OPNsense Forum » English Forums » Intrusion Detection and Prevention » IP Blocklists are not working in Suricata
Topic: IP Blocklists are not working in Suricata (Read 364 times)
someone (Jr. Member, Posts: 64, Karma: 2)
IP Blocklists are not working in Suricata
on: October 06, 2024, 07:04:20 pm
I can't get the IP blocklists to work in Suricata:
1. ET and DShield blocklists
2. Whether they are multiple individual IPs or ranges
3. They do work if there is only a single IP in the rule
Has anyone else checked this?
someone (Jr. Member, Posts: 64, Karma: 2)
Re: IP Blocklists are not working in Suricata
Reply #1 on: October 15, 2024, 12:37:03 am
When using DHCP, the blocklist rules in Suricata do not work.
I had two other non-blocklist rules pop up, but that may have been a fluke; I will keep checking.
I went from no blocks to 1100 blocks in 3 hours.
Get the blocklists online first, very important.
I am hit every 5 seconds by hacker bots.
I will make another post on how to see that in packets.
The workaround was to change all $HOME_NET to any in all the blocklist rules,
and they start working; I got over 1100 hits in 3 hours.
They are botnets, automated IP spoofing attack servers.
You may have just heard they attacked Cloudflare servers:
trillions of packets per second, many of which were from hacked home routers.
Only change the IP blocklists for now.
If you do this, it is at your own risk.
I will make another post naming those shortly.
I will show how to do easy checks.
Don't do this if you don't know how; don't ruin your setup.
Don't do this if you can't reload your system.
I am counting on OPNsense help once we get it figured out.
This is for testers to check out and verify to get started.
One guess is that there is nothing to define $HOME_NET in the Suricata yaml in DHCP mode.
Thanks
Last Edit: October 18, 2024, 12:04:21 am by someone
someone (Jr. Member, Posts: 64, Karma: 2)
Re: IP Blocklists are not working in Suricata
Reply #2 on: November 01, 2024, 03:32:21 am
This is what I think is happening.
Well, I've kind of exhausted testing rules.
I could not get the IPS rules to work as is.
Blocklists do not work.
Note: I had two rules hit prior to all testing, don't know how, SSH on the wrong port.
But only two, Microsoft spoofed IPs trying to break in.
I saw other bad IPs coming in back then, but they were never blocked.
Since then I've had tens of thousands of hits; yes, they are all real, not flukes.
I had 10,000 this morning in minutes because DNS got hijacked.
I learned how to set DNS in the operating system under the ethernet connection; that helped.
All were on the blocklists.
This is what I do to fix it:
by changing $HOME_NET to any.
Do this at your own risk; you have to know how to recover your system
and how to reinstall your system if it gets messed up, since I test it
and mess it up frequently. Roughly explained:
In the browser GUI, enable SSH in settings (three check boxes), apply.
From the command line, sftp into the LAN IP you use for the browser GUI.
Download the rules directory from /usr/local/etc/suricata/rules:
get -R /usr/local/etc/suricata/rules /home/blah/
chmod -R 777 rules
Open each ruleset and change $HOME_NET to any.
I use search and replace.
Some rulesets I don't change; for example I don't use the http rules, that port is never open.
Save the rulesets in the rules directory and upload the directory back into the router:
put -R /home/blah/rules /usr/local/etc/suricata/rules
The rules actually never leave the router, but sending them back with put will overwrite them.
All of this is done with sftp.
Go back to the GUI and click apply rules; wait 10 minutes before doing anything else.
I don't know how this would affect hardware routers; I don't know if they have enough storage.
I run a computer as a router, not embedded; the computer is a router with 1TB plus RAM.
I will wait on OPNsense for a fix.
Remember, do this at your own risk.
Now for $EXTERNAL_NET: do not change it.
$EXTERNAL_NET is implied to already be any,
whereas $HOME_NET is looking for an IP or range, as I understand it.
I am posting this to help OPNsense; I will watch for a solution in their updates.
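Reply #1 and Reply #2 describe the same workaround (rewriting $HOME_NET to any in the blocklist rule files), and Reply #1 guesses that $HOME_NET is not defined in the Suricata yaml. The shell script below is an added example, not the poster's commands and not part of OPNsense. It first reads what HOME_NET expands to in a suricata.yaml, which is the thing to check before touching any rules: a rule written as `-> $HOME_NET` only matches traffic whose destination is inside that address group, so on an internet-facing box with a public WAN address, a HOME_NET made up of private ranges only will never match traffic aimed at that address (OPNsense exposes its Home networks list in the Intrusion Detection settings under advanced mode, which is where to look first). It then rewrites $HOME_NET to any in every *.rules file of a directory, keeping a .bak copy of each file, leaving $EXTERNAL_NET and every other variable untouched, and counts what changed. The yaml fragment and rule files are constructed in a temporary directory so the script runs offline; the real paths /usr/local/etc/suricata/suricata.yaml and /usr/local/etc/suricata/rules come from the post, and the sample IPs are documentation ranges. No chmod 777 is needed, since the account that uploads the files already has write access; and expect a later rule download to overwrite hand-edited files, so keep the script and re-run it.

```shell
#!/bin/sh
# Added example (not from the forum post or from OPNsense):
#  1) show what HOME_NET expands to in a suricata.yaml, and
#  2) rewrite $HOME_NET -> any in *.rules files, with .bak copies, leaving
#     $EXTERNAL_NET and other variables alone, reporting the changed line count.
# Everything under make_sample is constructed test data; on a real OPNsense box
# the files are /usr/local/etc/suricata/suricata.yaml and
# /usr/local/etc/suricata/rules/*.rules (paths taken from the post, check yours).

# Build a throwaway yaml fragment and two small rule files inside directory $1.
make_sample() {
    dir="$1"
    mkdir -p "$dir/rules"
    cat > "$dir/suricata.yaml" <<'EOF'
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "any"
EOF
    # Two constructed blocklist-style rules: one inbound to $HOME_NET, one outbound.
    cat > "$dir/rules/sample-blocklist.rules" <<'EOF'
alert ip [198.51.100.0/24,203.0.113.7] any -> $HOME_NET any (msg:"constructed blocklist rule 1"; sid:9000001; rev:1;)
alert ip $HOME_NET any -> [203.0.113.9] any (msg:"constructed blocklist rule 2"; sid:9000002; rev:1;)
EOF
    # A constructed http rule, to show $EXTERNAL_NET and $HTTP_PORTS survive untouched.
    cat > "$dir/rules/sample-web.rules" <<'EOF'
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed http rule"; sid:9000003; rev:1;)
EOF
}

# Print the HOME_NET address group from a suricata.yaml (prints nothing if absent).
home_net_from_yaml() {
    sed -n 's/^[[:space:]]*HOME_NET:[[:space:]]*//p' "$1" | tr -d '"'
}

# Count rule lines under directory $1 that still reference variable $2 (e.g. HOME_NET).
count_var() {
    dir="$1"; var="$2"; total=0
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        n=$(grep -Fc "\$$var" "$f" || true)   # -F: literal match, no regex surprises
        total=$((total + n))
    done
    echo "$total"
}

# Rewrite $HOME_NET to any in every *.rules file under $1, keeping file.bak copies.
# Prints the number of rule lines that were changed.
rewrite_home_net() {
    dir="$1"; changed=0
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        n=$(grep -Fc '$HOME_NET' "$f" || true)
        if [ "$n" -eq 0 ]; then
            continue                          # nothing to do, leave file and mtime alone
        fi
        cp "$f" "$f.bak"                      # backup first, then write the edited copy
        sed 's/\$HOME_NET/any/g' "$f.bak" > "$f"
        changed=$((changed + n))
    done
    echo "$changed"
}

# Offline demonstration on the constructed files: sh thisscript.sh --demo
demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp"
    echo "HOME_NET in yaml: $(home_net_from_yaml "$tmp/suricata.yaml")"
    echo "rule lines using \$HOME_NET before: $(count_var "$tmp/rules" HOME_NET)"
    echo "rule lines changed: $(rewrite_home_net "$tmp/rules")"
    echo "rule lines using \$HOME_NET after: $(count_var "$tmp/rules" HOME_NET)"
    echo "rule lines using \$EXTERNAL_NET after: $(count_var "$tmp/rules" EXTERNAL_NET)"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Against a real box, point home_net_from_yaml at the generated suricata.yaml and rewrite_home_net at a copy of the rules directory pulled down with sftp, diff the .bak files against the edited ones before pushing anything back, and apply the rules from the GUI as the post describes.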
someone (Jr. Member, Posts: 64, Karma: 2)
Re: IP Blocklists are not working in Suricata
Reply #3 on: November 01, 2024, 04:06:29 am
My router faces the internet, no gateway in front.
No 192.168 incoming.
It's my actual IP.
Don't know if that makes a difference.
someone (Jr. Member, Posts: 64, Karma: 2)
Re: IP Blocklists are not working in Suricata
Reply #4 on: November 03, 2024, 03:25:30 am
Come to think of it, no, it doesn't make a difference.
I started with OPNsense behind the ISP router
until they destroyed the ISP router.