Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
19.1 Legacy Series
»
IPS/Suricata does not show alerts in 19.1
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPS/Suricata does not show alerts in 19.1 (Read 6358 times)
soleilblanc
Newbie
Posts: 6
Karma: 1
IPS/Suricata does not show alerts in 19.1
«
on:
February 20, 2019, 01:36:10 pm »
Hello All,
Under IDS/Administration/Alerts, the logs are rotating but show empty since the upgrade to 19.1 (system was rock solid before the upgrade).
The /var/log/suricata/eve.json are empty, the stats.log accumulate the starts as normal.
So far, i've restarted the service, deactivated syslog and re-activated it.
under the IDS/Log file i see those errors
ERRCODE: SC_WARN_FLOWBIT(306)
Any help is appreciated
Jon
Logged
Shuttle DH-110 G4560 | 8G
bmail
Newbie
Posts: 37
Karma: 1
Re: IPS/Suricata does not show alerts in 19.1
«
Reply #1 on:
February 20, 2019, 02:02:03 pm »
Hello,
Try to deactivate Snort VRT rules.
I was using the 29120 version, and it seems suricata does not love it.
Since giving up snort rules, no more ERRCODE: SC_WARN_FLOWBIT(306) and suricata just works well.
Bertrand
Logged
donatom3
Jr. Member
Posts: 69
Karma: 11
Re: IPS/Suricata does not show alerts in 19.1
«
Reply #2 on:
February 20, 2019, 11:08:54 pm »
I have the same issue and I don't have the snort rules even installed. I'm using the ET Telemetry edition with a couple of the opnsense rules.
No error in the log for suricata either that I could see. I even tried causing some alerts by using the opnsense social media ruleset and it won't pickup anything in the log either.
Logged
soleilblanc
Newbie
Posts: 6
Karma: 1
Re: IPS/Suricata does not show alerts in 19.1
«
Reply #3 on:
February 21, 2019, 03:34:06 am »
Only using some abuse and some ET for rulesets. So no snort here either.
Logged
Shuttle DH-110 G4560 | 8G
crt333
Jr. Member
Posts: 56
Karma: 0
Re: IPS/Suricata does not show alerts in 19.1
«
Reply #4 on:
March 05, 2019, 12:30:45 am »
I'm surprised this thread went quiet because I'm still not seeing alerts on 19.1.2, except for "ET INFO Session Traversal Utilities for NAT (STUN Binding Request)". That's the only thing I saw all of Feb, while usually I see a lot of activity in the alerts list.
Using ET Telemetry and abuse.ch rules, tried both Aho-Corasick and Hyperscan, no difference.
Did it start working for the other people that posted here?
Logged
soleilblanc
Newbie
Posts: 6
Karma: 1
Re: IPS/Suricata does not show alerts in 19.1
«
Reply #5 on:
March 05, 2019, 02:28:38 am »
Still broken here. Since there's so few answers, i'll probably do a fresh install over a weekend and restore my backup. I suspect it may not impact everyone so likely something got weird in the upgrade process to 19.
I'll follow up my post when/if i have resolve.
Sol
Logged
Shuttle DH-110 G4560 | 8G
newsense
Hero Member
Posts: 1038
Karma: 77
Re: IPS/Suricata does not show alerts in 19.1
«
Reply #6 on:
March 05, 2019, 04:52:11 am »
I just noticed the same behavior, tried reinstalling but nothing changed
Logged
Mks
Sr. Member
Posts: 272
Karma: 19
Re: IPS/Suricata does not show alerts in 19.1
«
Reply #7 on:
March 05, 2019, 06:09:08 am »
Same issue here, started also a thread
https://forum.opnsense.org/index.php?topic=11901.0
br
Logged
soleilblanc
Newbie
Posts: 6
Karma: 1
Re: IPS/Suricata does not show alerts in 19.1
«
Reply #8 on:
May 30, 2019, 09:05:34 pm »
Still didnt have time to get around doing an upgrade.
My setup does not use pppoe, it's plain ethernet from the modem so IPS should be working.
Sol
Logged
Shuttle DH-110 G4560 | 8G
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
19.1 Legacy Series
»
IPS/Suricata does not show alerts in 19.1
