OPNsense Suricata with policies?

Longshot question… Anyone really know what they are doing with OPNsense IDPS and the policies rules? (Suricata version 7.0.3)

I can’t seem to get my head around why it isn’t dropping connections like my pfSense used to drop things. Documentation on this “new” way of handling Suricata is lacking in the 4 books that I have on the subject. Most things people have are from 21.x, which doesn’t use the policies. The few videos on the subject just gloss over all these details. Even the Suricata user guide doesn’t touch on this, which makes me think it is an OPNsense thing. I have a post on their forums, no answers after about a week. Seems like it’s black magic and only certain people are allowed to understand and not willing to pass the info on.

And yes, I know that it won’t catch everything with encryption, blah, blah… It still catches a bunch of different types of probes and attacks. Layers of an onion and all that, it costs nothing but electricity to sit out front and block whatever it can block and leave the rest for the next layer.