OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: vyruz on February 24, 2017, 10:20:30 am

Title: IDS/IPS: Possible to save packets for later inspection?
Post by: vyruz on February 24, 2017, 10:20:30 am
Hi everyone,

I just finished setting up OPNSense on my Dell Poweredge R210 II server, which is replacing my Asus RT-N66U, which started having problems coping with the 230Mbit downlink I was recently upgraded to :-)
I doubted for a long time whether I should go with PFSense or OPNSense, but now that I have OPNSense I don't regret it at all.

One of my goals is to set up an IDS(/IPS) system to see if something funny is happening in my network. I did this a long time ago on a dedicated Linux box using Snort. I don't remember the details of the setup I had back then, but I remember there was one option somewhere that allowed Snort to save all network packets that triggered an IDS rule for x amount of time. This was quite useful, because some rules do require some further investigation to decide whether it's something malicious or normal behaviour.

So my question is: is there an option like this somewhere in OPNSense/Suricata? I've set up IDS now and am getting some alerts I'd like to investigate further, but OPNSense only shows me the source and destination IP, which isn't always enough.