IDS/IPS doesn't give any log

Started by erica.vh, September 22, 2025, 04:03:24 PM

Hello,
Not directly related to 25.7.4, as it was already the same in previous versions.
I have no log, neither in Service -> Intrusion detection -> Log file, nor in Service -> Intrusion detection -> Alerts

In Service -> Intrusion detection

I have the "We strongly advise to use policies instead of single rule based changes to limit the size of the configuration. A list of all manual changes can be revised in the policy editor (available here)" at the top.

In Service -> Intrusion detection -> Administration,
I have IDS and IPS on (checked)
I have selected all 3 LAN interfaces (not WAN)
I have selected pattern match: Hyperscan
I have checked Enable syslog alerts with a daily rotation

In Service -> Intrusion detection -> Download,
I have selected all abuse.ch and ET open,
I have enabled it, then downloaded it

In Service -> Intrusion detection -> Rules,
I have about 107406 lines, but I can no longer access/view it; each time I click on that tab, the entire system stalls, almost freezes.
Right now, I clicked on it and the computer lags a lot! (The other computers seem to have no problem.)
It takes ages to move to another tab.
I have to close the browser tab and open a new one to get out of the loop.

In Service -> Intrusion detection -> User Define,
I have a bypass rule for my work computer

In Service -> Intrusion detection -> Alerts,
I have none (IDS been running for about 15 days)

In Service -> Intrusion detection -> Schedules,
I have the standard rules update and reload,
I have a weekly trim and a monthly scrub

In Service -> Intrusion detection -> Policy,
I have 6 policies, each invoking its own set of rules

In Service -> Intrusion detection -> Log Files
I have only 1 line (since my last reset, 8 days ago):
- [100837] <Warning> -- flowbit 'ET.000webhostpost' is checked but not set. Checked in 2052143 and 0 other sigs

I don't think it's normal that I have no logs whatsoever. What do you think?

I had an issue with no alerts showing in Suricata Intrusion Detection.

I set interface WAN, and what fixed it was putting the IP address from the ISP into the Home networks box. I've seen others say you need to manually edit a file via shell/nano/vi, but this worked for me.

Settings > Advanced Mode on > Home networks > Enter WAN IP into box


Came over from pfSense and I'm used to the Suricata interface over there; it seems like there are many more options in the GUI, and it's nice having an auto-refresh option.

The flowbit alert is usually a rule that won't parse, something with the way it's written.
I am not getting that, though.
What is in IDS > Logging? Change the drop-down box to Informational.
You should see engine start and stop when IDS or IPS is enabled and saved,
and rules start and stop when you click Apply for rules, after about three minutes.
Is that working?
Hyperscan is optional; the default works.

Yes, put your IP or IP range in the Home networks box and clear the others.
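Two small checks that follow from the thread, written as an added example (not code from the original posts, from OPNsense or from Suricata): a parser for the "[pid] <Level> -- message" lines shown in the Intrusion Detection log view (the shape is taken from the single flowbit warning quoted in the first post), with a count per log level so you can see whether engine and rule activity is being logged at all once the logging level is raised to Informational, plus a check that the WAN IP actually falls inside the configured Home networks list, as the replies recommend. All sample log lines other than the quoted flowbit warning are constructed for this example; the home network values are placeholders.

```python
"""Sanity checks for Suricata IDS logging on OPNsense (added example).

Assumptions (not taken from the forum thread):
  - log lines follow "[pid] <Level> -- message", as the quoted flowbit
    warning does; other lines are skipped;
  - the Home networks list is a plain list of IPs / CIDR strings.
Sample log lines marked "(constructed)" are made up for this example.
"""
import ipaddress
import re
from collections import Counter

LINE_RE = re.compile(r"^\[(?P<pid>\d+)\]\s+<(?P<level>[^>]+)>\s+--\s+(?P<msg>.*)$")
FLOWBIT_RE = re.compile(r"flowbit '([^']+)' is checked but not set\. Checked in (\d+)")

# Constructed sample: the first line is the one quoted in the original post,
# the others imitate what appears once the level is set to Informational.
SAMPLE_LOG = [
    "[100837] <Warning> -- flowbit 'ET.000webhostpost' is checked but not set. Checked in 2052143 and 0 other sigs",
    "[100837] <Notice> -- (constructed) engine started",
    "[100837] <Info> -- (constructed) rule files loaded",
    "garbage line that is not in the expected format",
    "[100840] <Notice> -- (constructed) engine stopped",
]


def parse_log_lines(lines):
    """Return a list of {pid, level, msg} dicts; non-matching lines are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"pid": int(m["pid"]), "level": m["level"], "msg": m["msg"]})
    return entries


def count_by_level(entries):
    """How many lines per level; a log holding only Warning lines and no
    Notice/Info lines after enabling IDS suggests engine activity is not logged."""
    return dict(Counter(e["level"] for e in entries))


def flowbit_warnings(entries):
    """Extract (flowbit name, signature id) pairs from 'checked but not set'
    warnings; these point at the rule whose flowbit dependency is unmet."""
    found = []
    for e in entries:
        m = FLOWBIT_RE.search(e["msg"])
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def home_net_covers(home_nets, ip):
    """True if the address lies inside any entry of the Home networks list.
    Alerts depend on HOME_NET, so a WAN IP that is not covered is a likely
    cause of an empty alert list when the IDS runs on the WAN interface."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in home_nets)


if __name__ == "__main__":
    entries = parse_log_lines(SAMPLE_LOG)
    print("lines per level:", count_by_level(entries))
    print("flowbit warnings:", flowbit_warnings(entries))
    # Placeholder values: a LAN-only home net list versus one that adds the WAN IP.
    lan_only = ["192.168.1.0/24", "10.0.0.0/8"]
    print("WAN IP covered (LAN only):", home_net_covers(lan_only, "203.0.113.7"))
    print("WAN IP covered (with WAN):", home_net_covers(lan_only + ["203.0.113.7/32"], "203.0.113.7"))
```

Run it against a copy of the real log file by replacing SAMPLE_LOG with the file's lines; if the per-level count shows nothing but Warning entries after the logging level has been raised, the engine is not reporting its start/stop and rule reloads, which is the symptom the replies ask about.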