OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: pankaj on December 28, 2021, 06:19:33 am

Title: IDS alert logs [Solved]
Post by: pankaj on December 28, 2021, 06:19:33 am
Hi,

While viewing the alerts for IDS, I am trying to exclude one IP address (192.168.10.8) from the displayed entries. It is my understanding that the filter text box in the top right-hand corner supports regex, so I tried using the following combinations:


But neither of the scenarios worked properly; is there anything wrong with the regex above?
Title: Re: IDS alert logs
Post by: Fright on December 29, 2021, 09:21:34 am
Hi
imho regex is not supported on this filter.
it is sanitized with
Code:
<?php
// backend sanitization of the alert filter string: every character outside this
// whitelist (digits, letters, space, '*', '-', '_', '.', '#') is dropped
$value = preg_replace("/[^0-9,a-z,A-Z, ,*,\-,_,.,\#]/", "", $value);
at backend and adds wildcards to search string.
so you actually have *192.168.10.8* instead of [^192.168.10.8]
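Added example (not part of the thread, and not OPNsense's own code): a Python model of the sanitization step quoted above, run over a few constructed alert lines to show why every attempt at a negated pattern collapses into a plain substring match. The character whitelist is copied from the preg_replace above; that the backend wraps the result in `*` on both sides and matches it as a shell-style wildcard is an assumption used to model the behaviour.

```python
import re
from fnmatch import fnmatchcase

# Same character class as the PHP preg_replace quoted in the thread: anything
# outside it ([, ], ^, !, (, ), ?, \ ...) is removed from the filter string.
_STRIP = re.compile(r"[^0-9,a-z,A-Z, ,*,\-,_,.,\#]")

# Constructed sample alert lines (not real OPNsense log output).
SAMPLE_ALERTS = [
    "2021-12-28T06:10:01 [1:2010935:3] ET SCAN sample 192.168.10.8:51234 -> 10.0.0.5:443",
    "2021-12-28T06:11:42 [1:2012345:1] ET POLICY sample 192.168.10.21:40022 -> 10.0.0.5:22",
    "2021-12-28T06:12:09 [1:2010935:3] ET SCAN sample 192.168.10.8:51240 -> 10.0.0.9:443",
]


def sanitize_filter(value: str) -> str:
    """Drop every character the backend whitelist does not allow."""
    return _STRIP.sub("", value)


def to_wildcard(value: str) -> str:
    """Assumption: the backend wraps the sanitized text in '*' on both sides."""
    return f"*{sanitize_filter(value)}*"


def apply_filter(rows, user_filter: str):
    """Assumption: the wildcard string is matched like a shell glob (fnmatch)."""
    pattern = to_wildcard(user_filter)
    return [row for row in rows if fnmatchcase(row, pattern)]


if __name__ == "__main__":
    for attempt in ("[^192.168.10.8]", "!192.168.10.8", "(?!192\\.168\\.10\\.8)"):
        print(f"{attempt!r:28} -> {to_wildcard(attempt)!r}")
    # Every negation above becomes *192.168.10.8*, which SELECTS that host.
    print(len(apply_filter(SAMPLE_ALERTS, "[^192.168.10.8]")), "rows shown (all from 192.168.10.8)")
    # '*' survives sanitization, so a prefix wildcard does still work.
    print(len(apply_filter(SAMPLE_ALERTS, "192.168.10.*")), "rows for 192.168.10.*")
```

The takeaway for the question in the thread: the filter box can only narrow the list to rows that contain the text, never exclude rows, because the negation characters are stripped before matching.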
Title: Re: IDS alert logs
Post by: pankaj on December 31, 2021, 02:13:48 am
Thanks for clarifying!
Title: Re: IDS alert logs
Post by: pankaj on December 31, 2021, 03:18:14 am
So is there a way to filter the displayed entries on the alerts tab?

Or is there a log file that I can tail from the command line and use regex on?
Title: Re: IDS alert logs
Post by: pankaj on December 31, 2021, 03:47:32 am
As per the Suricata team there are ways to suppress false positives - https://forum.suricata.io/t/suppress-alerts-around-known-false-positive/1919/2

But I am unable to figure out how to implement this in OPNsense.

https://imgur.com/a/cmQ3Vm7
Title: Re: IDS alert logs
Post by: Fright on December 31, 2021, 09:40:07 am
not in gui imho
i think "threshold-file:" is not enabled by default
but you can try to add a "threshold-file" directive to the /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml file, pointing to your thresholds config file
Title: Re: IDS alert logs
Post by: pankaj on January 02, 2022, 03:09:04 am
I found the actual threshold.conf file at /usr/local/etc/suricata

and it follows the same syntax the Suricata team suggested!

Thanks for your pointers!
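Added example, not part of the thread and not OPNsense or Suricata code: a small Python reader for the Suricata `suppress` entry syntax that threshold.conf uses, applied to a few constructed EVE JSON alert records so the effect of each entry can be checked before a rule is deployed. The threshold.conf fragment, the signature ids and the EVE records are all constructed for this example; only the `suppress gen_id ..., sig_id ..., track by_src|by_dst|by_either, ip ...` form comes from Suricata's documented syntax.

```python
import ipaddress
import json
import re

# Constructed threshold.conf fragment in Suricata's "suppress" syntax.
THRESHOLD_CONF = """\
# silence one signature everywhere
suppress gen_id 1, sig_id 2100498
# silence a signature only when the known-good host is the source
suppress gen_id 1, sig_id 2010935, track by_src, ip 192.168.10.8
# silence a signature for a whole destination subnet
suppress gen_id 1, sig_id 2012345, track by_dst, ip 10.0.0.0/24
"""

# Constructed EVE JSON records (shape follows Suricata's eve alert output).
EVE_LINES = [
    '{"event_type":"alert","src_ip":"192.168.10.8","dest_ip":"10.0.0.5","alert":{"gid":1,"signature_id":2010935,"signature":"CONSTRUCTED scan"}}',
    '{"event_type":"alert","src_ip":"192.168.10.21","dest_ip":"10.0.0.5","alert":{"gid":1,"signature_id":2010935,"signature":"CONSTRUCTED scan"}}',
    '{"event_type":"alert","src_ip":"192.168.10.40","dest_ip":"10.0.0.5","alert":{"gid":1,"signature_id":2100498,"signature":"CONSTRUCTED noisy"}}',
    '{"event_type":"alert","src_ip":"192.168.10.30","dest_ip":"10.0.0.7","alert":{"gid":1,"signature_id":2012345,"signature":"CONSTRUCTED policy"}}',
    '{"event_type":"alert","src_ip":"192.168.10.30","dest_ip":"10.0.1.7","alert":{"gid":1,"signature_id":2012345,"signature":"CONSTRUCTED policy"}}',
    '{"event_type":"flow","src_ip":"192.168.10.8","dest_ip":"10.0.0.5"}',
]

_SUPPRESS = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst|by_either)\s*,\s*ip\s+(?P<ip>\S+))?$"
)


def parse_suppress_rules(text: str):
    """Parse 'suppress' entries; any other entry raises so a typo is not silently ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        m = _SUPPRESS.match(line)
        if m is None:
            raise ValueError(f"threshold.conf line {lineno}: unsupported entry {line!r}")
        net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
        rules.append((int(m["gid"]), int(m["sid"]), m["track"], net))
    return rules


def is_suppressed(event: dict, rules) -> bool:
    """True if some suppress entry matches this alert's gid/sid and tracked address."""
    alert = event.get("alert", {})
    key = (alert.get("gid"), alert.get("signature_id"))
    src = ipaddress.ip_address(event["src_ip"])
    dst = ipaddress.ip_address(event["dest_ip"])
    for gid, sid, track, net in rules:
        if (gid, sid) != key:
            continue
        if net is None:                      # no track clause: suppress everywhere
            return True
        if track == "by_src" and src in net:
            return True
        if track == "by_dst" and dst in net:
            return True
        if track == "by_either" and (src in net or dst in net):
            return True
    return False


def surviving_alerts(eve_lines, conf_text: str):
    """Return (sid, src_ip, dest_ip) for alerts the suppress entries would NOT hide."""
    rules = parse_suppress_rules(conf_text)
    kept = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":  # only alert records are subject to suppress
            continue
        if not is_suppressed(ev, rules):
            kept.append((ev["alert"]["signature_id"], ev["src_ip"], ev["dest_ip"]))
    return kept


if __name__ == "__main__":
    for sid, src, dst in surviving_alerts(EVE_LINES, THRESHOLD_CONF):
        print(f"still alerting: sid={sid} {src} -> {dst}")
```

Dry-running entries this way against an export of recent alerts shows exactly which records a new suppress line would hide; the by_src entry here silences the known host only, while other sources of the same signature still alert.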