IPS not alerting

Started by michmoor, June 23, 2023, 03:53:29 AM

Coming from a pfSense box running Suricata, I know which rules would generate alerts on my network and which won't. Very consistent behavior.

Moving to OPNsense, I enabled the ruleset for UserAgents. The expectation is that when I run the following command within my Linux terminal it will generate an alert: 'curl -A "BlackSun" google.com'
This is not occurring.
What I have done so far:
Enabled IPS mode
Enabled Suricata on my WAN interface
Using advanced mode, I placed my WAN address as part of the home network
Created a Policy which includes my UserAgent rules, which is enabled and set for Alert, Drop.

Additionally, because this is running on my WAN, I enabled the SCAN rule set as I know I am being harassed on the interface. This is all for testing purposes to make sure Suricata is functioning and will be turned off in the future.
Why are alerts not generating? That's the mystery.

I see some past forum posts where people changed from HyperScan to something else. Will change and update the forum with the results.

Changing the pattern matcher doesn't work.
I've used so far:
Aho-Corasick
Aho-Corasick, "Ken Steele"
HyperScan

There is absolutely no way the ET SCAN rule is not triggering on the WAN. Impossible.
I am even triggering LAN-side alerts using the following from bash: 'curl -A "BlackSun" www.google.com'
This always triggers on pfSense or when I span a port to my security onion instance.

As has been mentioned in past posts, there is something wrong with the Suricata package here. The fact it's not picking up on any flow on known rules that trigger alerts indicates an issue with the implementation.
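One way to narrow a "no alert" result like the one described in the posts above is to check the EVE log for the HTTP transaction itself, not only for alert records: if Suricata logged the request carrying the test User-Agent but no alert, the rule or policy is the problem; if it logged no such request at all, the sensor is not seeing the flow on that interface. The script below is an added example, not code from this thread or from OPNsense/Suricata. It parses newline-delimited eve.json records (Suricata's EVE JSON format) and classifies a test run. The log lines, the interface name igb0, the addresses and the signature text in the sample are constructed for the example.

```python
import json
import sys

# Constructed sample eve.json lines (not from the forum thread). Field names
# follow Suricata's EVE JSON format; interface, addresses and the signature
# text are made up for this example, and the last line is deliberately
# truncated to mimic a record that is still being written.
SAMPLE_WITH_ALERT = """\
{"timestamp":"2023-06-23T03:40:01.000000+0000","flow_id":1,"in_iface":"igb0","event_type":"http","src_ip":"198.51.100.10","dest_ip":"203.0.113.20","dest_port":80,"proto":"TCP","http":{"hostname":"www.example.com","url":"/","http_user_agent":"BlackSun","http_method":"GET"}}
{"timestamp":"2023-06-23T03:40:01.000100+0000","flow_id":1,"in_iface":"igb0","event_type":"alert","src_ip":"198.51.100.10","dest_ip":"203.0.113.20","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature":"CONSTRUCTED USER_AGENTS Suspicious User Agent (BlackSun)","category":"A Network Trojan was detected","severity":1},"http":{"hostname":"www.example.com","url":"/","http_user_agent":"BlackSun"}}
{"timestamp":"2023-06-23T03:41:15.000000+0000","flow_id":2,"in_iface":"igb0","event_type":"http","src_ip":"198.51.100.10","dest_ip":"203.0.113.21","dest_port":80,"proto":"TCP","http":{"hostname":"www.example.com","url":"/index.html","http_user_agent":"curl/8.1.2","http_method":"GET"}}
{"timestamp":"2023-06-23T03:4
"""

_LINES = SAMPLE_WITH_ALERT.splitlines()
SAMPLE_NO_ALERT = "\n".join([_LINES[0], _LINES[2]])  # request logged, no alert
SAMPLE_NOT_SEEN = _LINES[2]                           # only the plain curl request


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank and truncated lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial record at the tail of a live log
    return events


def http_requests_with_ua(events, needle):
    """HTTP transactions whose User-Agent contains `needle`.

    A hit means Suricata saw and parsed the request, independent of any rule.
    """
    hits = []
    for ev in events:
        if ev.get("event_type") != "http":
            continue
        ua = ev.get("http", {}).get("http_user_agent", "")
        if needle in ua:
            hits.append((ev.get("in_iface"), ev.get("src_ip"), ev.get("dest_ip"), ua))
    return hits


def alerts_matching(events, needle):
    """Alert records whose signature text or logged User-Agent contains `needle`."""
    hits = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        sig = alert.get("signature", "")
        ua = ev.get("http", {}).get("http_user_agent", "")
        if needle in sig or needle in ua:
            hits.append((ev.get("in_iface"), alert.get("action"), sig))
    return hits


def diagnose(text, needle="BlackSun"):
    """Classify one User-Agent test run from the EVE log contents.

    'alert'         - a rule fired; detection works for this traffic.
    'seen-no-alert' - the request was parsed but nothing matched: check that
                      the ruleset and policy are enabled and that HOME_NET /
                      EXTERNAL_NET agree with the flow direction.
    'not-seen'      - no HTTP transaction with that UA was logged: Suricata is
                      not seeing the flow on this interface (wrong interface,
                      capture mode or offloading), or the request went out over
                      TLS, where the User-Agent header is encrypted.
    """
    events = parse_eve(text)
    if alerts_matching(events, needle):
        return "alert"
    if http_requests_with_ua(events, needle):
        return "seen-no-alert"
    return "not-seen"


if __name__ == "__main__":
    # Run against a real log: python3 eve_ua_check.py /var/log/suricata/eve.json
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path).read() if path else SAMPLE_WITH_ALERT
    events = parse_eve(data)
    for hit in http_requests_with_ua(events, "BlackSun"):
        print("request seen:", hit)
    for hit in alerts_matching(events, "BlackSun"):
        print("alert:", hit)
    print("verdict:", diagnose(data))
```

The 'seen-no-alert' versus 'not-seen' distinction only works when HTTP transaction logging is enabled in the EVE output; with alert-only logging, every non-alerting flow looks like 'not-seen'. The test request also has to leave as plain HTTP: 'curl -A "BlackSun" google.com' does, but an https:// URL carries the User-Agent inside TLS and no user-agent rule can match it.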

September 23, 2023, 02:03:15 PM #3 Last Edit: September 23, 2023, 02:08:43 PM by wirefall
This is interesting, same here, no alerts. Any new findings?

EDIT: Works with EICAR, just tested.

Not to hijack, but I am on a wireguard_interface and not WAN. EICAR does not drop or send alerts. There is something wrong with Suricata. With just WAN and no WireGuard VPN connection, EICAR works fine.