OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: BenKenobi on April 02, 2017, 03:28:52 pm

Title: Suricata - Working or not.
Post by: BenKenobi on April 02, 2017, 03:28:52 pm
Running V17.4 OPNSense, upgraded from 16.7 to 17.1 yesterday, then updated to 17.4, no real issues so far other than intrusion detection.

Suricata service is running but no events are being generated - nothing - so either the internet has become well behaved or something's not right. I've deliberately port scanned my system from 'outside' and nothing is reported. Re-downloading rules makes no difference. I also cannot list the available rules although I can see the configured ones - and .scan is one of those.

I also see this error in syslog when I try to view suricata events - despite me trying to view events it seems to be asking for rules.

02-04-2017   14:08:55   User.Error   xxx.xxx.x.xxx   Apr  2 13:08:55 configd.py: [5e357ad1-56f7-40fd-82de-c2817ddc7a07] Script action failed with Command '/usr/local/opnsense/scripts/suricata/queryInstalledRules.py /limit "10" /offset "0" /filter "" /sort_by "sid"' returned non-zero exit status 1 at Traceback (most recent call last):   File "/usr/local/opnsense/service/modules/processhandler.py", line 477, in execute     stdout=output_stream, stderr=error_stream)   File "/usr/local/lib/python2.7/subprocess.py", line 541, in check_call     raise CalledProcessError(retcode, cmd) CalledProcessError: Command '/usr/local/opnsense/scripts/suricata/queryInstalledRules.py /limit "10" /offset "0" /filter "" /sort_by "sid"' returned non-zero exit status 1


OPNSense is also reporting 'port closed' on scans to ports 135 to 139 - I'd rather it didn't report anything but can find no way to stop this response behaviour.
Title: Re: Suricata - Working or not.
Post by: csmall on April 02, 2017, 10:36:17 pm
A friend and I also get no triggered alerts in suricata but do when using suricata and snort on other firewalls like pfsense and ipfire.

I've worked with Franco a bit to try and identify a problem but couldn't.

I can force two rules to trigger but that's it. If I enable the opnsense test rules and go to a site that tries to violate the rule it triggers. If I enable the chat ET rule and connect to freenode irc it triggers and blocks as well.

When I had pfsense and ipfire installed I had ET rules triggered all day and night every day. Mostly drop, dshield, scan and compromised rules.

I get nothing in opnsense. Very confusing and frustrating. I hope someday it works :)

Title: Re: Suricata - Working or not.
Post by: franco on April 03, 2017, 10:57:47 am
ET Open changed something, patch here:

https://github.com/opnsense/core/issues/1516


Cheers,
Franco
Title: Re: Suricata - Working or not.
Post by: csmall on April 04, 2017, 04:35:30 am
franco, is this related to the issue I have with suricata not showing any alerts for ET rules?
Title: Re: Suricata - Working or not.
Post by: Noctur on April 04, 2017, 06:18:45 am
Patch coming or wait for 17.1.5? TIA
Title: Re: Suricata - Working or not.
Post by: csmall on April 05, 2017, 12:58:07 am
I manually added the line to the file like in the bug fix and it didn't change anything for me. I don't fully understand what this line is supposed to fix.
Title: Re: Suricata - Working or not.
Post by: franco on April 05, 2017, 07:02:02 am
# opnsense-patch 5f17abb

It's only to fix parsing the upstream rules correctly after a change they did a few days ago.


Cheers,
Franco
Title: Re: Suricata - Working or not.
Post by: BenKenobi on April 15, 2017, 01:44:44 pm
I've taken some time over the last couple of days to explore the Suricata issue and my conclusion is it doesn't work. I've incorporated the recommendations here and I can at least view the rules etc., but I think something else is busted - any ideas where to start looking?

Where do the rulesets come from? How can they be viewed in detail, i.e. what particular byte pattern is being matched?

I configured an internal pFSense system running Suricata and hopefully the same rulesets, and the pFSense box is trapping far more even after the OPNSense box - which, if OPNSense was working, it shouldn't do since I've selected 'enable IPS mode' as an option in OPNSense - block traffic - there is no option for how long to block and no list of what is currently blocked.

Some work needed on this plugin I think - if I knew where to start I may have a go myself - how do you go about this - clearly I don't want to use my internet facing firewall as a test lab ...
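As an added example that is not OPNsense's own queryInstalledRules.py and not the patch Franco linked, here is a small tolerant parser for Suricata rule files: it pulls out the sid, msg, whether the rule is commented out, and the content byte patterns the rule matches on (the detail asked about above), and it skips a line it cannot parse instead of aborting the whole listing, which is the failure mode the traceback in the first post shows. The sample rules are constructed for the example, not taken from ET Open.

```python
import re
# Constructed sample rules, not a real ET Open download; line 4 is deliberate junk.
SAMPLE_RULES = r'''# free-text comment, not a rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH banner"; flow:to_server; content:"SSH-"; depth:4; classtype:attempted-recon; sid:9000001; rev:2;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE IRC NICK"; content:"NICK "; nocase; sid:9000002; rev:1;)
this line is junk and must not abort the whole listing
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE odd spacing"; content:"|7b 22 7d|"; sid : 9000003 ; rev:1;)
'''
HEADER_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$')

def split_options(opts):
    """Split the option body on ';' outside double quotes; a backslash escapes the next char."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(opts):
        ch = opts[i]
        if quoted and ch == '\\':
            buf.append(opts[i:i + 2]); i += 2; continue
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            parts.append(''.join(buf).strip()); buf = []
        else:
            buf.append(ch)
        i += 1
    return [p for p in parts + [''.join(buf).strip()] if p]

def parse_rule(line):
    """Return a dict for one rule line, or None for comments and unparseable lines."""
    text = line.strip()
    enabled = not text.startswith('#')   # '#alert ...' is a disabled rule, '# prose' is a comment
    m = HEADER_RE.match(text.lstrip('#').strip())
    if not m:
        return None
    rule = {'sid': None, 'msg': '', 'action': m.group('action'), 'enabled': enabled, 'contents': []}
    for opt in split_options(m.group('opts')):
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip()
        if key == 'sid' and val.isdigit():
            rule['sid'] = int(val)
        elif key == 'msg':
            rule['msg'] = val.strip('"')
        elif key == 'content':
            rule['contents'].append(val.strip('"'))   # the byte pattern(s) the rule matches on
    return rule if rule['sid'] is not None else None  # Suricata itself rejects rules without a sid

def parse_rule_file(text):
    # Bad lines are skipped instead of aborting the whole listing.
    return {r['sid']: r for r in map(parse_rule, text.splitlines()) if r}
```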
Title: Re: Suricata - Working or not.
Post by: csmall on April 15, 2017, 02:22:26 pm
I agree. It has never worked for me but it works on pfsense.

If I use pfsense with suricata and ET rules I trigger rules all day and night.

If I use ipfire with snort and ET rules, the same rules trigger all day and night.

I get literally nothing in OPNsense, except the built in annoying suricata rules.

A friend of mine has the same results on totally different hardware.
Title: Re: Suricata - Working or not.
Post by: rgo on April 15, 2017, 05:34:03 pm
For me on test hardware I am using with 17.1.4 opnsense, Suricata works correctly like it works on pfSense on an IPv4-only WAN, but when I set up WAN for both IPv4 & IPv6 with the suricata IDS check, then IPv6 drops off on WAN and IPv4 keeps working on WAN... and suricata does block just like pfSense, but without IPv6. This was the same in the 17.1.3 and 17.1.2 versions of opnsense.

I have been able to make suricata work, but the scope is not the full range it should be working in.