OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: opleksin on July 24, 2020, 06:57:51 pm

Title: Send IPS alerts by e-mail
Post by: opleksin on July 24, 2020, 06:57:51 pm
I successfully set up and configured IPS in opnsense. If I try to open a TCP connection from inside my network to a host listed, e.g., in the ET botnet list, the connection is blocked and I get an alert. So far, so good.

The problem is: The alert shows up in the opnsense web UI. I don't want to regularly check the web UI for alerts. If an alert happens, I'd like to be notified (by e-mail), so that I can investigate whether this is a security incident or a false positive.

Is there some built-in functionality in opnsense to activate this kind of e-mail notification? I activated Monit, but none of the built-in service alerts seems to relate to the IPS.

Thanks and best regards
Title: Re: Send IPS alerts by e-mail
Post by: mimugmail on July 25, 2020, 07:57:47 am
https://github.com/opnsense/docs/blob/master/source/manual/monit.rst

Example 3
Title: Re: Send IPS alerts by e-mail
Post by: Julien on August 19, 2020, 11:28:48 pm
This is really handy. Have you managed to configure it?
Title: Re: Send IPS alerts by e-mail
Post by: XeroX on August 23, 2020, 12:06:44 am
Yes, but I find this more annoying than helpful.
Title: Re: Send IPS alerts by e-mail
Post by: chemlud on August 23, 2020, 11:45:00 am
...if you are not interested in what's going on in your network simply turn off suricata :-p

Carefully select your rulesets for your use case and turn off false positives over time. IPS is not a feature you turn on and forget about it...
Title: Re: Send IPS alerts by e-mail
Post by: XeroX on August 23, 2020, 02:57:35 pm
I agree if running IDS, but I'm running IPS. I want to block malicious traffic to my exposed systems.

I don't need notifications for any DShield blocks so I check that manually from day to day.
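
Added example, not part of any post in this thread and not OPNsense or Monit code: a Python sketch of the notification asked for in the first post that also handles the noise concern raised later, by mailing only blocked alerts, skipping suppressed signatures and collapsing repeats into one digest. It assumes Suricata's EVE JSON log fields (`event_type`, `alert.action`, `alert.signature`); the sample lines, addresses and function names are constructed for illustration.

```python
import json
from collections import Counter
from email.message import EmailMessage

# Constructed sample lines in Suricata EVE JSON format (not from a real sensor).
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.7","alert":{"action":"blocked","signature":"EXAMPLE Botnet CnC traffic"}}
{"event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.7","alert":{"action":"blocked","signature":"EXAMPLE Botnet CnC traffic"}}
{"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"192.168.1.5","alert":{"action":"blocked","signature":"EXAMPLE DShield listed source"}}
{"event_type":"alert","src_ip":"192.168.1.30","dest_ip":"203.0.113.8","alert":{"action":"allowed","signature":"EXAMPLE policy hit"}}
{"event_type":"dns","src_ip":"192.168.1.20","dest_ip":"192.168.1.1"}
{"event_type":"alert","src_ip":"192.168.1.
"""

def blocked_alerts(lines, suppress=("dshield",)):
    """Yield blocked alert events whose signature contains no suppress term."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written or truncated line, skip it
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert") or {}
        if alert.get("action") != "blocked":
            continue  # IDS-only hits are left for review in the web UI
        sig = alert.get("signature", "")
        if any(term in sig.lower() for term in suppress):
            continue  # known-noisy list the operator reviews manually
        yield ev

def build_digest(events, sender, recipient):
    """Return one EmailMessage summarising the events, or None if there are none."""
    counts = Counter((e["alert"].get("signature", "?"), e.get("src_ip"), e.get("dest_ip"))
                     for e in events)
    if not counts:
        return None  # nothing worth a mail
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"IPS: {sum(counts.values())} blocked event(s), {len(counts)} distinct"
    msg.set_content("\n".join(f"{n}x {sig}: {src} -> {dst}"
                              for (sig, src, dst), n in counts.most_common()))
    return msg

if __name__ == "__main__":
    # Placeholder addresses; hand the message to smtplib.SMTP(...).send_message() to deliver it.
    print(build_digest(blocked_alerts(SAMPLE_EVE.splitlines()),
                       "ips@example.org", "admin@example.org"))
```
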