rules do not work

[Cruise4code]

After much testing, I have found the rules in the suricata rulesets not working
Neither the blocklists, nor regular rules

Quick fast forward
the solution was to change $HOME_NET in all rules to any
Blocklists started working
Regular rules started working
In the last three versions

I first wanted to change the suricata yaml and enter my IP
Not possible because on reboot reverts back
$HOME_NET in suricata is either your IP or IP range
$EXTERNAL_NET in my case does not need to be modified,
because it is assumed to mean any unless written in as something else, ie lan IP or something
protecting a network or such
Both $HOME_NET and $EXTERNAL_NET are to be hard coded into the suricata yaml
When we set up suricata
We have no way to do that
There is no where to enter your IP and have it applied to suricata

When I changed $HOME_NET in the blocklists to any
They start working, thousands of hits, yes legitimate because I am also comparing them to the pcaps
I am attacked every 5 seconds on average at idle, no browser or apps open
All spoofed IPs, many are on the ET blocklists, which were not working
Nothing is supposed to be hitting me but regular router exchange

When I change $HOME_NET to any in the regular rules, not rulesets,
I get a rule hit about every 20 to 30 minutes when I changed $HOME_NET to any
Nothing before the change
And the blocklists I got 2000 hits in 3 hours this morning
Nothing before the change

If you make a user defined rule and go to the file and look at it
It says any -> any any which is depending on direction you specified
$HOME_NET or $EXTERNAL_NET
The user defined rule does not say $HOME_NET or $EXTERNAL_NET
The user defined rule will work
Thank you in advance for opnsense community edition
Thank you for your work

PS
Opnsense allowed me to get on the internet again
One year ago I could not get on the internet for 15 seconds without
Bad guys shutting down my computer and destroying hardware
They destroyed my ISP router
A regular router doesnt stand a chance
You may have seen the news how regular home routers were used to attack cloudflare
Your work is our defense
Much much better and easier than hard coding 100,000 lines of iptables
The bad guys run bots, the global security community knows about them
They constantly attack your computer with thousands of different methods of
getting into your computer, all spoofed IPs, all automated,
Automatically changes IPs, just regular hacker software these days
I hope I have explained enough
Thanks again

[Cruise4code]

Info
I use DHCP and not a static IP
Static IP has a box for input but I am not sure it is applied to suricata
My ISP uses DHCP

[OPNsense-bot]

Thank you for creating an issue.
Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository,
please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.

[Cruise4code]

I dont know how to put this in one of your templates

[Cruise4code]

We need access to the suricata yaml for editing
Needs to be defined in yaml
$HOME_NET
$EXTERNAL_NET
$HTTP_SERVERS
$DNS_SERVERS
$SMTP_SERVERS
Thanks

or We have to continue to manually change $HOME_NET to any in all rulesets
Which is done using sftp in command line
sftp lan IP
we get -R the suricata directory called rules
get -R /usr/local/etc/suricata/rules /home/
chmod -R 777 rules
open each ruleset
use search and replace to change each $HOME_NET to any
save
use put -R to put the directory rules back in suricata
put -R /home/rules /usr/local/etc/suricata/
let me know if more information is needed thanks

[Cruise4code]

Thought I might add an easy test
Using sftp to lan IP
sudo sftp lan IP
get the folder 3coresec.rules which is a blocklist
get-R /usr/local/etc/suricata/rules/3coresec.rules /home/ ... to home folder
up one directory and open terminal
sudo chmod -R 777 3coresec.rules
open 3coresec file with notepad or such
the very first rule add 8.8.8.8 at the beginning of the rule inside the brackets and save
upload the file using sftp
put -R /home/3coresec.rules /usr/local/etc/suricata/rules/
go to intrusion detection > administration > rules > click apply
wait 60 seconds for rule reload to complete
from terminal ping 8.8.8.8 for 5 seconds and ctrl c to stop
IPS > Admin > alerts, you will see nothing
go to IPS log file and change box to informational, you will see nothing
This rule nor any rule works becuase it is using $HOME_NET
Now with the file you have in your home directory 3coresec.rules
Change the very first rule with the 8.8.8.8
Change $HOME_NET to any and save
Again use put to place file in suricata rules again, it will overwrite
put -R /home/3coresec.rules /usr/local/etc/suricata/rules/
IPS > admin > rules > click apply wait 60 seconds
ping 8.8.8.8 for 5 seconds
you will see an alert or block in IPS > alerts
you will see alert or block in IPS > logging with box set to informational
it works
Change the rule back to normal
I change in all rulesets I want to use, and specific rules in some rulesets $HOME_NET to any
And they work
If we could define $HOME_NET or fix its programming link
Then changing manually to any would not be necessary
THANKS THANKS THANKS
Thanks in advance