OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Intrusion Detection and Prevention »
  • Threshold.config does not seem active [Solved]
« previous next »
  • Print
Pages: [1]

Author Topic: Threshold.config does not seem active [Solved]  (Read 2048 times)

pankaj

  • Full Member
  • ***
  • Posts: 117
  • Karma: 5
    • View Profile
Threshold.config does not seem active [Solved]
« on: January 08, 2022, 05:10:48 pm »
Hi,

I am trying to add few threshold limits to reduce the frequency of alerts generated by few rules. On OPNSense, I see following files:

Code: [Select]
root@OPNsense:~ # cd /usr/local/etc/suricata/
root@OPNsense:/usr/local/etc/suricata # ls -a
. rule-policies.config
.. rule-updater.config
classification.config rules
classification.config.sample rules.config
custom.yaml suricata.yaml
installed_rules.yaml suricata.yaml.sample
opnsense.rules threshold.config
reference.config threshold.config.sample
reference.config.sample

Within threshold.config, I placed one line:
Code: [Select]
threshold gen_id 1, sig_id 2027757, type threshold, track by_src, count 1, seconds 300

And restarted IDS  (& OPNSense) as you can see in the alert log below, the rule does not seem to be working as a single host is generating several alerts few seconds part:

https://imgur.com/a/mGwpyTF

If anyone has any idea what I am doing wrong here or missing on something obvious, please let me know.

Thanks.







« Last Edit: January 08, 2022, 07:36:27 pm by pankaj »
Logged

Fright

  • Hero Member
  • *****
  • Posts: 1777
  • Karma: 164
    • View Profile
Re: Threshold.config does not seem active
« Reply #1 on: January 08, 2022, 06:29:27 pm »
Hi
did you try https://forum.opnsense.org/index.php?topic=26144.msg126264#msg126264 ?
(adding "threshold-file" directive to /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml file pointig to your thresholds config file)
Logged

pankaj

  • Full Member
  • ***
  • Posts: 117
  • Karma: 5
    • View Profile
Re: Threshold.config does not seem active
« Reply #2 on: January 08, 2022, 06:37:26 pm »
@Fright thanks!

No I skipped that step and might be the reason for this problem.

The problem seemed solved with following steps:

1. In /usr/local/opnsense/service/templates/OPNsense/IDS, edited custom.yaml file and added:

Code: [Select]
include: threshold.config
2. Stopped Suricata from the UI
3. Watched the logs from command line
Code: [Select]
root@OPNsense:/usr/local/opnsense/service/templates/OPNsense/IDS # /usr/local/etc/rc.d/suricata start
Starting suricata.
8/1/2022 -- 10:29:39 - <Info> - Including configuration file installed_rules.yaml.
8/1/2022 -- 10:29:39 - <Info> - Configuration node 'rule-files' redefined.
8/1/2022 -- 10:29:39 - <Info> - Including configuration file custom.yaml.

The alert logs seems to be holding without any repetitive entries for the rules mentioned in threshold.config.

Thanks  8)
« Last Edit: January 08, 2022, 07:35:57 pm by pankaj »
Logged

Fright

  • Hero Member
  • *****
  • Posts: 1777
  • Karma: 164
    • View Profile
Re: Threshold.config does not seem active [Solved]
« Reply #3 on: January 08, 2022, 08:04:50 pm »
glad it works )
I would just add a
Code: [Select]
threshold-file: /usr/local/etc/suricata/threshold.configto the custom.yaml file and add thresholds to the threshold.config but apparently your method also works  ;)
 
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Intrusion Detection and Prevention »
  • Threshold.config does not seem active [Solved]
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2