OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: manuel on January 23, 2019, 09:25:36 am

Title: IPS only shows allowed actions in alerts
Post by: manuel on January 23, 2019, 09:25:36 am
Hello
I'm still on 18.7.9 and Suricata 4.0.6. I followed the instructions on https://wiki.opnsense.org/manual/how-tos/ips-feodo.html and am downloading all abuse.ch rules daily via cron. I also enabled them and changed Filter to drop. If I check my alerts I can only find log entries with action allowed. I can't find a single blocked action. Strange.

Does my IPS really do its job? How can I test it and force a blocked action?

Thank you very much for your help.

Greetings,
Manuel
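A check that helps answer the question above before changing any settings: the action shown in the OPNsense alert tab comes from Suricata's eve.json, where each alert record carries "action":"allowed" (the rule matched, but the packet was passed) or "action":"blocked" (a drop rule matched while Suricata was running inline). The script below, an added example that is not from the original post or from OPNsense, parses eve.json lines, counts actions, lists the signatures that fire but never drop, and reports whether the log looks like IDS-only behaviour. The sample records, the local rule sids (1000001/1000002) and their messages are constructed for the example, and the default log path /var/log/suricata/eve.json is an assumption; pass the real path as the first argument.

```python
import json
from collections import Counter

# Constructed sample of Suricata eve.json records (not captured traffic):
# one signature only ever "allowed", one signature "blocked", plus a non-alert
# flow record and a truncated line as they occur in a log being written.
SAMPLE_EVE = """\
{"timestamp":"2019-01-23T09:00:01.000000+0100","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL alert-only test rule"}}
{"timestamp":"2019-01-23T09:00:02.000000+0100","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP"}
{"timestamp":"2019-01-23T09:00:03.000000+0100","event_type":"alert","src_ip":"192.0.2.11","dest_ip":"203.0.113.7","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL drop test rule"}}
{"timestamp":"2019-01-23T09:00:04.000000+0100","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL alert-only test rule"}}
{"timestamp":"2019-01-23T09:00:05.000000+0100","event_type":"ale
"""


def parse_alerts(eve_text):
    """Yield alert records from eve.json text (one JSON object per line)."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or corrupt line, e.g. still being written
        if rec.get("event_type") == "alert":
            yield rec


def summarize_actions(eve_text):
    """Count alerts by action ("allowed" / "blocked")."""
    return Counter(a["alert"].get("action", "unknown") for a in parse_alerts(eve_text))


def signatures_by_action(eve_text):
    """Map each signature name to the set of actions Suricata took for it."""
    seen = {}
    for a in parse_alerts(eve_text):
        sig = a["alert"].get("signature", "?")
        seen.setdefault(sig, set()).add(a["alert"].get("action", "unknown"))
    return seen


def never_blocked(eve_text):
    """Signatures that fired but were never dropped: candidates for a rule
    whose action is still 'alert' rather than 'drop'."""
    return sorted(sig for sig, acts in signatures_by_action(eve_text).items()
                  if "blocked" not in acts)


def diagnose(eve_text):
    """Classify the log: 'no-alerts' (rules never matched on the inspected
    interface), 'ids-only' (matches but nothing dropped: rule action is alert
    or Suricata is not running inline), or 'ips-active'."""
    counts = summarize_actions(eve_text)
    if not counts:
        return "no-alerts"
    if counts.get("blocked", 0) == 0:
        return "ids-only"
    return "ips-active"


if __name__ == "__main__":
    import sys
    # Assumed default location of the Suricata EVE log; override on the command line.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/suricata/eve.json"
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    print("actions:", dict(summarize_actions(text)))
    print("signatures never blocked:", never_blocked(text))
    print("verdict:", diagnose(text))
```

If the verdict is "ids-only", the rules are matching (so the interface choice is fine) but nothing is being dropped; if it is "no-alerts", the traffic is not reaching the inspected interface at all, which is the case the reply below addresses.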
Title: Re: IPS only shows allowed actions in alerts
Post by: xmichielx on January 24, 2019, 06:12:41 pm
Try changing the interface that Suricata is checking on from WAN -> LAN, since the connection will be made from the LAN side.
Title: Re: IPS only shows allowed actions in alerts
Post by: manuel on January 30, 2019, 08:35:29 am
Hello xmichielx
Thank you very much for your answer. So only LAN instead of WAN should be selected in Settings --> Interfaces? I currently only have the WAN interface selected, according to the OPNsense Wiki.

I'll try this asap.

Greetings Manuel
Title: Re: IPS only shows allowed actions in alerts
Post by: manuel on March 01, 2019, 07:49:03 am
Hello all
I never managed to get IPS up and running on 18.7.9 and Suricata 4.0.6. I still only see "Action allowed" in the Alert tab of Intrusion Detection Administration, whichever rules (abuse.ch and some OPNsense) I have activated. Hardware offloading on the NIC is disabled and the WAN and even the LAN interface are activated.

Any idea how to also get some drop actions?

Thank you very much for your help.

Manuel