IPS only shows allowed actions in alerts

Started by manuel, January 23, 2019, 09:25:36 AM

Hello
I'm still on 18.7.9 and Suricata 4.0.6. I followed the instructions on https://wiki.opnsense.org/manual/how-tos/ips-feodo.html and I am downloading all abuse.ch rules daily via cron. I also enabled them and changed Filter to drop. If I check my alerts I can only find log entries with action allowed. I can't find even one blocked action. Strange.

Does my IPS really do its job? How can I test it and force a blocked action?

Thank you very much for your help.

Greetings,
Manuel

Try changing the interface that Suricata is checking on from WAN -> LAN, since the connection will be made from the LAN side.

Hello xmichielx
Thank you very much for your answer. So only LAN instead of WAN should be selected in Settings --> Interfaces? I currently only have the WAN interface selected, according to the OPNsense wiki.

I'll try this asap.

Greetings Manuel

Hello together
I never managed to get IPS up and running on 18.7.9 and Suricata 4.0.6. I still only see "Action allowed" in the Alert tab of Intrusion Detection Administration, whatever rules (abuse.ch and some OPNsense) I have activated. Hardware offloading on the NIC is disabled and the WAN and even the LAN interface are activated.

Any idea to get also some drop actions?

Thank you very much for your help.

Manuel
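The thread never gets a resolution, so here is a diagnostic that a practitioner would run in Manuel's position. It is an added example, not code from the thread, from OPNsense or from the Suricata project. It reads Suricata's EVE JSON alert output (the `eve.json` file the GUI's Alert tab is built from) together with the active rules file, and for every alert logged as `allowed` it distinguishes the two common causes: the matched rule is still an `alert` rule (the drop conversion did not reach this rule), or the rule is a `drop` rule but the engine is not running in IPS mode on that interface, in which case Suricata only reports what it would have dropped and logs the action as `allowed`. The EVE lines, rules and interface names (`em0`, `em1`) below are constructed for the example; paths to the real files on an OPNsense box are assumptions and not taken from the thread.

```python
import json
import re
from collections import Counter

# Constructed sample of Suricata EVE JSON alert records (not taken from the thread).
# One alert rule and one drop rule matched on em0, the drop rule matched on em1.
SAMPLE_EVE = """\
{"timestamp":"2019-01-23T09:25:36.000000+0100","event_type":"alert","in_iface":"em0","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"TEST rule left as alert","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-01-23T09:25:37.000000+0100","event_type":"flow","in_iface":"em0","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP"}
{"timestamp":"2019-01-23T09:25:38.000000+0100","event_type":"alert","in_iface":"em0","src_ip":"192.0.2.10","dest_ip":"198.51.100.6","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"TEST rule converted to drop","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-01-23T09:25:39.000000+0100","event_type":"alert","in_iface":"em1","src_ip":"192.0.2.11","dest_ip":"198.51.100.6","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000002,"rev":1,"signature":"TEST rule converted to drop","category":"A Network Trojan was detected","severity":1}}
"""

# Constructed ruleset in Suricata rule syntax; a leading '#' means the rule is disabled.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST rule left as alert"; sid:1000001; rev:1;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST rule converted to drop"; sid:1000002; rev:1;)
#drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST disabled rule"; sid:1000003; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def load_alerts(eve_text):
    """Return the alert records from EVE JSON text; flow, dns, etc. events are skipped."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def rule_actions(rules_text):
    """Map sid -> rule action ('alert', 'drop', ...) for enabled rules only."""
    actions = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            # The action is the first token of a Suricata rule line.
            actions[int(m.group(1))] = line.split(None, 1)[0]
    return actions


def summarize(alerts):
    """Count alerts per (in_iface, action) so 'allowed' vs 'blocked' per interface is visible."""
    return Counter((a.get("in_iface"), a["alert"]["action"]) for a in alerts)


def diagnose(alerts, actions):
    """For each 'allowed' alert, say why it was not blocked, as (sid, in_iface, reason)."""
    findings = []
    for a in alerts:
        if a["alert"]["action"] != "allowed":
            continue
        sid = a["alert"]["signature_id"]
        rule_action = actions.get(sid)
        if rule_action is None:
            reason = "sid not found among enabled rules"
        elif rule_action != "drop":
            reason = "rule action is '%s', not 'drop': the drop conversion did not apply" % rule_action
        else:
            # A drop rule that still logs 'allowed' means Suricata saw the packet but
            # was not inline (IPS mode) on this interface, so nothing could be dropped.
            reason = "drop rule but packet allowed: engine is not in IPS mode on this interface"
        findings.append((sid, a.get("in_iface"), reason))
    return findings


if __name__ == "__main__":
    # On a real box replace the constructed samples with the file contents, e.g.
    # open("/var/log/suricata/eve.json").read() (path is an assumption).
    alerts = load_alerts(SAMPLE_EVE)
    for key, n in sorted(summarize(alerts).items()):
        print("iface=%s action=%s count=%d" % (key[0], key[1], n))
    for sid, iface, reason in diagnose(alerts, rule_actions(SAMPLE_RULES)):
        print("sid %d on %s: %s" % (sid, iface, reason))
```

Run against real data, the per-interface summary tells you whether any `blocked` actions exist at all and on which interface, and the diagnosis separates "rules still say alert" from "drop rules, but no inline interface": the first is fixed by regenerating the ruleset with the drop filter, the second by enabling IPS mode on the interface that actually sees the client's connection.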