Suricata pppoe connection, no longer alerts?

[RamSense]

I have just switched ISP to a pppoe fiber connection.
I noticed that it looks like suricata is no longer working / getting alerts in the log. I have suricata on WAN and zenarmor on LAN

I have tried Promiscuous mode enabled and disabled, but no difference.

Does somebody knows how to make suricata to work again? What settings do I have to change? Or is suricata still not available on pppoe ?

[annoniempjuh]

IPS doesn't work with PPPoE, Only IDS works.

[RamSense]

Thanks for your reply. That's a big bummer. Hopefully it will be added, first posts about this was years ago, so i was hoping that it was resolved.

For de IDS to work with pppoe, must I have Promiscuous mode enabled?

[annoniempjuh]

i don't know if you need to enabled it, but on my system its enabled and Suricata works fine on a PPPoE connection

[RamSense]

thnx, I have Promiscuous enabled and have IDS working.

now hoping that IPS is coming to suricata / opnsense someday soon for PPPOE :-0

[RamSense]

@annoniempjuh I just noticed something strange, and I am wondering if you are seeing the same.
In the suricata Alerts log, i see the triggered events, but in stead of them being blocked it says "allowed" ???
When i click on info it says: Configured action "enabled" and Drop.

So how to check if it is a alert log error on pppoe or that the events actually not being dropped but allowed?

Are you seeing the same?

[annoniempjuh]

IDS means, its only detecting it, not blocking.
Blocking only happens with IPS..

IPS: intrusion prevention system
IDS: intrusion detection system

[RamSense]

Ah, of course it is.... thnx.
Well than the only part left is waiting for Suricata to support pppoe

[annoniempjuh]

it's in netmap, not suricata.
Suricata and Zenarmor use netmap

[RamSense]

yeah its netmap or Suricata and Zenarmor being able to run both/together on the LAN