Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
17.1.2 - Still have IDPS issues
« previous
next »
Print
Pages: [
1
]
Author
Topic: 17.1.2 - Still have IDPS issues (Read 13794 times)
csmall
Full Member
Posts: 121
Karma: 5
17.1.2 - Still have IDPS issues
«
on:
February 23, 2017, 12:05:26 am »
I did a fresh install of OPNSense 17.1 last night and then upgraded to 17.1.2 this morning.
It was pretty much default install.
Just now I enabled IDS and IPS, checked off some ET rules that I know were frequently triggered when I was running IPFire with Snort, hit download and install rules, changed them each to drop action and hit download and apply rules again.
Under alerts, all i see is weird suricata alerts with allowed action.
SURICATA STREAM excessive retransmissions
and a bunch of:
SURICATA Applayer Detect protocol only one direction
but no ET or drop alerts.
I don't understand, am i doing something wrong? I had high hopes for the new realtek drivers with suricata.
«
Last Edit: February 23, 2017, 12:19:48 am by csmall
»
Logged
csmall
Full Member
Posts: 121
Karma: 5
Re: 17.1.2 - Still have IDPS issues
«
Reply #1 on:
February 27, 2017, 07:17:01 pm »
Bump
Logged
Nnyan
Jr. Member
Posts: 91
Karma: 8
Re: 17.1.2 - Still have IDPS issues
«
Reply #2 on:
April 05, 2017, 03:00:44 am »
I just turned this one recently and the majority of the items in the IDS alerts tab are these SURICATA STREAM excessive retransmissions messages. I get the occasional SURICATA Applayer Detect protocol only one direction
and even some SURICATA TCPv4 invalid checksum
The invalid checksum seems to be related to the NIC so since I'm running OPNsense in an ESXi VM I changed the host's Net.UseHwTSO setting to "0" to disable this. I'll see if that error goes away over the next day or two.
the Applayer Detect one seems more esoteric since I only found a few links to others having this issue and nothing definitive. Ditto with the Stream Excessive.
Funny I just noticed that under ID >> RULES it just says "loading".
«
Last Edit: April 05, 2017, 07:14:47 am by Nnyan
»
Logged
csmall
Full Member
Posts: 121
Karma: 5
Re: 17.1.2 - Still have IDPS issues
«
Reply #3 on:
April 05, 2017, 03:38:51 am »
Yeah I get a bunch of the suricata alerts but no ET alerts.
Logged
spidysense
Newbie
Posts: 22
Karma: 1
Re: 17.1.2 - Still have IDPS issues
«
Reply #4 on:
December 09, 2017, 07:49:34 pm »
I get a lot of these alerts:
SURICATA Applayer Detect protocol only one direction
Looking
HERE
it explains this:
Protocol detection only succeeded in one direction. For FTP and SMTP this is expected
.
So if you have been using these protocols from your network then you will see these alerts.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
17.1.2 - Still have IDPS issues