I’m using Suricata on an OPNsense machine at home and, after reviewing the alerts, realized that my Synology NAS is hardcoded to make calls to the QuickConnect.to domain for user convenience.
In my intrusion detection rules the .to TLD is blocked, and hence the alert was generated. It was quite insightful to even know what my NAS is doing!
But these alerts are still clogging the UI in OPNsense. Is there a way to enforce a policy that will either not log these alerts or just drop them from the UI?
The first (suppress) will not generate an alert for the rule 2802104 for IP 192.168.0.54 at all.
The second (threshold) will only generate an alert for rule 2013504 at most once per ten minutes per IP.
You would place these lines in your threshold.config. Not sure if the OPNsense GUI has a straightforward way to do that or whether you need to dive into the CLI.
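As an added illustration, not the original answer's own lines (which did not survive on this page), here is what the two entries described above look like in Suricata's threshold.config syntax. The rule IDs, the NAS address and the ten-minute window are taken from the answer; gen_id 1 is the generator ID of ordinary signature rules, and the bracketed address list at the end is Suricata's documented form rather than anything the answer mentioned.

```conf
# Added example of Suricata threshold.config entries (not the answer's lines).
# gen_id 1 = ordinary signature rules; sig_id = the SID shown in the alert.

# Suppress: SID 2802104 is never alerted (and never logged, not even to
# eve.json) when 192.168.0.54 is the source. The NAS initiates the
# QuickConnect call, so it is the source; for a rule that fires on the
# reply direction you would use "track by_dst" instead.
suppress gen_id 1, sig_id 2802104, track by_src, ip 192.168.0.54

# Threshold: SID 2013504 is alerted at most once per source IP per 600 s.
# "type limit" keeps the first hit in each window and drops the rest;
# "type threshold" would instead alert only after "count" hits.
threshold gen_id 1, sig_id 2013504, type limit, track by_src, count 1, seconds 600

# The ip field of a suppress entry also accepts a CIDR, a negation, or a list:
# suppress gen_id 1, sig_id 2802104, track by_src, ip [192.168.0.54, 192.168.0.0/24]
```

Suricata reads threshold.config at startup, so restart (or at least reload) the IDS service after editing it. Before restarting, `suricata -T -c <path-to-suricata.yaml>` runs Suricata in test mode and reports a syntax error in the threshold file without starting the engine; on OPNsense the yaml sits under the same /usr/local/etc/suricata directory as the threshold file, but check the path on your box. Two things worth checking afterwards: that the suppressed SID really stops appearing in eve.json rather than only in the GUI, and that the edit survives the next reconfigure from the GUI, since OPNsense generates parts of its Suricata configuration from templates and a hand-edited file may be overwritten. Prefer threshold over suppress when you still want one record of the behaviour; suppress removes the evidence entirely, which is what you want for known-good NAS traffic but not for anything you might later need to investigate.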
I did find the threshold.conf file on OPNsense at /usr/local/etc/suricata.
This is working for me and I see a lot fewer entries causing noise in the alerts!