OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: pankaj on January 08, 2022, 05:10:48 pm

Title: Threshold.config does not seem active [Solved]
Post by: pankaj on January 08, 2022, 05:10:48 pm
Hi,

I am trying to add a few threshold limits to reduce the frequency of alerts generated by a few rules. On OPNsense, I see the following files:

Code:
root@OPNsense:~ # cd /usr/local/etc/suricata/
root@OPNsense:/usr/local/etc/suricata # ls -a
. rule-policies.config
.. rule-updater.config
classification.config rules
classification.config.sample rules.config
custom.yaml suricata.yaml
installed_rules.yaml suricata.yaml.sample
opnsense.rules threshold.config
reference.config threshold.config.sample
reference.config.sample

Within threshold.config, I placed one line:
Code:
threshold gen_id 1, sig_id 2027757, type threshold, track by_src, count 1, seconds 300

And restarted IDS (& OPNsense). As you can see in the alert log below, the rule does not seem to be working, as a single host is generating several alerts a few seconds apart:

https://imgur.com/a/mGwpyTF

If anyone has any idea what I am doing wrong here or missing on something obvious, please let me know.

Thanks.

Title: Re: Threshold.config does not seem active
Post by: Fright on January 08, 2022, 06:29:27 pm
Hi
did you try https://forum.opnsense.org/index.php?topic=26144.msg126264#msg126264 ?
(adding a "threshold-file" directive to the /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml file pointing to your thresholds config file)
Title: Re: Threshold.config does not seem active
Post by: pankaj on January 08, 2022, 06:37:26 pm
@Fright thanks!

No, I skipped that step, and that might be the reason for this problem.

The problem seemed solved with following steps:

1. In /usr/local/opnsense/service/templates/OPNsense/IDS, edited custom.yaml file and added:

Code:
include: threshold.config

2. Stopped Suricata from the UI
3. Watched the logs from command line
Code:
root@OPNsense:/usr/local/opnsense/service/templates/OPNsense/IDS # /usr/local/etc/rc.d/suricata start
Starting suricata.
8/1/2022 -- 10:29:39 - <Info> - Including configuration file installed_rules.yaml.
8/1/2022 -- 10:29:39 - <Info> - Configuration node 'rule-files' redefined.
8/1/2022 -- 10:29:39 - <Info> - Including configuration file custom.yaml.

The alert log seems to be holding without any repetitive entries for the rules mentioned in threshold.config.

Thanks  8)
Title: Re: Threshold.config does not seem active [Solved]
Post by: Fright on January 08, 2022, 08:04:50 pm
glad it works )
I would just add a
Code:
threshold-file: /usr/local/etc/suricata/threshold.config

to the custom.yaml file and add thresholds to threshold.config, but apparently your method also works  ;)
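The thread shows the threshold.config line and the custom.yaml wiring but not what the three threshold types actually do to an alert stream. The following Python script is an added example, not code from the thread or from OPNsense/Suricata: it parses lines in the threshold.config syntax used in the first post and replays a constructed stream of alerts through Suricata's documented `threshold`, `limit` and `both` semantics. The line for sid 2027757 is the one from the post; the sids 1000001, 1000002 and 9999, the IPs 10.0.0.5 / 192.0.2.10 and the timestamps are constructed, and the fixed-window model (window opens at the first matching event and resets on expiry) is an approximation of Suricata's own tracking.

```python
"""Parse a Suricata-style threshold.config and simulate which alerts survive.

Added example (not from the forum thread). Window handling approximates
Suricata's documented semantics: the first matching event opens a window of
`seconds`; the per-track counter resets once that window has expired.
"""
import re
from collections import defaultdict

# Constructed threshold.config contents. The first line is the one from the post.
THRESHOLD_CONFIG = """\
# type threshold, count 1: alerts on every match (every 1st event in the window)
threshold gen_id 1, sig_id 2027757, type threshold, track by_src, count 1, seconds 300
# constructed variants (hypothetical sids) for comparison
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 300
threshold gen_id 1, sig_id 1000002, type both, track by_src, count 3, seconds 60
"""

LINE_RE = re.compile(
    r"^threshold\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*type\s+(threshold|limit|both)\s*,"
    r"\s*track\s+(by_src|by_dst|by_both|by_rule)\s*,\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)$"
)


def parse_threshold_config(text):
    """Return {(gen_id, sig_id): {type, track, count, seconds}}; reject unknown syntax."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines are skipped
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised threshold syntax: {line!r}")
        gid, sid, ttype, track, count, seconds = m.groups()
        rules[(int(gid), int(sid))] = {
            "type": ttype, "track": track, "count": int(count), "seconds": int(seconds),
        }
    return rules


def apply_thresholds(rules, events):
    """events: (ts_seconds, gen_id, sig_id, src_ip, dst_ip). Return the events that still alert."""
    state = defaultdict(lambda: {"start": None, "n": 0})
    alerts = []
    for ev in sorted(events, key=lambda e: e[0]):
        ts, gid, sid, src, dst = ev
        rule = rules.get((gid, sid))
        if rule is None:  # no threshold entry for this signature: alert as usual
            alerts.append(ev)
            continue
        track = {"by_src": src, "by_dst": dst, "by_both": (src, dst), "by_rule": None}[rule["track"]]
        st = state[(gid, sid, track)]
        if st["start"] is None or ts - st["start"] >= rule["seconds"]:
            st["start"], st["n"] = ts, 0  # (re)open the time window
        st["n"] += 1
        n, m = st["n"], rule["count"]
        if rule["type"] == "threshold":
            fire = n % m == 0  # alert every m-th event within the window
        elif rule["type"] == "limit":
            fire = n <= m      # alert only on the first m events within the window
        else:                  # both: alert once per window, after m events
            fire = n == m
        if fire:
            alerts.append(ev)
    return alerts


def alerts_per_sid(rules, events):
    """Count surviving alerts per sig_id, for a quick before/after comparison."""
    counts = defaultdict(int)
    for _, _, sid, _, _ in apply_thresholds(rules, events):
        counts[sid] += 1
    return dict(counts)


# Constructed alert stream: one source host hitting each signature a few seconds apart
SAMPLE_EVENTS = (
    [(t, 1, 2027757, "10.0.0.5", "192.0.2.10") for t in (0, 10, 20, 30)]
    + [(t, 1, 1000001, "10.0.0.5", "192.0.2.10") for t in (0, 10, 20, 330)]
    + [(t, 1, 1000002, "10.0.0.5", "192.0.2.10") for t in (0, 5, 10, 15, 70, 75, 80)]
    + [(0, 1, 9999, "10.0.0.5", "192.0.2.10")]  # sid with no threshold entry
)

if __name__ == "__main__":
    rules = parse_threshold_config(THRESHOLD_CONFIG)
    for sid, n in sorted(alerts_per_sid(rules, SAMPLE_EVENTS).items()):
        print(f"sid {sid}: {n} alert(s)")
```

Running it shows the point a practitioner wants to check before editing a live sensor: with `type threshold, count 1` all four events for sid 2027757 still alert, because `threshold` fires on every count-th event and count is 1; `type limit, count 1` collapses the four events for sid 1000001 to one alert per 300-second window; and `type both, count 3` for sid 1000002 alerts once per 60-second window only after three hits. Feeding the parser a copy of your own threshold.config before restarting Suricata also catches a malformed line, which Suricata would otherwise report only in its startup log.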