OPNsense Forum » English Forums » General Discussion
Topic: IPBlocklists Not Working - Solved Need Opnsense help (Read 951 times)
Posted by someone (Full Member, 115 posts, Karma: 2) on October 11, 2024, 02:29:13 am
IPBlocklists and large amounts of rules are not working
Maybe 70 percent are not functioning
Problem: no access to the suricata yaml to program $HOME_NET and $EXTERNAL_NET in the rules
Unless there is something I am missing
Fix ... replace $HOME_NET and $EXTERNAL_NET manually in the rules
Change these to .... any
IPBlocklists start working
Spamhaus rules start working
Abuse rules start working
Warning: doing this all at once, I could not get back on the net
Will have to figure that one out next. I had packets coming and going,
That's how I saw all these rules start working, I get about 100 threats in ten minutes
But I couldn't go anywhere in the browser
Do not do this unless you know how, and are willing to reload many times
Until we can get OPNsense to come up with a fix
Abuse rules has over 70,000 rules in that one file
So I used search and replace
From this example
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Known malware download URL detected"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; metadata:created_at 2024_09_30; reference/; classtype:trojan-activity; sid:********; rev:1;)
To this
alert http any any -> any any (msg:"Known malware download URL detected"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; metadata:created_at 2024_09_30; reference:; classtype:trojan-activity; sid:*******; rev:1;)
Not a complete real rule, just an example
My home-made block lists started working also, and many of the hits were in some of the other threat rules already
I had some IPs blocked by six rules, four were mine, not checking for duplicates yet
Last Edit: October 11, 2024, 04:21:19 am by someone

Reply #1 by someone on October 11, 2024, 02:34:54 am
Is there something like a static IP we are supposed to enter somewhere that defines $HOME_NET and gets put into the suricata yaml? Let me know if I missed this. Thanks
Reply #2 by someone on October 11, 2024, 02:50:36 am
I should mention $HOME_NET in the rules should be your IP address or range
And $EXTERNAL_NET I believe was recommended to be any, which was "leave blank" in the yaml
But I am not so sure it works the same here, because you do want it any
Any outbound or inbound traffic most of the time, unless networking or something
I might have missed something or am unaware of a place to do that
If I missed it, the default should have been any, which would work in most cases
And it would have a description in the GUI maybe
Oh, and this is a follow-up of previous posts
One of importance was that we cannot manually change the suricata yaml
Good thing, because of bad guys
It resets any changes at reboot
But the setting defining the IP for $HOME_NET will need to be coded in somewhere
I have found so many options I wasn't aware of in OPNsense, which is great and gets better
Last Edit: October 11, 2024, 04:10:35 am by someone

Reply #3 by someone on October 12, 2024, 08:40:34 pm
OK, update
Don't change $EXTERNAL_NET
I got the new rules and changed the Abuse rulesets, dshield, and bot rulesets
I changed $HOME_NET to any
Working great
Had 127 hits on their rules in ten minutes
They were not working before I changed $HOME_NET to any
Yes, my IP range is getting hit by bots, a plague of unsolicited SYN packets
These packets are looking for a way into your system
If they get an alert, unlike ours, they look for vulnerabilities
They start a certain hacking method
This got my rules working
This is a fresh install, no major changes
If anyone has an idea of another way to fix it, or if I missed something,
please let me know, thanks everyone
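The script below is an added example, not code from this thread, from OPNsense or from Suricata. It automates the search-and-replace described in the first post in the form the third reply settled on: only `$HOME_NET` in the rule header becomes `any`, `$EXTERNAL_NET` is left alone, and variables that appear inside the options block (for example in `msg` text) are never touched. It refuses to rewrite a negated field such as `!$HOME_NET`, because `!any` is not a valid Suricata address, and it counts how many rules would end up `any any -> any any`, which is the state the first post's all-at-once change produced before connectivity was lost. The `replace_external` flag, the function names and the sample rules (local sids 1000001 onwards) are this example's own constructions.

```python
"""Rewrite Suricata rule headers so $HOME_NET becomes "any" (added example)."""
import re

# Header of a single-line Suricata rule:
#   action proto src_addr src_port direction dst_addr dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Constructed sample ruleset for the demo; these are not rules from any real feed.
CONSTRUCTED_RULES = """\
# constructed sample rules, not from any real ruleset
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Known malware download URL detected"; flow:established,to_server; http.method; content:"GET"; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH scan from $EXTERNAL_NET"; flags:S; threshold:type both,track by_src,count 5,seconds 60; sid:1000002; rev:1;)
alert ip $EXTERNAL_NET any -> !$HOME_NET any (msg:"transit traffic, negated destination"; sid:1000003; rev:1;)
"""


def rewrite_field(field, replace_external=False):
    """Return (new_field, status) with status 'changed', 'kept' or 'skipped'.

    Only a field that is exactly the variable is rewritten. A negated field
    (!$HOME_NET) cannot become !any, and a bracketed group containing the
    variable needs a human decision, so both are reported as 'skipped'.
    """
    targets = ["$HOME_NET"] + (["$EXTERNAL_NET"] if replace_external else [])
    if field in targets:
        return "any", "changed"
    if any(t in field for t in targets):
        return field, "skipped"
    return field, "kept"


def rewrite_rule(line, replace_external=False):
    """Rewrite one line. Returns (new_line, status, any_any).

    status is 'comment', 'unparsed', 'changed', 'kept' or 'skipped'; any_any is
    True when the rewritten rule matches all traffic in both directions.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line, "comment", False
    m = HEADER_RE.match(stripped)
    if not m:
        return line, "unparsed", False
    src, s_status = rewrite_field(m.group("src"), replace_external)
    dst, d_status = rewrite_field(m.group("dst"), replace_external)
    if "skipped" in (s_status, d_status):
        # Leave the whole rule untouched for manual review rather than half-edit it.
        return line, "skipped", False
    status = "changed" if "changed" in (s_status, d_status) else "kept"
    new_line = "%s %s %s %s %s %s %s (%s)" % (
        m.group("action"), m.group("proto"), src, m.group("sport"),
        m.group("dir"), dst, m.group("dport"), m.group("opts"))
    return new_line, status, (src == "any" and dst == "any")


def rewrite_rules(text, replace_external=False):
    """Rewrite a whole rules file given as text. Returns (new_text, stats)."""
    stats = {"changed": 0, "kept": 0, "skipped": 0, "any_any": 0, "unparsed": 0}
    out = []
    for line in text.splitlines():
        new_line, status, any_any = rewrite_rule(line, replace_external)
        out.append(new_line)
        if status in stats:
            stats[status] += 1
        if any_any:
            stats["any_any"] += 1
    return "\n".join(out) + "\n", stats


if __name__ == "__main__":
    # Usage with real files: rewrite_rules(open("in.rules").read()) -> write out.
    new_text, stats = rewrite_rules(CONSTRUCTED_RULES)
    print(new_text)
    print("HOME_NET only:", stats)
    _, stats_both = rewrite_rules(CONSTRUCTED_RULES, replace_external=True)
    print("both variables:", stats_both)
```

With the sample input, rewriting only `$HOME_NET` changes two rules, skips the negated one and produces no `any any -> any any` rule; setting `replace_external=True` turns both rewritten rules into match-everything rules, which is the condition worth checking before loading a rewritten file into an IPS in drop mode. The regex assumes one rule per line, which is how the downloaded rulesets are laid out. A rewritten file is overwritten by the next ruleset update, so keep the original and rerun the script afterwards.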
Reply #4 by someone on October 15, 2024, 12:18:54 am
Update and last post in this section
Will post results under the Intrusion Detection section
A note: there is a box which declares static or DHCP under Interfaces > WAN
When using DHCP, there are many rules which do not work
Will post updates, show how, show workaround, in the IPS section
Which rules work and which don't
Thought I would post here first due to the static/DHCP box being more of an OPNsense thing than IPS
If you do any changes it is at your own risk
Have to know how to reinstall the system
I have to do it a lot since I am testing this
One thing to note
I get about 10 hits in 5 minutes from downloaded rulesets
I get a hit every 5 seconds from my custom ruleset
Being partly community snort IPs and mostly hits in my IP range
I run a combination and get hits on them all mostly
Thanks
Last Edit: October 17, 2024, 11:37:00 pm by someone

Reply #5 by someone on November 19, 2024, 01:52:16 am
Suricata rulesets are working
ET rulesets, not yet
May be some legalities since they are copy protected and licensed
May be some decisions to be made, workarounds, etc.
I am sure they are working on it