No IDS Alerts + Flowbit Warnings – How to Properly Test If Suricata is Working?

Started by MrHappyHippo, June 08, 2025, 03:06:34 PM



Hey everyone,

I recently enabled Suricata IDS on my setup, and I'm running into a couple of issues that I'm not sure how to properly diagnose or fix.

First off, I'm not seeing any alerts, even though I suspect my network isn't totally clean.

I did enter the et_telemetry.token under Services > Intrusion Detection, and I can confirm Suricata is running.

However, just enabling it doesn't seem to make it actually do anything useful — or at least I'm not getting any alerts/logs that indicate it's catching threats.

Additionally, I'm seeing a bunch of flowbit-related warnings in the logs, like these:
2025-06-08T06:36:45 Notice suricata [100780] <Notice> -- Threads created -> W: 16 FM: 1 FR: 1   Engine started.
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023672 and 1 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.http.binary' is checked but not set. Checked in 2029335 and 1 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.DMTP_Protocol' is checked but not set. Checked in 2858384 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.HTA.Download' is checked but not set. Checked in 2816701 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.http.javaclient' is checked but not set. Checked in 2015657 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
2025-06-08T06:30:32 Notice suricata [100780] <Notice> -- Syslog: facility local5, level Info, ident suricata
2025-06-08T06:30:31 Notice suricata [100460] <Notice> -- This is Suricata version 7.0.10 RELEASE running in SYSTEM mode

It looks like certain rules are being loaded that rely on other rules setting flowbits that aren't active?

So I have a few questions I hope someone can help me with:

How can I confirm that Suricata is actively inspecting traffic and generating alerts correctly?
Is there a step-by-step tutorial or test method (e.g. safe malicious payload or simulated attack) I can use?

Do I need to manually enable or add the rules that set these flowbits? Or is this normal?

Is there a known-good ruleset I should be using (e.g. Emerging Threats Open vs. Pro) that avoids this issue?

Would appreciate any help or pointers — just trying to make sure this is actually working and not just burning CPU for no reason 😅

Thanks in advance!

My understanding is that flowbit warnings can be ignored. If you're not running any servers, don't have open ports, and you're only running it on LAN then I don't think you're going to see much. Another reason you won't see much is because 90% or more of your traffic is likely encrypted, which Suricata can't monitor... a key reason many people don't bother running it at all.

To test your configuration, enable rule "OPNsense-App-detect/test". Then open PowerShell and copy/paste this and press enter:

$url  = "http://pkg.opnsense.org/test/eicar.com.txt"   # absolute URI; must be plain HTTP so the IDS can see the EICAR string
$dest = "C:\temp\eicar.com.txt"
New-Item -ItemType Directory -Force -Path (Split-Path $dest) | Out-Null   # make sure C:\temp exists
Invoke-RestMethod -Uri $url -OutFile $dest

It should hang up, and an alert will be generated saying "OPNsense test eicar virus".
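If the fetch above produces no alert, the quickest way to tell why is to look at what Suricata actually logged around it. The script below is an added example written for this thread, not code from the forum post or from OPNsense. It reads Suricata's EVE JSON log (assumed to live at /var/log/suricata/eve.json, the usual OPNsense location; adjust the path if yours differs) and separates three cases: the test alert fired, HTTP to pkg.opnsense.org was seen but no alert (rule not enabled or rules not reloaded), or only a TLS session to that host was seen (the download went over HTTPS, so the EICAR string was never visible to the engine). The sample EVE lines embedded at the bottom are constructed for the demo, not real captures.

```python
"""Diagnose the OPNsense EICAR test from Suricata's eve.json.

Added example for this thread (not OPNsense or forum code). Assumptions:
eve.json is at /var/log/suricata/eve.json, and the test rule's alert text
contains "OPNsense test eicar virus" as stated in the reply above.
"""
import json
import sys
from typing import Iterable

TEST_HOST = "pkg.opnsense.org"
TEST_SIGNATURE = "OPNsense test eicar virus"
DEFAULT_EVE = "/var/log/suricata/eve.json"   # assumed OPNsense path


def analyse(lines: Iterable[str]) -> dict:
    """Count EVE records related to the test host and give a one-line verdict."""
    http_seen = tls_seen = alert_seen = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue                      # tolerate a truncated or partial line
        etype = ev.get("event_type")
        if etype == "http" and ev.get("http", {}).get("hostname") == TEST_HOST:
            http_seen += 1                # engine parsed cleartext HTTP to the test host
        elif etype == "tls" and ev.get("tls", {}).get("sni") == TEST_HOST:
            tls_seen += 1                 # only a TLS handshake: payload is encrypted
        elif etype == "alert" and TEST_SIGNATURE in ev.get("alert", {}).get("signature", ""):
            alert_seen += 1

    if alert_seen:
        verdict = "OK: test alert fired, Suricata is inspecting this traffic"
    elif http_seen:
        verdict = "HTTP to test host seen but no alert: enable OPNsense-App-detect/test and reload the rules"
    elif tls_seen:
        verdict = "only TLS to test host seen: fetch over plain http://, the payload is invisible inside HTTPS"
    else:
        verdict = "no traffic to test host logged: check the IDS interface and that the client sits behind it"
    return {"http_seen": http_seen, "tls_seen": tls_seen,
            "alert_seen": alert_seen, "verdict": verdict}


def main(path: str = DEFAULT_EVE) -> int:
    """Exit 0 if the test alert is present, 1 if not, 2 if the log is missing."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            result = analyse(fh)
    except FileNotFoundError:
        print(f"{path} not found; pass the eve.json path as the first argument", file=sys.stderr)
        return 2
    print(json.dumps(result, indent=2))
    return 0 if result["alert_seen"] else 1


# Constructed eve.json lines (not real captures) covering the three situations.
SAMPLE_HTTP_NO_ALERT = [
    '{"timestamp":"2025-06-08T06:40:01.000000+0000","event_type":"http",'
    '"src_ip":"192.168.1.50","dest_ip":"203.0.113.10","http":{"hostname":"pkg.opnsense.org",'
    '"url":"/test/eicar.com.txt","http_method":"GET","status":200}}',
]
SAMPLE_TLS_ONLY = [
    '{"timestamp":"2025-06-08T06:41:01.000000+0000","event_type":"tls",'
    '"src_ip":"192.168.1.50","dest_ip":"203.0.113.10","tls":{"sni":"pkg.opnsense.org","version":"TLS 1.3"}}',
]
SAMPLE_ALERT = SAMPLE_HTTP_NO_ALERT + [
    '{"timestamp":"2025-06-08T06:40:01.100000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.10","dest_ip":"192.168.1.50","alert":{"action":"allowed",'
    '"signature":"OPNsense test eicar virus"}}',
]

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_EVE))
```

Run it on the firewall right after the fetch (`python3 eicar_check.py /var/log/suricata/eve.json`). A curl-based fetch that follows a redirect to https:// lands in the "only TLS seen" branch, which is the same blind spot the reply describes for encrypted traffic in general.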

Thanks for the suggestion. I actually already tried that using curl, but it didn't trigger anything in OPNsense.