Suricata results

Started by dave, February 13, 2020, 04:07:48 PM

February 13, 2020, 04:07:48 PM Last Edit: February 13, 2020, 04:16:54 PM by dave
I'm seeing results that make me wonder to what extent Suricata is really operating.

I have PPPoE WAN, so I'm running Suricata on the LAN and WLAN:

First I tried adding FB's SHA1 fingerprint to a custom rule:

Then, using Edge, browsed to FB and it loaded without alerting; changing from alert to drop didn't help.
I did clear Edge's caches beforehand, just to make sure.

I then took a closer look at OPNsense-App-detect/media-streaming which, afaict, is a DNS filter.

I downloaded it and enabled it to block, restarted both OPNsense and Pi-Hole DNS services to clear their caches, then cleared Edge's caches, and was still able to browse to Netflix and YouTube.

I then enabled OPNsense-App-detect/test to block and tried downloading the Eicar test:

So that worked, but over port 80.

Do I really need to enable full MiTM SSL inspection? I believed some of these rules worked fine without this as they inspected packet headers, or SSL fingerprints, or matched traffic against an IP or DNS blacklist?

Anyone able to shed some light on this, so I better understand how this product works?

Many thanks.
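The question above turns on which parts of a Suricata rule can be evaluated without decrypting TLS. As an added example (not from the original post, OPNsense or the Suricata project), the Python below parses a handful of constructed rules in Suricata syntax and sorts each one by what it matches on: a sticky buffer that is visible on the wire even for encrypted sessions (`tls.cert_fingerprint`, `tls.sni`, `dns.query`), an HTTP buffer that only exists for plaintext HTTP (port 80) or decrypted traffic, a bare `content` match against raw payload, or header-only fields such as the IP block list. The rule text, SIDs and the certificate fingerprint are all made up for the example.

```python
"""Sort Suricata rules by what they can match on (constructed example, not project code)."""
import re

# Sticky buffers populated from handshake or DNS metadata that is visible without MITM.
VISIBLE_ON_TLS = {
    "tls.cert_fingerprint": "SHA1 of the server certificate seen in the TLS handshake",
    "tls.sni": "server name from the ClientHello",
    "tls.cert_subject": "subject of the server certificate",
    "dns.query": "question name in a DNS request",
}
# Buffers that only exist when Suricata can see plaintext HTTP (port 80 or decrypted).
NEEDS_PLAINTEXT = {"http.uri", "http.host", "http.header", "http.request_body",
                   "http.response_body", "file_data"}

# action proto src sport -> dst dport ( options )
RULE_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+[^(]*\((?P<opts>.*)\)\s*$")


def parse_rule(line):
    """Split one rule into action, protocol, bare keywords (sticky buffers/modifiers)
    and key:value options.  Returns None for lines that are not rules."""
    m = RULE_RE.match(line)
    if not m:
        return None
    keywords, meta = [], {}
    for opt in (o.strip() for o in m.group("opts").split(";")):
        if not opt:
            continue
        if ":" in opt:                       # e.g. content:"..."  sid:9000001
            key, value = opt.split(":", 1)
            meta[key.strip()] = value.strip().strip('"')
        else:                                # e.g. tls.cert_fingerprint  nocase
            keywords.append(opt)
    return {"action": m.group("action"), "proto": m.group("proto"),
            "keywords": keywords, "meta": meta}


def classify(rule):
    """Return how the rule's match criteria relate to encryption."""
    kws = set(rule["keywords"])
    if kws & VISIBLE_ON_TLS.keys():
        return "visible-on-tls"        # works on TLS without decryption
    if kws & NEEDS_PLAINTEXT or rule["proto"] == "http":
        return "needs-plaintext"       # only fires on HTTP/80 or decrypted traffic
    if "content" in rule["meta"] or "pcre" in rule["meta"]:
        return "raw-payload"           # matches bytes that are encrypted on TLS ports
    return "header-only"               # IP/port/protocol fields only


def report(lines):
    """Map each rule's sid to its classification; non-rule lines are skipped."""
    out = {}
    for line in lines:
        rule = parse_rule(line)
        if rule is not None:
            out[rule["meta"].get("sid", "?")] = classify(rule)
    return out


# Constructed rules mirroring the three cases discussed: a certificate fingerprint rule,
# a DNS-name rule, an EICAR content rule, a raw-payload rule on 443 and an IP block list.
SAMPLE_RULES = [
    '# comment lines are ignored',
    'alert tls any any -> any any (msg:"constructed cert fingerprint rule"; '
    'tls.cert_fingerprint; content:"aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd"; '
    'sid:9000001; rev:1;)',
    'alert dns any any -> any any (msg:"constructed dns rule"; dns.query; '
    'content:"example.net"; nocase; sid:9000002; rev:1;)',
    'alert http any any -> any any (msg:"constructed EICAR rule"; file_data; '
    'content:"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"; sid:9000003; rev:1;)',
    'alert tcp any any -> any 443 (msg:"constructed raw payload rule"; '
    'content:"example"; sid:9000004; rev:1;)',
    'drop ip 203.0.113.0/24 any -> any any (msg:"constructed block list"; sid:9000005; rev:1;)',
]

if __name__ == "__main__":
    for sid, kind in report(SAMPLE_RULES).items():
        print(f"sid {sid}: {kind}")
```

Two caveats worth keeping in mind when reading the output: a `tls.cert_fingerprint` rule can only fire if the Certificate message is visible, which is not the case in TLS 1.3 (the certificate is sent encrypted) or on resumed sessions, whereas `tls.sni` and `dns.query` stay visible; and a rule that is syntactically fine still has to be loaded on the interface that actually carries the traffic, so `suricata -T` (configuration test) and a look at the alert log for the rule's own sid are the first checks before suspecting the match logic.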