[SOLVED] Intrusion detection documentation

[DoubleJ]

Does anyone know where to find any information, documentation or help files on opnsense's intrusion detection?

thnx in advance

[franco]

Hi there,

the feature is "quite" new and was rebuilt from the ground up, we don't have more documentation than what is scattered around the forum I fear. Are you looking for a specific piece of info or just a general introduction?


Cheers,
Franco

[DoubleJ]

I'm interested introduction. What is the functionality of the service? does it block or only registers? What are rulesets? what is the diff with the rules tab? what does every rule or ruleset do (criteria?) ?

I want to understand the service; decide whether it is useful in my situation and if so, what config options are of interest.

[franco]

Jos is working on new material, I'll ask if he has this planned already. Thanks for your feedback.

[franco]

This is what I could gather from a rather busy Jos:

No I don’t have anything for IDS, but the current IDS is straight forward just enable a ruleset and then you can apply individual rules or keep the defaults. Currently it only generates alerts, visible in the Alert tab.. that is it.. testing it will take 5-10 minutes ;-)

For 16.1 it will become a little bit more difficult as then you should be able to change the behavior from alert to block.

[DoubleJ]

Ok thnx, I'll play around with it.

[jschellevis]

Documentation has been updated for many topics including the IDP and inline IPS solution.

See: https://docs.opnsense.org/manual/ips.html