I have enabled IDS/IPS (Suricata, IDS only until I know what I am doing) on OPNsense 22.10. I’m new to both (though less new to OPNsense than to Suricata). Suricata is running and I see stuff in eve.json, like
{"timestamp":"2022-12-15T00:16:55.731045+0100","flow_id":412949720501149,"in_iface":"igb1","event_type":"anomaly","src_ip":"213.125.118.53","src_port":25,"dest_ip":"157.52.230.148","dest_port":53454,"proto":"TCP","anomaly":{"app_proto":"smtp","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2022-12-15T00:18:33.771188+0100","flow_id":1485263473900741,"in_iface":"igb1","event_type":"anomaly","src_ip":"213.125.118.53","src_port":25,"dest_ip":"64.62.250.105","dest_port":57815,"proto":"TCP","anomaly":{"app_proto":"smtp","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
That seems to suggest Suricata is running and it detects SMTP traffic (which is correct), but those are as I gather uninteresting messages (all SMTP will trigger that). I am using ET Telemetry Pro with a couple of rulesets (dshield, emerging-current-events, emerging-imap, emerging-malware, emerging-phishing, emerging-web-client, emerging-web-server — I just checked a few after reading their description somewhere).
What I am trying to find out (and failing at) is how to test that Suricata is catching stuff (e.g. phishing mail is delivered to my mail server, but Suricata doesn’t show anything in the log yet), e.g. I’m looking for a way to get a real alert so I can test it works.
OPNsense also comes with Monit. I tried to create an alert for content = "blocked" hoping that I would see something.
Basically, I am a bit overwhelmed and I am looking for some sort of basic situation where I can get Suricata & Monit on OPNsense to send me an alert if something is detected (and trigger that so I know it works) and a way to see the logging on OPNsense. I would be able to build from there.
Thanks in advance to any kindly soul who helps me get started.
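One way to tell whether anything beyond the SMTP protocol-detection noise is landing in eve.json is to parse the file and count alert events separately from anomaly events. The script below is an added example for this thread, not OPNsense or Suricata code; the sample lines are constructed, and the alert's signature id and text are placeholders, not a real ET rule.

```python
"""Triage Suricata eve.json lines: count rule alerts apart from protocol-detection noise.
Added example for this thread, not OPNsense or Suricata code."""
import json
from collections import Counter

# Logged when SMTP is detected in one direction only; informational, not a rule hit.
NOISE_ANOMALIES = {"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION"}


def parse_eve(lines):
    """Yield one dict per well-formed JSON line; skip blanks and partial lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a line Suricata is still in the middle of writing


def is_noise(event):
    return (event.get("event_type") == "anomaly"
            and event.get("anomaly", {}).get("event") in NOISE_ANOMALIES)


def summarise(lines):
    """Return (alerts_by_signature, noise_count, other_count) for eve lines."""
    alerts, noise, other = Counter(), 0, 0
    for ev in parse_eve(lines):
        if ev.get("event_type") == "alert":
            a = ev.get("alert", {})
            alerts[f'{a.get("signature_id")}:{a.get("signature")}'] += 1
        elif is_noise(ev):
            noise += 1
        else:
            other += 1
    return alerts, noise, other


# Constructed sample: an anomaly shaped like the poster's, a blank line, a truncated
# line, a flow record and one alert whose signature id and text are placeholders.
SAMPLE = [
    '{"event_type":"anomaly","src_ip":"213.125.118.53","src_port":25,"proto":"TCP",'
    '"anomaly":{"app_proto":"smtp","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION"}}',
    "",
    '{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"203.0.113.9"',
    '{"event_type":"flow","src_ip":"203.0.113.7","dest_ip":"203.0.113.9","proto":"TCP"}',
    '{"event_type":"alert","proto":"TCP","alert":{"action":"allowed","gid":1,"rev":1,'
    '"signature_id":9000001,"signature":"PLACEHOLDER test rule","severity":3}}',
]
```

On the firewall, pass `summarise()` the lines of the real eve.json instead of `SAMPLE`; a rule that fires shows up as a `sid:signature` entry in the returned Counter, while the SMTP anomalies are only counted.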