OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: soleilblanc on February 20, 2019, 01:36:10 pm

Title: IPS/Suricata does not show alerts in 19.1
Post by: soleilblanc on February 20, 2019, 01:36:10 pm
Hello All,

Under IDS/Administration/Alerts, the logs are rotating but show empty since the upgrade to 19.1 (system was rock solid before the upgrade).
The /var/log/suricata/eve.json files are empty; the stats.log accumulates the starts as normal.

So far, I've restarted the service, deactivated syslog and re-activated it.

Under the IDS/Log file I see these errors:
ERRCODE: SC_WARN_FLOWBIT(306)

Any help is appreciated.

Jon
Title: Re: IPS/Suricata does not show alerts in 19.1
Post by: bmail on February 20, 2019, 02:02:03 pm
Hello,

Try to deactivate Snort VRT rules.
I was using the 29120 version, and it seems Suricata does not love it.
Since giving up Snort rules, no more ERRCODE: SC_WARN_FLOWBIT(306) and Suricata just works well.

Bertrand

Title: Re: IPS/Suricata does not show alerts in 19.1
Post by: donatom3 on February 20, 2019, 11:08:54 pm
I have the same issue and I don't even have the Snort rules installed. I'm using the ET Telemetry edition with a couple of the OPNsense rules.

No error in the log for Suricata either that I could see. I even tried causing some alerts by using the OPNsense social media ruleset and it won't pick up anything in the log either.
Title: Re: IPS/Suricata does not show alerts in 19.1
Post by: soleilblanc on February 21, 2019, 03:34:06 am
Only using some abuse and some ET for rulesets. So no Snort here either.
Title: Re: IPS/Suricata does not show alerts in 19.1
Post by: crt333 on March 05, 2019, 12:30:45 am
I'm surprised this thread went quiet because I'm still not seeing alerts on 19.1.2, except for "ET INFO Session Traversal Utilities for NAT (STUN Binding Request)". That's the only thing I saw all of Feb, while usually I see a lot of activity in the alerts list.

Using ET Telemetry and abuse.ch rules, tried both Aho-Corasick and Hyperscan, no difference.

Did it start working for the other people that posted here?
Title: Re: IPS/Suricata does not show alerts in 19.1
Post by: soleilblanc on March 05, 2019, 02:28:38 am
Still broken here. Since there are so few answers, I'll probably do a fresh install over a weekend and restore my backup. I suspect it may not impact everyone, so likely something got weird in the upgrade process to 19.

I'll follow up my post when/if I have a resolution.

Sol
Title: Re: IPS/Suricata does not show alerts in 19.1
Post by: newsense on March 05, 2019, 04:52:11 am
I just noticed the same behavior; tried reinstalling but nothing changed.
Title: Re: IPS/Suricata does not show alerts in 19.1
Post by: Mks on March 05, 2019, 06:09:08 am
Same issue here, also started a thread: https://forum.opnsense.org/index.php?topic=11901.0

br
Title: Re: IPS/Suricata does not show alerts in 19.1
Post by: soleilblanc on May 30, 2019, 09:05:34 pm
Still didn't have time to get around to doing an upgrade.

My setup does not use PPPoE; it's plain Ethernet from the modem, so IPS should be working.

Sol