IPS/Suricata does not drop anything via policy (opnsense.test.rules)

Started by MojoMC, February 03, 2026, 09:44:38 AM

Hello everyone,

I am currently using OPNsense to separate a test network from our intranet.
At the moment, I am struggling with the successful configuration of IDS/IPS/Suricata. Specifically, it fails the EICAR test in the unencrypted version, i.e., over HTTP.

My configuration for IDS/IPS/Suricata is as follows:
  • Enabled: yes
  • IPS mode: yes
  • Active on both interfaces, LAN and WAN
  • WAN and LAN are included in "Home networks"

In Intrusion Detection/Administration/Downloads, the ruleset "OPNsense-App-detect/test" is enabled and downloaded. No other rulesets are enabled or even downloaded.
In Intrusion Detection/Administration/Rules, opnsense.test.rules is also enabled, with the default action "Alert".
A policy for this rule, matching the actions/conditions "Alert" and "Drop" and resulting in the new action "Drop", has been created and applied.

If I run "curl http://pkg.opnsense.org/test/eicar.com.txt" from the test network, it goes through without any problems, and I see it under the alerts, unfortunately with "Action: Allowed", despite the active policy that should turn "Alert" into "Drop".

If I manually change the test rule to "Drop", it is immediately dropped. I can't figure out why the policy isn't working.

Have I taken a wrong turn somewhere, am I overlooking something?

Thank you very much for any food for thought.
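One thing worth checking in a situation like the one described above is what action Suricata actually loaded for the test signature, rather than what the GUI shows. The script below is an added example, not code from the original post or from the OPNsense project: it parses Suricata rule lines and reports the action keyword and sid of each active rule, so a policy that was supposed to rewrite "alert" into "drop" can be verified in the rule files Suricata reads. The sample rules embedded at the bottom are constructed for demonstration (the sids and messages are made up and are not the real opnsense.test.rules content), and the path /usr/local/etc/suricata/opnsense.rules/ mentioned in the comments is assumed to be where OPNsense writes its policy-adjusted rule files.

```shell
#!/bin/sh
# Report the effective action of Suricata rules, to see whether a rule
# policy really rewrote "alert" into "drop" in the files Suricata loads.
#
# Usage on the firewall (path is an assumption, not taken from the post):
#   sh check_rule_actions.sh /usr/local/etc/suricata/opnsense.rules/*.rules | grep -i eicar
# With no arguments the script runs against a constructed sample file.

# rule_action LINE -> prints the action keyword of one rule line:
#   "none"     for blank lines,
#   "disabled" for commented-out rules,
#   otherwise the first token (alert, drop, pass, reject, ...).
rule_action() {
    line=$(printf '%s' "$1" | sed 's/^[[:space:]]*//')
    case "$line" in
        '')   echo none ;;
        '#'*) echo disabled ;;
        *)    printf '%s\n' "$line" | awk '{print $1}' ;;
    esac
}

# rule_sid LINE -> prints the sid option of a rule line (empty if absent)
rule_sid() {
    printf '%s\n' "$1" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# rule_msg LINE -> prints the msg option of a rule line (empty if absent)
rule_msg() {
    printf '%s\n' "$1" | sed -n 's/.*msg:"\([^"]*\)".*/\1/p'
}

# count_action FILE ACTION -> number of active rules in FILE with that action
count_action() {
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        [ "$(rule_action "$l")" = "$2" ] && n=$((n + 1))
    done < "$1"
    echo "$n"
}

# report FILE -> one line per rule: ACTION SID MSG
report() {
    printf '%-8s %-8s %s\n' ACTION SID MSG
    while IFS= read -r l || [ -n "$l" ]; do
        a=$(rule_action "$l")
        [ "$a" = none ] && continue
        printf '%-8s %-8s %s\n' "$a" "$(rule_sid "$l")" "$(rule_msg "$l")"
    done < "$1"
}

# Constructed sample file (NOT the real opnsense.test.rules): one rule still
# at "alert", one rewritten to "drop", one disabled by a leading '#'.
sample_file=$(mktemp)
cat > "$sample_file" <<'EOF'
alert http any any -> any any (msg:"sample EICAR download, still alert"; content:"EICAR"; sid:1000001; rev:1;)
drop http any any -> any any (msg:"sample EICAR download, rewritten to drop"; content:"EICAR"; sid:1000002; rev:1;)
# alert http any any -> any any (msg:"sample disabled rule"; sid:1000003; rev:1;)
EOF

if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        echo "== $f"
        report "$f"
    done
else
    report "$sample_file"
    echo "alert rules: $(count_action "$sample_file" alert), drop rules: $(count_action "$sample_file" drop)"
fi
```

If the test signature still shows "alert" in the installed rule file while the GUI claims the policy is applied, the rewrite never reached Suricata, which narrows the problem to the policy step rather than to inline mode itself; if the file already says "drop" but the alert log still reports the packet as allowed, the problem lies on the capture side instead.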