OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: ccigas on December 28, 2020, 07:33:33 pm

Title: First Time User
Post by: ccigas on December 28, 2020, 07:33:33 pm
Hello everyone, I just made the switch from pfSense, which I liked Suricata a lot in. After configuring my network I installed Suricata and went to the Intrusion Detection section to get started, but it's just a world of difference to me between OPNsense and pfSense and the way each has Suricata.

So I was hoping to ask a few questions.

1) Is there a way to suppress alerts like on pf?

2) When adding rulesets in pf it was just select and go. I see here it's like that under Download, but when I go to Rules there are 59 pages of rules with not all selected. I am curious how these are picked to be enabled or not?

3) I also see there are no settings to block an IP for a certain length, is there a way to add that? Is the current config blocked indefinitely?

4) Once an IP is blocked, will there be a Blocked tab at all or does it just show in alerts?

Thanks! I am also open to any tweaking tips too.
Title: Re: First Time User
Post by: marshalleq on January 03, 2021, 11:31:30 pm
This seems to be the known unknown in OPNsense. No one seems to be able to support Suricata, it's a black art.

I can't even get mine going: no alerts ever show up.

Title: Re: First Time User
Post by: dagazarcane on January 15, 2021, 10:17:29 am
Hi,

I have it working but only monitoring the WAN, as I have a few open ports and wanted to monitor them.

The two things that really helped me were: I set up monit to email me when I had an alert or block.

That then showed me which rules were worth enabling / what is being attacked.

Also I have enabled certain rules based on what I do / use my FW for.

The way I did this was to use the filter under Rules, e.g. application/web server and DOS attacks:

that loads the rules,
then select all,
then at the bottom click Drop and it changes them to drop,
apply,
I also stop and start the service.
Lastly, it seems that if I change from alert to block I go back to Download,
tick everything, then Download and update rules.

Not sure which bit works, but that gets the block rules working.
Title: Re: First Time User
Post by: errored out on February 17, 2021, 04:48:14 am
2) If I'm remembering correctly, the rules are downloaded and enabled. The action is dependent on the default action of the rule. If a rule is in black, it is enabled. If the rule is in gray, it is not enabled (not in use). Also to the right of the rule are check boxes that coincide with the color I just mentioned.

3) I would also like to know. I'm seeing different activity from what I remember with pfSense. I think you select different times as to block an IP which has set off a rule. From what I have been seeing, the traffic is blocked and the IP is not blacklisted for X amount of time.

4) There is no block tab. I have only seen alerts. Also make sure to pay attention to the tips / notes in the IPS documentation. You will have problems due to incorrect configuration.

For the other post - marshalleq, I don't think Suricata is a "black art". It has been used with various other OSes. The documentation for OPNsense is not the best, but the forum has helped me when I needed it.
Did you enable Suricata, IPS mode, and Promiscuous mode? You also have to make other changes to your FW.
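Both dagazarcane's approach (watching alerts to see which rules are worth enabling) and the question of whether a hit was merely alerted or actually blocked can be answered from Suricata's eve.json log, which records an `action` of `allowed` or `blocked` per alert. The script below is an added example written for this thread, not code from OPNsense or from any poster; the log lines are constructed, the SIDs and addresses are made up, and the live log path `/var/log/suricata/eve.json` is an assumption.

```python
import json
from collections import Counter

# Constructed sample lines in Suricata's eve.json format (not from the thread).
# Field names follow Suricata's EVE "alert" record; SIDs and IPs are made up.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-01-15T10:00:01+0000","event_type":"alert","src_ip":"203.0.113.5",'
    '"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed",'
    '"signature_id":1000001,"signature":"EXAMPLE WEB_SERVER probe","category":"Web Application Attack"}}',
    '{"timestamp":"2021-01-15T10:00:02+0000","event_type":"alert","src_ip":"203.0.113.5",'
    '"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"action":"blocked",'
    '"signature_id":1000001,"signature":"EXAMPLE WEB_SERVER probe","category":"Web Application Attack"}}',
    '{"timestamp":"2021-01-15T10:00:03+0000","event_type":"alert","src_ip":"198.51.100.7",'
    '"dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed",'
    '"signature_id":1000002,"signature":"EXAMPLE DOS flood","category":"Attempted Denial of Service"}}',
    '{"timestamp":"2021-01-15T10:00:04+0000","event_type":"flow","src_ip":"192.0.2.20","dest_ip":"192.0.2.10"}',
    '{"timestamp":"2021-01-15T10:00:05+0000","event_type":"alert","src_ip":"198.51.1',  # truncated line
]


def parse_eve_alerts(lines):
    """Return only the alert records, skipping other event types and unparseable lines."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line, common when tailing a live log
        if event.get("event_type") == "alert" and "alert" in event:
            alerts.append(event)
    return alerts


def summarize_alerts(alerts):
    """Count hits per signature, per action (allowed vs blocked) and per source IP."""
    summary = {"by_signature": Counter(), "by_action": Counter(), "by_source": Counter()}
    for event in alerts:
        a = event["alert"]
        summary["by_signature"][(a["signature_id"], a["signature"])] += 1
        # "blocked" only appears for drop rules with IPS mode active; in IDS mode
        # every hit is "allowed", which is why the GUI shows alerts but no "blocked" tab.
        summary["by_action"][a.get("action", "allowed")] += 1
        summary["by_source"][event["src_ip"]] += 1
    return summary


if __name__ == "__main__":
    summary = summarize_alerts(parse_eve_alerts(SAMPLE_EVE_LINES))
    for (sid, name), n in summary["by_signature"].most_common():
        print(f"{n:4d}  sid:{sid}  {name}")
    print("actions:", dict(summary["by_action"]))
    print("top sources:", summary["by_source"].most_common(3))
```

To run it against a live box, replace `SAMPLE_EVE_LINES` with the lines of `/var/log/suricata/eve.json` (assumed path); a signature that fires often with `allowed` is a candidate for switching to drop, and a `blocked` entry confirms the drop rule and IPS mode are actually in effect.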