opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

rules do not work #8034

Open Cruise4code opened 2 weeks ago

Cruise4code commented 2 weeks ago

After much testing, I have found the rules in the Suricata rulesets not working: neither the blocklists nor the regular rules.

Quick fast forward: the solution was to change $HOME_NET in all rules to any. Blocklists started working. Regular rules started working. In the last three versions.

I first wanted to change the Suricata yaml and enter my IP. Not possible, because on reboot it reverts back. $HOME_NET in Suricata is either your IP or IP range. $EXTERNAL_NET in my case does not need to be modified, because it is assumed to mean any unless written in as something else, i.e. LAN IP or something protecting a network or such. Both $HOME_NET and $EXTERNAL_NET are to be hard coded into the Suricata yaml. When we set up Suricata we have no way to do that. There is nowhere to enter your IP and have it applied to Suricata.

When I changed $HOME_NET in the blocklists to any, they start working: thousands of hits, yes legitimate, because I am also comparing them to the pcaps. I am attacked every 5 seconds on average at idle, no browser or apps open. All spoofed IPs, many are on the ET blocklists, which were not working. Nothing is supposed to be hitting me but regular router exchange.

When I change $HOME_NET to any in the regular rules, not rulesets, I get a rule hit about every 20 to 30 minutes since I changed $HOME_NET to any. Nothing before the change. And the blocklists: I got 2000 hits in 3 hours this morning. Nothing before the change.

If you make a user defined rule and go to the file and look at it, it says any -> any any, which is, depending on the direction you specified, $HOME_NET or $EXTERNAL_NET. The user defined rule does not say $HOME_NET or $EXTERNAL_NET. The user defined rule will work. Thank you in advance for OPNsense community edition. Thank you for your work.

PS: OPNsense allowed me to get on the internet again. One year ago I could not get on the internet for 15 seconds without bad guys shutting down my computer and destroying hardware. They destroyed my ISP router. A regular router doesn't stand a chance. You may have seen the news how regular home routers were used to attack Cloudflare. Your work is our defense. Much much better and easier than hard coding 100,000 lines of iptables. The bad guys run bots; the global security community knows about them. They constantly attack your computer with thousands of different methods of getting into your computer, all spoofed IPs, all automated, automatically changes IPs, just regular hacker software these days. I hope I have explained enough. Thanks again.

Cruise4code commented 2 weeks ago

Info: I use DHCP and not a static IP. Static IP has a box for input, but I am not sure it is applied to Suricata. My ISP uses DHCP.

OPNsense-bot commented 2 weeks ago

Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.

Cruise4code commented 2 weeks ago

I don't know how to put this in one of your templates.

Cruise4code commented 2 weeks ago

We need access to the Suricata yaml for editing. Needs to be defined in yaml: $HOME_NET, $EXTERNAL_NET, $HTTP_SERVERS, $DNS_SERVERS, $SMTP_SERVERS. Thanks

Or we have to continue to manually change $HOME_NET to any in all rulesets, which is done using sftp in the command line: sftp lan IP. We get -R the Suricata directory called rules: get -R /usr/local/etc/suricata/rules /home/. chmod -R 777 rules. Open each ruleset, use search and replace to change each $HOME_NET to any, save. Use put -R to put the directory rules back in Suricata: put -R /home/rules /usr/local/etc/suricata/. Let me know if more information is needed, thanks.

Cruise4code commented 2 weeks ago

Thought I might add an easy test. Using sftp to lan IP: sudo sftp lan IP. Get the folder 3coresec.rules, which is a blocklist: get -R /usr/local/etc/suricata/rules/3coresec.rules /home/ ... to home folder. Up one directory and open terminal: sudo chmod -R 777 3coresec.rules. Open the 3coresec file with notepad or such. In the very first rule, add 8.8.8.8 at the beginning of the rule inside the brackets and save. Upload the file using sftp: put -R /home/3coresec.rules /usr/local/etc/suricata/rules/. Go to Intrusion Detection > Administration > Rules > click Apply. Wait 60 seconds for rule reload to complete. From terminal, ping 8.8.8.8 for 5 seconds and Ctrl-C to stop. IPS > Admin > Alerts: you will see nothing. Go to the IPS log file and change the box to Informational: you will see nothing. Neither this rule nor any rule works because it is using $HOME_NET. Now, with the file you have in your home directory, 3coresec.rules, change the very first rule with the 8.8.8.8: change $HOME_NET to any and save. Again use put to place the file in Suricata rules again; it will overwrite: put -R /home/3coresec.rules /usr/local/etc/suricata/rules/. IPS > Admin > Rules > click Apply, wait 60 seconds, ping 8.8.8.8 for 5 seconds. You will see an alert or block in IPS > Alerts; you will see an alert or block in IPS > Logging with the box set to Informational. It works. Change the rule back to normal. I change $HOME_NET to any in all rulesets I want to use, and in specific rules in some rulesets, and they work. If we could define $HOME_NET or fix its programming link, then changing manually to any would not be necessary. THANKS THANKS THANKS. Thanks in advance.

Cruise4code commented 2 days ago

Update 11212024: Only in true DHCP without a router might there be problems. Note: I am in DHCP mode; my ISP says it's DHCP and the IP is subject to change. Well, it doesn't, maybe if they had a problem and had to reassign IPs. I am in DHCP mode in OPNsense. I put my DHCP IP, which doesn't change, in OPNsense at Intrusion Detection > Administration > Settings > Home Networks box. Still in DHCP mode, and the rules work; did short testing, will do some more. Also, if behind a router and in DHCP, could put a router LAN IP or IP range here. Even if in true DHCP mode, could put an IP range here and rules would work. Did not know what the box was for; being its name, thought it was something with LAN. Thank you everyone.
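
To make the ping test and the Home Networks update above concrete, here is an added example (my code, not OPNsense's or Suricata's) that resolves Suricata address expressions the way the rule header does and checks whether a blocklist rule can fire on the reply to a ping of 8.8.8.8 sent from the firewall's WAN address: with HOME_NET left as a LAN range, with the WAN IP added as the Home Networks box does, and with any. The rule, its sid and the 203.0.113.7 WAN address are constructed for the example.

```python
import ipaddress
import re

# Suricata rule header: action proto src sport dir dst dport ( options )
HEADER = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
                    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\(")

def _split_list(body):
    """Split the inside of '[...]' at top-level commas; nested lists stay whole."""
    items, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items, cur = items + [cur], ""
        else:
            cur += ch
    return [i.strip() for i in items + [cur] if i.strip()]

def addr_matches(expr, ip, groups):
    """True if ip is covered by expr; groups maps names like HOME_NET to expressions."""
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not addr_matches(expr[1:], ip, groups)
    if expr.startswith("$"):  # address-group variable; KeyError means it is undefined
        return addr_matches(groups[expr[1:]], ip, groups)
    if expr.startswith("[") and expr.endswith("]"):
        items = _split_list(expr[1:-1])
        neg = [i[1:] for i in items if i.startswith("!")]
        pos = [i for i in items if not i.startswith("!")]
        if any(addr_matches(n, ip, groups) for n in neg):
            return False  # a negated entry excludes the address outright
        return not pos or any(addr_matches(p, ip, groups) for p in pos)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)

def rule_matches(rule, src_ip, dst_ip, groups):
    """True if the header's addresses match src_ip -> dst_ip ('->' rules; ports ignored)."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("not a Suricata rule header")
    return addr_matches(m["src"], src_ip, groups) and addr_matches(m["dst"], dst_ip, groups)

# Constructed blocklist-style rule; the sid is a placeholder, not a real ET sid
BLOCKLIST_RULE = ('alert ip [8.8.8.8,192.0.2.10] any -> $HOME_NET any '
                  '(msg:"CONSTRUCTED blocklist hit"; sid:1000001; rev:1;)')
WAN_IP = "203.0.113.7"  # constructed DHCP WAN address of the firewall
def alerts_for_home_net(home_net):
    """Would the reply to 'ping 8.8.8.8' from the firewall raise the alert?"""
    return rule_matches(BLOCKLIST_RULE, "8.8.8.8", WAN_IP, {"HOME_NET": home_net})
```

Only when HOME_NET covers the address the ping reply is sent to does the rule's destination side match, which is why filling the Home Networks box (or using any) makes the hits appear.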