Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
How to filter alerts to show things that weren't "action: allowed"
« previous
next »
Print
Pages: [
1
]
Author
Topic: How to filter alerts to show things that weren't "action: allowed" (Read 1273 times)
adfh
Newbie
Posts: 3
Karma: 0
How to filter alerts to show things that weren't "action: allowed"
«
on:
May 26, 2024, 07:58:06 am »
Hey folks,
Relatively new user to OPNsense + Suricata/IDS. Previously had an Asus router running third party firmware, so have come across from the Linux side of the force, to BSD with this.
If I go to:
Services -> Intrusion Detection -> Alerts
... I can see the most recent events, and there's a search box.
One of the columns is "Action", and the vast bulk of entries I see are "Allowed". I wondered if there was a way to filter this list to show me what has been acted upon in some way besides "Allowed"?
Logged
Greg_E
Sr. Member
Posts: 342
Karma: 19
Re: How to filter alerts to show things that weren't "action: allowed"
«
Reply #1 on:
May 28, 2024, 03:47:04 pm »
If you search "blocked" it will show you the blocks only.
Logged
adfh
Newbie
Posts: 3
Karma: 0
Re: How to filter alerts to show things that weren't "action: allowed"
«
Reply #2 on:
May 29, 2024, 11:22:12 am »
Thanks, I'll give that a go
... wasn't sure if there were other actions besides "Allowed", and if it had field specific search I should use.
Logged
adfh
Newbie
Posts: 3
Karma: 0
Re: How to filter alerts to show things that weren't "action: allowed"
«
Reply #3 on:
May 29, 2024, 11:23:44 am »
I've searched for blocked and found nothing. Is it statistically likely my LAN interface'd have no blocked traffic, or do I perhaps need to consider what's enabled, rule wise (I have defaults atm).
Logged
Greg_E
Sr. Member
Posts: 342
Karma: 19
Re: How to filter alerts to show things that weren't "action: allowed"
«
Reply #4 on:
May 29, 2024, 03:20:13 pm »
Do you have any firewall ports open to the internet? If not, then what you are seeing is normal.
Also how many rules are set to block? If none, then you are still normal. And if you changed any to block, did you go back to the rules install page and hit the apply button?
Logged
someone
Full Member
Posts: 115
Karma: 2
Re: How to filter alerts to show things that weren't "action: allowed"
«
Reply #5 on:
June 08, 2024, 11:40:19 pm »
I am a newb but
If you are running in IDS mode and not IPS then all you will get is alerts, and allowed
For drops and blocks you have to run IPS mode
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
How to filter alerts to show things that weren't "action: allowed"