OPNsense Forum
English Forums => Intrusion Detection and Prevention => Topic started by: pankaj on January 08, 2022, 05:10:48 pm
-
Hi,
I am trying to add a few threshold limits to reduce the frequency of alerts generated by a few rules. On OPNsense, I see the following files:
root@OPNsense:~ # cd /usr/local/etc/suricata/
root@OPNsense:/usr/local/etc/suricata # ls -a
. rule-policies.config
.. rule-updater.config
classification.config rules
classification.config.sample rules.config
custom.yaml suricata.yaml
installed_rules.yaml suricata.yaml.sample
opnsense.rules threshold.config
reference.config threshold.config.sample
reference.config.sample
Within threshold.config, I placed one line:
threshold gen_id 1, sig_id 2027757, type threshold, track by_src, count 1, seconds 300
And restarted IDS (& OPNsense). As you can see in the alert log below, the rule does not seem to be working, as a single host is generating several alerts a few seconds apart:
https://imgur.com/a/mGwpyTF
If anyone has any idea what I am doing wrong here or am missing something obvious, please let me know.
Thanks.
-
Hi
did you try https://forum.opnsense.org/index.php?topic=26144.msg126264#msg126264 ?
(adding a "threshold-file" directive to the /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml file pointing to your thresholds config file)
-
@Fright thanks!
No, I skipped that step, and that might be the reason for this problem.
The problem seems solved with the following steps:
1. In /usr/local/opnsense/service/templates/OPNsense/IDS, I edited the custom.yaml file and added:
include: threshold.config
2. Stopped Suricata from the UI
3. Watched the logs from command line
root@OPNsense:/usr/local/opnsense/service/templates/OPNsense/IDS # /usr/local/etc/rc.d/suricata start
Starting suricata.
8/1/2022 -- 10:29:39 - <Info> - Including configuration file installed_rules.yaml.
8/1/2022 -- 10:29:39 - <Info> - Configuration node 'rule-files' redefined.
8/1/2022 -- 10:29:39 - <Info> - Including configuration file custom.yaml.
The alert log seems to be holding without any repetitive entries for the rules mentioned in threshold.config.
Thanks 8)
-
glad it works )
I would just add a
threshold-file: /usr/local/etc/suricata/threshold.config
to the custom.yaml file and add thresholds to threshold.config, but apparently your method also works ;)
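Added example (not part of the thread and not OPNsense or Suricata code): a small Python model of how Suricata evaluates a threshold.config line like the one above. It parses the `threshold gen_id ..., sig_id ..., type ..., track ..., count ..., seconds ...` syntax and replays it over a constructed list of alerts. The window and type semantics follow the Suricata threshold documentation (`limit` logs the first N events per window, `threshold` logs every Nth event, `both` logs once per window after N events); the alert list, IP addresses and the second sig_id 2100498 are constructed for the demonstration. Running it with the thread's `type threshold, count 1` line next to a `type limit` variant shows how the two types differ on the same burst from one source.

```python
import re

# One threshold.config rule per line, in the form used in the thread.
THRESHOLD_RE = re.compile(
    r"^threshold\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*type\s+(limit|threshold|both)\s*,"
    r"\s*track\s+(by_src|by_dst)\s*,\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)\s*$"
)


def parse_threshold_config(text):
    """Parse threshold.config text into {(gen_id, sig_id): rule dict}; '#' lines are comments."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = THRESHOLD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised threshold line: {line!r}")
        gid, sid, kind, track, count, seconds = m.groups()
        rules[(int(gid), int(sid))] = {
            "type": kind, "track": track, "count": int(count), "seconds": int(seconds),
        }
    return rules


def apply_thresholds(rules, alerts):
    """Return the alerts that would still be logged under `rules`.

    `alerts` is a time-ordered list of (ts_seconds, gen_id, sig_id, src_ip, dst_ip).
    A tracked address's first event opens a window at its timestamp; later events
    belong to that window while window_start + seconds > ts (Suricata's rule).
    """
    state = {}   # (gid, sid, tracked_ip) -> [window_start, events_in_window]
    logged = []
    for ts, gid, sid, src, dst in alerts:
        rule = rules.get((gid, sid))
        if rule is None:                 # signature has no threshold: always logged
            logged.append((ts, gid, sid, src, dst))
            continue
        key = (gid, sid, src if rule["track"] == "by_src" else dst)
        st = state.get(key)
        if st is None or st[0] + rule["seconds"] <= ts:
            st = state[key] = [ts, 0]   # open a fresh window
        st[1] += 1
        n, kind = st[1], rule["type"]
        if kind == "limit":              # first `count` events per window
            fire = n <= rule["count"]
        elif kind == "threshold":        # every `count` events within a window
            fire = n == rule["count"]
            if fire:
                st[1] = 0                # start counting the next batch
        else:                            # both: once per window, after `count` events
            fire = n == rule["count"]
        if fire:
            logged.append((ts, gid, sid, src, dst))
    return logged


def suppress(config_text, alerts):
    return apply_thresholds(parse_threshold_config(config_text), alerts)


# Constructed sample: 10.0.0.5 trips sid 2027757 repeatedly within 300 s, then again later.
SAMPLE_ALERTS = [
    (0,   1, 2027757, "10.0.0.5", "203.0.113.10"),
    (10,  1, 2027757, "10.0.0.5", "203.0.113.10"),
    (30,  1, 2100498, "10.0.0.5", "203.0.113.10"),   # different sid, no threshold
    (60,  1, 2027757, "10.0.0.5", "203.0.113.10"),
    (120, 1, 2027757, "10.0.0.5", "203.0.113.10"),
    (120, 1, 2027757, "10.0.0.7", "203.0.113.10"),   # another source, own window
    (400, 1, 2027757, "10.0.0.5", "203.0.113.10"),   # 300 s window has expired
    (401, 1, 2027757, "10.0.0.5", "203.0.113.10"),
]

THREAD_CONFIG = "threshold gen_id 1, sig_id 2027757, type threshold, track by_src, count 1, seconds 300\n"
LIMIT_CONFIG = "threshold gen_id 1, sig_id 2027757, type limit, track by_src, count 1, seconds 300\n"
BOTH_CONFIG = "threshold gen_id 1, sig_id 2027757, type both, track by_src, count 3, seconds 300\n"

if __name__ == "__main__":
    for name, cfg in (("threshold/1", THREAD_CONFIG), ("limit/1", LIMIT_CONFIG), ("both/3", BOTH_CONFIG)):
        kept = suppress(cfg, SAMPLE_ALERTS)
        print(f"{name:12s} logs {len(kept)} of {len(SAMPLE_ALERTS)} alerts at t={[a[0] for a in kept]}")
```

The `limit` line keeps one alert per source address per 300 s window (t=0 and t=400 for 10.0.0.5, t=120 for 10.0.0.7) while the unthresholded sid 2100498 is untouched. Whichever type is chosen, the file only takes effect once Suricata actually loads it, which is what the `threshold-file` directive in custom.yaml (or the include used above) arranges; the `Including configuration file custom.yaml` line in the startup log is the confirmation to look for.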