Hello everyone,
I am currently using OPNsense to separate a test network from our intranet.
At the moment, I am struggling with the successful configuration of IDS/IPS/Suricata. Specifically, it fails the test with Eicar in the unencrypted version, i.e., HTTP.
My configuration for IDS/IPS/Suricata is as follows:
- Enabled √
- IPS mode √
- active on both interfaces, LAN & WAN
- WAN and LAN are included in "home networks"
In Intrusion Detection/Administration/Downloads the rule "OPNsense-App-detect/test" is enabled and downloaded. No other rules are enabled or even downloaded.
In Intrusion Detection/Administration/Rules, opnsense.test.rules is also enabled with the default action "Alert".
A policy for this rule valid for the actions/conditions "Alert" & "Drop" resulting in the new action "Drop" has been created and applied.
If I run "curl http://pkg.opnsense.org/test/eicar.com.txt" from the test network, it goes through without any problems and I see it under the alerts, unfortunately with "Action: Allowed" – despite the active policy that should turn "Alert" into "Drop".
If I manually change the test rule to "Drop," it is immediately dropped. I can't figure out why the policy isn't working.
Have I taken a wrong turn somewhere, am I overlooking something?
Thank you very much for any food for thought.
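As an added diagnostic example (not part of the post and not OPNsense's own code), the script below checks two things a practitioner would verify in this situation: what action the rules file Suricata actually loaded carries for a given sid, and whether the "action" field in eve.json alert events agrees with it. The rule lines, the eve.json line and the sid are constructed samples; the OPNsense test rule's real sid and the generated rules file path are not on the page and must be substituted.

```python
import json
import re

# Constructed sample rule lines, shaped like a Suricata rules file (not real OPNsense rules).
SAMPLE_RULES = """\
alert http any any -> any any (msg:"sample test rule EICAR"; content:"eicar"; sid:1000001; rev:1;)
drop http any any -> any any (msg:"sample rule already drop"; sid:1000002; rev:1;)
# comment lines and blank lines are skipped
"""

# Constructed eve.json alert event; Suricata reports "allowed" or "blocked" in alert.action.
SAMPLE_EVE = ('{"event_type":"alert","alert":{"action":"allowed",'
              '"signature_id":1000001,"signature":"sample test rule EICAR"}}')

RULE_RE = re.compile(r'^(?P<action>alert|drop|pass|reject)\s+.*?sid:\s*(?P<sid>\d+);')


def rule_actions(rules_text):
    """Map sid -> action for every rule line in the loaded rules text."""
    actions = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            actions[int(m.group("sid"))] = m.group("action")
    return actions


def apply_drop_policy(rules_text, sids):
    """Rewrite 'alert' to 'drop' for the given sids: the effect the post expects the policy to have."""
    out = []
    for line in rules_text.splitlines():
        stripped = line.strip()
        m = RULE_RE.match(stripped)
        if m and int(m.group("sid")) in sids and m.group("action") == "alert":
            line = "drop" + stripped[len("alert"):]
        out.append(line)
    return "\n".join(out)


def eve_mismatches(eve_lines, loaded_actions):
    """Return (sid, expected, observed) for alert events whose action disagrees with the loaded rule."""
    mismatches = []
    for raw in eve_lines:
        ev = json.loads(raw)
        if ev.get("event_type") != "alert":
            continue
        sid, observed = ev["alert"]["signature_id"], ev["alert"]["action"]
        rule_action = loaded_actions.get(sid)
        if rule_action is None:
            continue  # event for a sid not in the rules file under inspection
        expected = "blocked" if rule_action in ("drop", "reject") else "allowed"
        if observed != expected:
            mismatches.append((sid, expected, observed))
    return mismatches
```

Run rule_actions over the rules file Suricata actually loads: if the test rule's sid still reads "alert" there, the policy never reached the generated file, which matches the "Action: Allowed" seen in the alerts.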