I currently have two WAN connections, which we'll call Primary and Backup. I only use the Backup connection in the event the Primary is down, since the Backup is metered LTE. I've been using Suricata for however long I've been on OPNsense, maybe a year now. It's been just fine, or so I thought. Today I powered down the modem for my Primary connection temporarily for maintenance. During that time (about 45 min) I got over 400 IPS/IDS alerts. I typically get maybe 1 or 2 alerts every week(ish). It looks to me like, even though I only have a single policy with both WAN interfaces selected, it may only be monitoring my Backup connection.
Edit: Wanted to say these were all false positives from internal traffic traversing the external interfaces. So I'm not worried about that; it just needs tuning. However, the fact that this same traffic wasn't detected on the Primary interface makes me think it's broken or misconfigured somehow.
Anyone have any thoughts on what is going on?
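One way to check which interface Suricata is actually alerting on is to group the alerts in its eve.json log by the `in_iface` field. This is an added example, not code from the poster or from OPNsense; the interface names `igb0`/`igb1`, the sample records and the log path are constructed placeholders.

```python
"""Count Suricata eve.json alerts per ingress interface to spot a silent WAN."""
import json
import sys
from collections import Counter

# Constructed eve.json records (not from the original post). igb0 stands for
# the Primary WAN and igb1 for the Backup WAN; note igb0 produces no alerts.
SAMPLE_EVE = """
{"event_type":"alert","in_iface":"igb1","src_ip":"192.168.1.20","dest_ip":"203.0.113.5","alert":{"signature":"ET POLICY example"}}
{"event_type":"flow","in_iface":"igb0","src_ip":"192.168.1.30","dest_ip":"203.0.113.9"}
{"event_type":"alert","in_iface":"igb1","src_ip":"192.168.1.21","dest_ip":"203.0.113.6","alert":{"signature":"ET POLICY example"}}
{"event_type":"alert","in_iface":"igb1","src_ip":"192.168.1.22","dest_ip":"203.0.113.7","alert":{"signature":"ET POLICY example"}}
this line is not json and is skipped
"""


def alerts_per_interface(lines):
    """Return a Counter of alert events keyed by Suricata's in_iface field."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json is one record per line; skip damaged lines
        if event.get("event_type") != "alert":
            continue  # ignore flow/stats/dns records
        counts[event.get("in_iface", "unknown")] += 1
    return counts


def silent_interfaces(counts, expected):
    """Interfaces in `expected` that logged zero alerts over the sample window.

    An expected WAN with no alerts while the other one is noisy is the
    symptom to investigate (policy not applied, wrong interface binding).
    """
    return sorted(iface for iface in expected if counts.get(iface, 0) == 0)


if __name__ == "__main__":
    # Assumed default path on OPNsense; override with a file argument.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    lines = open(path).readlines() if path else SAMPLE_EVE.splitlines()
    per_iface = alerts_per_interface(lines)
    print("alerts per interface:", dict(per_iface))
    print("expected interfaces with no alerts:", silent_interfaces(per_iface, ["igb0", "igb1"]))
```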