OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: sadodosat on October 22, 2025, 11:52:08 AM

Title: IDS only detects attack directed at its IP address, but not other hosts
Post by: sadodosat on October 22, 2025, 11:52:08 AM
I'd like to do a demonstration of the IDS detecting a DoS attack. I'm doing this in a virtualised environment in Proxmox.

I enabled the IDS, downloaded and enabled the relevant ruleset and rules. (I was most interested in the GoldenEye attack, so I replaced the $EXTERNAL_NET any at the beginning of the rule with any any, because I was planning to do the attack from within the local network.) It worked perfectly when I directed the attack at the internal IP address of the OPNsense machine, but it didn't alert when I tried to attack another machine in the local network.

I tried disabling the 3 offload options in the interface settings, then enabling Promiscuous mode and adding my home network address in the settings of the IDS (then removing the other addresses), and putting the LAN interface in Promiscuous mode (in Interfaces > [LAN]). I tested the attack against the target machine after every change to see if I got an alert, but I didn't.

What could be the problem? What can I do to fix it? Thanks for your answers!

Title: Re: IDS only detects attack directed at its IP address, but not other hosts
Post by: Monviech (Cedrik) on October 22, 2025, 11:58:30 AM
Hosts in the same Layer2 Broadcast domain discover each other via ARP and talk to each other directly without using the router.

For this to work, the OPNsense must become a large bridge with one interface per client.
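The two effects in this thread (the rule's $EXTERNAL_NET/$HOME_NET variables, and whether a LAN-to-LAN packet ever reaches the router's interface at all) can be worked through in a few lines. The following is an added example, not code from the thread or from OPNsense/Suricata: it evaluates only the address part of a Suricata rule header against a constructed topology (a single 192.168.1.0/24 LAN, OPNsense at 192.168.1.1, attacker 192.168.1.50, target 192.168.1.60; the rule headers and SIDs are placeholders, not the real GoldenEye rule). The visibility check encodes the point of the reply above: two hosts in one subnet ARP for each other and the switch forwards their frames directly, so the router's IDS sees nothing unless the traffic is forced through it (the bridge described above) or copied to it by a switch mirror port; promiscuous mode and offload settings do not change which frames the switch delivers to the router's port.

```python
import ipaddress
import re

# Constructed topology for the example (not taken from the thread):
# one /24 LAN on the OPNsense LAN interface, attacker and target both on it.
SENSOR_IPS = ["192.168.1.1"]       # OPNsense's own interface addresses
SENSOR_NETS = ["192.168.1.0/24"]   # networks directly attached to OPNsense
HOME_NET = SENSOR_NETS             # what the IDS "Home networks" setting yields as $HOME_NET

# Constructed rule headers in Suricata syntax; the option block is a
# placeholder, not a real ET rule.
RULE_ORIGINAL = 'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed"; sid:1000001; rev:1;)'
RULE_MODIFIED = 'alert http any any -> $HOME_NET any (msg:"constructed"; sid:1000002; rev:1;)'

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)


def parse_header(rule: str) -> dict:
    """Split the action/proto/address/port part of a Suricata rule; options are ignored."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a rule header: {rule!r}")
    return m.groupdict()


def addr_matches(spec: str, ip: str, home_net=HOME_NET) -> bool:
    """Evaluate one Suricata address spec against one IP.

    Handles the subset used here: any, $HOME_NET, $EXTERNAL_NET (Suricata's
    default definition is !$HOME_NET), a literal IP/CIDR, and a leading '!'.
    Bracketed address lists are not supported.
    """
    spec = spec.strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    addr = ipaddress.ip_address(ip)
    in_home = any(addr in ipaddress.ip_network(n) for n in home_net)
    if spec == "any":
        hit = True
    elif spec == "$HOME_NET":
        hit = in_home
    elif spec == "$EXTERNAL_NET":
        hit = not in_home
    else:
        hit = addr in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def header_matches(rule: str, src_ip: str, dst_ip: str, home_net=HOME_NET) -> bool:
    """True if the rule's address part matches a src->dst packet (ports ignored)."""
    h = parse_header(rule)
    fwd = addr_matches(h["src"], src_ip, home_net) and addr_matches(h["dst"], dst_ip, home_net)
    if h["dir"] == "<>":
        rev = addr_matches(h["src"], dst_ip, home_net) and addr_matches(h["dst"], src_ip, home_net)
        return fwd or rev
    return fwd


def sensor_sees_packet(src_ip: str, dst_ip: str,
                       sensor_ips=SENSOR_IPS, sensor_nets=SENSOR_NETS) -> bool:
    """Does a src->dst packet reach an interface of the router running the IDS?

    - addressed to the router itself: yes
    - both hosts in one attached subnet: no; they ARP for each other and the
      switch forwards frames between them, so the router's port never gets them
    - endpoints in different networks, one of them attached here: yes, routed
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if dst in map(ipaddress.ip_address, sensor_ips):
        return True
    nets = [ipaddress.ip_network(n) for n in sensor_nets]
    if any(src in n and dst in n for n in nets):
        return False
    return any(src in n or dst in n for n in nets)


def would_alert(rule: str, src_ip: str, dst_ip: str) -> dict:
    """Combine visibility and header matching into one verdict."""
    seen = sensor_sees_packet(src_ip, dst_ip)
    matched = header_matches(rule, src_ip, dst_ip)
    return {"seen": seen, "header_match": matched, "alert": seen and matched}


if __name__ == "__main__":
    cases = [
        ("LAN attacker -> OPNsense LAN IP, original rule", RULE_ORIGINAL, "192.168.1.50", "192.168.1.1"),
        ("LAN attacker -> OPNsense LAN IP, modified rule", RULE_MODIFIED, "192.168.1.50", "192.168.1.1"),
        ("LAN attacker -> LAN target,      modified rule", RULE_MODIFIED, "192.168.1.50", "192.168.1.60"),
        ("WAN attacker -> LAN target,      original rule", RULE_ORIGINAL, "203.0.113.5", "192.168.1.60"),
    ]
    for label, rule, s, d in cases:
        print(f"{label}: {would_alert(rule, s, d)}")
```

The third case reproduces the symptom in the question: the modified header matches, but the packet is never seen, so no alert can fire no matter which interface options are toggled. The first case shows why the rule was edited in the first place: with the default $EXTERNAL_NET = !$HOME_NET, an attacker inside the home network never satisfies the source side of the original header.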