Not getting IDS alerts on OPT1 interface of OPNsense

I have an OPNsense firewall set up with 3 interfaces: WAN, LAN, and OPT1. I’ve installed and enabled Suricata, and downloaded all ET rules. I have a domain controller sitting in OPT1 and a Kali machine in LAN. When I attempt to attack the domain controller (using auxiliary/scanner/smb/smb_ms17_010 from msfconsole) I get no alerts.

I have run a curl on:

  • the firewall host itself, and I do indeed get an alert
  • the Kali machine, and I do indeed get an alert
  • on the domain controller (in OPT1 intf), and I do also indeed get an alert

Please help. Thanks

  • Suricata version - 7.0.4
  • Operating system and/or Linux distribution - it’s on OPNsense firewall (FreeBSD)
  • How you installed Suricata (from source, packages, something else) - it’s on OPNsense firewall - so from packages via OPNsense GUI

The Suricata config on the OPNsense is managed by the OPNsense appliance, so it could be something specific to that. I would ask at the OPNsense forum for help first.