Intrusion detection not showing alerts

Started by cancino, May 07, 2019, 06:19:31 PM

May 07, 2019, 06:19:31 PM Last Edit: May 07, 2019, 06:28:59 PM by cancino
Hi all,
I activated Intrusion Detection, but I do not see alerts.

OPNsense 19.1.7-amd64
suricata 4.1.4

my config:
Enabled [X]
IPS mode  [ ]
Promiscuous mode [X]

Pattern matcher  Hyperscan

Interfaces  [WAN]


the only thing I see in the log is this warning:

OPNsense meerkat: [101053] <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE (317)] - in 5.0 the default for decoder event stats will go from 'decoder. <Proto>. <Event>' to 'decoder.event. <Proto >. <event> '. See ticket # 2225. To suppress this message, set stats.decoder-events-prefix in the yaml.

Can you help me please?

Do you have any rulesets enabled and downloaded? Did you trigger something that should generate an alert?
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

Yes, I downloaded all the rules and enabled them.

And did you generate traffic that should match rules and create alerts?
No alerts can just mean that no suspicious traffic is present, which would be great.

I will put it in a test network to validate the installation.
Thank you very much for the help.

Hi.
I have the same issue with OPNsense 19.7.1-amd64 FreeBSD 11.2-release-p11-HBSD.
I try to use Suricata (4.1.4_3) on a VMware virtual machine (ESXi 6.5). The network card I use is VMXNET3, with Promiscuous mode inherited from the virtual switch (WAN interface).
My config:
Enabled
IPS mode [ ]
Promiscuous mode
Pattern matcher [Aho-Corasick]
Interface [WAN]

Some rulesets were installed and rules enabled (ET open/emerging-icmp, icmp_info, scan, sql, misc).
I tried to test the system with a ping request and by scanning port 1433, and did not receive any alerts in this configuration.
Rules to check: "ET SCAN Suspicious inbound to MSSQL port 1433"
and "Protocol-ICMP Ping".

Any hints, ideas? What's wrong?
Thanks
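
When chasing a "no alerts" report like the one above, it helps to separate "Suricata captured nothing" from "Suricata captured packets but no rule fired" before touching rulesets. The script below is an added example, not from this thread or from OPNsense: it reads Suricata EVE JSON lines, counts alerts per signature and per input interface, and reads capture.kernel_packets from stats events. The sample lines are constructed, the signature_id values are placeholders, the interface name vmx0 is assumed, and the eve.json path is an assumption about the OPNsense layout.

```python
import json
from collections import Counter

# Constructed EVE JSON lines (not from the thread). Field layout follows
# Suricata's EVE alert/stats events; signature_id values are placeholders,
# not the real ET rule ids. in_iface "vmx0" stands for the VMXNET3 WAN port.
SAMPLE_EVE = """\
{"timestamp":"2019-08-01T10:00:01.000000+0000","event_type":"alert","in_iface":"vmx0","src_ip":"203.0.113.5","dest_ip":"198.51.100.10","proto":"ICMP","alert":{"signature_id":9000001,"signature":"Protocol-ICMP Ping","category":"Misc activity","severity":3}}
{"timestamp":"2019-08-01T10:00:02.000000+0000","event_type":"alert","in_iface":"vmx0","src_ip":"203.0.113.5","dest_ip":"198.51.100.10","dest_port":1433,"proto":"TCP","alert":{"signature_id":9000002,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2019-08-01T10:00:03.000000+0000","event_type":"flow","in_iface":"vmx0","src_ip":"203.0.113.5","dest_ip":"198.51.100.10","proto":"ICMP"}
{"timestamp":"2019-08-01T10:00:04.000000+0000","event_type":"stats","stats":{"uptime":60,"capture":{"kernel_packets":1200,"kernel_drops":0}}}
"""
EXPECTED = ["Protocol-ICMP Ping", "ET SCAN Suspicious inbound to MSSQL port 1433"]


def summarize(lines):
    """Count alerts per signature and per in_iface; keep the last
    capture.kernel_packets seen in a stats event (None if none seen)."""
    by_sig, by_iface, kernel_packets = Counter(), Counter(), None
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a half-written line at the file tail is normal; skip it
        if ev.get("event_type") == "alert":
            by_sig[ev["alert"]["signature"]] += 1
            by_iface[ev.get("in_iface", "?")] += 1
        elif ev.get("event_type") == "stats":
            kernel_packets = ev["stats"].get("capture", {}).get("kernel_packets")
    return by_sig, by_iface, kernel_packets


def diagnose(lines, expected=EXPECTED):
    """One-line verdict: nothing captured / captured but nothing matched /
    some expected rules silent / all expected rules fired."""
    by_sig, by_iface, kpkts = summarize(lines)
    missing = [s for s in expected if by_sig[s] == 0]
    if not by_sig and kpkts == 0:
        return "no alerts and capture saw 0 packets: check interface/promiscuous mode"
    if not by_sig:
        return "packets captured but no alerts: check rulesets are enabled and loaded"
    if missing:
        return "expected rules that did not fire: " + "; ".join(missing)
    return "all expected rules fired on " + ", ".join(sorted(by_iface))


if __name__ == "__main__":
    # Assumption: OPNsense writes the live log to /var/log/suricata/eve.json.
    print(diagnose(SAMPLE_EVE.splitlines()))
```

To run it against a live box, pass `open("/var/log/suricata/eve.json")` to `diagnose` instead of the sample lines, after generating the test traffic from the other side of the interface being watched.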

Does it alert on the LAN interface?

I cannot use WAN as I use PPPoE, which unfortunately does not work with IPS on FreeBSD.
There was some effort in resolving this in the past, but it seems to have dropped down the priority list.

LAN when using IPS works fine in my situation, however. WAN would just be 'nice to have'.

It's the WAN interface (virtual network card).
I installed pfSense in the same VM configuration and Suricata works fine.
Also, if instead of the virtual network card I use a physical network card as the WAN interface, OPNsense Suricata works perfectly.
I would appreciate any ideas.