Ruleset uncheck BUG

There is a BUG. If I uncheck a ruleset and think all its rules are unchecked as well, I'm surprised that this is not the case. There is no way to uncheck all rules of a ruleset, just as I can activate all rules of a ruleset by checking the ruleset only.

Guess, you are talking about IPS rulesets, right?

Unfortunately, this is not a bug but a feature. At least there is no way to check/uncheck a group and all of its subitems get checked/unchecked as well.

This is by intention, and this feature has been requested many times before. I guess that instead of mass-activating rules, the devs think you should think twice about which rules to activate, because not every rule is necessary and many rules will certainly have a negative impact on the performance of the IPS or your machine.

Hence no automatism is available or planned, so far…

No, this is a bug because otherwise the checkbox is useless. I didn't have to check all the rules of one ruleset to get the whole ruleset checked/activated.

As a result of this (because I'm not willing to uncheck hundreds of rules manually) I've deactivated IPS altogether. If that's the intention of the developer I have to say: good job :vulcan_salute: :upside_down_face:

Rest assured, this is not a bug :smirk: because we (the users) have requested this many times before and got a negative answer.

You will have to check/uncheck each single rule yourself. Sorry for this answer, but I'm hit by this unfortunate solution as well.

There is a BUG. If I uncheck a ruleset and think all its rules are unchecked as well, I'm surprised that this is not the case. There is no way to uncheck all rules of a ruleset, just as I can activate all rules of a ruleset by checking the ruleset only.

Hello Terry,

when you uncheck a ruleset, all enabled rules inside the ruleset are disabled as well.

Or in other words, enabled rules inside a ruleset will only be loaded and used if the ruleset is also enabled!

So there is no need to disable the ruleset and the single rules inside…

Best regards,

-Stefan

That's not the case. I run a Tor relay and the IPS still triggered (until today - ruleset disabled) on intrusions with rules of that ruleset, so the relay was not functioning. I didn't know before that the Tor relay might conflict with that IPS ruleset, so it was activated until last week.

I wasn’t aware that this ever happens.

OTOH, if I check the group I would expect all subitems to get visually checked, too. This happens within other tree views (at least with most Windows controls), too.

It doesn’t. That’s the problem.

The rulesets ship with some of the rules enabled and some disabled by design. It’s a really bad idea to enable all of the rules:

  • You’ll almost certainly break something (for example, there are rules blocking software updates).

  • Some of the rules won’t do anything in your network (for example, rules targeting MS Windows software when you don’t use Windows).

  • There are rules which are alternatives (an example might be rules that block all PDFs vs. rules that only block PDFs with certain types of content).

  • You’ll use a lot of processing power.

There is no way that anyone other than you could work out which rules should be enabled for you, which is why the system doesn’t try.

Off topic.

Stevee, there is a bug. I have the same issues. It looks like the reload after saving the ruleset does not work correctly.

Try to stop and restart suricata after disabling a ruleset group.

https://bugzilla.ipfire.org/show_bug.cgi?id=12340

I think there's some confusion here. @stevee and @arne_f, please correct me if I am wrong:

  1. Unchecking the box next to the ruleset disables all of the rules in that ruleset.
  2. Checking/unchecking the individual rules within a ruleset only determines whether that rule will be enabled when that ruleset is enabled. Even if it's checked, it will be disabled if the ruleset is disabled.
  3. As @arne_f pointed out in his last message, there is a separate issue that disabling a ruleset in the WUI does not seem to force a proper reload, meaning that the ruleset will remain enabled until Suricata is properly restarted/reloaded.

Does that sound right?

That’s usually the meaning of a group checkbox, but as you point out in 3. it doesn’t work correctly.

@xperimental: Have you tried restarting suricata after disabling the group checkbox, as @arne_f suggested? Does it work properly at that point?

Tom
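Editor's note, added to this thread and not posted by any of the participants or shipped by IPFire: the on-disk representation behind the "enabled rule" state discussed above is plain Suricata rule syntax, where a rule is disabled by commenting it out with a leading `#` and enabled by removing that `#`. The example below bulk-toggles every rule in a rules file and lists the SIDs that remain active, which is the "uncheck all rules of a ruleset" operation the thread says the WUI lacks, and is also a quick way to confirm what Suricata will actually load after a restart. The sample rules file is constructed for illustration; how IPFire persists the WUI checkbox state or regenerates its rule files is not described on this page, so treat this as a generic Suricata example, not an IPFire workaround.

```python
import re

# Constructed sample of a Suricata .rules file (illustrative, not a real ET/Talos ruleset).
# Rule 9000002 is shipped disabled (leading '#'); the first line is an ordinary comment.
SAMPLE_RULES = """\
# constructed sample ruleset header
alert tcp $HOME_NET any -> $EXTERNAL_NET 9001 (msg:"TEST Tor relay traffic"; sid:9000001; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 9030 (msg:"TEST Tor directory"; sid:9000002; rev:1;)
alert http any any -> $HOME_NET any (msg:"TEST software update"; sid:9000003; rev:2;)
"""

# A rule line (enabled or '#'-disabled) starts with a Suricata action keyword.
RULE_RE = re.compile(r"^\s*(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def is_rule(line: str) -> bool:
    """True for rule lines, whether enabled or commented out; False for plain comments/blank lines."""
    return RULE_RE.match(line) is not None


def is_enabled(line: str) -> bool:
    """True only for rule lines that Suricata will load (no leading '#')."""
    m = RULE_RE.match(line)
    return m is not None and m.group("disabled") is None


def set_all(rules_text: str, enabled: bool) -> str:
    """Return the rules file with every rule enabled (uncommented) or disabled ('#'-prefixed).

    Non-rule comment lines are left untouched, so the file stays valid for Suricata.
    """
    out = []
    for line in rules_text.splitlines():
        if not is_rule(line):
            out.append(line)
        elif enabled:
            # Strip the leading '#' (and any whitespace after it) to re-enable the rule.
            out.append(re.sub(r"^\s*#\s*", "", line))
        else:
            out.append(line if line.lstrip().startswith("#") else "#" + line)
    return "\n".join(out) + "\n"


def enabled_sids(rules_text: str) -> list[int]:
    """SIDs of the rules that would be active if this file were loaded by Suricata."""
    sids = []
    for line in rules_text.splitlines():
        if is_enabled(line):
            m = SID_RE.search(line)
            if m:
                sids.append(int(m.group(1)))
    return sids


if __name__ == "__main__":
    print("shipped state:", enabled_sids(SAMPLE_RULES))
    print("all disabled: ", enabled_sids(set_all(SAMPLE_RULES, False)))
    print("all enabled:  ", enabled_sids(set_all(SAMPLE_RULES, True)))
```

Running the enabled-SID check against the rule files Suricata was started with is the quickest way to separate the two issues Tom lists: if a disabled ruleset's SIDs are absent from every loaded file but its alerts still appear, the running process has not reloaded its rules (point 3); if the SIDs are still present in a loaded file, the disable was never written out in the first place.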