Suricata Not Finding Anything

Started by spetrillo, May 31, 2023, 05:16:38 PM

Hello all,

I have enabled Suricata on my WAN interface only. I am running in IDS/IPS mode. I am running 23.1.8. I have not had an alert hit Suricata since 5/4. While I would like to think no one malicious knows about my public IP I find it hard to believe. Has anyone been seeing the same thing I am seeing?

Thanks,
Steve

Seeing the same thing. Completely blank logs (even if I turn them up from Default). Watching traffic, I'm getting the usual 1000s of bots trying to look for vulnerabilities on my WAN side, but Suricata isn't stopping anything at all. Saw this once a while back (v19 maybe?) and it got fixed with an update, but this time around it seems to have not blocked anything in weeks... i.e., at least 2 versions.

Do you have GeoIP enabled with Maxmind?

I've seen in past forum posts that people have had success changing the pattern matcher.
Right now changing pattern matching still doesn't produce alerts.
There is something not right with the Suricata package. ET SCAN rules always generate an alert on the WAN side. Yet... blank logs?

I won't pretend to know why but I have alerts. The latest one today. In fairness they are very few. Always triggering the same rule (scanning port 445).
In my case the latest alert:
2023-06-23T06:03:44.335253+0100 2001569 blocked wan 10.82.250.89 62531 92.MY.PUBLICIP.92 445 ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
My settings are:
- rulesets downloaded and enabled in the Admin > Download tab.
- rulesets in a policy that is "enabled", action: alert, drop. New action is "drop". This in Policy > Policies tab.
Pattern is Hyperscan, Interface WAN, IPS mode enabled. Not promiscuous mode.

Because it's so infrequent and unreliable there is no way to tell if Suricata is really working or not.
Are there other things it's missing and refusing to alert on?
In my case, alerts aren't being generated when I create traffic that should trigger, especially when it triggers on other firewalls running Suricata.

Same issue:
https://forum.opnsense.org/index.php?topic=34756.0

Briefly fixed it by reinstalling the package, but it reverted to the previous behavior.

Been testing it by throwing known bad IPs at it.


One way to check is with the EICAR test file drop rule.
  • Under the Download tab, enable "OPNsense-App-detect/test"
  • Download and update rules
  • Confirm that "engine started" is listed in the logs. You must be on Notice, Informational or Debug log level to see this message.
  • Under the Rules tab, search for "eicar"
  • Verify that "OPNsense test eicar virus" has a "drop" action and "Enabled" is checked
  • Browse to http://www.eicar.eu
  • Click on either the "eicar.com" or "eicar.com.txt" files - but only the ones listed under HTTP. Encrypted/HTTPS links are not blocked.
  • The browser should fail to download and several "blocked" messages are logged under the Alert tab.

I just performed a test download before posting and it successfully blocked both files. I am running version 23.7.1_3.
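A small shell script, added here as an example and not taken from any post in this thread, that automates the EICAR check above: it fetches the test file with curl over plain HTTP with redirects disabled (so an upgrade to HTTPS cannot hide the test), decides from the response body whether the drop happened, and counts matching alert records in Suricata's eve.json. The eicar.com.txt URL path, the eve.json location and the sample log record are assumptions/constructed.

```shell
#!/bin/sh
# Added example: verify the OPNsense EICAR drop rule end to end.
# Assumptions: curl is installed; the test file path on www.eicar.eu and the
# eve.json location below are assumptions, override them via environment.
EICAR_URL="${EICAR_URL:-http://www.eicar.eu/eicar.com.txt}"
EVE_LOG="${EVE_LOG:-/var/log/suricata/eve.json}"

# classify_body: reads an HTTP response body on stdin and prints "passed"
# when the EICAR marker arrived intact (the IPS did NOT drop it), otherwise
# "blocked" (empty body, connection reset, or timeout all land here).
classify_body() {
    if grep -q 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE'; then
        echo passed
    else
        echo blocked
    fi
}

# eicar_probe: one plain-HTTP GET. No -L, and --proto =http, so a redirect
# to HTTPS is refused instead of silently bypassing the rule. A dropped
# stream makes curl hang, hence --max-time; any curl failure yields an
# empty body, which classify_body reports as "blocked".
eicar_probe() {
    body=$(curl -sS --proto =http --max-time 15 "$1" 2>/dev/null) || body=""
    printf '%s' "$body" | classify_body
}

# count_eicar_alerts: reads eve.json records (one JSON object per line) on
# stdin and prints how many are alerts for the OPNsense EICAR test rule.
count_eicar_alerts() {
    grep -c '"event_type": *"alert".*"signature": *"OPNsense test eicar virus"' || true
}

# Constructed sample record in eve.json shape (not a real log line), used
# only to demonstrate count_eicar_alerts; addresses are documentation ranges.
SAMPLE_EVE='{"timestamp":"2023-08-16T15:41:40.000000+0200","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.1","alert":{"action":"blocked","signature":"OPNsense test eicar virus"}}'

# Usage: sh eicar_check.sh run   (only the "run" argument touches the network)
if [ "${1:-}" = run ]; then
    echo "download: $(eicar_probe "$EICAR_URL")"
    echo "eicar alerts in $EVE_LOG: $(count_eicar_alerts < "$EVE_LOG")"
fi
```

If the download reports "passed" but the alert count is non-zero, the rule is firing in alert-only mode rather than drop; if both are empty, the engine is not seeing the traffic at all, which matches the symptom this thread describes.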

August 16, 2023, 03:41:40 PM #9 Last Edit: August 16, 2023, 03:46:55 PM by abulafia
I have enabled "OPNsense-App-detect/test" with suricata in IDS Mode. Opnsense 23.7.1_3. Suricata listening on LAN and VLAN interfaces (not WAN).

Testing eicar download via HTTP wget/curl triggers the alert. Using a browser doesn't because the browser/website switches to HTTPS automatically.

September 09, 2023, 10:59:04 PM #10 Last Edit: September 10, 2023, 10:14:17 PM by Monju0525
I am also getting nothing with Suricata on OPNsense 23.7.3. I am using WireGuard. Should Suricata be on wan or wireguard_interface? I have Zenarmor on the LAN. Ran www.eicar.eu and the payload gets downloaded with no intrusion detection alerts.

Without Zenarmor, I had Suricata on the LAN and it was working perfectly and blocking www.eicar.eu

The Suricata log:
[100247] <Warning> -- [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'wg1': Device not configured (6)
Need help on this one.