Suricata doesn't filter anything with telemetry pro

[jean.paradis]

Intrusion detection does not appear to be working.
I followed all the step by step on the wiki and even more check on other forums.
I also use Sensei.
I have no alert in suricata. all its list activate even AND Telemetry Pro.
I did a nmap test on the router and no alert.
I create a user rule with the facebook print and no alert.


I set up suricata on the WAN interface.
I set up Sensei on the LAN interface.
I did disable hardware acceleration on everything.


Picture IDS:
https://ibb.co/n1QSBys
https://ibb.co/tpbS6fW

Sensei:
https://ibb.co/qLGqrd7

Opensense Firmware:
https://ibb.co/YTrQdWY

Thank you for your help, if you need information. or if there is a way I send my config its will please me.

[jean.paradis]

Hello, after further verification. I found that must add the ip of the wan when you activate this on the Wan. must now I find a solution given my ip is dynamic and it does not take domain name.


help find out on:
https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/

[ascii]

i have the same problem.
i have an internet connection via cable from a ISP in Germany.

not the best solution but i ended up looking up the ip ranges of the ISP which they are handing out to customers.
i just added the subnets as local. Not nice but that way it is working for me.

[marshalleq]

Yeah, I think this is happening to most people and they just don't realise.  My posts about it have been met with no replies and I suspect unfortunately the experience (or the will) does not exist in these forums.  Good on you for going out of here, I shall join you to see if I can solve it for me too.

[marshalleq]

Sadly, while there was one step missing, it still doesn't work.

[jean.paradis]

 show me screenshots of your configuration   marshalleq

[dia4]

Hello, after further verification. I found that must add the ip of the wan when you activate this on the Wan. must now I find a solution given my ip is dynamic and it does not take domain name.


Hallo jean.paradis, you not need to add WAN's ip in IDS (Suricata) administrator section, the IDS Interfaces menu is automatic populated. You have to choose only which interfaces to use.

Take a look on my setup.



Maybe you have to wait some time before somethings happen and is reported on Suricata Alerts. Or you can test your IDS following the infos on this post:
https://forum.opnsense.org/index.php?topic=6514.msg27965#msg27965

My IDS Alert shows me this:


Ciao

[jean.paradis]

dia4


For you its works because it's setting up on the lan and private address its setting up default in advanced options. but I use sensei so I can only use on the wan. if you activate only on the wan it is mandatory to put the IP manually otherwise there is going to be no detection.


see the capture, the ip's the default

[dia4]

I can confirm you that Suricata works and detects alerts when listening only on WAN interface too.
I have made a test for you, changing Suricata interface only on WAN and setting up Sensei to listen on the LAN side.
Then i have checked with the isd test i told you and how you can see Alerts are listed on Suricata.

(From the manual i see that you need Advanced mode/Home network setup only if your lan ip address are different from an RFC1918 network.)

Ciao

[burntoc]

I can confirm you that Suricata works and detects alerts when listening only on WAN interface too.
I have made a test for you, changing Suricata interface only on WAN and setting up Sensei to listen on the LAN side.
Then i have checked with the isd test i told you and how you can see Alerts are listed on Suricata.

I know this is a bit of an older thread, but I have been dealing with this over the last few days and I can confirm that while my other interfaces showed traffic without my ISP-assigned address, the WAN interface would not.  When I add that to local addresses it does show alerts, primarily STUN/NAT activity.