
Messages - MrHappyHippo

#1
Thanks for the suggestion. I actually already tried that using curl, but it didn't trigger anything in OPNsense.
#2
Hey everyone,

I recently enabled Suricata IDS on my setup, and I'm running into a couple of issues that I'm not sure how to properly diagnose or fix.

First off, I'm not seeing any alerts, even though I suspect my network isn't totally clean.

I did enter the et_telemetry.token under Services > Intrusion Detection, and I can confirm Suricata is running.

However, just enabling it doesn't seem to make it actually do anything useful — or at least I'm not getting any alerts/logs that indicate it's catching threats.

Additionally, I'm seeing a bunch of flowbit-related warnings in the logs, like these:
2025-06-08T06:36:45 Notice suricata [100780] <Notice> -- Threads created -> W: 16 FM: 1 FR: 1   Engine started.
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023672 and 1 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.http.binary' is checked but not set. Checked in 2029335 and 1 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.DMTP_Protocol' is checked but not set. Checked in 2858384 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.HTA.Download' is checked but not set. Checked in 2816701 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.http.javaclient' is checked but not set. Checked in 2015657 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
2025-06-08T06:30:32 Notice suricata [100780] <Notice> -- Syslog: facility local5, level Info, ident suricata
2025-06-08T06:30:31 Notice suricata [100460] <Notice> -- This is Suricata version 7.0.10 RELEASE running in SYSTEM mode

It looks like certain rules are being loaded that rely on other rules setting flowbits that aren't active?

So I have a few questions I hope someone can help me with:

How can I confirm that Suricata is actively inspecting traffic and generating alerts correctly?

Is there a step-by-step tutorial or test method (e.g. safe malicious payload or simulated attack) I can use?

Do I need to manually enable or add the rules that set these flowbits? Or is this normal?

Is there a known-good ruleset I should be using (e.g. Emerging Threats Open vs. Pro) that avoids this issue?

Would appreciate any help or pointers — just trying to make sure this is actually working and not just burning CPU for no reason 😅

Thanks in advance!
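The "checked but not set" warnings in the post above mean the rules that check those flowbits are loaded while the rules that set them are not, so the checking rules can never fire. The script below is an added example, not code from the post or from OPNsense/Suricata: it parses such warnings and cross-checks them against a rules file to report, per flowbit, whether the setter rule is absent or merely disabled (commented out with `#`, which is how a rule outside an enabled category ends up). The log lines are taken from the post; the rule lines and their sids are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample log: two warning lines quoted in the post plus a Notice line the parser must skip.
SAMPLE_LOG = """\
2025-06-08T06:36:45 Notice suricata [100780] <Notice> -- Threads created -> W: 16 FM: 1 FR: 1   Engine started.
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.http.binary' is checked but not set. Checked in 2029335 and 1 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.HTA.Download' is checked but not set. Checked in 2816701 and 0 other sigs
"""
# Constructed rule fragment with hypothetical sids (not real ET rules): the ET.http.binary
# setter exists but is disabled by its '#' prefix; nothing sets ET.HTA.Download at all.
SAMPLE_RULES = """\
# alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED setter"; flow:established,to_client; file_data; content:"MZ"; flowbits:set,ET.http.binary; flowbits:noalert; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED unrelated"; flowbits:set,ET.other; sid:9000002; rev:1;)
"""

WARN_RE = re.compile(r"flowbit '(?P<name>[^']+)' is checked but not set\. "
                     r"Checked in (?P<sid>\d+) and (?P<others>\d+) other sigs")
SET_RE = re.compile(r"flowbits:\s*set\s*,\s*(?P<names>[^;]+?)\s*;")
SID_RE = re.compile(r"sid:\s*(?P<sid>\d+)\s*;")

def parse_unset_flowbits(log_text):
    """Map each unset flowbit name -> number of checking rules that can never match."""
    dead = {}
    for m in (WARN_RE.search(l) for l in log_text.splitlines()):
        if m:  # the named sid plus 'N other sigs'
            dead[m.group("name")] = 1 + int(m.group("others"))
    return dead

def find_setters(rules_text):
    """Map flowbit name -> list of (sid, enabled) for rules containing flowbits:set."""
    setters = defaultdict(list)
    for line in map(str.strip, rules_text.splitlines()):
        m_set, m_sid = SET_RE.search(line), SID_RE.search(line)
        if m_set and m_sid:
            for name in m_set.group("names").split("|"):
                setters[name.strip()].append((int(m_sid.group("sid")), not line.startswith("#")))
    return setters

def diagnose(log_text, rules_text):
    """Per unset flowbit: 'missing' (no setter in the ruleset), 'disabled' (all setters commented
    out) or 'enabled' (setter on, so this file is not what Suricata loaded). -> {name: (state, dead, sids)}"""
    setters = find_setters(rules_text)
    report = {}
    for name, n_dead in parse_unset_flowbits(log_text).items():
        sids = setters.get(name, [])
        state = "missing" if not sids else ("enabled" if any(e for _, e in sids) else "disabled")
        report[name] = (state, n_dead, [s for s, _ in sids])
    return report
```

Run it against the warnings from Suricata's log and the `.rules` files Suricata actually loads; a flowbit reported as "disabled" is fixed by enabling the category that contains the listed setter sids, while "missing" means the setter lives in a ruleset you do not have.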