How to filter alerts to show things that weren't "action: allowed"

Started by adfh, May 26, 2024, 07:58:06 AM

Hey folks,

Relatively new user to OPNsense + Suricata/IDS. Previously had an Asus router running third party firmware, so have come across from the Linux side of the force, to BSD with this.

If I go to:
Services -> Intrusion Detection -> Alerts
... I can see the most recent events, and there's a search box.

One of the columns is "Action", and the vast bulk of entries I see are "Allowed". I wondered if there was a way to filter this list to show me what has been acted upon in some way besides "Allowed"?

If you search "blocked" it will show you the blocks only.

Thanks, I'll give that a go :) ... wasn't sure if there were other actions besides "Allowed", and if it had field specific search I should use.

I've searched for blocked and found nothing. Is it statistically likely my LAN interface would have no blocked traffic, or do I perhaps need to consider what's enabled, rule-wise (I have defaults atm)?

Do you have any firewall ports open to the internet? If not, then what you are seeing is normal.

Also how many rules are set to block? If none, then you are still normal. And if you changed any to block, did you go back to the rules install page and hit the apply button?

I am a newb, but if you are running in IDS mode and not IPS, then all you will get is alerts, and "allowed". For drops and blocks you have to run IPS mode.
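As an added example (not from anyone in this thread or from the OPNsense project), here is a small Python filter over Suricata's EVE JSON log, which is where OPNsense's alert view gets its "Action" column from: it keeps only alerts whose action is not "allowed" and counts actions so you can see at a glance whether the sensor is only alerting (IDS mode) or also blocking (IPS mode). The three log lines are constructed, with made-up signature IDs, and the eve.json path is an assumption.

```python
import json
import sys
from collections import Counter

# Constructed sample EVE lines (not real traffic); Suricata writes one JSON object per line.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-05-26T07:58:06.000000+0000","event_type":"alert","src_ip":"192.0.2.10",'
    '"dest_ip":"198.51.100.5","alert":{"action":"allowed","signature_id":1000001,'
    '"signature":"CONSTRUCTED test signature A","severity":2}}',
    '{"timestamp":"2024-05-26T07:58:07.000000+0000","event_type":"alert","src_ip":"192.0.2.11",'
    '"dest_ip":"198.51.100.6","alert":{"action":"blocked","signature_id":1000002,'
    '"signature":"CONSTRUCTED test signature B","severity":1}}',
    '{"timestamp":"2024-05-26T07:58:08.000000+0000","event_type":"flow","src_ip":"192.0.2.12",'
    '"dest_ip":"198.51.100.7"}',
]

EVE_LOG_PATH = "/var/log/suricata/eve.json"  # assumed location; adjust for your install


def parse_eve(lines):
    """Yield parsed EVE events, skipping blank or malformed lines instead of aborting."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def alerts_not_allowed(events):
    """Return alert events whose Suricata action is anything other than 'allowed'.

    Non-alert event types (flow, dns, ...) carry no 'alert' object and are ignored.
    """
    return [
        e for e in events
        if e.get("event_type") == "alert" and e.get("alert", {}).get("action") != "allowed"
    ]


def action_counts(events):
    """Count alert events per action; only 'allowed' with zero 'blocked' is what IDS mode looks like."""
    return Counter(e["alert"].get("action", "unknown") for e in events if e.get("event_type") == "alert")


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else EVE_LOG_PATH
    with open(path, encoding="utf-8") as fh:
        evs = list(parse_eve(fh))
    print("actions:", dict(action_counts(evs)))
    for e in alerts_not_allowed(evs):
        a = e["alert"]
        print(e["timestamp"], a["action"], e["src_ip"], "->", e["dest_ip"], a["signature_id"], a["signature"])
```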