Messages - someone

#1
The length of time is set in the rule if it isn't a permanent block.
To change the block time you have to change it in the rule on your system; be aware it resets when rules are downloaded again.
On your system get the rule, change it, put it back via sftp.
Never heard of or seen a false positive.
Rules are set to trigger; it isn't false.
Would need more information on that.
#2
Could use more information, meaning more specific and how it's running and on what.
You can't have IDS and IPS at the same time, one or the other.
What do you have enabled as far as rules? Just the defaults?
Are you making changes when you get errors?
What do you mean by stats?
If you know how to query the log folder, did you check out the json file? Is that the stats you're looking for?
#3
First, what are you calling an alert, and what are you calling a drop? And why can't you find the notifications?
Admin alerts or log files?
It's all there. Do you need help?
#4
I like the look of the forum, but is there a way to change the background color scheme to dark?
It's rather blinding.
Thanks
#5
With HTTP extinct, most packets trigger off the headers since the payload is encrypted. It can be done with some extra work.
#6
You got it, just remove it from the main policy and put that ruleset in its own policy.
Note, don't do individual rule changes unless necessary; policies are better.
Individual changes will go back to default with a rule update,
and it bogs down the system efficiency with too many.
If you have many individual changes or want to add your own,
best would be to ssh into the system and pull the ruleset,
change it and put it back manually, and click apply.
Shouldn't have trouble with the default rules being dropped,
but may have to alter some if enabling all rules.
#7
I haven't mentioned in this post "time".
After you click apply once in the rules, wait ten minutes before clicking it again.
Only click it a maximum of three times, then wait six hours to click again.
Why? You just told it to rewrite 50,000 rules three times, stored in RAM,
for a total of 150,000 writes in two databases, making 300,000 writes total.
And I believe it runs in the background so it's a little slow.
It is activated, I think maybe running in RAM before it's written.
I can see my RAM usage go up every time I click apply.
But if you click apply too much and too fast, Suricata will self destruct.
I'm thinking it runs out of RAM space, feel free to correct me.
#8
chemlud
Yes, a rule update will reset your individual changes.
#9
One other thing to mention, are you reading it correctly? It can say alert, but
what does the "action" say? It should say alert or drop depending on what you set it to.
You can have alert and drop in the same instance in the log file.
But under alerts in Administration it should say drop.
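The post above turns on reading the per-record action in the log rather than the bare word "alert". As an added example that is not from the post, from OPNsense or from the Suricata project, the Python below walks a handful of constructed eve.json lines and summarises them by action. Suricata itself records the rule action in the `alert.action` field as `allowed` (alert mode) or `blocked` (drop mode in IPS); mapping those to the alert/drop wording of the post is this example's own choice, and the sids, addresses, timestamps and signature names are all made up.

```python
"""Summarise Suricata eve.json alert records by the action they carry.

Added example; the log lines below are constructed, not captured from any system.
"""
import json
from collections import Counter

# Suricata's eve.json records the rule action as "allowed" (rule in alert mode)
# or "blocked" (rule in drop mode, IPS). This example labels them with the
# alert/drop wording used in the forum post; that mapping is the example's own.
ACTION_LABEL = {"allowed": "alert", "blocked": "drop"}


def _alert(ts, src, dst, action, sid, sig):
    """Build one constructed eve.json alert line in Suricata's field layout."""
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": dst,
        "proto": "TCP",
        "alert": {"action": action, "gid": 1, "signature_id": sid, "rev": 1,
                  "signature": sig, "severity": 2},
    })


# Constructed sample log: sids are in the local-rule range (1000000+) so they
# do not refer to any published rule; addresses are documentation ranges.
# Lines 2 and 3 show the same rule after it was switched from alert to drop.
SAMPLE_EVE_LINES = [
    _alert("2024-01-01T10:00:00.000000+0000", "198.51.100.10", "192.0.2.20",
           "allowed", 1000001, "SAMPLE rule A"),
    _alert("2024-01-01T10:05:00.000000+0000", "198.51.100.10", "192.0.2.20",
           "blocked", 1000001, "SAMPLE rule A"),
    _alert("2024-01-01T10:06:00.000000+0000", "198.51.100.11", "192.0.2.20",
           "blocked", 1000001, "SAMPLE rule A"),
    _alert("2024-01-01T10:07:00.000000+0000", "198.51.100.12", "192.0.2.21",
           "blocked", 1000002, "SAMPLE rule B"),
    json.dumps({"timestamp": "2024-01-01T10:08:00.000000+0000",
                "event_type": "flow", "src_ip": "192.0.2.5", "dest_ip": "192.0.2.20"}),
    "this line is not json and must be skipped",
]


def parse_alert(line):
    """Return the fields we care about from one eve.json alert line.

    Non-alert events (flow, dns, ...) and unparsable lines yield None.
    """
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if not isinstance(rec, dict) or rec.get("event_type") != "alert":
        return None
    alert = rec.get("alert", {})
    raw_action = alert.get("action")
    return {
        "timestamp": rec.get("timestamp"),
        "src_ip": rec.get("src_ip"),
        "dest_ip": rec.get("dest_ip"),
        "action": ACTION_LABEL.get(raw_action, raw_action),
        "sid": alert.get("signature_id"),
        "signature": alert.get("signature"),
    }


def summarise(lines):
    """Count alert records per (action label, sid)."""
    counts = Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec is not None:
            counts[(rec["action"], rec["sid"])] += 1
    return counts


def mixed_action_sids(lines):
    """Sids that appear with both alert and drop in the same log.

    This is the case the post describes: the same rule logged as alert
    before an action change and as drop after it.
    """
    seen = {}
    for line in lines:
        rec = parse_alert(line)
        if rec is not None:
            seen.setdefault(rec["sid"], set()).add(rec["action"])
    return {sid for sid, actions in seen.items() if {"alert", "drop"} <= actions}


if __name__ == "__main__":
    for (action, sid), n in sorted(summarise(SAMPLE_EVE_LINES).items()):
        print(f"{action:5s} sid={sid} count={n}")
    print("rules seen with both actions:", mixed_action_sids(SAMPLE_EVE_LINES))
```

Pointing the loop at a real eve.json (one JSON object per line) instead of `SAMPLE_EVE_LINES` is enough to run it against a system; the `mixed_action_sids` result is the quick way to spot rules whose action changed part-way through the log, which is the situation the post describes.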
#10
There are some IPv6 rules; the protocol is not used much, and no, I don't get rule hits on IPv6.
The bots and hackers mainly use IPv4.
And browser hackers are already in your system via the browser when you open their page, and it's IPv4.
#11
Sounds like filter the WAN.
You want to filter all incoming traffic through opnsense destined to your home network.
Don't forget to add your WAN IP in the advanced options of Intrusion Detection Admin for rulesets to work.
I can't say much for ISP routers without a rant.
#12
The suricata rules are updated in the opnsense repository. It doesn't use or need suricata-update as far as I can tell.
All we have to do is click update rules in opnsense.
As far as rules, yes, suricata has a few rules not in the opnsense rulesets, but I have not had a single hit on them yet.
The yaml is locked for security and duplication at reload.
I think you can set up queues to run scripts if that is needed.
Hope that helps.
Is there a problem with the rulesets?
#13
Check the box "flush cache on reboot", then reboot, check logs.
#14
Yes, that's what it is used for.
It ties your IP address to the rulesets.
#15
Nope, the correct box for the DHCP address is in Intrusion Detection > Administration > click advanced in upper left >
and enter the IP or IP range in the home networks box, and delete the ones you don't need.
Or if yours is one of the two defaults, it's already done; delete the one you don't need.
I haven't tested it but you may also enter your static address here too.
It ties your IP to the suricata rulesets.
Took me a while to find it.