IPS/Suricata does not show alerts in 19.1

soleilblanc · February 20, 2019, 01:36:10 PM

Hello All,

Under IDS/Administration/Alerts, the logs are rotating but show empty since the upgrade to 19.1 (system was rock solid before the upgrade).
The /var/log/suricata/eve.json are empty, the stats.log accumulate the starts as normal.

So far, i've restarted the service, deactivated syslog and re-activated it.

under the IDS/Log file i see those errors
ERRCODE: SC_WARN_FLOWBIT(306)

Any help is appreciated

Jon

bmail · February 20, 2019, 02:02:03 PM

Hello,

Try to deactivate Snort VRT rules.
I was using the 29120 version, and it seems suricata does not love it.
Since giving up snort rules, no more ERRCODE: SC_WARN_FLOWBIT(306) and suricata just works well.

Bertrand

donatom3 · February 20, 2019, 11:08:54 PM

I have the same issue and I don't have the snort rules even installed. I'm using the ET Telemetry edition with a couple of the opnsense rules.

No error in the log for suricata either that I could see. I even tried causing some alerts by using the opnsense social media ruleset and it won't pickup anything in the log either.

soleilblanc · February 21, 2019, 03:34:06 AM

Only using some abuse and some ET for rulesets. So no snort here either.

crt333 · March 05, 2019, 12:30:45 AM

I'm surprised this thread went quiet because I'm still not seeing alerts on 19.1.2, except for "ET INFO Session Traversal Utilities for NAT (STUN Binding Request)". That's the only thing I saw all of Feb, while usually I see a lot of activity in the alerts list.

Using ET Telemetry and abuse.ch rules, tried both Aho-Corasick and Hyperscan, no difference.

Did it start working for the other people that posted here?

soleilblanc · March 05, 2019, 02:28:38 AM

Still broken here. Since there's so few answers, i'll probably do a fresh install over a weekend and restore my backup. I suspect it may not impact everyone so likely something got weird in the upgrade process to 19.

I'll follow up my post when/if i have resolve.

Sol

newsense · March 05, 2019, 04:52:11 AM

I just noticed the same behavior, tried reinstalling but nothing changed

Mks · March 05, 2019, 06:09:08 AM

Same issue here, started also a thread https://forum.opnsense.org/index.php?topic=11901.0

br

soleilblanc · May 30, 2019, 09:05:34 PM

Still didnt have time to get around doing an upgrade.

My setup does not use pppoe, it's plain ethernet from the modem so IPS should be working.

Sol

IPS/Suricata does not show alerts in 19.1

soleilblanc

February 20, 2019, 01:36:10 PM

bmail

February 20, 2019, 02:02:03 PM #1

donatom3

February 20, 2019, 11:08:54 PM #2

soleilblanc

February 21, 2019, 03:34:06 AM #3

crt333

March 05, 2019, 12:30:45 AM #4

soleilblanc

March 05, 2019, 02:28:38 AM #5

newsense

March 05, 2019, 04:52:11 AM #6

Mks

March 05, 2019, 06:09:08 AM #7

soleilblanc

May 30, 2019, 09:05:34 PM #8