OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: marcus on August 26, 2025, 08:35:10 PM

Title: What is the proper way to verify that Suricata is ready to inspect traffic?
Post by: marcus on August 26, 2025, 08:35:10 PM
I'm trying to make sure that my test processes are being conducted correctly.

I've been monitoring the suricata process with top from a root shell and I've noticed that it is still quite busy after the Web UI has shown things like saving or applying settings has completed, or after the box beeps the speaker to signal that it's finished booting.

I've had no luck finding an answer to this with a web search.

Is the log file a reliable indicator?

Thanks -

Title: Re: What is the proper way to verify that Suricata is ready to inspect traffic?
Post by: someone on September 30, 2025, 02:52:59 AM
Yes, the logs are good.
Then verify Suricata is working.
Under user-defined rules, make a rule:
Source 1.1.1.1 or 8.8.8.8, whichever one you don't use in DNS
Action: drop
Save or apply.
Wait till it finishes by checking the log that rules are completed,
or about 5 minutes.
Ping 1.1.1.1 or 8.8.8.8 from a terminal, Ctrl-C to stop.
Check alerts, check log.
Should see it dropped.
Delete rule.
Save or apply.
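The two checks described in this thread (read suricata.log for the rule-load and engine-start notices, then confirm that the test ping shows up as a dropped alert) can be scripted. The following Python is an added example, not code from either poster or from the OPNsense project; the log and eve.json lines are constructed samples whose wording mirrors typical Suricata output but is an assumption here, as are the log paths and the test signature id.

```python
import json
import re

# Constructed sample of /var/log/suricata/suricata.log (not from the thread).
# Message wording is modelled on Suricata's usual notices; treat it as an assumption.
SURICATA_LOG = """\
26/8/2025 -- 20:30:01 - <Info> - Loading rule file: /usr/local/etc/suricata/rules/custom.rules
26/8/2025 -- 20:30:44 - <Info> - 1 rule files processed. 1 rules successfully loaded, 0 rules failed
26/8/2025 -- 20:30:45 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
"""

# Constructed sample of /var/log/suricata/eve.json during the ping test.
# The first record is an IPS drop; the third shows what an IDS-only alert looks like
# (action "allowed"): the rule fired, but nothing was blocked.
EVE_JSON = """\
{"timestamp":"2025-08-26T20:36:10.123456+0200","event_type":"alert","src_ip":"192.168.1.10","dest_ip":"1.1.1.1","proto":"ICMP","alert":{"action":"blocked","signature_id":9000001,"rev":1,"signature":"test drop 1.1.1.1","severity":3}}
{"timestamp":"2025-08-26T20:36:11.123456+0200","event_type":"flow","src_ip":"192.168.1.10","dest_ip":"8.8.8.8","proto":"ICMP"}
{"timestamp":"2025-08-26T20:36:12.123456+0200","event_type":"alert","src_ip":"192.168.1.10","dest_ip":"1.1.1.1","proto":"ICMP","alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"test drop 1.1.1.1","severity":3}}
"""

RULES_RE = re.compile(r"(?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed")
READY_RE = re.compile(
    r"^(?P<ts>\S+ -- \S+) - <Notice> - all (?P<threads>\d+) packet processing threads.*engine started\.$"
)


def engine_ready(log_text):
    """Return (timestamp, threads, rules_loaded, rules_failed) once the log shows
    rules loaded AND the engine-started notice, otherwise None.

    Order matters: an 'engine started' line that predates the latest rule load
    (e.g. from before an apply) must not count, so the rule summary is required first.
    """
    loaded = failed = None
    for line in log_text.splitlines():
        m = RULES_RE.search(line)
        if m:
            loaded, failed = int(m["loaded"]), int(m["failed"])
        m = READY_RE.match(line)
        if m and loaded is not None:
            return (m["ts"], int(m["threads"]), loaded, failed)
    return None


def drop_alerts(eve_text, dest_ip):
    """Return alert records for dest_ip whose action is 'blocked' (an actual drop)."""
    hits = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json is appended incrementally; skip a half-written line
        if ev.get("event_type") != "alert" or ev.get("dest_ip") != dest_ip:
            continue
        if ev.get("alert", {}).get("action") == "blocked":
            hits.append(ev)
    return hits


def verify(log_text, eve_text, dest_ip):
    """Combine both checks into one verdict string."""
    ready = engine_ready(log_text)
    if ready is None:
        return "not ready: no engine-started notice after the rule load"
    ts, threads, loaded, failed = ready
    if failed:
        return f"ready at {ts} but {failed} rule(s) failed to load; check the rule syntax"
    hits = drop_alerts(eve_text, dest_ip)
    if not hits:
        return f"ready at {ts} ({threads} threads, {loaded} rules) but no blocked alert for {dest_ip}; check IPS mode"
    return f"ok: engine started {ts}, {len(hits)} drop(s) of traffic to {dest_ip} logged"


if __name__ == "__main__":
    # On a live box, read the real files instead of the constructed samples above.
    print(verify(SURICATA_LOG, EVE_JSON, "1.1.1.1"))
```

The "allowed" record is the case to watch for: if alerts appear but none carry action "blocked", Suricata is running in IDS (alert-only) mode rather than IPS, and the ping will succeed even though the rule matched.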