We set up OPNids on an Intel NUC and placed it on an isolated network with two other machines. The OPNids box is connected to a mirror port. One NUC is running the Damn Vulnerable Web App while the other NUC attacks it. However, no alerts are being triggered by the attacks. Specifically, we want to trigger the "ET WEB_SERVER Script tag in URI possible Cross Site Scripting Attempt" rule from emerging-web_server.rules through the reflected XSS page (sid 2009714, revision 7). Another IDS using Suricata was able to flag the attack, and we checked that the same rule was enabled.
The setup we have done on OPNids consists of configuring the tap interface on the switch and a management interface to view the console. We turned on Suricata and did the rule download/update while enabling all the rulesets. We also tried starting other services like Dragonfly MLE, Beats, and Monit, but this had no effect. We see the malicious traffic being received when running tcpdump on OPNids. Any ideas?
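One thing worth checking before looking at the rule body itself is the rule header. The ET WEB_SERVER rules are written for traffic from `$EXTERNAL_NET` to `$HTTP_SERVERS`, and Suricata's default `EXTERNAL_NET` is `!$HOME_NET` with `HOME_NET` covering all RFC 1918 space. In a lab where attacker and DVWA host both sit in the same private range, the attacker's source address is not in `$EXTERNAL_NET`, so the header never matches and the `<script` content check is never reached, even though tcpdump sees the traffic. The script below is an added example (not OPNids or Suricata code) that models that address-variable evaluation plus the normalized-URI content match of sid 2009714; it assumes the default variable values from suricata.yaml, the lab addresses 192.168.50.10 (attacker) and 192.168.50.20 (DVWA), and that the rule header uses `$EXTERNAL_NET any -> $HTTP_SERVERS`, all of which should be verified against the local copies of suricata.yaml and emerging-web_server.rules.

```python
import ipaddress
from urllib.parse import unquote

# Constructed variable block in the shape of suricata.yaml's defaults
# (assumption: the OPNids install ships these values; check your suricata.yaml).
DEFAULT_VARS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_SERVERS": "$HOME_NET",
}

# Assumed header of sid 2009714 (ET WEB_SERVER rules use these variables).
RULE_SRC, RULE_DST = "$EXTERNAL_NET", "$HTTP_SERVERS"


def _split_top_level(s):
    """Split a comma list while respecting nested [ ... ] groups."""
    parts, depth, cur = [], 0, []
    for ch in s:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def resolve(expr, vars_, negate=False):
    """Simplified model of Suricata address-group parsing: returns
    (include_networks, exclude_networks). Handles $VAR, [a,b] groups,
    the 'any' keyword and a leading '!' that negates everything under it."""
    expr = expr.strip()
    if expr.startswith("!"):
        return resolve(expr[1:], vars_, not negate)
    if expr.startswith("$"):
        return resolve(vars_[expr[1:]], vars_, negate)
    if expr.startswith("[") and expr.endswith("]"):
        inc, exc = [], []
        for part in _split_top_level(expr[1:-1]):
            i, e = resolve(part, vars_, negate)
            inc += i
            exc += e
        return inc, exc
    net = ipaddress.ip_network("0.0.0.0/0" if expr == "any" else expr, strict=False)
    return ([], [net]) if negate else ([net], [])


def addr_matches(addr, expr, vars_):
    """True if addr is inside the address group described by expr."""
    inc, exc = resolve(expr, vars_)
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in exc):
        return False
    return not inc or any(ip in n for n in inc)


def uri_has_script_tag(raw_uri):
    """Model of `content:"<script"; nocase; http_uri;`: the http_uri buffer is
    the normalized URI, so a percent-encoded payload still matches."""
    return "<script" in unquote(raw_uri).lower()


def would_alert(src_ip, dst_ip, raw_uri, vars_=DEFAULT_VARS):
    """Walk the rule the way Suricata does: header first, then content.
    Returns (fires, reason)."""
    if not addr_matches(src_ip, RULE_SRC, vars_):
        return False, f"source {src_ip} does not match {RULE_SRC}"
    if not addr_matches(dst_ip, RULE_DST, vars_):
        return False, f"destination {dst_ip} does not match {RULE_DST}"
    if not uri_has_script_tag(raw_uri):
        return False, "normalized URI does not contain <script"
    return True, "header and content match"


# Constructed reflected-XSS request against the DVWA page.
PAYLOAD_URI = "/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    # Both lab hosts in 192.168.0.0/16: attacker is inside HOME_NET.
    print(would_alert("192.168.50.10", "192.168.50.20", PAYLOAD_URI))
    # HOME_NET narrowed to the DVWA host only: attacker becomes EXTERNAL_NET.
    lab = dict(DEFAULT_VARS, HOME_NET="[192.168.50.20/32]")
    print(would_alert("192.168.50.10", "192.168.50.20", PAYLOAD_URI, lab))
```

With the defaults the first call reports that the source does not match `$EXTERNAL_NET`; narrowing `HOME_NET` to the DVWA host (or otherwise placing the attacker outside it) is what lets the header match. If the header does match and there is still no alert, the next things to look at are whether both directions of the flow reach the mirror port (the rule needs an established flow) and checksum handling on the sniffing interface, neither of which this script models.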