OPNsense Forum
Archive => 17.1 Legacy Series => Topic started by: csmall on January 13, 2017, 03:56:16 am
-
I installed the beta tonight and everything seems to be great.
I'm a little confused by the IDPS though.
I enabled IDS and IPS, checked off some ET rule sets and clicked on enable, downloaded and updated rules, then clicked apply.
All I see in the alerts is stuff like this:
"SURICATA STREAM excessive retransmissions"
"SURICATA TLS invalid record/traffic"
"SURICATA TCPv4 invalid checksum"
"SURICATA STREAM Packet with invalid ack"
"SURICATA STREAM ESTABLISHED invalid ack"
None of these appear to be related to the rule sets I enabled.
I then switched all of the rulesets on the main IDS page to input filter drop, clicked on download and update rules and apply again. I still see nothing but hundreds of the above alerts and none from the ET rulesets.
Am I doing something wrong or is this broken?
Thank you.
-
So I cleared the logs and tried to turn IDS/IPS off and then back on again.
Now I get no alerts. I tried turning just IPS off too and no luck. I get no alerts now. :(
-
I am seeing alerts again... however they are back to the same alerts I mentioned in the original post and nothing from the ET rules I enabled.
I don't get it.
I recently switched to OPNsense from another firewall that was using ET rules and I would see alerts like every 5 to 10 minutes for the same rules.
-
I got rid of 17.1 beta and installed 16.7 production.
Same results. Fresh install and very basic configuration.
I enabled IDS (not IPS yet), applied, enabled some ET rules, downloaded and updated rulesets...
Again, I get alerts like this:
"SURICATA STREAM excessive retransmissions"
But none from the downloaded ET rules. I don't understand why it isn't working.
Any help would be appreciated.
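A small triage script, added here as an editorial example (it is not from the thread, from OPNsense or from Suricata), that reads Suricata eve.json alert lines and separates the engine's own decoder/stream/TLS event alerts (the "SURICATA ..." messages quoted above) from alerts produced by ET rule sets, so one can check whether any ET rule is actually firing. The SID ranges are an assumption about Suricata's and ET's allocation, and the sample log lines are constructed, not captured.

```python
import json
from collections import Counter

# Assumed SID allocations (not stated in the thread): Suricata's bundled
# decoder/stream/tls event rules sit in 2200000-2299999, ET Open in
# 2000000-2099999 and ET Pro in 2800000-2899999.
ENGINE_SIDS = range(2200000, 2300000)
ET_SIDS = (range(2000000, 2100000), range(2800000, 2900000))

def classify(alert):
    """Return 'engine-event', 'et-rule' or 'other' for one eve.json 'alert' object."""
    sid = int(alert.get("signature_id", 0))
    msg = alert.get("signature", "")
    # Every alert quoted in the thread starts with "SURICATA ": those are the
    # engine's own protocol/stream sanity checks, not downloaded ET rules.
    # A flood of "TCPv4 invalid checksum" usually means checksum offloading
    # on the capture NIC, not hostile traffic.
    if msg.startswith("SURICATA ") or sid in ENGINE_SIDS:
        return "engine-event"
    if any(sid in r for r in ET_SIDS):
        return "et-rule"
    return "other"

def summarize(lines):
    """Count alerts per class and per (class, signature); skip non-alert and broken lines."""
    per_class, per_sig = Counter(), Counter()
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # partial line at the tail of an append-only eve.json
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        kind = classify(alert)
        per_class[kind] += 1
        per_sig[(kind, alert.get("signature", "?"))] += 1
    return per_class, per_sig

def et_rules_firing(lines):
    """True when at least one alert in the log came from an ET rule set."""
    return summarize(lines)[0]["et-rule"] > 0

# Constructed sample lines (SIDs are placeholders in the assumed ranges).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2017-01-13T03:50:01+0000","event_type":"alert","alert":{"signature_id":2210001,"signature":"SURICATA STREAM excessive retransmissions","category":"Generic Protocol Command Decode","severity":3}}',
    '{"timestamp":"2017-01-13T03:50:02+0000","event_type":"alert","alert":{"signature_id":2200001,"signature":"SURICATA TCPv4 invalid checksum","category":"Generic Protocol Command Decode","severity":3}}',
    '{"timestamp":"2017-01-13T03:50:03+0000","event_type":"flow","proto":"TCP"}',
    '{"timestamp":"2017-01-13T03:50:04+0000","event_type":"alert","alert":{"signature_id":2012345,"signature":"ET POLICY constructed example","category":"Potential Corporate Privacy Violation","severity":2}}',
]

if __name__ == "__main__":
    per_class, per_sig = summarize(SAMPLE_EVE_LINES)
    print(dict(per_class))
    for (kind, sig), n in per_sig.most_common():
        print(f"{n:6d}  {kind:13s}  {sig}")
```

On an OPNsense box the same functions can be fed the live log with `summarize(open("/var/log/suricata/eve.json"))` (path assumed); if `et-rule` stays at zero while `engine-event` climbs, the ET rule sets are not producing alerts at all, which is the situation the thread describes.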