to have "updated" the rules that are being used by the IDS/IDP.

Describe alternatives you considered

If the current behavior is behavior, it isn't intuitive to me, and I didn't see any cues that suggested it.

The "Apply" button on the "Settings" tab presumably applies the settings that are on that tab, not being the way to apply changes from another tab.

Screenshots

(none)

Relevant log files

(none)

Additional context

(none)

Environment

  • OPNsense 24.7.9_1-amd64
  • Currently running OPNsense 24.7.9_1 (amd64) at Wed Nov 27 06:18:13 UTC 2024
  • Your packages are up to date.
@AdSchellevis AdSchellevis added the support Community support label Nov 27, 2024