Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Suricata pppoe connection, no longer alerts?
« previous
next »
Print
Pages: [
1
]
Author
Topic: Suricata pppoe connection, no longer alerts? (Read 2341 times)
RamSense
Hero Member
Posts: 595
Karma: 10
Suricata pppoe connection, no longer alerts?
«
on:
December 24, 2022, 12:53:32 pm »
I have just switched ISP to a pppoe fiber connection.
I noticed that it looks like suricata is no longer working / getting alerts in the log. I have suricata on WAN and zenarmor on LAN
I have tried Promiscuous mode enabled and disabled, but no difference.
Does somebody knows how to make suricata to work again? What settings do I have to change? Or is suricata still not available on pppoe ?
«
Last Edit: December 24, 2022, 01:29:05 pm by RamSense
»
Logged
annoniempjuh
Jr. Member
Posts: 56
Karma: 1
Re: Suricata pppoe connection, no longer alerts?
«
Reply #1 on:
December 25, 2022, 03:56:29 pm »
IPS doesn't work with PPPoE, Only IDS works.
Logged
RamSense
Hero Member
Posts: 595
Karma: 10
Re: Suricata pppoe connection, no longer alerts?
«
Reply #2 on:
December 25, 2022, 07:38:13 pm »
Thanks for your reply. That's a big bummer. Hopefully it will be added, first posts about this was years ago, so i was hoping that it was resolved.
For de IDS to work with pppoe, must I have Promiscuous mode enabled?
Logged
annoniempjuh
Jr. Member
Posts: 56
Karma: 1
Re: Suricata pppoe connection, no longer alerts?
«
Reply #3 on:
December 26, 2022, 11:30:03 am »
i don't know if you need to enabled it, but on my system its enabled and Suricata works fine on a PPPoE connection
Logged
RamSense
Hero Member
Posts: 595
Karma: 10
Re: Suricata pppoe connection, no longer alerts?
«
Reply #4 on:
December 26, 2022, 11:59:45 am »
thnx, I have Promiscuous enabled and have IDS working.
now hoping that IPS is coming to suricata / opnsense someday soon for PPPOE :-0
Logged
RamSense
Hero Member
Posts: 595
Karma: 10
Re: Suricata pppoe connection, no longer alerts?
«
Reply #5 on:
December 27, 2022, 07:27:28 am »
@annoniempjuh I just noticed something strange, and I am wondering if you are seeing the same.
In the suricata Alerts log, i see the triggered events, but in stead of them being blocked it says "allowed"
When i click on info it says: Configured action "enabled" and Drop.
So how to check if it is a alert log error on pppoe or that the events actually not being dropped but allowed?
Are you seeing the same?
Logged
annoniempjuh
Jr. Member
Posts: 56
Karma: 1
Re: Suricata pppoe connection, no longer alerts?
«
Reply #6 on:
January 11, 2023, 01:20:43 am »
IDS means, its only detecting it, not blocking.
Blocking only happens with IPS..
IPS: intrusion prevention system
IDS: intrusion detection system
Logged
RamSense
Hero Member
Posts: 595
Karma: 10
Re: Suricata pppoe connection, no longer alerts?
«
Reply #7 on:
January 11, 2023, 07:30:07 am »
Ah, of course it is.... thnx.
Well than the only part left is waiting for Suricata to support pppoe
Logged
annoniempjuh
Jr. Member
Posts: 56
Karma: 1
Re: Suricata pppoe connection, no longer alerts?
«
Reply #8 on:
January 11, 2023, 05:41:01 pm »
it's in netmap, not suricata.
Suricata and Zenarmor use netmap
Logged
RamSense
Hero Member
Posts: 595
Karma: 10
Re: Suricata pppoe connection, no longer alerts?
«
Reply #9 on:
January 11, 2023, 07:04:35 pm »
yeah its netmap or Suricata and Zenarmor being able to run both/together on the LAN
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Suricata pppoe connection, no longer alerts?