Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Intrusion detection no showing alerts
« previous
next »
Print
Pages: [
1
]
Author
Topic: Intrusion detection no showing alerts (Read 6034 times)
cancino
Newbie
Posts: 5
Karma: 0
Intrusion detection no showing alerts
«
on:
May 07, 2019, 06:19:31 pm »
Hi all
I activate Intrusion Detection, but I do not see alerts.
OPNsense 19.1.7-amd64
suricata 4.1.4
my config:
Enabled [X]
IPS mode [ ]
Promiscuous mode [X]
Pattern matcher Hyperscan
Interfaces [WAN]
the only thing I see in the log is this warning:
OPNsense meerkat: [101053] <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE (317)] - in 5.0 the default for decoder event stats will go from 'decoder. <Proto>. <Event>' to 'decoder.event. <Proto >. <event> '. See ticket # 2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
Can you help me please?
«
Last Edit: May 07, 2019, 06:28:59 pm by cancino
»
Logged
hbc
Hero Member
Posts: 501
Karma: 47
Re: Intrusion detection no showing alerts
«
Reply #1 on:
May 07, 2019, 06:35:49 pm »
Do you have any rulesets enabled and downloaded? Did you trigger something that should generate an alert?
Logged
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
cancino
Newbie
Posts: 5
Karma: 0
Re: Intrusion detection no showing alerts
«
Reply #2 on:
May 07, 2019, 06:43:37 pm »
Yes, I downloaded all the rules and enabled them
Logged
hbc
Hero Member
Posts: 501
Karma: 47
Re: Intrusion detection no showing alerts
«
Reply #3 on:
May 07, 2019, 06:45:37 pm »
And did you generate traffic that should match rules and create alerts?
No alerts can just mean that no suspicious traffic is present, what would be great.
Logged
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
cancino
Newbie
Posts: 5
Karma: 0
Re: Intrusion detection no showing alerts
«
Reply #4 on:
May 07, 2019, 07:00:52 pm »
I will put it in a test network to validate the installation.
Thank you very much for the help
Logged
alexey
Newbie
Posts: 2
Karma: 0
Re: Intrusion detection no showing alerts
«
Reply #5 on:
August 05, 2019, 12:54:53 pm »
Hi.
I have the same issue with OPNSense 19.7.1-amd64 FreeBSD 11.2-release-p11-HBSD.
I try to use Suricata (4.1.4_3) on VMWare virtual machine (ESXi 6.5). Network card that I use is VMXNET3 with inheritance in Promiscuous mode inherited from Virtual switch. (-WAN interface)
My Config : Enabled
IPS mode []
Promiscuous mode
Pattern matcher [Aho-Corasick]
Interface [WAN]
Some Rulesets were installed and rules enabled (ET open/emerging-icmp,icmp_info,scan,sql,misc).
I tried to test system by ping request and by port 1433 scanning and did not received in this configuration any Alerts.
Rules for check - "ET SCAN Suspicious inbound to MSSQL port 1433"
and "Protocol-ICMP Ping"
Any hints, ideas? What's wrong?
thanks
Logged
bunchofreeds
Full Member
Posts: 203
Karma: 11
Re: Intrusion detection no showing alerts
«
Reply #6 on:
August 05, 2019, 11:07:55 pm »
Does it alert on the LAN interface?
I cannot use WAN as I use PPPoE, which unfortunately does not work with IPS on FreeBSD.
There was some effort in resolving this in the past, but it seems to have dropped down the priority list.
LAN when using IPS works fine in my situation however. WAN would just be 'nice to have'
Logged
alexey
Newbie
Posts: 2
Karma: 0
Re: Intrusion detection no showing alerts
«
Reply #7 on:
August 06, 2019, 03:07:53 pm »
It's WAN interface.(Virtual netcard).
I installed PFSense in the same VM configuration and Suricata works fine.
Also, if instead of Virtual network card I use physical network card, like WAN interface, OPNsense Suricata works perfectly.
I will be appreciate for any ideas.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Intrusion detection no showing alerts