OPNsense Forum » English Forums » Intrusion Detection and Prevention » IDS alert logs [Solved]
Topic: IDS alert logs [Solved] (Read 3412 times)
pankaj wrote on December 28, 2021, 06:19:33 am:
Hi,
While viewing the alerts for IDS, I am trying to exclude one IP address (192.168.10.8) from the displayed entries. It is my understanding that the filter text box in the top right-hand corner supports regex, so I tried the following combinations:
[^192.168.10.8]
/^(?!.*192.168.10.8 ).*/
But neither of the scenarios worked properly. Is there anything wrong with the regex above?
Last Edit: January 02, 2022, 03:26:15 am by pankaj
Fright, Reply #1 on December 29, 2021, 09:21:34 am:
Hi
IMHO regex is not supported on this filter.
It is sanitized with
Code:
preg_replace("/[^0-9,a-z,A-Z, ,*,\-,_,.,\#]/", "", $value);
at the backend, which adds wildcards to the search string.
So you actually have *192.168.10.8* instead of [^192.168.10.8].
pankaj, Reply #2 on December 31, 2021, 02:13:48 am:
Thanks for clarifying!
pankaj, Reply #3 on December 31, 2021, 03:18:14 am:
So is there a way to filter the displayed entries on the alerts tab?
Or is there a log file that I can tail from the command line and use regex on?
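To make Fright's point concrete and answer the command-line question in the same place, here is an added example (written for this thread; it is not OPNsense or Suricata code). It emulates the sanitizer he quoted, shows what the two filter strings turn into, and then filters a constructed eve.json sample from the shell. The wildcard wrapping follows his description of the backend and is an assumption, as is the default OPNsense log path mentioned at the end; the sample alert lines, addresses and sids are constructed, not real traffic.

```shell
# Added example, not OPNsense or Suricata code.

# Emulate preg_replace("/[^0-9,a-z,A-Z, ,*,\-,_,.,\#]/", "", $value): keep only
# digits, letters, space, comma, '*', '-', '_', '.', '#' and delete everything
# else, so '[', '^', ']', '(', '?', '!' and '/' all disappear. Then add the
# leading/trailing wildcards Fright describes (assumed backend behaviour).
sanitize_filter() {
  cleaned=$(printf '%s' "$1" | tr -cd '0-9a-zA-Z ,*_.#-')
  printf '*%s*' "$cleaned"
}

# Write a constructed eve.json sample (four lines, not real traffic).
# Addresses and signature ids are illustrative only.
mk_sample_log() {
  cat > "$1" <<'EOF'
{"timestamp":"2021-12-28T06:10:01.000000+0000","event_type":"alert","src_ip":"192.168.10.8","dest_ip":"10.0.0.5","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2021-12-28T06:10:02.000000+0000","event_type":"alert","src_ip":"192.168.10.80","dest_ip":"10.0.0.5","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2021-12-28T06:10:03.000000+0000","event_type":"flow","src_ip":"192.168.10.8","dest_ip":"10.0.0.5"}
{"timestamp":"2021-12-28T06:10:04.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"192.168.10.8","alert":{"signature_id":2013028,"signature":"ET POLICY curl User-Agent Outbound"}}
EOF
}

# Alert events from an eve.json file that do not involve one IP as src or dest.
# The pattern includes the JSON quotes and -F makes it a literal match, so
# 192.168.10.8 is excluded but 192.168.10.80 is kept and the dots are not
# treated as regex wildcards.
alerts_excluding_ip() {
  grep -F '"event_type":"alert"' "$1" | grep -v -F "\"$2\""
}

# Same selection, returned as a line count (no leading spaces, unlike wc -l).
count_alerts_excluding_ip() {
  alerts_excluding_ip "$1" "$2" | grep -c ''
}

# Demo: what the GUI box actually searches for, then the CLI exclusion.
sanitize_filter '[^192.168.10.8]'; echo            # *192.168.10.8*
sanitize_filter '/^(?!.*192.168.10.8 ).*/'; echo   # *.*192.168.10.8 .**
sample=$(mktemp)
mk_sample_log "$sample"
alerts_excluding_ip "$sample" 192.168.10.8         # one alert line (192.168.10.80 stays)
rm -f "$sample"

# Live equivalent on the firewall (OPNsense default eve path, verify locally):
#   tail -f /var/log/suricata/eve.json | grep --line-buffered -v -F '"192.168.10.8"'
```

Because every regex metacharacter is deleted before the search runs, there is no way to express "not this host" in the GUI box; the negated character class collapses to the plain address and then matches more, not less. On the command line the eve.json that Suricata writes is the place to filter, and anchoring the match on the quoted JSON value avoids the classic prefix mistake of also hiding 192.168.10.80 through 192.168.10.89.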
pankaj, Reply #4 on December 31, 2021, 03:47:32 am:
As per the Suricata team, there are ways to suppress false positives:
https://forum.suricata.io/t/suppress-alerts-around-known-false-positive/1919/2
But I am unable to figure out how to implement this in OPNsense.
https://imgur.com/a/cmQ3Vm7
Fright, Reply #5 on December 31, 2021, 09:40:07 am:
Not in the GUI, IMHO.
I think "threshold-file:" is not enabled by default,
but you can try to add a "threshold-file" directive to the /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml file, pointing to your thresholds config file.
pankaj, Reply #6 on January 02, 2022, 03:09:04 am:
I found the actual threshold.conf file at /usr/local/etc/suricata,
and it follows the same syntax the Suricata team suggested!
Thanks for your pointers!
Last Edit: January 02, 2022, 03:25:56 am by pankaj
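For readers landing here with the same problem, this is an added example of the threshold.conf syntax the thread ends on; it is written for this page and is not a file from OPNsense or from the Suricata forum post linked above. The sids and addresses are illustrative; take the real sid from the alert's "signature_id" field.

```conf
# Added example of Suricata threshold.conf entries (illustrative sids/addresses).

# Silence one signature only when 192.168.10.8 is the source. gen_id 1 is the
# normal rule generator; sig_id is the rule's sid as shown in the alert.
suppress gen_id 1, sig_id 2100498, track by_src, ip 192.168.10.8

# Same rule, but only when that host is the destination.
suppress gen_id 1, sig_id 2100498, track by_dst, ip 192.168.10.8

# A CIDR range is accepted where a single address is.
suppress gen_id 1, sig_id 2013028, track by_src, ip 192.168.10.0/24

# Rate-limit instead of silencing: at most one alert per source per 60 s.
threshold gen_id 1, sig_id 2013028, type limit, track by_src, count 1, seconds 60
```

Two checks before relying on it: confirm that the running suricata.yaml actually references the file (`grep threshold-file /usr/local/etc/suricata/suricata.yaml`) and that `suricata -T -c /usr/local/etc/suricata/suricata.yaml` accepts the syntax, then verify the entries survive an apply from the OPNsense IDS page, since OPNsense regenerates its Suricata configuration from templates. Unlike the GUI filter, a suppress line stops the alert being generated at all, so it will be missing from eve.json and any downstream SIEM too; scoping it to one sid and one host or subnet keeps the blind spot as small as possible.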