Hi,
I am running a dedicated VLAN for guest wifi and have just turned on IPS with all ET Pro rules enabled. In the alerts I see the following log:
2021-09-11T09:49:59.485364-0700 2014939 allowed 192.168.4.17 44574 192.168.4.1 53 ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR
So it seems like there is a client machine with IP (192.168.4.17) making a DNS query, but in the DHCP leases I do not see any entry for the IP address 192.168.4.17. Interestingly, I am able to ping 192.168.4.17 from the console of the OPNsense shell.
I am just trying to make sense of this log and any pointers will be helpful.
Thanks.
I did an nmap with verbosity and it turns out it was my own laptop, which I had assigned a static IP for testing a few weeks back!
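Added example, not part of the original posts: one way to run the same cross-check in bulk, parsing alert lines in the format quoted above and listing source IPs on the guest subnet that have no DHCP lease (typically statically addressed hosts). The function names, the lease and ARP dictionaries, and every sample value other than the quoted alert line are assumptions constructed for illustration.

```python
import ipaddress
import re

# Field order as in the quoted alert: time, SID, action, src, sport, dst, dport, message
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sid>\d+)\s+(?P<action>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)"
    r"\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<msg>.+)$"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that do not fit."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    try:
        ipaddress.ip_address(m["src"])
        ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return m.groupdict()

def unleased_sources(alert_lines, leases, arp_table, subnet):
    """Map each alerting source IP inside `subnet` that has no DHCP lease
    to its MAC (from the ARP table, if known) and the signature IDs it hit."""
    net = ipaddress.ip_network(subnet)
    found = {}
    for line in alert_lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        src = alert["src"]
        if ipaddress.ip_address(src) not in net or src in leases:
            continue
        entry = found.setdefault(src, {"mac": arp_table.get(src), "sids": set()})
        entry["sids"].add(int(alert["sid"]))
    return found

# First line is the alert from the post; everything else is constructed sample data.
ALERTS = [
    "2021-09-11T09:49:59.485364-0700 2014939 allowed 192.168.4.17 44574 192.168.4.1 53 "
    "ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR",
    "2021-09-11T09:51:02.000000-0700 2014939 allowed 192.168.4.20 51000 192.168.4.1 53 "
    "ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR",
    "not an alert line",
]
LEASES = {"192.168.4.20": "02:00:00:00:00:20"}  # constructed: IP -> MAC from DHCP leases
ARP = {"192.168.4.17": "02:00:00:00:00:17", "192.168.4.20": "02:00:00:00:00:20"}

if __name__ == "__main__":
    for ip, info in unleased_sources(ALERTS, LEASES, ARP, "192.168.4.0/24").items():
        print(ip, info["mac"], sorted(info["sids"]))
```

The MAC reported for an unleased address can then be compared against known devices to identify the host.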