Messages - MrHappyHippo

#1
25.7 Series / Re: expected 25.7.1?
July 28, 2025, 02:24:11 PM
What about the business release?
#2
Why is it happening? And how can I fix that?

System -> Firmware -> Mirror -> Deciso (HTTPS, NL, Commercial)
IPv6 -> disabled
Unbound DNS -> yes
Kea DHCP -> yes
System -> Firmware -> Run an audit -> Connectivity Check:

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 25.4.1 (amd64) at Sun Jun 22 14:06:02 CEST 2025
Strict TLS 1.3 and CRL checking is enabled.
Checking connectivity for host: opnsense-update.deciso.com -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=55 time=37.200 ms
1508 bytes from 89.149.211.205: icmp_seq=1 ttl=55 time=22.135 ms
1508 bytes from 89.149.211.205: icmp_seq=2 ttl=55 time=23.714 ms
1508 bytes from 89.149.211.205: icmp_seq=3 ttl=55 time=22.244 ms

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 22.135/26.323/37.200/6.311 ms
Checking connectivity for repository (IPv4): https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 875 packages processed.
All repositories are up to date.
Checking connectivity for host: opnsense-update.deciso.com -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4
Updating OPNsense repository catalogue...
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: opnsense-update.deciso.com
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G3
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS ECC CA G1
verify return:1
depth=0 CN = opnsense-update.deciso.com
verify return:1
DONE
***DONE***
#3
Thanks for the suggestion. I actually already tried that using curl, but it didn't trigger anything in OPNsense.
#4
Hey everyone,

I recently enabled Suricata IDS on my setup, and I'm running into a couple of issues that I'm not sure how to properly diagnose or fix.

First off, I'm not seeing any alerts, even though I suspect my network isn't totally clean.

I did enter the et_telemetry.token under Services > Intrusion Detection, and I can confirm Suricata is running.

However, just enabling it doesn't seem to make it actually do anything useful — or at least I'm not getting any alerts/logs that indicate it's catching threats.

Additionally, I'm seeing a bunch of flowbit-related warnings in the logs, like these:
2025-06-08T06:36:45 Notice suricata [100780] <Notice> -- Threads created -> W: 16 FM: 1 FR: 1   Engine started.
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023672 and 1 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.http.binary' is checked but not set. Checked in 2029335 and 1 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.DMTP_Protocol' is checked but not set. Checked in 2858384 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.HTA.Download' is checked but not set. Checked in 2816701 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.http.javaclient' is checked but not set. Checked in 2015657 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
2025-06-08T06:30:32 Notice suricata [100780] <Notice> -- Syslog: facility local5, level Info, ident suricata
2025-06-08T06:30:31 Notice suricata [100460] <Notice> -- This is Suricata version 7.0.10 RELEASE running in SYSTEM mode

It looks like certain rules are being loaded that rely on other rules setting flowbits that aren't active?

So I have a few questions I hope someone can help me with:

How can I confirm that Suricata is actively inspecting traffic and generating alerts correctly?

Is there a step-by-step tutorial or test method (e.g. safe malicious payload or simulated attack) I can use?

Do I need to manually enable or add the rules that set these flowbits? Or is this normal?

Is there a known-good ruleset I should be using (e.g. Emerging Threats Open vs. Pro) that avoids this issue?

Would appreciate any help or pointers — just trying to make sure this is actually working and not just burning CPU for no reason 😅

Thanks in advance!
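An added example (not from the post or from OPNsense/Suricata) that parses log lines in the shape quoted above and turns the "checked but not set" warnings into a summary: which flowbit is missing, which SID checks it, and how many signatures are inert because of it. The sample log is a constructed excerpt in that format.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the format of the OPNsense Suricata log shown above (not a live log).
SAMPLE_LOG = """\
2025-06-08T06:36:45 Notice suricata [100780] <Notice> -- Threads created -> W: 16 FM: 1 FR: 1   Engine started.
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023672 and 1 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.http.binary' is checked but not set. Checked in 2029335 and 1 other sigs
2025-06-08T06:30:31 Notice suricata [100460] <Notice> -- This is Suricata version 7.0.10 RELEASE running in SYSTEM mode
"""

# One log line: timestamp, level, process id, then the message after "-- ".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\w+) suricata \[(?P<pid>\d+)\] <\w+> -- (?P<msg>.*)$")
# The flowbit warning itself: name of the bit, first checking SID, count of further checking sigs.
FLOWBIT_RE = re.compile(
    r"flowbit '(?P<name>[^']+)' is checked but not set\. "
    r"Checked in (?P<sid>\d+) and (?P<others>\d+) other sigs"
)

class UnsetFlowbit(NamedTuple):
    name: str
    sid: int       # first signature that checks the flowbit
    checkers: int  # total signatures checking it: the listed SID plus "other sigs"

def parse_unset_flowbits(log: str) -> List[UnsetFlowbit]:
    """Return one entry per 'checked but not set' warning, in log order."""
    found: List[UnsetFlowbit] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "Warning":
            continue
        fb = FLOWBIT_RE.search(m.group("msg"))
        if fb:
            found.append(UnsetFlowbit(fb.group("name"), int(fb.group("sid")), 1 + int(fb.group("others"))))
    return found

def engine_started(log: str) -> bool:
    """True if the log contains the 'Engine started.' notice, i.e. rule loading finished."""
    return any("Engine started." in line for line in log.splitlines())

def summarize(log: str) -> Dict[str, object]:
    """Summary: engine state, number of missing flowbits and how many rule checks can never match.

    A rule that checks a flowbit no loaded rule ever sets is inert, not an error: it simply
    will not alert until the setter rule is enabled in the same ruleset."""
    bits = parse_unset_flowbits(log)
    return {
        "engine_started": engine_started(log),
        "unset_flowbits": len(bits),
        "inert_checks": sum(b.checkers for b in bits),
        "setter_needed_for": sorted(b.name for b in bits),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```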