Messages - zlinuxboy

#1
Sir,
I have sent the email through PM, please check it out. Thanks in advance.
#2
Sorry to bring the topic back. I have been trying to order the ETPro Telemetry a couple of times with different accounts, and have sent multiple emails to contact@opnsense.org or sales@opnsense.org, but nothing happens; the orders are always declined with no reason. Well, the reply email said:
Your order has been declined due to inconsistencies in your application,
but I don't get the point.

Has anybody successfully got a valid token recently?
#3
Quote from: someone on November 08, 2025, 05:21:24 AM
> Two ways:
> with a policy or by individual rule.
>
> You can change the rule to drop: go to Intrusion detection>admin>rules, enter the rule number in the search bar,
> change the alert to drop.
>
> or
> Use policies:
> Go to Intrusion detection>policy, make a new policy.
> Leave the top action on alert, which is default.
> Select your whole ruleset.
> In the lower action change to drop.
> Click apply.
> It will change all alerts to drop in that ruleset.

Then the policy will apply in both IDS and IPS mode, right? No matter which mode it's on.
#4
Hello, sir.

I have had no reply 3 days after sending letters to sales@opnsense.org and contact@opnsense.org. Any suggestion to push the progress along?
#5
I created & applied a new policy:

```
/usr/local/etc/suricata/rule-policies.config
[71b2ac5f6ed2473d94c5ad5f4b2ae28b]
enabled=1
prio=0
rulesets=emerging-attack_response.rules,emerging-dos.rules,emerging-exploit.rules,emerging-icmp.rules,emerging-icmp_info.rules,emerging-info.rules,emerging-malware.rules,emerging-misc.rules,emerging-p2p.rules,emerging-scan.rules,emerging-sql.rules,opnsense.social_media.rules
content=
action=alert
__target_action__=drop
__policy_id__=71b2ac5f-6ed2-473d-94c5-ad5f4b2ae28b
__policy_description__=-
```


BEFORE creating the policy, I generated a scan.

OPNsense console, /var/log/suricata/eve.json:

```
...
{
  "timestamp": "2025-11-05T16:30:03.731607+0800",
  "flow_id": 890432422023188,
  "in_iface": "vmx1",
  "event_type": "alert",
  "src_ip": "10.4.0.1",
  "src_port": 64517,
  "dest_ip": "172.16.14.100",
  "dest_port": 5802,
  "proto": "TCP",
  "ip_v": 4,
  "pkt_src": "wire/pcap",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2002910,
    "rev": 6,
    "signature": "ET SCAN Potential VNC Scan 5800-5820",
    "category": "Attempted Information Leak",
    "severity": 2,
    "metadata": {
      "confidence": [
        "Medium"
      ],
      "created_at": [
        "2010_07_30"
      ],
      "signature_severity": [
        "Informational"
      ],
      "updated_at": [
        "2019_07_26"
      ]
    }
  },
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 60,
    "bytes_toclient": 0,
    "start": "2025-11-05T16:30:03.731607+0800",
    "src_ip": "10.4.0.1",
    "dest_ip": "172.16.14.100",
    "src_port": 64517,
    "dest_port": 5802
  }
}
...
```

ATTACKER:

```
┌──(vagrant㉿kali-105)-[~]
└─$ sudo ip netns exec v4-cln1 nmap -sS -T4 172.16.14.100
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-05 03:29 EST
Nmap scan report for 172.16.14.100
Host is up (0.0010s latency).
Not shown: 999 closed tcp ports (reset)
PORT  STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 13.64 seconds

```

AFTER creating and applying the policy, I generated a scan.

OPNsense console, /var/log/suricata/eve.json:
```
{
  "timestamp": "2025-11-05T16:43:19.949197+0800",
  "flow_id": 2106448014443784,
  "in_iface": "vmx1",
  "event_type": "alert",
  "src_ip": "10.4.0.1",
  "src_port": 54695,
  "dest_ip": "172.16.14.100",
  "dest_port": 3306,
  "proto": "TCP",
  "ip_v": 4,
  "pkt_src": "wire/pcap",
  "alert": {
    "action": "blocked",
    "gid": 1,
    "signature_id": 2010937,
    "rev": 3,
    "signature": "ET SCAN Suspicious inbound to mySQL port 3306",
    "category": "Potentially Bad Traffic",
    "severity": 2,
    "metadata": {
      "confidence": [
        "Medium"
      ],
      "created_at": [
        "2010_07_30"
      ],
      "signature_severity": [
        "Informational"
      ],
      "updated_at": [
        "2019_07_26"
      ]
    }
  },
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 60,
    "bytes_toclient": 0,
    "start": "2025-11-05T16:43:19.949197+0800",
    "src_ip": "10.4.0.1",
    "dest_ip": "172.16.14.100",
    "src_port": 54695,
    "dest_port": 3306
  }
}
```

attacker:

```
┌──(vagrant㉿kali-105)-[~]
└─$ sudo ip netns exec v4-cln1 nmap -sS -T4 172.16.14.100
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-05 03:43 EST
Nmap scan report for 172.16.14.100
Host is up (0.0018s latency).
Not shown: 995 closed tcp ports (reset)
PORT    STATE    SERVICE
22/tcp  open    ssh
1433/tcp filtered ms-sql-s
1521/tcp filtered oracle
3306/tcp filtered mysql
5432/tcp filtered postgresql

Nmap done: 1 IP address (1 host up) scanned in 14.88 seconds
```

Questions:

1. Is that the right method to create such a policy to achieve my goal?
2. Why does nmap show 22 as open, but 3306 as filtered, after applying the newly created policy (action changed from alert to drop)?
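An added example, not code from the thread or from OPNsense: a small Python check that reads eve.json lines and reports, per signature, how many alerts were still logged with action=allowed after the moment the drop policy was applied. The sample lines are constructed from the two alerts quoted above (trimmed to the fields the check uses), and the apply time passed in is an assumption.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample eve.json lines (one JSON object per line), modelled on the two
# alerts quoted above; only the fields this check needs are kept.
SAMPLE_EVE = """\
{"timestamp": "2025-11-05T16:30:03.731607+0800", "event_type": "alert", "src_ip": "10.4.0.1", "dest_ip": "172.16.14.100", "dest_port": 5802, "alert": {"action": "allowed", "signature_id": 2002910, "signature": "ET SCAN Potential VNC Scan 5800-5820"}}
{"timestamp": "2025-11-05T16:30:04.000000+0800", "event_type": "flow", "src_ip": "10.4.0.1", "dest_ip": "172.16.14.100"}
{"timestamp": "2025-11-05T16:43:19.949197+0800", "event_type": "alert", "src_ip": "10.4.0.1", "dest_ip": "172.16.14.100", "dest_port": 3306, "alert": {"action": "blocked", "signature_id": 2010937, "signature": "ET SCAN Suspicious inbound to mySQL port 3306"}}
{"timestamp": "2025-11-05T16:43:20.100000+0800", "event_type": "alert", "src_ip": "10.4.0.1", "dest_ip": "172.16.14.100", "dest_port": 5802, "alert": {"action": "allowed", "signature_id": 2002910, "signature": "ET SCAN Potential VNC Scan 5800-5820"}}
"""

def parse_ts(s):
    """Suricata writes offsets like +0800; fromisoformat needs +08:00 on older Pythons."""
    if len(s) > 5 and s[-5] in "+-" and s[-4:].isdigit():
        s = s[:-2] + ":" + s[-2:]
    return datetime.fromisoformat(s)

def parse_alerts(text):
    """Yield (timestamp, sid, signature, action) for event_type=alert lines only."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        yield parse_ts(ev["timestamp"]), a["signature_id"], a["signature"], a["action"]

def actions_since(text, applied_at):
    """Per (sid, signature): Counter of alert actions at or after the policy apply time."""
    cutoff = parse_ts(applied_at)
    counts = defaultdict(Counter)
    for ts, sid, sig, action in parse_alerts(text):
        if ts >= cutoff:
            counts[(sid, sig)][action] += 1
    return dict(counts)

def still_allowed(text, applied_at):
    """Signature IDs still logged as action=allowed after the policy apply time."""
    return sorted(sid for (sid, _), c in actions_since(text, applied_at).items()
                  if c["allowed"] > 0)

if __name__ == "__main__":
    # Assumed apply time: shortly before the second scan in the thread.
    for (sid, sig), c in actions_since(SAMPLE_EVE, "2025-11-05T16:43:00+0800").items():
        print(sid, sig, dict(c))
    print("still allowed:", still_allowed(SAMPLE_EVE, "2025-11-05T16:43:00+0800"))
```

A signature reported by still_allowed after the apply time is one whose ruleset the drop policy does not cover, or Suricata is not running in IPS mode; ports on which no signature matches at all (such as 22 in the scan above) are untouched by the policy and still show as open.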
#6
Hello, community.
I just touched Suricata yesterday, so there are some new concepts I am trying to catch up on.
I have downloaded and applied the ET Open rules, and successfully made Suricata generate an alert by using an attacker@$external_net to nmap -sS -T4 server@$home_net.
But even after I enable IPS mode, Suricata still allows packets that match the ET Open rules to go through.
How do I make Suricata drop the evil packets that match rules when in IPS mode?
#7
I did, I have sent two letters to sales@opnsense.org and contact@opnsense.org, yesterday and half an hour ago. No reply.
#8
I have applied for an order of ET Pro Telemetry, but the system cancelled it automatically, and I don't know why.
How do I correctly apply for it?
---
Here is the reason it gave:
The following note has been added to your order:

Your order has been declined due to inconsistencies in your application, if you believe the provided data is valid, just send an email to contact@opnsense.com and ask us to validate your application manually.