OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: pankaj on September 11, 2021, 07:25:02 pm

Title: Question about Alerts from IDS/IPS [Closed]
Post by: pankaj on September 11, 2021, 07:25:02 pm
Hi,

I am running a dedicated VLAN for guest wifi and have just turned on IPS with all ET Pro rules enabled. In the alerts I see the following log:

Code:
2021-09-11T09:49:59.485364-0700 2014939 allowed 192.168.4.17 44574 192.168.4.1 53 ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR
So it seems like there is a client machine with IP 192.168.4.17 making a DNS query, but in the DHCP leases I do not see any entry for the IP address 192.168.4.17. Interestingly, I am able to ping 192.168.4.17 from the console of the OPNsense shell.

I am just trying to make sense of this log and any pointers will be helpful.

Thanks.
Title: Re: Question about Alerts from IDS/IPS
Post by: pankaj on September 11, 2021, 07:47:26 pm
I did an nmap with verbosity and it turns out it was my own laptop, to which I had assigned a static IP for testing a few weeks back!
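A small triage helper for the situation in this thread, added here as an example and not code from the poster or from OPNsense: it parses an alert line in the column layout the OPNsense IDS alert view shows (timestamp, rule SID, action, source IP and port, destination IP and port, message) and then explains the source address by checking it against a DHCP lease table and an ARP/neighbour table. A host that answers ARP but holds no lease is exactly the "static or manually configured" case found above. The lease entries, MAC addresses and the 192.168.4.0/24 guest subnet are constructed assumptions; only the alert line itself is copied from the thread.

```python
import re
import ipaddress
from dataclasses import dataclass

# Constructed copy of the alert line posted in the thread, in the OPNsense
# alert-view column order: ts, sid, action, src, sport, dst, dport, message.
SAMPLE_ALERT = (
    "2021-09-11T09:49:59.485364-0700 2014939 allowed "
    "192.168.4.17 44574 192.168.4.1 53 "
    "ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR"
)

# Constructed DHCP lease table (ip -> (mac, hostname)); hypothetical values.
DHCP_LEASES = {
    "192.168.4.20": ("02:00:00:00:00:20", "guest-phone"),
}

# Constructed ARP/neighbour table (ip -> mac), as `arp -an` on the firewall
# would list it; hypothetical values. 192.168.4.17 answers ARP but has no lease.
ARP_TABLE = {
    "192.168.4.17": "02:00:00:00:00:17",
    "192.168.4.20": "02:00:00:00:00:20",
}

# Assumed guest VLAN subnet (not stated in the thread).
GUEST_NET = ipaddress.ip_network("192.168.4.0/24")

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sid>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[0-9a-fA-F.:]+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>[0-9a-fA-F.:]+)\s+(?P<dport>\d+)\s+(?P<msg>.+)$"
)


@dataclass
class Alert:
    ts: str
    sid: int
    action: str
    src: str
    sport: int
    dst: str
    dport: int
    msg: str


def parse_alert(line: str) -> Alert:
    """Split one alert-view line into typed fields; reject malformed input."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    d = m.groupdict()
    return Alert(d["ts"], int(d["sid"]), d["action"], d["src"], int(d["sport"]),
                 d["dst"], int(d["dport"]), d["msg"])


def classify_source(ip: str, leases=DHCP_LEASES, arp=ARP_TABLE, net=GUEST_NET) -> dict:
    """Explain where an alerting source address comes from.

    Verdicts: 'dhcp-lease' (known dynamic client), 'static-or-manual'
    (answers ARP but holds no lease, like the laptop in this thread),
    'unseen' (never observed on the segment).
    """
    addr = ipaddress.ip_address(ip)
    result = {"ip": ip, "in_guest_net": addr in net, "hostname": None, "mac": None}
    if ip in leases:
        result["mac"], result["hostname"] = leases[ip]
        result["verdict"] = "dhcp-lease"
    elif ip in arp:
        result["mac"] = arp[ip]
        result["verdict"] = "static-or-manual"
    else:
        result["verdict"] = "unseen"
    return result


def triage(line: str) -> dict:
    """Parse an alert line and attach the source-address explanation."""
    a = parse_alert(line)
    info = classify_source(a.src)
    info.update({"sid": a.sid, "action": a.action, "dst": a.dst,
                 "dport": a.dport, "msg": a.msg})
    return info


if __name__ == "__main__":
    for k, v in triage(SAMPLE_ALERT).items():
        print(f"{k:14} {v}")
```

On a real firewall the two tables would be filled from the DHCP leases file and the output of `arp -an`; the point of the correlation is that an address missing from the leases but present in ARP is usually a statically configured host, which is worth confirming by MAC before treating the alert as an unknown device.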