OPNsense Forum » English Forums » Intrusion Detection and Prevention » IPS only shows allowed actions in alerts
Topic: IPS only shows allowed actions in alerts (Read 3704 times)

manuel (January 23, 2019, 09:25:36 am):
Hello
I'm still on 18.7.9 and Suricata 4.0.6. I followed the instructions on https://wiki.opnsense.org/manual/how-tos/ips-feodo.html and am downloading all abuse.ch rules daily via cron. I also enabled them and changed Filter to drop. If I check my alerts, I can only find log entries with action allowed. I can't find even one blocked action. Strange.
Does my IPS really do its job? How can I test it and force a blocked action?
Thank you very much for your help.
Greetings,
Manuel

xmichielx, Reply #1 (January 24, 2019, 06:12:41 pm):
Try changing the interface that Suricata is checking on from WAN -> LAN, since the connection will be made from the LAN side.

manuel, Reply #2 (January 30, 2019, 08:35:29 am):
Hello xmichielx
Thank you very much for your answer. So only LAN instead of WAN should be selected in Settings --> interfaces? I currently only have the WAN interface selected, according to the OPNsense wiki.
I'll try this ASAP.
Greetings Manuel

manuel, Reply #3 (March 01, 2019, 07:49:03 am):
Hello everyone
I never managed to get IPS up and running on 18.7.9 and Suricata 4.0.6. I still only see "Action allowed" in the Alert tab of Intrusion Detection Administration, whatever rules (abuse and some OPNsense) I have activated. Hardware Offloading on the NIC is disabled, and the WAN and even the LAN interface are activated.
Any idea how to also get some drop actions?
Thank you very much for your help.
Manuel
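
One way to check, from Suricata's EVE JSON log rather than the Alerts tab, whether any alert was ever recorded as blocked and on which capture interface. This is an added example, not part of the thread; the sample records are constructed, and it assumes your eve.json records carry the `event_type`, `in_iface` and `alert.action` fields.

```python
import json
import sys
from collections import Counter

# Constructed sample records (not from the thread); the last line is deliberately truncated.
SAMPLE_EVE = """\
{"event_type":"alert","in_iface":"em0","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","alert":{"action":"allowed","signature_id":1000001,"signature":"EXAMPLE rule A"}}
{"event_type":"flow","in_iface":"em0","src_ip":"192.0.2.10","dest_ip":"198.51.100.7"}
{"event_type":"alert","in_iface":"em0","src_ip":"192.0.2.11","dest_ip":"198.51.100.7","alert":{"action":"allowed","signature_id":1000001,"signature":"EXAMPLE rule A"}}
{"event_type":"alert","in_iface":"em1","src_ip":"192.0.2.12","dest_ip":"198.51.100.9","alert":{"action":"blocked","signature_id":1000002,"signature":"EXAMPLE rule B"}}
{"event_type":"alert","in_iface":"em1","src_ip":"192.0.2.12","dest_ip":"198.51.100.9","alert":{"action":"allowed","signature_id":1000003,"signature":"EXAMPLE rule C"}}
{"event_type":"alert","in_iface":"em1","alert":{"action":"blo
"""


def tally_actions(lines):
    """Count alert records per (interface, action); skip non-alert and malformed lines."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a partially written line at the tail of a live log
        if not isinstance(rec, dict) or rec.get("event_type") != "alert":
            continue
        alert = rec.get("alert")
        action = alert.get("action", "unknown") if isinstance(alert, dict) else "unknown"
        counts[(rec.get("in_iface", "unknown"), action)] += 1
    return counts


def interfaces_never_blocking(counts):
    """Interfaces that raised alerts but never recorded a 'blocked' action."""
    seen = {iface for iface, _ in counts}
    blocking = {iface for (iface, action), n in counts.items() if action == "blocked" and n}
    return sorted(seen - blocking)


if __name__ == "__main__":
    # Pass the path to an eve.json file, or run without arguments to use the sample.
    lines = open(sys.argv[1], encoding="utf-8") if len(sys.argv) > 1 else SAMPLE_EVE.splitlines()
    counts = tally_actions(lines)
    for (iface, action), n in sorted(counts.items()):
        print(f"{iface:10} {action:10} {n}")
    print("alerting but never blocking:", interfaces_never_blocking(counts))
```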