Messages - someone

#1
Try loading the rules again, with no policies.
#2
AppArmor is an endpoint IPS; also Wazuh, and other third-party contributions,
which all help protect our operating system and OPNsense router.
I still can't get OPNsense to last more than around two weeks; anything that would help would be a help to us all.
#3
IDS does not drop; drop is only for IPS.
IDS is alert only.
#4
True, no syslog in Suricata 9.0, but
"They plan to add 'syslog' as a filetype (target) for fastlog. Which they said is essentially a 1:1 replacement for the syslog output."
#5
If a server auto-connects you to a server you may have blocked, you can't stop the connection.
We need to work on that; that's hopefully on a non-malicious level, but it happens with malware.

#6
Have you noticed they don't match?
Traffic is missed except for pcap.
I mean a real pcap, not the short GUI-generated one.
#7
Mine works the same.
I keep my logs; what if something happens to your SIEM? A new SIEM would have to ingest the old logs.
I remove them to storage; I try to keep the log under a GB. That's when I delete the old files.
But my pcaps are in there too.
If anyone knows a different method, feel free. I've read the docs.
#8
I set my save at 400; I don't know if it will actually delete any, but I don't want that.
I don't know what it means by rotation; it doesn't matter, daily or weekly I get the same result.
My logs are auto-rotated by size; I can get five a day.
By rotated I mean a new file is started.
#9
Two ways:
with a policy or by individual rule.

You can change the rule to drop: go to Intrusion detection > admin > rules, enter the rule number in the search bar,
change the alert to drop.

or

Use policies:
Go to Intrusion detection > policy and make a new policy.
Leave the top action on alert, which is default.
Select your whole ruleset.
In the lower action change to drop.
Click apply.
It will change all alerts to drop in that ruleset.
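The two routes above both come down to changing the action keyword at the front of a Suricata rule. The script below is an added example, not the poster's or the OPNsense project's code, and it does not go through the OPNsense GUI or rule management; it shows the same edit on a plain Suricata rules file, once for a single rule by sid and once for a whole file. The rules it operates on are constructed samples, and the function names are my own.

```bash
#!/bin/sh
# Added example: flip the action of Suricata rules in a plain rules file.
# Not OPNsense code; it only illustrates what "change alert to drop" does
# to the rule text. Commented-out rules (lines starting with "#") are left alone.

# set_action_for_sid FILE SID ACTION
# Change the action of the single rule carrying "sid:SID;" (the post's
# "by individual rule" route).
set_action_for_sid() {
  file=$1; sid=$2; action=$3
  awk -v sid="$sid" -v act="$action" '
    /^#/ || /^[ \t]*$/ { print; next }                 # keep comments and blanks as-is
    $0 ~ ("sid:[ \t]*" sid ";") { sub(/^[a-z]+/, act) } # action is the first keyword
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# set_action_for_ruleset FILE ACTION
# Change the action of every active rule in the file (the post's "policy"
# route applied to a whole ruleset).
set_action_for_ruleset() {
  file=$1; action=$2
  awk -v act="$action" '
    /^#/ || /^[ \t]*$/ { print; next }
    { sub(/^(alert|drop|pass|reject)/, act); print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# count_action FILE ACTION: number of active rules currently using ACTION.
count_action() {
  grep -c "^$2 " "$1" || true
}

# make_sample_rules FILE: write a small constructed ruleset (not a real one).
make_sample_rules() {
  cat > "$1" <<'EOF'
# constructed sample rules for the example, not a published ruleset
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE irc outbound"; sid:1000001; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"EXAMPLE query to unwanted resolver"; sid:1000002; rev:1;)
# alert http any any -> any any (msg:"EXAMPLE disabled rule"; sid:1000003; rev:1;)
EOF
}

# Demo: change one rule, then the whole file, and show the counts.
demo_file=$(mktemp)
make_sample_rules "$demo_file"
set_action_for_sid "$demo_file" 1000001 drop
echo "drop rules after single-sid change: $(count_action "$demo_file" drop)"
set_action_for_ruleset "$demo_file" drop
echo "drop rules after ruleset change: $(count_action "$demo_file" drop)"
rm -f "$demo_file"
```

Whatever route you use, re-read the file afterwards (the `count_action` check here) so you know a rule you meant to drop is not still alert-only.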
#10
Just note Suricata is not a firewall at present.
#11
I can tell you the firewall does not work; also Suricata does not work in blocking certain IPs.
How does an IP bypass the router altogether?
If you can answer without getting in trouble, if you can answer, you know already.
I could go into more detail but I'm trying to stay out of trouble.
I have a vague idea how they are doing that, but my question is, is there a way to stop them, block them?

Another note: it's a newly installed system so there are no carry-overs due to any malicious bad guys.
So all the planted and implanted ways to cause a connection are not relevant in that respect.
No, I'm not going to bad websites of any kind.
I don't use Tor or VPNs; you should know about that already.
Not sending encrypted messages, no dark web.
#12
What browser are you using? If using Firefox, there are some changes in Firefox that have to be made or Firefox DNS will fight with Unbound DNS. You should leave Unbound enabled at default, except check flush cache on reboot. Nothing to do there for a basic setup. Put your DNS servers in System > Settings > General > DNS. Just to the right of each one is a gateway drop-down bubble. If it doesn't show an IPv4 gateway, wait for a DHCP connection, then click the drop-down bubble and it should be there. You have to attach an IPv4 gateway there. It's a bug I mentioned on the forum before. Then monitor your DNS: is it going where it should, exactly? No deviations. Leave everything else about DNS at default. If problems persist, make sure you wipe the OPNsense drive before a reinstall, if you know how. It has a possibility of carrying data over to the new system. Wipe the RAM. If it still has wrong DNS then you have to look at the modem and/or operating system.
#13
Just to let you know:
So Kaspersky is no longer in the US; they did some good things though, stopping global hacking gangs. Yes, they are called gangs, syndicates.
I found a Kaspersky file in Wazuh but I haven't read it yet to see what it is.
I'll post here if it's benign.
#14
25.7, 25.10 Series / Re: DNS failures unbound 25.7.5
October 19, 2025, 04:15:00 AM
You said blocked; I would start with IPS alerts. Is there anything blocking there?
Some sites can get blocked; disable the rule.
Re-enable the rule when done if it's a one-time thing.
It's a start.
Second, did you change the firewall? It was mentioned.
Third, can you see if DNS is behaving properly: logs, pcap.
#15
If any Linux users don't know,
thought I would mention that Linux Mint has endpoint protection built in.
It has default settings, but is readily changeable.
It's all command line but not difficult; watch some YouTube videos.