OPNsense Forum » English Forums » Intrusion Detection and Prevention
Topic: IPS not alerting (Read 2548 times)
michmoor (Newbie, Posts: 28, Karma: 4)
IPS not alerting « on: June 23, 2023, 03:53:29 am »
Coming from a pfSense box running Suricata, I know which rules would generate alerts on my network and which won't. Very consistent behavior.
Moving to OPNsense, I enabled the ruleset for UserAgents. The expectation is that when I run the following command within my Linux terminal it will generate an alert: curl -A "BlackSun" google.com
This is not occurring.
What I have done so far:
- Enabled IPS mode
- Enabled Suricata on my WAN interface
- Using advanced mode, I placed my WAN address as part of the home network
- Created a Policy which included my UserAgent rules, which is enabled and set for Alert, Drop.
Additionally, because this is running on my WAN, I enabled the SCAN ruleset as I know I am being harassed on the interface. This is all for testing purposes to make sure Suricata is functioning and will be turned off in the future.
Why are alerts not generating? That's the mystery.
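When a known-good test such as the curl user-agent check above produces no alert, the first thing to separate is "Suricata never saw or parsed the flow" from "Suricata saw it but the rule or policy did not match", and whether the flow even satisfied the rule's $HOME_NET direction. The script below is an added example, not code from this thread or from OPNsense. It reads Suricata's EVE JSON output (one JSON object per line, as written to eve.json), using a constructed sample embedded inline; the signature names, sids and addresses in the sample are placeholders, and the HOME_NET list passed in is an assumption you would replace with your own interface networks.

```python
"""Diagnose why an expected Suricata alert did or did not appear in eve.json.

Added example, not from the thread or OPNsense. Assumes Suricata EVE JSON
output: one JSON object per line, with event_type "http" for parsed HTTP
transactions and event_type "alert" for rule matches.
"""
import ipaddress
import json

# Constructed sample EVE lines (not a real capture): one parsed HTTP event
# carrying the test user agent, one alert that fired on it, and one alert on an
# unrelated rule. Signature names and sids are placeholders.
SAMPLE_EVE = r"""
{"timestamp":"2023-06-23T03:50:00.000000+0000","event_type":"http","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","http":{"hostname":"example.com","http_user_agent":"BlackSun"}}
{"timestamp":"2023-06-23T03:50:00.100000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","alert":{"signature":"SAMPLE USER_AGENTS Suspicious User-Agent (BlackSun)","signature_id":1000001,"action":"allowed","category":"A Network Trojan was detected"}}
{"timestamp":"2023-06-23T03:51:00.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"198.51.100.5","alert":{"signature":"SAMPLE SCAN Example Scanner","signature_id":1000002,"action":"blocked","category":"Attempted Information Leak"}}
"""


def parse_eve(text):
    """Parse EVE JSON text into a list of event dicts, skipping blank or broken lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line at the tail of a live log is normal
    return events


def alerts_matching(events, needle):
    """Return alert events whose signature contains needle (case-insensitive)."""
    needle = needle.lower()
    return [
        e for e in events
        if e.get("event_type") == "alert"
        and needle in e.get("alert", {}).get("signature", "").lower()
    ]


def diagnose(text, user_agent, signature_needle):
    """Classify the outcome of a user-agent test.

    "alerted"      -> an alert whose signature contains signature_needle exists
    "seen-no-alert"-> Suricata parsed an HTTP request with that user agent but
                      no matching alert fired (rule disabled, policy, HOME_NET)
    "not-seen"     -> no HTTP event with that user agent at all (traffic never
                      reached the inspected interface, or was not decoded)
    """
    events = parse_eve(text)
    saw_traffic = any(
        e.get("event_type") == "http"
        and e.get("http", {}).get("http_user_agent") == user_agent
        for e in events
    )
    if alerts_matching(events, signature_needle):
        return "alerted"
    return "seen-no-alert" if saw_traffic else "not-seen"


def home_net_coverage(events, home_net):
    """Map each alert's sid to whether its src or dest lies inside HOME_NET.

    Rules written with $HOME_NET / $EXTERNAL_NET direction constraints never
    match a flow where neither endpoint is in HOME_NET, which is a common reason
    a test that works elsewhere stays silent after a move.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in home_net]

    def in_home(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in nets)

    return {
        e["alert"]["signature_id"]: in_home(e["src_ip"]) or in_home(e["dest_ip"])
        for e in events
        if e.get("event_type") == "alert"
    }


def summarize(events):
    """Count alerts per (sid, action) so Alert vs. Drop policy outcomes are visible."""
    counts = {}
    for e in events:
        if e.get("event_type") == "alert":
            key = (e["alert"]["signature_id"], e["alert"]["action"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    evts = parse_eve(SAMPLE_EVE)
    print("test outcome:", diagnose(SAMPLE_EVE, "BlackSun", "blacksun"))
    print("HOME_NET coverage:", home_net_coverage(evts, ["198.51.100.0/24"]))
    print("alerts by (sid, action):", summarize(evts))
```

On a live box, feed the function the contents of eve.json taken after running the test; a "not-seen" result points at interface or capture placement, while "seen-no-alert" points at the rule, the policy or a HOME_NET definition that excludes the addresses in the flow.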
michmoor (Newbie, Posts: 28, Karma: 4)
Re: IPS not alerting « Reply #1 on: June 23, 2023, 06:38:22 am »
I see some past forum posts where people changed from Hyperscan to something else. Will change and update the forum with the results.
michmoor (Newbie, Posts: 28, Karma: 4)
Re: IPS not alerting « Reply #2 on: June 23, 2023, 05:20:01 pm »
Changing the pattern matcher doesn't work.
I've used so far:
- Aho-Corasick
- Aho-Corasick, "Ken Steele"
- Hyperscan
There is absolutely no way the ET SCAN rule is not triggering on the WAN. Impossible.
I am even triggering LAN-side alerts using the following from bash: 'curl -A "BlackSun" www.google.com'
This always triggers on pfSense or when I SPAN a port to my Security Onion instance.
As has been mentioned in past posts, there is something wrong with the Suricata package here. The fact it's not picking up on any flow on known rules that trigger alerts indicates an issue with the implementation.
wirefall (Newbie, Posts: 31, Karma: 0)
Re: IPS not alerting « Reply #3 on: September 23, 2023, 02:03:15 pm »
This is interesting, same here, no alerts. Any new findings?
EDIT: Works with EICAR, just tested.
« Last Edit: September 23, 2023, 02:08:43 pm by wirefall »
Monju0525 (Jr. Member, Posts: 53, Karma: 6)
Re: IPS not alerting « Reply #4 on: September 23, 2023, 09:48:24 pm »
Not to hijack, but I am on a wireguard_interface and not WAN. EICAR does not drop or send alerts. There is something wrong with Suricata. Just WAN and no WireGuard VPN connection, EICAR works fine.