OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: everfree on October 30, 2016, 05:21:53 am

Title: None IDS alert trigger for WAN and LAN
Post by: everfree on October 30, 2016, 05:21:53 am
Hi,

I use 16.7.7 and have one special network.

B point 10.87.0.34/30 (gateway)
A point 10.87.0.33/30 (WAN)
Public IP (LAN)
Private IP (NAT)

10.87.0.32/30 and Private IP are outbound NAT for LAN Public IP through the WAN interface. Public IP is routed through A point WAN to B point gateway. The network traffic is normal. I use IDS and have enabled the ET-TROJAN rules. I tried to query qfsl.net to trigger that alert. Only the NAT interface triggers it. There is no alert on the WAN and LAN interfaces.

Title: Re: None IDS alert trigger for WAN and LAN
Post by: franco on October 30, 2016, 05:43:09 pm
Hi everfree,

Are the rules fetched/enabled, and was the configuration applied again afterwards? Do you see any alerts in non-IPS mode?

I remember an issue with a test setup that did not work because the Suricata rules use $HOME_NET and its inverse to filter for source/destination, but that also prevents alerts from triggering when testing between two private networks.

I don't quite understand the WAN/LAN/NAT setup, can you please explain?


Cheers,
Franco
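
The `$HOME_NET` filtering mentioned in the reply above, as an added example that is not part of the thread and not Suricata or OPNsense code: a small model of how a rule header's address fields decide whether a flow can alert at all. Assumptions: `HOME_NET` is the RFC 1918 list from Suricata's stock suricata.yaml, `EXTERNAL_NET` is `!$HOME_NET`, the rule header is hypothetical, and the flows are constructed, with 203.0.113.0/24 standing in for the public LAN prefix the post does not give.

```python
import ipaddress

# Assumption: HOME_NET as shipped in Suricata's stock suricata.yaml (RFC 1918 ranges).
DEFAULT_HOME_NET = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def addr_matches(var, ip, home_net):
    """Evaluate one address field of a rule header against an IP."""
    if var == "any":
        return True
    if var == "$HOME_NET":
        return in_nets(ip, home_net)
    if var == "$EXTERNAL_NET":  # assumed to be defined as !$HOME_NET
        return not in_nets(ip, home_net)
    raise ValueError(f"unsupported address variable: {var}")

def header_matches(header, src, dst, home_net=DEFAULT_HOME_NET):
    """header = (src_var, direction, dst_var); direction is '->' or '<>'."""
    src_var, direction, dst_var = header
    if direction not in ("->", "<>"):
        raise ValueError(f"unsupported direction: {direction}")
    forward = (addr_matches(src_var, src, home_net)
               and addr_matches(dst_var, dst, home_net))
    if direction == "<>":  # bidirectional rules also try the swapped pair
        return forward or (addr_matches(src_var, dst, home_net)
                           and addr_matches(dst_var, src, home_net))
    return forward

# Hypothetical header in the style of outbound signatures, not copied from a ruleset.
RULE = ("$HOME_NET", "->", "$EXTERNAL_NET")

# Constructed flows; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
FLOWS = {
    "private -> public": ("10.87.0.33", "198.51.100.53"),
    "private -> private": ("192.168.1.10", "10.87.0.34"),
    "public LAN -> public": ("203.0.113.10", "198.51.100.53"),
}

def evaluate(home_net=DEFAULT_HOME_NET):
    """Return {flow name: True if the rule header admits the flow}."""
    return {name: header_matches(RULE, s, d, home_net)
            for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    print("stock HOME_NET:", evaluate())
    print("public LAN prefix added:", evaluate(DEFAULT_HOME_NET + ("203.0.113.0/24",)))
```

With the stock list, only the private-to-public flow can alert; a source on a public LAN prefix is treated as external until that prefix is added to `HOME_NET`.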