OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: moware on October 17, 2019, 03:19:58 PM

Title: Send IPS alerts by e-mail
Post by: moware on October 17, 2019, 03:19:58 PM
I successfully set up and configured IPS in opnsense. If I try to open a TCP connection from inside my network to a host listed, e.g., in the ET botnet list, the connection is blocked and I get an alert. So far, so good.

The problem is: The alert shows up in the opnsense web UI. I don't want to regularly check the web UI for alerts. If an alert happens, I'd like to be notified (by e-mail), so that I can investigate whether this is a security incident or a false positive.

Is there some built-in functionality in opnsense to activate this kind of e-mail notification? I activated Monit, but none of the built-in service alerts seems to relate to the IPS.

Thanks and best regards
Title: Re: Send IPS alerts by e-mail
Post by: mimugmail on October 17, 2019, 08:21:56 PM
No, only via external syslog or similar
Title: Re: Send IPS alerts by e-mail
Post by: moware on October 21, 2019, 09:45:42 AM
OK, thanks for the quick reply!
Title: Re: Send IPS alerts by e-mail
Post by: klaasth on October 21, 2019, 12:04:00 PM
OK, thanks. I had the same question a week ago.

https://forum.opnsense.org/index.php?topic=14648.0
Title: Re: Send IPS alerts by e-mail
Post by: moware on September 04, 2020, 03:12:24 PM
For future readers: An example for how to set this up has been added to the opnSense/monit documentation:

https://docs.opnsense.org/manual/monit.html

Credit goes to this thread: https://forum.opnsense.org/index.php?topic=17967.0; my thanks go to FullyBorked for finding out how to do it and to mimugmail for adding it to the docs!