IPS rule selection

Is there a way of enabling all rules with a subset instead of having to click 100+ boxes?


Good question, I haven’t figured this out either.

If it helps, the actual rules are stored and updated in

/var/lib/suricata/


Hello Andy,

No, this is currently not possible. You can only do this via the command line, and in that case it is not persistent, so the next time the ruleset gets updated the changes are gone again.

Feel free to open a feature request on the IPFire bugtracker: https://bugzilla.ipfire.org

Best regards,

-Stefan

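For anyone who does want to go the command-line route described above, here is a small POSIX shell helper as an added example (it is not IPFire or Suricata code, and not something any poster in this thread provided). It assumes the Suricata convention that a disabled rule is the same rule line with a leading `#`, and that the rule files live under `/var/lib/suricata/` as mentioned earlier in the thread; the sample rules, their sids and the file name it writes are constructed for the demonstration. It lets you list what each rule in a file actually does before enabling it, enable everything in one file, and keep a backup so you can get back to the default selection. Remember that, as stated above, edits made this way are overwritten on the next ruleset update.

```shell
#!/bin/sh
# Added example, not part of IPFire: inspect and toggle rules in one Suricata
# .rules file. Assumption: IPFire stores its rule files under /var/lib/suricata/
# (default below, override with RULES_DIR); the exact file names are not assumed.
RULES_DIR="${RULES_DIR:-/var/lib/suricata}"

# Count rules that are currently active (not commented out).
# "|| true" keeps a count of 0 from turning into a failing exit status.
count_enabled() {
    grep -Ec '^(alert|drop|pass|reject) ' "$1" || true
}

# Count rules that are present in the file but disabled with a leading '#'.
count_disabled() {
    grep -Ec '^#[[:space:]]*(alert|drop|pass|reject) ' "$1" || true
}

# Print state, sid and msg of every rule so you can read what a sub-rule does
# before switching it on (ordinary comment lines are skipped).
list_rules() {
    awk '
        /^#?[[:space:]]*(alert|drop|pass|reject) / {
            state = ($0 ~ /^#/) ? "off" : "on"
            sid = ""; msg = ""
            if (match($0, /sid:[0-9]+;/)) sid = substr($0, RSTART + 4, RLENGTH - 5)
            if (match($0, /msg:"[^"]*"/)) msg = substr($0, RSTART + 5, RLENGTH - 6)
            printf "%-3s sid:%s %s\n", state, sid, msg
        }' "$1"
}

# Enable every rule in the file by stripping the leading '#'. A copy of the
# original is kept as FILE.bak so the default selection can be restored.
enable_all() {
    cp "$1" "$1.bak"
    sed -E 's/^#[[:space:]]*((alert|drop|pass|reject) )/\1/' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Restore the file from the backup written by enable_all.
revert_to_backup() {
    mv "$1.bak" "$1"
}

# Constructed sample rule file (sids in the local 1000000+ range are made up
# for this example; nothing here is a real ET/ET PRO rule).
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH connection attempt"; sid:1000001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE possible shellcode in HTTP"; sid:1000002; rev:1;)
#alert udp any any -> any 53 (msg:"EXAMPLE DNS query pattern"; sid:1000003; rev:1;)
# This is an ordinary comment, not a disabled rule.
EOF
    echo "$f"
}
```

Typical use is to source the file and run `list_rules "$RULES_DIR/<file>.rules"` first, read the `off` entries (this is where the apt and DNS surprises mentioned later in the thread would show up), and only then run `enable_all` on the file; `revert_to_backup` undoes it. Restart or reload the IPS afterwards so Suricata picks up the changed file.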

The downside of having a “select all sub-rules” button is that it will get pressed without thinking about the appropriateness of the individual rules to your specific network situation.
I believe that the default selected sub-rules for a ruleset are defined by suricata on the basis that they are “unlikely” to give unintended consequences.
I remember hearing about a non-default rule on this forum that, if I remember right, checks for use of shellcode. If you use apt-get with Debian or Ubuntu, that rule blocks the OS update traffic. There have been forum threads on that issue.

The benefit of the current situation is it gives the opportunity to think about the appropriateness of what is being selected and maybe reading up about what the sub-rule actually does.

If a “select all” button is implemented then I would also suggest adding a “revert to default” button, as I am sure that the button will be pressed accidentally and then there will be requests for how to set the sub-rules back to the default selection.


I strongly agree with Adolf’s comments!

Also -

That one bit me for a few days! When I enabled a single rule, one of the sub-rules blocked anything related to apt. Very frustrating to figure out!

There was also one sub-rule that blocked my DNS. (I’ll see if I can find that one)


There are even rules that block remote monitoring, SSH, etc.
Easy way to get locked out.

Big pain to fix.

Hi,

as @bonnietwin already mentioned, this is why we do not really want to provide an “enable all rules under this category” switch.

Yes, if you know your network and what you are doing, ticking more than a handful of checkboxes is tedious. (Actually, in such cases, it might make sense to ask the IPS ruleset provider why the rules in question are not enabled by default.) But it will prevent inexperienced users from disrupting their network with a single click. :)

Thanks, and best regards,
Peter Müller


Understandable. Perhaps only specific sections, like malware.

Andy


If anyone is interested, this might be a way to get in touch with ET, unless you have a paid ET PRO:
https://feedback.emergingthreats.net/feedback