How to filter alerts to show things that weren't "action: allowed"

[adfh]

Hey folks,

Relatively new user to OPNsense + Suricata/IDS. Previously had an Asus router running third party firmware, so have come across from the Linux side of the force, to BSD with this.

If I go to:
Services -> Intrusion Detection -> Alerts
... I can see the most recent events, and there's a search box.

One of the columns is "Action", and the vast bulk of entries I see are "Allowed". I wondered if there was a way to filter this list to show me what has been acted upon in some way besides "Allowed"?

[Greg_E]

If you search "blocked" it will show you the blocks only.

[adfh]

Thanks, I'll give that a go ... wasn't sure if there were other actions besides "Allowed", and if it had field specific search I should use.

[adfh]

I've searched for blocked and found nothing. Is it statistically likely my LAN interface'd have no blocked traffic, or do I perhaps need to consider what's enabled, rule wise (I have defaults atm).

[Greg_E]

Do you have any firewall ports open to the internet? If not, then what you are seeing is normal.

Also how many rules are set to block? If none, then you are still normal. And if you changed any to block, did you go back to the rules install page and hit the apply button?

[someone]

I am a newb but
If you are running in IDS mode and not IPS then all you will get is alerts, and allowed
For drops and blocks you have to run IPS mode