diff --git a/salt/common/files/log-rotate.conf b/salt/common/files/log-rotate.conf
index 35c6fd724..1d04c4bb3 100644
--- a/salt/common/files/log-rotate.conf
+++ b/salt/common/files/log-rotate.conf
@@ -23,6 +23,7 @@
 /opt/so/log/salt/minion
 /opt/so/log/salt/master
 /opt/so/log/logscan/*.log
+/nsm/idh/*.log
 {
 {{ logrotate_conf | indent(width=4) }}
 }
diff --git a/salt/idh/defaults/http.defaults.yaml b/salt/idh/defaults/http.defaults.yaml
index 9e6268fc6..2b6a9fe8e 100644
--- a/salt/idh/defaults/http.defaults.yaml
+++ b/salt/idh/defaults/http.defaults.yaml
@@ -4,7 +4,7 @@ idh:
 http.banner: Apache/2.2.34 (Ubuntu)
 http.enabled: true
 http.port: 80
- http.skin: basicLogin
+ http.skin: nasLogin
 http.skin.list:
 - desc: Plain HTML Login
 name: basicLogin
diff --git a/salt/idh/plays/idh_ftp.yml b/salt/idh/plays/idh_ftp.yml
index 4da18b204..09480ef75 100644
--- a/salt/idh/plays/idh_ftp.yml
+++ b/salt/idh/plays/idh_ftp.yml
@@ -13,7 +13,10 @@ detection:
 selection:
 logtype:
 - 2000
- condition: selection
+ custom_filter:
+ source.ip:
+ - x.x.x.x
+ condition: selection #and not custom_filter
 falsepositives:
 - None
 fields:
diff --git a/salt/idh/plays/idh_git.yml b/salt/idh/plays/idh_git.yml
index b972f6fdd..569741818 100644
--- a/salt/idh/plays/idh_git.yml
+++ b/salt/idh/plays/idh_git.yml
@@ -13,7 +13,10 @@ detection:
 selection:
 logtype:
 - 16001
- condition: selection
+ custom_filter:
+ source.ip:
+ - x.x.x.x
+ condition: selection #and not custom_filter
 falsepositives:
 - None
 fields:
diff --git a/salt/idh/plays/idh_http.yml b/salt/idh/plays/idh_http_get.yml
similarity index 77%
rename from salt/idh/plays/idh_http.yml
rename to salt/idh/plays/idh_http_get.yml
index 2dd9377b0..6a5586fc2 100644
--- a/salt/idh/plays/idh_http.yml
+++ b/salt/idh/plays/idh_http_get.yml
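Review bot: The new default `http.skin: nasLogin` is only meaningful if `http.skin.list` carries an entry with that name, and the hunk shows only the `basicLogin` item before it cuts off, so the rest of the list is outside this view; please confirm an item with `name: nasLogin` exists or is added in the same change, since a default absent from the list would presumably be rejected or fall back in whatever way the consumer handles unknown skins. The setup wizard's preset label was renamed to "Linux Webserver (NAS Skin)" in setup/so-whiptail in this same commit, so the two are now coupled without anything recording it. A comment above the key such as `# Must name an entry in http.skin.list below; the "Linux Webserver (NAS Skin)" setup preset relies on this default` would make the dependency visible to the next editor.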
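Review bot: The added `custom_filter` block ships with the placeholder `x.x.x.x` under `source.ip`, and `condition: selection #and not custom_filter` keeps it disabled only by a trailing comment, so nothing in the file tells an operator that the block is an inactive template or what enabling it does. Because these rules fire on any interaction with the honeypot, every address placed in this list becomes a deliberate detection blind spot (for example an authorised vulnerability scanner or a management host), and if `source.ip` is an ip-typed field the literal `x.x.x.x` would likely be rejected by the backend once the condition is uncommented, so the placeholder must be replaced before the filter is relied on. Suggest a comment above `custom_filter:` such as `# Optional exclusion list for known-benign sources; replace x.x.x.x with real addresses and change the condition to "selection and not custom_filter" to enable it`. The identical block is added in idh_git, idh_http_get, idh_http_login, idh_httpproxy, idh_mssql, idh_mysql, idh_ntp, idh_redis, idh_sip, idh_smb, idh_snmp, idh_ssh, idh_telnet, idh_tftp and idh_vnc, so the comment belongs in each; the enclosing `detection:` mapping starts above this hunk.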
@@ -1,7 +1,7 @@
 title: SO IDH - HTTP Accessed
 id: 34300b04-3350-4f4b-bf8c-9bfbfdc9914f
 status: experimental
-description: Detects when the HTTP service on a SO IDH node has had a Get request (logtype 3000), or a login attempt (logtype 3001).
+description: Detects when the HTTP service on a SO IDH node has had a Get request.
 author: Security Onion Solutions
 license: MIT
 references:
@@ -12,9 +12,11 @@ logsource:
 detection:
 selection:
 logtype:
- - 3000 #Get request
- - 3001 #Login attempt
- condition: selection
+ - 3000
+ custom_filter:
+ source.ip:
+ - x.x.x.x
+ condition: selection #and not custom_filter
 falsepositives:
 - None
 fields:
diff --git a/salt/idh/plays/idh_http_login.yml b/salt/idh/plays/idh_http_login.yml
new file mode 100644
index 000000000..795372844
--- /dev/null
+++ b/salt/idh/plays/idh_http_login.yml
@@ -0,0 +1,24 @@
+title: SO IDH - HTTP Login Attempt
+id: 19449e62-93fa-40bd-8d0a-2564535d3652
+status: experimental
+description: Detects when the HTTP service on a SO IDH node has had a login attempt.
+author: Security Onion Solutions
+license: MIT
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+ product: opencanary
+detection:
+ selection:
+ logtype:
+ - 3001
+ custom_filter:
+ source.ip:
+ - x.x.x.x
+ condition: selection #and not custom_filter
+falsepositives:
+ - None
+fields:
+ - source.ip
+level: critical
\ No newline at end of file
diff --git a/salt/idh/plays/idh_httpproxy.yml b/salt/idh/plays/idh_httpproxy.yml
index a5af69304..1321f2067 100644
--- a/salt/idh/plays/idh_httpproxy.yml
+++ b/salt/idh/plays/idh_httpproxy.yml
@@ -13,7 +13,10 @@ detection:
 selection:
 logtype:
 - 7001
- condition: selection
+ custom_filter:
+ source.ip:
+ - x.x.x.x
+ condition: selection #and not custom_filter
 falsepositives:
 - None
 fields:
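Review bot: The new idh_http_login.yml ends without a trailing newline (`\ No newline at end of file`), which will surface as noise in the next diff that touches the last line; add one after `level: critical`. The split also dropped the inline labels the old idh_http.yml carried on its logtypes, so `- 3001` no longer says what it matches — restoring `- 3001 # Login attempt` here, and `- 3000 # Get request` in idh_http_get.yml, keeps the numeric code readable without opening the referenced logger.py. The `custom_filter` block in this file is the same inactive `x.x.x.x` placeholder template added to the other play files and should carry the same explanatory comment before anyone enables it.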
diff --git a/salt/idh/plays/idh_mssql.yml b/salt/idh/plays/idh_mssql.yml
index 728d61b04..8ff832bba 100644
--- a/salt/idh/plays/idh_mssql.yml
+++ b/salt/idh/plays/idh_mssql.yml
@@ -14,7 +14,10 @@ detection:
 logtype:
 - 9001 #SQL Auth
 - 9002 #Windows Auth
- condition: selection
+ custom_filter:
+ source.ip:
+ - x.x.x.x
+ condition: selection #and not custom_filter
 falsepositives:
 - None
 fields:
diff --git a/salt/idh/plays/idh_mysql.yml b/salt/idh/plays/idh_mysql.yml
index 085b2c293..492e7409d 100644
--- a/salt/idh/plays/idh_mysql.yml
+++ b/salt/idh/plays/idh_mysql.yml
@@ -13,7 +13,10 @@ detection:
 selection:
 logtype:
 - 8001
- condition: selection
+ custom_filter:
+ source.ip:
+ - x.x.x.x
+ condition: selection #and not custom_filter
 falsepositives:
 - None
 fields:
diff --git a/salt/idh/plays/idh_ntp.yml b/salt/idh/plays/idh_ntp.yml
index eb9b7d1f9..8b54771d4 100644
--- a/salt/idh/plays/idh_ntp.yml
+++ b/salt/idh/plays/idh_ntp.yml
@@ -13,7 +13,10 @@ detection:
 selection:
 logtype:
 - 11001
- condition: selection
+ custom_filter:
+ source.ip:
+ - x.x.x.x
+ condition: selection #and not custom_filter
 falsepositives:
 - None
 fields:
diff --git a/salt/idh/plays/idh_redis.yml b/salt/idh/plays/idh_redis.yml
index 2746c9514..034752912 100644
--- a/salt/idh/plays/idh_redis.yml
+++ b/salt/idh/plays/idh_redis.yml
@@ -13,7 +13,10 @@ detection:
 selection:
 logtype:
 - 17001
- condition: selection
+ custom_filter:
+ source.ip:
+ - x.x.x.x
+ condition: selection #and not custom_filter
 falsepositives:
 - None
 fields:
diff --git a/salt/idh/plays/idh_sip.yml b/salt/idh/plays/idh_sip.yml
index 1d3c2ea6f..c9a1b4bb0 100644
--- a/salt/idh/plays/idh_sip.yml
+++ b/salt/idh/plays/idh_sip.yml
@@ -13,7 +13,10 @@ detection:
 selection:
 logtype:
 - 15001
- condition: selection
+ custom_filter:
+ source.ip:
+ - x.x.x.x
+ condition: selection #and not custom_filter
 falsepositives:
 - None
 fields:
diff --git a/salt/idh/plays/idh_smb.yml b/salt/idh/plays/idh_smb.yml
index 5b9e8b8c6..96110cc42 100644
--- a/salt/idh/plays/idh_smb.yml
+++ b/salt/idh/plays/idh_smb.yml
@@ -13,7 +13,10 @@ detection:
 selection:
 logtype:
 - 5000
- condition: selection
+ custom_filter:
+ source.ip:
+ - x.x.x.x
+ condition: selection #and not custom_filter
 falsepositives:
 - None
 fields:
diff --git a/salt/idh/plays/idh_snmp.yml b/salt/idh/plays/idh_snmp.yml
index 4c61b110d..e6d39425e 100644
--- a/salt/idh/plays/idh_snmp.yml
+++ b/salt/idh/plays/idh_snmp.yml
@@ -13,7 +13,10 @@ detection:
 selection:
 logtype:
 - 13001
- condition: selection
+ custom_filter:
+ source.ip:
+ - x.x.x.x
+ condition: selection #and not custom_filter
 falsepositives:
 - None
 fields:
diff --git a/salt/idh/plays/idh_ssh.yml b/salt/idh/plays/idh_ssh.yml
index 87f1af144..be4b6bd2f 100644
--- a/salt/idh/plays/idh_ssh.yml
+++ b/salt/idh/plays/idh_ssh.yml
@@ -15,7 +15,10 @@ detection:
 - 4000
 - 4001
 - 4002
- condition: selection
+ custom_filter:
+ source.ip:
+ - x.x.x.x
+ condition: selection #and not custom_filter
 falsepositives:
 - None
 fields:
diff --git a/salt/idh/plays/idh_telnet.yml b/salt/idh/plays/idh_telnet.yml
index c1f490c72..5c91ac1e9 100644
--- a/salt/idh/plays/idh_telnet.yml
+++ b/salt/idh/plays/idh_telnet.yml
@@ -13,7 +13,10 @@ detection:
 selection:
 logtype:
 - 6001
- condition: selection
+ custom_filter:
+ source.ip:
+ - x.x.x.x
+ condition: selection #and not custom_filter
 falsepositives:
 - None
 fields:
diff --git a/salt/idh/plays/idh_tftp.yml b/salt/idh/plays/idh_tftp.yml
index aa68d6c87..a7ce4bdbc 100644
--- a/salt/idh/plays/idh_tftp.yml
+++ b/salt/idh/plays/idh_tftp.yml
@@ -13,7 +13,10 @@ detection:
 selection:
 logtype:
 - 10001
- condition: selection
+ custom_filter:
+ source.ip:
+ - x.x.x.x
+ condition: selection #and not custom_filter
 falsepositives:
 - None
 fields:
diff --git a/salt/idh/plays/idh_vnc.yml b/salt/idh/plays/idh_vnc.yml
index e26f3fc8a..ee840a4d3 100644
--- a/salt/idh/plays/idh_vnc.yml
+++ b/salt/idh/plays/idh_vnc.yml
@@ -13,7 +13,10 @@ detection:
 selection:
 logtype:
 - 12001
- condition: selection
+ custom_filter:
+ source.ip:
+ - x.x.x.x
+ condition: selection #and not custom_filter
 falsepositives:
 - None
 fields:
diff --git a/setup/so-functions b/setup/so-functions
index 91244a7cc..4c393cabf 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -451,7 +451,7 @@ collect_idh_services() {
 whiptail_idh_services
 case "$idh_services" in
- 'Linux Webserver')
+ 'Linux Webserver (NAS Skin)')
 idh_services=("HTTP" "FTP" "SSH")
 ;;
 'MySQL Server')
diff --git a/setup/so-whiptail b/setup/so-whiptail
index b993ca471..6e06c85ba 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -732,10 +732,10 @@ whiptail_idh_services() {
 idh_services=$(whiptail --title "$whiptail_title" --radiolist \
 "\nThe IDH node can mimic many different services.\n\nChoose one of the common options along with their default ports (TCP) or select the Custom option to build a customized set of services." 20 75 5 \
- "Linux Webserver" "Apache (80), FTP (21), SSH (22)" ON \
+ "Linux Webserver (NAS Skin)" "Apache (80), FTP (21), SSH (22)" ON \
 "MySQL Server" "MySQL (3306), SSH (22)" OFF \
 "MSSQL Server" "Microsoft SQL (1433), VNC (5900)" OFF \
- "Custom" "Select a custom set of services on next screen" OFF 3>&1 1>&2 2>&3 )
+ "Custom" "Select a custom set of services" OFF 3>&1 1>&2 2>&3 )
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
@@ -1784,6 +1784,8 @@ whiptail_setup_complete() {
 local sentence_prefix="Run so-allow after reboot to access"
 fi
 local accessMessage="\n${sentence_prefix} the web interface at: https://${REDIRECTIT}\n"
+ elif [[ $is_idh ]]; then
+ local accessMessage="SSH for this node has been moved to TCP/2222, accessible only from the Manager node."
 else
 local accessMessage=""
 fi
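Review bot: The case label `'Linux Webserver (NAS Skin)')` is matched by exact string against the radiolist tag defined in whiptail_idh_services in setup/so-whiptail, so the two literals must stay byte-identical; the commit updates both, but nothing records the coupling, and a future edit to one of them would silently send the selection to whichever branch handles unmatched input (the rest of the `case` is outside this hunk). Suggest a comment above the `case` line such as `# Labels must exactly match the radiolist tags in whiptail_idh_services (setup/so-whiptail)`, or better, one shared variable that both scripts read so the string exists in a single place. collect_idh_services continues past the end of this hunk.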
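Review bot: The new `elif [[ $is_idh ]]; then` branch is true for any non-empty value, so if `is_idh` is ever assigned a literal such as `no` or `false` elsewhere in setup the IDH message would be shown for a non-IDH node; how `is_idh` is set is not visible from this hunk, so this is fine if it is only ever empty or set to a single truthy value, otherwise compare it explicitly against the value the setter uses. The new message also omits the leading `\n` that the web-interface branch starts with, so the completion dialog spacing may differ between node types; `local accessMessage="\nSSH for this node has been moved to TCP/2222, accessible only from the Manager node.\n"` would keep the two branches aligned. whiptail_setup_complete begins and ends outside this hunk.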