IDS detection unreliability, not sure why - new user.

[scyto]

Hi I am new, so bear with me if i seem extra stupid.

I installed opnsense yesterday for first time, configured for transparent bridging.
I installed the intrusion detection service and tested with www.testmyids.com and got an alert, yay!

I then installed: ET Pro Telemetry ruleset, Snort VRT registered rule set, PT rule set and Sensi (in experimental bridge mode).

I turned off sensi when I saw it was giving me a 50% throughput hit on my 1gig connection.

Now when i go to www.testmyids.com it isn't generating any alert events and I am unsure why.
Any suggestions?

[scyto]

Today I noticed that suricata was detecting threats directed to the WAN interface (rather than the bridge which is made up of LAN / WAN) QED suricata is still working

Maybe i don't understand how the allow logging works - does it log only once per signature per host - no matter how many times that signature it is hit?

[scyto]

Ok, i think there are several things going on here that are contributing to breaks / unreliability

1. i have yet to verify but I think sensi modified the bridge and stopped IPS working - i tore down sensi, reset and reinstalled suricata and deleted and re-created the bridge - that helped.
2. I had poorly formed 'ANY' firewall rules on BR0, LAN and WAN.  Removed WAN and LAN rules and created inbound and outbound rule on BR0 correctly.

This has increased detection, but it is still unreliable, for example if I use the "for i in {1..10}; do curl testmyids.com; done" command it generates maybe one or two alerts in inline opnsense (between CM and router). 

Whereas my routers IPS detects all 10.

Not sure where to start to troubleshoot? 

[scyto]

Here is example of the opnsense failing to detect packets for enabled rules.

the connection is ONT <> opsense in transparent bridge <> UDMP in NAT router.

both are doing IDS not IPS.

https://imgur.com/PzChBHk
https://imgur.com/DhWyA17