
{
  "status": "ok",
  "severity": "medium",
  "verdict": "investigate",
  "summary": "External IP 198.51.100.22 is conducting potential SSH scanning activity against internal server 10.0.0.1 on port 22.",
  "reasoning": "The alert indicates reconnaissance activity with unidirectional traffic (4 packets sent, 0 received) suggesting connection attempts without successful establishment. The source IP is probing SSH which could indicate automated scanning or brute force preparation.",
  "recommended_action": "Check firewall logs for additional connection attempts from this IP, review SSH auth logs on 10.0.0.1, and consider rate limiting or blocking if pattern continues.",
  "src_ip": "198.51.100.22",
  "dst_ip": "10.0.0.1",
  "ioc": ["198.51.100.22"],
  "mitre_tactic": "Discovery",
  "confidence": 75,
  "timestamp": "2026-03-15T03:55:13Z"
}
scp claudeids-plugin.tar.gz root@192.168.1.1:/tmp/
ssh root@192.168.1.1
cd /tmp && tar -xzf claudeids-plugin.tar.gz && sh claudeids-plugin/install.sh
/usr/local/etc/inc/plugins.inc.d/claudeids.inc                plugin registration
/usr/local/opnsense/mvc/app/
  controllers/OPNsense/ClaudeIDS/
    IndexController.php                                       UI page controller
    Api/TriageController.php                                  REST API + Claude calls
  models/OPNsense/ClaudeIDS/
    ClaudeIDS.xml / ClaudeIDS.php                             settings model
    ACL/ACL.xml                                               access control
    Menu/Menu.xml                                             sidebar registration
  views/OPNsense/ClaudeIDS/
    index.volt                                                dashboard UI
/usr/local/sbin/claudeids-watcher.py                          auto-triage daemon
/usr/local/opnsense/service/conf/actions.d/claudeids.conf     configd actions
/var/log/claudeids/triage.json                                triage history (runtime)
/var/log/claudeids/watcher.log                                daemon log (runtime)
POST  /api/claudeids/triage/analyze       triage a single alert (alert=<string>)
POST  /api/claudeids/triage/batch         triage an array (alerts=<json array>)
GET   /api/claudeids/triage/history       last 200 triage records
POST  /api/claudeids/triage/block         manually block an IP (ip=<addr>)
GET   /api/claudeids/triage/getSettings   read current settings
POST  /api/claudeids/triage/saveSettings  write settings to config.xml
sh /tmp/claudeids-plugin/uninstall.sh
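The gate below is an added example, not code from the plugin or from this post. It validates a triage record of the shape shown in the sample above before the record is allowed to drive the block endpoint. The field names are those of the sample; everything else is an assumption for the example: the verdict and severity vocabularies beyond "investigate" and "medium", the confidence threshold of 90, the NEVER_BLOCK ranges, and the function names. The point it makes is that the model's JSON is built from alert text that the remote end influences, so a watcher that turns verdicts into block calls should treat that JSON as untrusted input and never let it name an internal address.

```python
import ipaddress
import json
from datetime import datetime

# Vocabularies assumed for this example: the post's sample only shows
# "investigate" and "medium"; "block", "ignore", "high", "critical" are guesses.
VERDICTS = {"ignore", "investigate", "block"}
SEVERITIES = {"low", "medium", "high", "critical"}
REQUIRED = {"status": str, "severity": str, "verdict": str, "summary": str,
            "reasoning": str, "recommended_action": str, "src_ip": str,
            "dst_ip": str, "ioc": list, "mitre_tactic": str,
            "confidence": int, "timestamp": str}
# Ranges an automated gate must never hand to the block endpoint, whatever
# the model says: RFC 1918, loopback, link-local, IPv6 ULA.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def parse_triage_result(raw):
    """Parse one triage record and reject anything that is not exactly the
    expected shape. The record is model output derived from alert text an
    attacker can influence, so it is untrusted input: types, vocabularies
    and addresses are checked and free-text fields are never interpreted."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("triage result must be a JSON object")
    for key, typ in REQUIRED.items():
        if key not in data:
            raise ValueError(f"missing field: {key}")
        # bool is a subclass of int; confidence must be a real number
        if not isinstance(data[key], typ) or isinstance(data[key], bool):
            raise ValueError(f"bad type for field: {key}")
    if data["status"] != "ok":
        raise ValueError(f"status is {data['status']!r}, not 'ok'")
    if data["verdict"] not in VERDICTS:
        raise ValueError(f"unknown verdict {data['verdict']!r}")
    if data["severity"] not in SEVERITIES:
        raise ValueError(f"unknown severity {data['severity']!r}")
    if not 0 <= data["confidence"] <= 100:
        raise ValueError("confidence must be within 0..100")
    if not all(isinstance(i, str) for i in data["ioc"]):
        raise ValueError("ioc must be a list of strings")
    # ip_address() raises ValueError for anything that is not a literal address,
    # which is the only thing the block endpoint should ever receive
    data["src_ip"] = ipaddress.ip_address(data["src_ip"])
    data["dst_ip"] = ipaddress.ip_address(data["dst_ip"])
    datetime.fromisoformat(data["timestamp"].replace("Z", "+00:00"))
    return data


def should_auto_block(result, min_confidence=90):
    """Decide whether a parsed record may drive an automatic block.
    Returns (allowed, reason). The model only recommends: the block goes
    through when the verdict is "block", severity and confidence are high,
    the source address is outside NEVER_BLOCK and the record itself names
    that address as an IOC (a tampered record fails at least one check)."""
    ip = result["src_ip"]
    if result["verdict"] != "block":
        return False, f"verdict is {result['verdict']}"
    if result["severity"] not in ("high", "critical"):
        return False, f"severity {result['severity']} is below the auto-block bar"
    if result["confidence"] < min_confidence:
        return False, f"confidence {result['confidence']} is below {min_confidence}"
    if any(ip in net for net in NEVER_BLOCK):
        return False, f"{ip} is an internal, loopback or link-local address"
    if str(ip) not in result["ioc"]:
        return False, "src_ip is not listed in ioc"
    return True, f"block {ip}"


# The record from the post above (free-text fields shortened), as the daemon
# would read it back from the triage history file.
SAMPLE_FROM_POST = """{
  "status": "ok", "severity": "medium", "verdict": "investigate",
  "summary": "External IP 198.51.100.22 is conducting potential SSH scanning activity against internal server 10.0.0.1 on port 22.",
  "reasoning": "The alert indicates reconnaissance activity with unidirectional traffic (4 packets sent, 0 received).",
  "recommended_action": "Check firewall logs, review SSH auth logs on 10.0.0.1, consider rate limiting or blocking.",
  "src_ip": "198.51.100.22", "dst_ip": "10.0.0.1", "ioc": ["198.51.100.22"],
  "mitre_tactic": "Discovery", "confidence": 75, "timestamp": "2026-03-15T03:55:13Z"
}"""
# Constructed variants (not from the post): one that qualifies for a block,
# and one where the model names an internal host, which the gate must refuse.
SAMPLE_BLOCK = json.dumps({**json.loads(SAMPLE_FROM_POST), "verdict": "block",
                           "severity": "high", "confidence": 95})
SAMPLE_INTERNAL = json.dumps({**json.loads(SAMPLE_BLOCK), "src_ip": "10.0.0.5",
                              "ioc": ["10.0.0.5"]})

if __name__ == "__main__":
    for raw in (SAMPLE_FROM_POST, SAMPLE_BLOCK, SAMPLE_INTERNAL):
        rec = parse_triage_result(raw)
        print(rec["src_ip"], should_auto_block(rec))
```

Running it prints three decisions: the post's record is refused because the verdict is only "investigate", the constructed "block" record is accepted, and the variant that names 10.0.0.5 is refused even though every other field says block. The place for such a check is wherever the watcher daemon turns a verdict into a call to /api/claudeids/triage/block; the manual block path in the UI can stay as it is.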