Custom Rules for IDS/IPS in OPNsense 24.7

secdoc · August 07, 2024, 10:09:05 PM

Is there there a way to create custom rules for IDS in 24.7?

I am specifically wanting to create an alert for GRE.

# Alert on GRE traffic to a specific IP
alert ip any any -> {IP ADDRESS} any (msg:"GRE traffic to specific IP"; ip_proto:47; sid:1000002; rev:1;)

# Alert on high-volume GRE traffic
alert ip any any -> any any (msg:"High volume GRE traffic"; ip_proto:47; threshold: type both, track by_src, count 1000, seconds 60; sid:1000003; rev:1;)

The current user defined option does not cut it...

Custom Rules for IDS/IPS in OPNsense 24.7

secdoc

August 07, 2024, 10:09:05 PM Last Edit: August 07, 2024, 10:18:58 PM by secdoc