OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: cancino on May 07, 2019, 06:19:31 pm

Title: Intrusion detection no showing alerts
Post by: cancino on May 07, 2019, 06:19:31 pm
Hi all,
I activated Intrusion Detection, but I do not see any alerts.

OPNsense 19.1.7-amd64
suricata 4.1.4

my config:
 Enabled [X]
 IPS mode  [ ]
 Promiscuous mode [X]

 Pattern matcher  Hyperscan

 Interfaces  [WAN]


the only thing I see in the log is this warning:

OPNsense meerkat: [101053] <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE (317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.

Can you help me please?
Title: Re: Intrusion detection no showing alerts
Post by: hbc on May 07, 2019, 06:35:49 pm
Do you have any rulesets enabled and downloaded? Did you trigger something that should generate an alert?
Title: Re: Intrusion detection no showing alerts
Post by: cancino on May 07, 2019, 06:43:37 pm
Yes, I downloaded all the rules and enabled them.
Title: Re: Intrusion detection no showing alerts
Post by: hbc on May 07, 2019, 06:45:37 pm
And did you generate traffic that should match rules and create alerts?
No alerts can just mean that no suspicious traffic is present, which would be great.
Title: Re: Intrusion detection no showing alerts
Post by: cancino on May 07, 2019, 07:00:52 pm
I will put it in a test network to validate the installation.
Thank you very much for the help.
Title: Re: Intrusion detection no showing alerts
Post by: alexey on August 05, 2019, 12:54:53 pm
Hi.
I have the same issue with OPNsense 19.7.1-amd64 FreeBSD 11.2-release-p11-HBSD.
I am trying to use Suricata (4.1.4_3) on a VMware virtual machine (ESXi 6.5). The network card I use is VMXNET3, with promiscuous mode inherited from the virtual switch (WAN interface).
My config:
 Enabled [X]
 IPS mode [ ]
 Promiscuous mode [X]
 Pattern matcher [Aho-Corasick]
 Interface [WAN]
Some rulesets were installed and rules enabled (ET open/emerging-icmp, icmp_info, scan, sql, misc).
I tried to test the system with ping requests and by scanning port 1433, and did not receive any alerts in this configuration.
Rules checked: "ET SCAN Suspicious inbound to MSSQL port 1433"
and "Protocol-ICMP Ping"

Any hints, ideas? What's wrong?
thanks
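A defender-side check for the test described above, added here as an example and not part of the post or of OPNsense: it reads Suricata's EVE JSON log, counts alert events per capture interface and signature, tolerates non-alert and truncated lines, and reports which of the rules you expected to fire never did. The sample log lines are constructed; the eve.json path is assumed to be /var/log/suricata/eve.json on OPNsense.

```python
import json
from collections import Counter

# Constructed sample of Suricata EVE JSON (eve.json), one event per line. The
# signature names are the two rules checked in the post; addresses, interface
# name (vmx0) and timestamps are made up for this example.
SAMPLE_EVE = """\
{"timestamp":"2019-08-05T12:00:01.000000+0000","event_type":"alert","in_iface":"vmx0","src_ip":"203.0.113.5","dest_ip":"198.51.100.10","dest_port":1433,"proto":"TCP","alert":{"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","severity":2}}
{"timestamp":"2019-08-05T12:00:02.000000+0000","event_type":"flow","in_iface":"vmx0","src_ip":"203.0.113.5","dest_ip":"198.51.100.10","proto":"TCP"}
{"timestamp":"2019-08-05T12:00:03.000000+0000","event_type":"alert","in_iface":"vmx0","src_ip":"203.0.113.5","dest_ip":"198.51.100.10","dest_port":1433,"proto":"TCP","alert":{"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","severity":2}}
{"timestamp":"2019-08-05T12:00:04.000000+0000","event_type":"stats","stats":{"uptime":120}}
{"timestamp":"2019-08-05T12:00:05.000000+0000","event_type":"alert","in_iface":"vmx0","src_ip":"203.0.113
"""

# Signatures the test traffic (ping, port 1433 scan) is expected to trigger.
EXPECTED = ["ET SCAN Suspicious inbound to MSSQL port 1433", "Protocol-ICMP Ping"]


def summarize_alerts(lines):
    """Count alert events by (in_iface, signature).

    Non-alert events (flow, stats, ...) are ignored; lines that are not valid
    JSON (e.g. truncated by log rotation) are counted as skipped, not fatal.
    """
    counts = Counter()
    skipped = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if ev.get("event_type") != "alert":
            continue
        counts[(ev.get("in_iface", "?"), ev["alert"]["signature"])] += 1
    return counts, skipped


def missing_signatures(counts, expected):
    """Return the expected signatures that never fired on any interface."""
    seen = {sig for (_iface, sig) in counts}
    return [sig for sig in expected if sig not in seen]


if __name__ == "__main__":
    # Replace SAMPLE_EVE.splitlines() with open("/var/log/suricata/eve.json") on a real box.
    counts, skipped = summarize_alerts(SAMPLE_EVE.splitlines())
    for (iface, sig), n in sorted(counts.items()):
        print(f"{iface:8} {n:4}  {sig}")
    print(f"skipped {skipped} unparsable line(s)")
    print("no alerts for:", missing_signatures(counts, EXPECTED))
```

If a signature you deliberately triggered shows up as missing while other alerts are present, the rule itself (enabled? correct ruleset downloaded?) is the suspect; if no alerts appear on the interface at all, the capture path (interface selection, promiscuous mode, virtual NIC) is.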
Title: Re: Intrusion detection no showing alerts
Post by: bunchofreeds on August 05, 2019, 11:07:55 pm
Does it alert on the LAN interface?

I cannot use WAN as I use PPPoE, which unfortunately does not work with IPS on FreeBSD.
There was some effort in resolving this in the past, but it seems to have dropped down the priority list.

LAN when using IPS works fine in my situation, however. WAN would just be 'nice to have'.
Title: Re: Intrusion detection no showing alerts
Post by: alexey on August 06, 2019, 03:07:53 pm
It's the WAN interface (virtual network card).
I installed pfSense in the same VM configuration and Suricata works fine.
Also, if I use a physical network card as the WAN interface instead of the virtual one, Suricata on OPNsense works perfectly.
I would appreciate any ideas.