IDPS

[csmall]

I installed the beta tonight and everything seems to be great.

I'm a little confused by the IDPS though.

I enabled IDS and IPS, checked off some ET rule sets and clicked on enable, downloaded and updated rules, then clicked apply.

All I see in the alerts is stuff like this:

"SURICATA STREAM excessive retransmissions"
"SURICATA TLS invalid record/traffic"
"SURICATA TCPv4 invalid checksum"
"SURICATA STREAM Packet with invalid ack"
"SURICATA STREAM ESTABLISHED invalid ack"

None of these appear to be related to the rule sets I enabled.

I then switched all of the rulesets on the main IDS page to input filter drop, clicked on download and update rules and apply again. I still see nothing but hundreds of the above alerts and none from the ET rulesets.

Am I doing something wrong or is this broken?

Thank you.

[csmall]

So I cleared the logs and tried to turn IDS/IPS off and then back on again.

Now I get no alerts. I tried turning just IPS off too and no luck. I get no alerts now.

[csmall]

I am seeing alerts again... however they are back to the same alerts I mentioned in the original post and nothing from the ET rules I enabled.

I don't get it.

I recently switched to OPNSense from another firewall that was using ET rules and I would see alerts like every 5 to 10 minutes for the same rules.

[csmall]

I got rid of 17.1 beta and installed 16.7 production.

Same results. Fresh install and very basic configuration.

I enabled IDS (not IPS yet), applied, enabled some ET rules, downloaded and updated rulesets...

Again, I get alerts like this:

"SURICATA STREAM excessive retransmissions"

But none from the downloaded ET rules. I don't understand why it isn't working.

Any help would be appreciated.