Is there a way to monitor IDS IPS stats in the GUI ? (redirect)

Started by alex_62450, March 15, 2025, 02:07:39 PM

Hi to the OPNsense community,


Disclaimer: this is a redirect/repost of a post I made about IPS in the general production series, while there is in fact a specific forum for IPS, hence putting it in the proper place :)


OPNsense runs in my home lab with IDS/IPS enabled, and I regularly check alerts in Services > Intrusion Detection > Administration - Alerts tab.

The question is: is there a way to monitor IDS/IPS stats in the GUI, i.e. to get an overview?

For instance, checking the log files (/var/log/suricata), I recently noticed, on some specific days, a very unusual number of entries logged, repeating "error reading netmap data via polling: No buffer space available". However, I don't know if there is a way to monitor such stats from the GUI.

In the present case, the high number of buffer error messages (for a home lab) has also probably disabled the protection provided by IPS, as the number of other sorts of messages is much below the normal order of magnitude for daily logs.

By the way, there is another issue: when I previously looked at the overall free space on disk with the df command, its output didn't reflect the actual (and abnormal) size of the Suricata logs; it seems that the correct information is given by ls when querying the log folder, such as Suricata's.

Many thanks,

Could use more information, meaning more specific, and how it's running and on what.
You can't have IDS and IPS at the same time, one or the other.
What do you have enabled as far as rules? Just the defaults?
Are you making changes when you get errors?
What do you mean by stats?
If you know how to query the log folder, did you check out the json file? Is that the stats you're looking for?

Thanks for your reply!

Quote: "You can't have IDS and IPS at the same time, one or the other"

Yes, indeed :-) but I mentioned IDS/IPS together as my question applies similarly to both IDS and IPS.

Quote: "What do you have enabled as far as rules. Just the defaults?"

At the moment, the enabled rules are the default ones, changing some from "block" to "allow" and vice versa, and that was fine.

The issue is that one has to go into /var/log/suricata to be in a position to realize that the number of alerts went through the roof:
- on a first day, 46 million "No buffer space available" entries
- then, on a second day, 210 million of the same error message.

For a home lab, such figures mean that the IPS (as it was the mode I enabled) was not functional.

That situation was also hard to spot since, moreover, the "df" command doesn't seem to work as it should, which delayed the moment I could identify it. This happens in a context where I am trying to identify an odd behavior of the OPNsense box, which is asynchronously probing my LAN on ports 22=>80=>22, and then doing the same towards the ISP.

This incident is addressed in this other post: 
https://forum.opnsense.org/index.php?topic=46311.15

In OPNsense, I find the dashboard very useful to notice, at a glance, whether a gateway is up or down or whether any of the services are running. I am wondering if there is any possibility in OPNsense - widget, plugin or other - to get such information about the IDS/IPS instantly, e.g. simple high-level stats or an overview that gives a heads-up signal?

Many thanks.
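The per-day error count the poster did by hand, plus the capture counters from the eve.json stats records the reply points at, as an added example that is not code from this thread, from OPNsense or from Suricata. It streams suricata.log and eve.json line by line (so a 200-million-line file is not read into memory), counts <Error> lines per day and message, takes the cumulative capture/drop counters from the newest "stats" record, and returns a one-screen verdict. The log line format, the eve field names (stats.capture.kernel_packets / kernel_drops, stats.detect.alert) and the thresholds are assumptions; the sample lines are constructed for the example, so check both against your own files before relying on the parser.

```python
"""Offline IDS/IPS health overview for /var/log/suricata (added example).

Assumptions: suricata.log lines carry a date plus "<Level> -" (older style)
or "Level:" (newer style); eve.json holds one JSON object per line with
cumulative counters under "stats". Adjust LOG_LINE and the field names if
your Suricata version differs.
"""
import json
import re
from collections import Counter, defaultdict

# Date in either style, then the level marker, then the message (assumed layout).
LOG_LINE = re.compile(
    r"(?P<date>\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})"
    r".*?(?:<(?P<lvl_a>\w+)>|\b(?P<lvl_b>Notice|Info|Warning|Error)\b:)"
    r"\s*-?\s*(?P<msg>.+)$"
)

# Constructed suricata.log sample: a quiet day, then a day flooded with the
# netmap buffer error discussed in the thread.
SAMPLE_SURICATA_LOG = """\
14/3/2025 -- 00:00:05 - <Notice> - all 4 packet processing threads, 2 management threads initialized, engine started.
14/3/2025 -- 09:12:41 - <Error> - error reading netmap data via polling: No buffer space available
14/3/2025 -- 17:30:02 - <Error> - error reading netmap data via polling: No buffer space available
15/3/2025 -- 01:02:11 - <Error> - error reading netmap data via polling: No buffer space available
15/3/2025 -- 01:02:11 - <Error> - error reading netmap data via polling: No buffer space available
15/3/2025 -- 01:02:12 - <Error> - error reading netmap data via polling: No buffer space available
15/3/2025 -- 01:02:12 - <Error> - error reading netmap data via polling: No buffer space available
15/3/2025 -- 01:02:12 - <Error> - error reading netmap data via polling: No buffer space available
15/3/2025 -- 01:02:13 - <Error> - error reading netmap data via polling: No buffer space available
15/3/2025 -- 01:02:13 - <Warning> - constructed warning line, not counted as an error
"""

# Constructed eve.json sample: one alert record (ignored) and two cumulative
# stats records; the second shows 15% capture drops.
SAMPLE_EVE_JSON = """\
{"timestamp":"2025-03-15T00:00:00.000000+0100","event_type":"alert","alert":{"signature":"constructed alert"}}
{"timestamp":"2025-03-15T00:08:00.000000+0100","event_type":"stats","stats":{"uptime":480,"capture":{"kernel_packets":1000000,"kernel_drops":2000},"detect":{"alert":40}}}
{"timestamp":"2025-03-15T00:16:00.000000+0100","event_type":"stats","stats":{"uptime":960,"capture":{"kernel_packets":2000000,"kernel_drops":300000},"detect":{"alert":41}}}
"""


def errors_per_day(lines):
    """Count <Error> lines from an iterable of suricata.log lines: {day: Counter(msg)}."""
    per_day = defaultdict(Counter)
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        if (m.group("lvl_a") or m.group("lvl_b")) != "Error":
            continue
        per_day[m.group("date")][m.group("msg").strip()] += 1
    return per_day


def latest_capture_stats(lines):
    """(kernel_packets, kernel_drops, alerts) from the newest stats record, or None.

    Suricata's stats counters are cumulative since engine start, so only the
    last record is needed. A torn final line (file still being written) is skipped.
    """
    latest = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "stats":
            latest = rec
    if latest is None:
        return None
    stats = latest.get("stats", {})
    cap = stats.get("capture", {})
    return (cap.get("kernel_packets", 0), cap.get("kernel_drops", 0),
            stats.get("detect", {}).get("alert", 0))


def health_report(log_lines, eve_lines, error_threshold=10000, max_drop_ratio=0.05):
    """One-screen overview; 'degraded' is set when a day's error count or the
    capture drop ratio crosses the (assumed, tune-for-your-box) thresholds."""
    per_day = errors_per_day(log_lines)
    day_totals = {day: sum(c.values()) for day, c in per_day.items()}
    worst_day = max(day_totals, key=day_totals.get, default=None)
    top_error = per_day[worst_day].most_common(1)[0][0] if worst_day else None
    stats = latest_capture_stats(eve_lines)
    drop_ratio = stats[1] / stats[0] if stats and stats[0] else 0.0
    degraded = (any(n > error_threshold for n in day_totals.values())
                or drop_ratio > max_drop_ratio)
    return {
        "errors_per_day": day_totals,
        "worst_day": worst_day,
        "top_error": top_error,
        "drop_ratio": round(drop_ratio, 4),
        "alerts": stats[2] if stats else None,
        "degraded": degraded,
    }


if __name__ == "__main__":
    # Threshold lowered for the constructed sample. On a real box pass the open
    # files instead, e.g. open("/var/log/suricata/suricata.log") for log_lines.
    report = health_report(SAMPLE_SURICATA_LOG.splitlines(),
                           SAMPLE_EVE_JSON.splitlines(), error_threshold=5)
    for key, value in report.items():
        print(f"{key:15} {value}")
```

Because the functions take any iterable of lines, passing open file objects keeps memory flat on the multi-hundred-million-line days described above; the daily counts per message are what the thread reads off by hand, and the drop ratio is the figure that actually says whether inline (IPS) inspection was keeping up.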