can't get ANY alerts under Intrusion Detection

Started by knight2f6, December 24, 2022, 11:27:41 PM

December 24, 2022, 11:27:41 PM Last Edit: December 25, 2022, 09:18:19 AM by knight2f6
I have reviewed all the materials that I could find and all the related how-to videos and still can't get this to work properly. I used to have this working under pfSense but once I moved to OPNsense nothing seems to be working!! This is a clean install, but an export/import.

I have enabled the IDS mode only, have over 220k rules enabled (so I know something has got to match), have set myself in Promiscuous mode, defined my home network, set my interface to LAN, have disabled all hardware offloading (which should not have an impact since I only alert and don't use the IPS mode), and yet my Alerts tab is completely empty.

I am using a Protectli 6 port firewall, if that makes a difference.

what am I missing here? thanks

I'm in a similar boat and I don't get it either. Suricata is running. The webui restart option doesn't appear to do a restart, i.e. the PID on the firewall does not change, but start and stop do work from the web UI. I'm on the latest release as of 2022-01-04 but no alerts are getting generated or logged from anything.
With similar rules under pfsense I had a lot of hits. It is acting as if the rules claiming to be enabled are not actually enabled. That currently doesn't make much sense to me.

I might have figured it out. I am running Zenarmor which binds to the same interface. I "believe" that Zenarmor is receiving the packets and does not forward them to the next module, Suricata. I suspect that if I uninstall Zenarmor then Suricata would start working. I say suspect, because I decided I would rather keep Zenarmor and use that and did not want to go through uninstalling it to test the hypothesis. So, if you have other solutions that bind to your interface, try removing them and see if Suricata can work as a standalone module that has control of the interface.
good luck.

January 04, 2023, 08:30:32 PM #3 Last Edit: January 04, 2023, 08:39:07 PM by Frostbite8289
Not sure about Zenarmor. I've made progress to the point where I got a test "alert" to log and alert with OPNSense. This quick start URL was helpful: https://suricata.readthedocs.io/en/suricata-6.0.9/quickstart.html#alerting
Most of it doesn't apply because things are already installed but the alerting test and log checks are helpful.
In particular under 2.5 alerting I was able to get the test alert to log and alert for both LAN and WAN.
I watched the logs using the 2.6 method.

I had done the following:
1. Under Services: Intrusion Detection: Administration I clicked Download and selected and enabled the various rules I wanted. In particular, for the test alert the "ET open/emerging-attack_response" rule set is needed.
2. Under Services: Intrusion Detection: Policy I created and enabled a rule which set all the downloaded rules to Alert mode initially.
3. I setup a daily "Download and update intrusion detection rules" automatic cron job using System: Settings: Cron.
4. I did a "pkg install jq" from a root shell in order to read an alert as per section 2.6 of that quick start guide.
5. Under settings I checked the following: Enabled, Promiscuous mode, Enable syslog alerts, Enable eve syslog output. I also set pattern matcher to Hyperscan and under Interfaces entered both my LAN and WAN interfaces.

Eventually I enabled IPS mode after the hardware offloading was confirmed off and switched what I created in point 2 above from Alert to Drop.
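The post above checks alerts by reading eve.json with jq, as in section 2.6 of the Suricata quickstart. The script below is an added example, not from the thread or from the OPNsense project, that does the same check without jq: it filters the line-delimited EVE log down to event_type "alert", prints each alert in a fast.log-like line, and reports whether the quickstart's test signature (sid 2100498, "GPL ATTACK_RESPONSE id check returned root", from the ET open attack_response set) has appeared. The log path /var/log/suricata/eve.json is assumed rather than taken from the thread, and the sample EVE lines embedded in the script are constructed so it runs offline.

```python
"""Summarise Suricata EVE alerts, the check the quickstart does with jq.

Added example, not code from the forum thread or from OPNsense. Assumes the
EVE log lives at /var/log/suricata/eve.json (an assumption, not verified here)
and that the "ET open/emerging-attack_response" rule set is loaded, so the
quickstart's testmynids.org request fires sid 2100498.
"""
import json
import sys
from collections import Counter
from pathlib import Path

# sid of the quickstart test signature: GPL ATTACK_RESPONSE id check returned root
TEST_ALERT_SID = 2100498
DEFAULT_EVE_PATH = "/var/log/suricata/eve.json"  # assumed OPNsense location

# Constructed sample EVE lines: a flow record (not an alert), the quickstart
# test alert in IDS mode ("allowed"), a torn/non-JSON line that must be
# skipped, and an IPS drop ("blocked"). Addresses are documentation ranges.
SAMPLE_EVE = """\
{"timestamp":"2023-01-04T20:12:01.000000+0000","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"1.1.1.1","proto":"UDP"}
{"timestamp":"2023-01-04T20:12:02.000000+0000","in_iface":"igb1","event_type":"alert","src_ip":"203.0.113.80","src_port":80,"dest_ip":"192.168.1.20","dest_port":51234,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
not json at all
{"timestamp":"2023-01-04T20:12:03.000000+0000","in_iface":"igb0","event_type":"alert","src_ip":"203.0.113.9","src_port":44321,"dest_ip":"198.51.100.2","dest_port":22,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
"""


def parse_alerts(lines):
    """Yield only event_type == "alert" records; skip blank and non-JSON lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json is line-delimited; a torn line at EOF is normal
        if ev.get("event_type") == "alert":
            yield ev


def format_alert(ev):
    """One-line rendering in the spirit of fast.log / the quickstart jq filter."""
    a = ev["alert"]
    return (f'{ev["timestamp"]} [{a["action"]}] {ev.get("in_iface", "?")} '
            f'{ev["src_ip"]}:{ev.get("src_port", "")} -> '
            f'{ev["dest_ip"]}:{ev.get("dest_port", "")} '
            f'[{a["gid"]}:{a["signature_id"]}:{a["rev"]}] {a["signature"]}')


def summarize(lines):
    """Count alerts per signature and per action; flag the quickstart test alert."""
    alerts = list(parse_alerts(lines))
    by_sig = Counter(a["alert"]["signature"] for a in alerts)
    by_action = Counter(a["alert"]["action"] for a in alerts)
    seen_test = any(a["alert"]["signature_id"] == TEST_ALERT_SID for a in alerts)
    return {"total": len(alerts), "by_signature": dict(by_sig),
            "by_action": dict(by_action), "test_alert_seen": seen_test}


if __name__ == "__main__":
    # Usage: python eve_alerts.py [/var/log/suricata/eve.json]; no arg uses the sample.
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    lines = path.read_text().splitlines() if path else SAMPLE_EVE.splitlines()
    for ev in parse_alerts(lines):
        print(format_alert(ev))
    s = summarize(lines)
    print(s)
    if not s["test_alert_seen"]:
        print(f"sid {TEST_ALERT_SID} not seen: check rule set, policy and interface binding")
```

Run it against the real log after the curl request from quickstart section 2.5. An "allowed" action on the test alert is what IDS mode produces; once the policy is switched to Drop and IPS mode is on, the same signature should show "blocked". If the file has no alert records at all while Suricata is running, the rules or the interface binding, not the log reader, are the place to look.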

Quote from: knight2f6 on January 04, 2023, 07:30:40 PM
I might have figured it out. I am running Zenarmor which binds to the same interface. I "believe" that Zenarmor is receiving the packets and does not forward them to the next module, Suricata. I suspect that if I uninstall Zenarmor then Suricata would start working. I say suspect, because I decided I would rather keep Zenarmor and use that and did not want to go through uninstalling it to test the hypothesis. So, if you have other solutions that bind to your interface, try removing them and see if Suricata can work as a standalone module that has control of the interface.
good luck.

You shouldn't run Zenarmor and Suricata on the same interface. You need to bind Suricata to the WAN interface when Zenarmor is running on LAN. Then you need to configure Suricata to also listen to the IP address of your WAN.

And it wouldn't surprise me if the OP had both services enabled on the same interface, after a little time, probably in seconds, he'd find that Zenarmor is stopped.

Why would anyone want to run an IDS on the WAN interface? Besides documenting who wanted to get into your network.
The reason for having a FW is to stop attacks and for IDS/IPS to tell you who made it through so you can do something about it. I have no doubt that there are 1000s of 1000s of attacks on the other side of the FW. If you ran an IDS on the WAN side you would be overwhelmed by alerts.

my 2 cents.

Quote from: knight2f6 on January 06, 2023, 02:13:02 AM
Why would anyone want to run an IDS on the WAN interface? Besides documenting who wanted to get into your network.
Because you can't run Zenarmor and Suricata on the same interface, that's why. Maybe in the future it's possible, but not today.

Quote from: knight2f6 on January 06, 2023, 02:13:02 AM
The reason for having a FW is to stop attacks and for IDS/IPS to tell you who made it through so you can do something about it.
A FW only checks which ports are allowed to transmit/receive traffic. The IPS is there to stop the actual attack on those ports. It can do this while running on either the LAN or the WAN interface.

Quote from: knight2f6 on January 06, 2023, 02:13:02 AM
I have no doubt that there are 1000s of 1000s of attacks on the other side of the FW. If you ran an IDS on the WAN side you would be overwhelmed by alerts.

my 2 cents.

I'm running Suricata on WAN and Zenarmor on LAN. Without ZA I would run Suricata on LAN, of course. With this configuration I see maybe 5-10 IPS alerts a day. Most of the background noise is blocked by the FW before the packets are processed by Suricata.