[SOLVED] Intrusion Detection stops when selecting an interface group

[Ciprian]

Hello!

OPNsense ver 7.7.3 (VmWare env. 4 CPU, 4 GB RAM, 20 GB VDisk)

When using IDS, selecting a group of interfaces (AllInternal) causes the IDS service to stop. The only way to start the service is to disable IDS, remove the interface group, and restart OPNsense.

I tried everything below without success:

- Remove the interface group, start the service
- Remove the interface group, disable IDS, enable IDS, restart the service
- Remove the interface group, disable IDS, reinstall the IDS package, restart the service
- Remove the interface group, disable IDS, disable all rulesets, reinstall the IDS package, restart the service
- Remove the interface group, disable IDS, disable all rulesets, reinstall the IDS package, from console "reload all services", restart the service

Please, check if the bug can be reproduced, and if it does, will open a bug report on github
Thank you!

[mimugmail]

Why don't you select all interfaces you need manually?

[Ciprian]

Too many!... 

For now, as a workaround, I did select the interfaces one-by-one, but as I configure/ add/ remove internal interfaces on a frequent basis (testing purposes), it would be much easier for me to work with groups in FW/ IPS etc, and only modify the member interfaces in the group.

Thank you for your suggestion.

[franco]

This is funny. It's not a bug, it's a sort of a feature... a combination of:

(a) nobody thought it would be possible to select interface groups in the MVC interface selection
(b) due to (a) nobody wrote code to resolve interface groups to real interfaces

When adding a group, it writes the group name to the suricata interfaces, but the group is not a real interface so it refuses to start.

We could actually make that a feature in the future, would you mind adding a request on GitHub?

https://github.com/opnsense/core/issues


Thank you,
Franco

[Ciprian]

Thank you, franco!

I will add the issue on GitHub!

P.S. As well as nobody thought about int groups and nobody wrote code for that, also I, as a user, was never thought of that feature not working, since the possibility exists in the web interface, and the group is listed on the int selection dropdown list.

[franco]

Ad who wrote the intrusion detection integration disagreed with resolving the group to real interfaces so as a precaution it has been disabled for 17.7.4 to prevent the service from not starting correctly under these conditions.


Cheers,
Franco

[Ciprian]

Yes, franco, I have seen this on the GitHub thread, and the reason is quite logical: not every interface type that can be added to a group is suitable for ID(P)S - like OpenVPN, tinc etc.

Thank you, guys, you're awesome!

[franco]

No, thank you for the report.


Cheers,
Franco