Getting started with Suricata on OPNsense — overwhelmed

I have enabled IDS/IPS (Suricata, IDS only until I know what I am doing) on OPNsense 22.10. I’m new to both (though less new to OPNsense than to Suricata). Suricata is running and I see stuff in eve.json, like

{"timestamp":"2022-12-15T00:16:55.731045+0100","flow_id":412949720501149,"in_iface":"igb1","event_type":"anomaly","src_ip":"213.125.118.53","src_port":25,"dest_ip":"157.52.230.148","dest_port":53454,"proto":"TCP","anomaly":{"app_proto":"smtp","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2022-12-15T00:18:33.771188+0100","flow_id":1485263473900741,"in_iface":"igb1","event_type":"anomaly","src_ip":"213.125.118.53","src_port":25,"dest_ip":"64.62.250.105","dest_port":57815,"proto":"TCP","anomaly":{"app_proto":"smtp","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}

That seems to suggest Suricata is running and it detects SMTP traffic (which is correct), but those are, as I gather, uninteresting messages (all SMTP will trigger that). I am using ET Telemetry Pro with a couple of rulesets (dshield, emerging-current-events, emerging-imap, emerging-malware, emerging-phishing, emerging-web-client, emerging-web-server; I just checked a few after reading their description somewhere).

What I am trying to find out (and failing at) is how to test that Suricata is catching stuff (e.g. phishing mail is delivered to my mail server, but Suricata doesn’t show anything in the log yet), e.g. I’m looking for a way to get a real alert so I can test it works.

OPNsense also comes with Monit. I tried to create an alert for content = "blocked" hoping that I would see something.

Basically, I am a bit overwhelmed and I am looking for some sort of basic situation where I can get Suricata & Monit on OPNsense to send me an alert if something is detected (and trigger that so I know it works) and a way to see the logging on OPNsense. I would be able to build from there.

Thanks in advance to any kindly soul who helps me get started.
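As an added example (not from this thread), here is a small Python script for the "way to see the logging" part: it parses eve.json line by line, tallies records by event_type, and separates the noisy proto_detect anomalies shown above from actual alert records. The first two sample lines are the ones from the post; the third is a constructed alert in Suricata's alert schema (made-up addresses and signature id, not real traffic).

```python
import json
from collections import Counter

# Anomaly events that fire on ordinary traffic and carry no threat signal by themselves.
NOISY_ANOMALIES = {"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION"}

# Sample eve.json: the two anomaly lines from the post plus one CONSTRUCTED alert line.
SAMPLE_EVE = r'''
{"timestamp":"2022-12-15T00:16:55.731045+0100","flow_id":412949720501149,"in_iface":"igb1","event_type":"anomaly","src_ip":"213.125.118.53","src_port":25,"dest_ip":"157.52.230.148","dest_port":53454,"proto":"TCP","anomaly":{"app_proto":"smtp","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2022-12-15T00:18:33.771188+0100","flow_id":1485263473900741,"in_iface":"igb1","event_type":"anomaly","src_ip":"213.125.118.53","src_port":25,"dest_ip":"64.62.250.105","dest_port":57815,"proto":"TCP","anomaly":{"app_proto":"smtp","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2022-12-15T09:01:02.000000+0100","flow_id":1,"in_iface":"igb1","event_type":"alert","src_ip":"192.0.2.10","src_port":80,"dest_ip":"198.51.100.7","dest_port":51000,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED test signature (EICAR download)","category":"A Network Trojan was detected","severity":1}}
'''

def parse_eve(text):
    """Parse newline-delimited eve.json into dicts, skipping blank or truncated lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a line cut mid-write (e.g. by log rotation); skip rather than crash
    return events

def count_event_types(events):
    """Per-type tally, so you can see at a glance whether any 'alert' records exist at all."""
    return Counter(e.get("event_type") for e in events)

def interesting_events(events, min_severity=2):
    """Return (kind, summary) tuples for alerts at or above the severity threshold
    (Suricata severity 1 is the highest) and for anomalies not on the noisy list."""
    out = []
    for e in events:
        kind = e.get("event_type")
        if kind == "alert":
            a = e["alert"]
            if a.get("severity", 3) <= min_severity:
                out.append(("alert", f'{a["signature_id"]} {a["signature"]} {e["src_ip"]}->{e["dest_ip"]}'))
        elif kind == "anomaly":
            if e["anomaly"].get("event") not in NOISY_ANOMALIES:
                out.append(("anomaly", f'{e["anomaly"]["event"]} {e["src_ip"]}->{e["dest_ip"]}'))
    return out

if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    print(count_event_types(evs))  # Counter({'anomaly': 2, 'alert': 1})
    for kind, summary in interesting_events(evs):
        print(kind, summary)
```

Point it at the real file with `parse_eve(open("/var/log/suricata/eve.json").read())` (the path is OPNsense's default location, adjust if yours differs); if the tally never shows an "alert" entry, the rulesets are not matching anything yet.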

This seems to be very OPNsense specific; have you tried the forum, https://forum.opnsense.org/?

Returning to this subject.

I have Suricata working, it creates an alert on the eicar.com download, but I do have some questions, still.

I can download the contents of eicar when using https. That seems logical, Suricata cannot look inside https, but if that is so and given that 99.9999% of web traffic is https, what use is Suricata? I must be missing something.

That argument can be used against other solutions as well (e.g. NGFW), but they still exist…
Suricata can offer many things even if the flow is encrypted:

  • alerting on malicious domains/IPs (even with https).
  • recording network transactions, that you can use behavioral analysis on, to detect malicious activity (e.g. beaconing), or for network forensics.
  • detecting malware that uses non-standard protocols (e.g. a special TCP protocol).
  • other threats.