English Forums > Intrusion Detection and Prevention

IDS block time


dcol:
I just realized that OPNsense has a set time to release a block for IDS. What is this time period and is it possible to make it adjustable or change the value from the shell?

Here is a screenshot from the console, but not sure if this is IDS related. If not, then what does this message mean?

franco:
SEGVGUARD is an exploit mechanism in HardenedBSD that will prevent brute force attacks against services: it will prevent services from restarting when they have crashed too many times, which can be a symptom of someone trying to attack your system remotely in order to execute arbitrary code. It can also be a problem with persistent crashes of daemons due to misconfiguration or software bugs that are not exploitable.

Long story short, something is causing your syslogd to crash, either due to configuration or a bad system state or otherwise.


Cheers,
Franco

dcol:
What about the IDS block release time? How long does OPNsense allow to pass before it releases an IDS block, if ever? Also, where can I see a list of currently blocked IPs?

franco:
Blocks are inline per flow once drop kicks in via rule, not based on IP. I don't think we have a blacklist feature for offending IPs. But I could be wrong.


Cheers,
Franco

dcol:
Blocks aren't inline unless you turn on IPS. When an IDS block is triggered, is the offender placed in a block table then managed by the firewall? This is how I have the pf box set up.

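The two models discussed above (Suricata dropping inline, per flow, with no IP list, versus an IDS alert feeding a firewall block table with a release time) can be made concrete with a small script. The following is an added example, not code from this thread or from OPNsense: it reads Suricata's standard eve.json alert records, where an inline drop shows up as alert.action "blocked" and an IDS-only match as "allowed", and turns the source addresses into pf table add/delete commands with a configurable block time. The table name "ids_block", the 3600-second release time, and the sample log lines are all constructed for the example; the pfctl commands are printed rather than executed so it runs anywhere.

```python
"""Map Suricata eve.json alerts to a time-limited pf block table.

Added example (not from the OPNsense forum thread or the OPNsense code base).
Assumed: Suricata eve.json alert records with event_type "alert" and
alert.action "blocked" (IPS/inline drop) or "allowed" (IDS-only alert).
The table name and block time below are hypothetical choices.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

BLOCK_TABLE = "ids_block"   # hypothetical pf table name
BLOCK_SECONDS = 3600        # hypothetical release time (the "IDS block time")


@dataclass
class BlockTable:
    """Tracks blocked IPs and their expiry; emits the pfctl commands to apply."""
    block_seconds: int = BLOCK_SECONDS
    table: str = BLOCK_TABLE
    expires: Dict[str, float] = field(default_factory=dict)  # ip -> expiry epoch

    def add(self, ip: str, now: float) -> Optional[str]:
        """Add or refresh an entry. Returns a pfctl command only for new entries;
        a repeat offender just has its release time pushed out."""
        is_new = ip not in self.expires
        self.expires[ip] = now + self.block_seconds
        return f"pfctl -t {self.table} -T add {ip}" if is_new else None

    def release(self, now: float) -> List[str]:
        """Remove entries whose block time has elapsed; returns the pfctl deletes."""
        cmds = []
        for ip, expiry in list(self.expires.items()):
            if expiry <= now:
                del self.expires[ip]
                cmds.append(f"pfctl -t {self.table} -T delete {ip}")
        return cmds


def offending_ips(eve_lines: Iterable[str], include_alert_only: bool = False) -> Iterator[str]:
    """Yield src_ip for each qualifying alert. Inline drops are action "blocked";
    with include_alert_only=True, IDS-only alerts (action "allowed") count too,
    which is what a firewall-managed block table needs when IPS is off."""
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a live eve.json may have a partially written last line
        if event.get("event_type") != "alert":
            continue  # flow, dns, http, ... records are not alerts
        action = event.get("alert", {}).get("action")
        if action == "blocked" or (include_alert_only and action == "allowed"):
            yield event["src_ip"]


# Constructed sample eve.json lines (documentation addresses, not real traffic).
SAMPLE_EVE = """
{"timestamp":"2019-01-10T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","alert":{"action":"blocked","signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2019-01-10T10:00:01.000000+0000","event_type":"flow","src_ip":"203.0.113.8","dest_ip":"192.0.2.10"}
{"timestamp":"2019-01-10T10:00:02.000000+0000","event_type":"alert","src_ip":"198.51.100.4","dest_ip":"192.0.2.10","alert":{"action":"allowed","signature_id":2001219,"signature":"ET SCAN Potential SSH Scan"}}
{"timestamp":"2019-01-10T10:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","alert":{"action":"blocked","signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
"""


def run(eve_text: str, now: float = 0.0, block_seconds: int = BLOCK_SECONDS,
        include_alert_only: bool = False) -> Tuple[List[str], BlockTable]:
    """Feed a log into a fresh table; returns (add commands, table) for inspection."""
    table = BlockTable(block_seconds=block_seconds)
    cmds = []
    for ip in offending_ips(eve_text.splitlines(), include_alert_only):
        cmd = table.add(ip, now)
        if cmd:
            cmds.append(cmd)
    return cmds, table


if __name__ == "__main__":
    adds, tbl = run(SAMPLE_EVE, now=0.0, include_alert_only=True)
    print("\n".join(adds))                           # two adds (the repeat is a refresh)
    print("\n".join(tbl.release(now=BLOCK_SECONDS + 1)))  # both released after the block time
```

With include_alert_only left at its default only the inline "blocked" alert produces an entry, which mirrors Franco's point that in IPS mode the drop is already applied per flow; setting it to True is the IDS-only, firewall-managed setup dcol describes. If the script were actually executed on a pf host, the same release policy can be delegated to pf itself by running `pfctl -t ids_block -T expire 3600` from cron, which removes entries added more than 3600 seconds ago.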