OPNsense Forum
Archive => 17.1 Legacy Series => Topic started by: csmall on February 23, 2017, 12:05:26 am
-
I did a fresh install of OPNSense 17.1 last night and then upgraded to 17.1.2 this morning.
It was pretty much default install.
Just now I enabled IDS and IPS, checked off some ET rules that I know were frequently triggered when I was running IPFire with Snort, hit download and install rules, changed them each to drop action and hit download and apply rules again.
Under alerts, all i see is weird suricata alerts with allowed action.
SURICATA STREAM excessive retransmissions
and a bunch of:
SURICATA Applayer Detect protocol only one direction
but no ET or drop alerts.
I don't understand, am i doing something wrong? I had high hopes for the new realtek drivers with suricata.
-
Bump
-
I just turned this one recently and the majority of the items in the IDS alerts tab are these SURICATA STREAM excessive retransmissions messages. I get the occasional SURICATA Applayer Detect protocol only one direction
and even some SURICATA TCPv4 invalid checksum
The invalid checksum seems to be related to the NIC so since I'm running OPNsense in an ESXi VM I changed the host's Net.UseHwTSO setting to "0" to disable this. I'll see if that error goes away over the next day or two.
the Applayer Detect one seems more esoteric since I only found a few links to others having this issue and nothing definitive. Ditto with the Stream Excessive.
Funny I just noticed that under ID >> RULES it just says "loading".
-
Yeah I get a bunch of the suricata alerts but no ET alerts. :(
-
I get a lot of these alerts:
SURICATA Applayer Detect protocol only one direction
Looking HERE (https://suricata.readthedocs.io/en/latest/rules/app-layer.html) it explains this:
Protocol detection only succeeded in one direction. For FTP and SMTP this is expected.
So if you have been using these protocols from your network then you will see these alerts.