Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Migrating from pfsense IDS to opnsense
« previous
next »
Print
Pages: [
1
]
Author
Topic: Migrating from pfsense IDS to opnsense (Read 2237 times)
opnfwforumuser
Newbie
Posts: 1
Karma: 0
Migrating from pfsense IDS to opnsense
«
on:
December 24, 2021, 02:24:32 am »
Hi all. I have recently moved from pfsense and appreciate all of the work done by the opnsense team!
I am running sensei, and also using suricata (services -> intrusion detection) as an IDS listening on LAN to look for problem machines and processes. I periodically review alerts looking for concerning patterns.
I am hoping you might share your preferred workflows for updating rules efficiently. Things I noticed
1. rules reload and restarts are slow and it's hard to know when things are finished without tail -f'ing the logs. This makes it slower when testing and tweaks.
2. I'm not sure on the ordering and interaction between policy, rule adjustments, admin -> rules and admin -> user adjustments. I have reviewed docs.opnsense.org/manual/ips.html and the two linked HOWTOs.
3. I often want to do quick allow/block-list updates. Where would you suggest doing that?
4. I have to go to /var/log for details on alerts. I know about the view option in the alerts tab (which shows up as an edit icon) but I'm not seeing priority, and it misses other information like the dns query target (rrname) which is in eve.log
«
Last Edit: December 24, 2021, 03:29:06 am by opnfwforumuser
»
Logged
pankaj
Full Member
Posts: 117
Karma: 5
Re: Migrating from pfsense IDS to opnsense
«
Reply #1 on:
December 31, 2021, 02:16:16 am »
For #2 you might find this video useful -
https://www.youtube.com/watch?v=_yIq3GM4gjA
It is somewhat dated but explains the process really well.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Migrating from pfsense IDS to opnsense