IDS alert logs [Solved]

Started by pankaj, December 28, 2021, 06:19:33 AM

December 28, 2021, 06:19:33 AM Last Edit: January 02, 2022, 03:26:15 AM by pankaj
Hi,

While viewing the alerts for IDS, I am trying to exclude one IP address (192.168.10.8) from the displayed entries. It is my understanding that the filter text box in the top right-hand corner supports regex, so I tried using the following combinations:


  • [^192.168.10.8]
  • /^(?!.*192.168.10.8 ).*/

But neither of these worked properly. Is there anything wrong with the regex above?

Hi
imho regex is not supported on this filter.
It is sanitized with
preg_replace("/[^0-9,a-z,A-Z, ,*,\-,_,.,\#]/", "", $value);
at the backend, which then adds wildcards to the search string.
So you actually have *192.168.10.8* instead of [^192.168.10.8]
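To see why both attempts fail, here is an added Python re-creation of the sanitizer quoted above (this is not the OPNsense code itself; it assumes the backend then does a plain glob-style *text* match, which the reply describes but the page does not show):

```python
import re
from fnmatch import fnmatchcase

# Python equivalent of the backend's preg_replace character class:
# everything outside this set is stripped. The class lists allowed
# characters, so ',' and '#' pass through, while '[', ']', '^', '(',
# ')', '?', '!' and '/' are removed, which is what defeats regex syntax.
_NOT_ALLOWED = re.compile(r"[^0-9,a-z,A-Z, ,*,\-,_,.,#]")


def sanitize(value: str) -> str:
    """Strip every character the IDS filter box does not accept."""
    return _NOT_ALLOWED.sub("", value)


def to_search_pattern(value: str) -> str:
    """Wrap the sanitized text in wildcards, as the reply describes.
    Assumption: the backend performs a glob-style '*text*' match; the
    exact matching code is not shown in the thread."""
    return "*" + sanitize(value) + "*"


def filter_alerts(alerts, value):
    """Return the alerts whose text matches the wildcard pattern (case-insensitive)."""
    pattern = to_search_pattern(value).lower()
    return [a for a in alerts if fnmatchcase(a.lower(), pattern)]


# Constructed sample alert rows for illustration, not real IDS output.
SAMPLE_ALERTS = [
    "ET SCAN Nmap Scripting Engine 192.168.10.8 -> 10.0.0.5",
    "ET POLICY curl User-Agent 10.0.0.7 -> 203.0.113.9",
    "GPL ICMP_INFO PING 10.0.0.3 -> 192.168.10.8",
]

if __name__ == "__main__":
    # The negated class becomes a plain substring match that *includes* the
    # host; the lookahead becomes a literal string that matches nothing.
    for attempt in ("[^192.168.10.8]", "/^(?!.*192.168.10.8 ).*/"):
        print(repr(attempt), "->", repr(to_search_pattern(attempt)))
        print("  matched:", filter_alerts(SAMPLE_ALERTS, attempt))
```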


So is there a way to filter the displayed entries on the alerts tab?

Or is there a log file that I can tail from the command line and use regex on?

As per Suricata team there are ways to suppress false positives - https://forum.suricata.io/t/suppress-alerts-around-known-false-positive/1919/2

But I am unable to figure out how to implement this in OPNsense.

https://imgur.com/a/cmQ3Vm7

Not in the GUI imho.
I think "threshold-file:" is not enabled by default,
but you can try to add a "threshold-file" directive to the /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml file pointing to your thresholds config file.

January 02, 2022, 03:09:04 AM #6 Last Edit: January 02, 2022, 03:25:56 AM by pankaj
I found the actual threshold.conf file at /usr/local/etc/suricata

and it follows the same syntax the Suricata team suggested!

Thanks for your pointers!