OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: sjjh on December 21, 2019, 08:47:28 pm

Title: Suricata/IPS not working
Post by: sjjh on December 21, 2019, 08:47:28 pm
Hi! Running OPNsense 19.7.8-amd64. I tried to set up Suricata as IPS for our network by following the how-to in the manual: https://docs.opnsense.org/manual/how-tos/ips-feodo.html But it doesn't drop packages, e.g. I can download the eicar test virus although I enabled the OPNsense test rule to drop it. All hardware offloading (including for VLANs) is turned off. See screenshots below for the config (in German unfortunately) and a log excerpt. What did I do wrong?

I did add the public IP address of OPNsense to the home networks setting, not sure if that is correct. I used the WAN interface (as stated in the how-to) although I read sometimes I shall use the parent interface of the VLAN interfaces, not sure if that is correct either.

Any help is appreciated, feel free to ask for additional information if I forgot something. Thanks in advance! Simon

(http://www.muenster.de/~simonh/opnsense/ips/ips_administration_0.png)
(http://www.muenster.de/~simonh/opnsense/ips/ips_administration_1.png)
(http://www.muenster.de/~simonh/opnsense/ips/ips_administration_2.png)
(http://www.muenster.de/~simonh/opnsense/ips/ips_administration_3.png)
(http://www.muenster.de/~simonh/opnsense/ips/ips_administration_4.png)
(http://www.muenster.de/~simonh/opnsense/ips/ips_administration_5.png)
(http://www.muenster.de/~simonh/opnsense/ips/ips_log.png)
Title: Re: Suricata/IPS not working
Post by: Quetschwalze on December 21, 2019, 09:58:39 pm
If your wan interface is pppoe, which is most common in Germany, it's not going to work. Switch to the lan interface if possible.

Sent from my MI 9 with Tapatalk

Title: Re: Suricata/IPS not working
Post by: sjjh on December 23, 2019, 01:33:22 am
Thanks for your reply. We're not using PPPOE, but a static IPv4 fiber interface, see attached screenshot. Any other idea what I did wrong? :)
(http://www.muenster.de/~simonh/opnsense/ips/wan_interface.png)
Title: Re: Suricata/IPS not working
Post by: Quetschwalze on December 23, 2019, 08:52:17 am
Got it, so PPPoE is not the problem here. You mentioned that your WAN Interface is a VLAN. Did you try to run suricata on the parent interface? It may be worth a try.
Title: Re: Suricata/IPS not working
Post by: sjjh on December 23, 2019, 12:38:20 pm
Sorry, I expressed myself badly there. The WAN interface is not using a VLAN, but all the LAN interfaces use VLANs.
(BTW there's no parent interface to select, if I understand that term right. The drop-down list only shows the WAN, LAN, and different VLAN interfaces. No (physical) interfaces like OPT1, OPT2, em0, ix0, egb0, re0, re1, ... are part of the drop-down menu.)
Simon
Title: Re: Suricata/IPS not working
Post by: sjjh on January 21, 2020, 09:12:34 pm
Does anybody else have an idea what the problem might be?
Simon
Title: Re: Suricata/IPS not working
Post by: packetmangler on January 22, 2020, 07:55:27 pm
Hello,

From my brief testing at home where IPS is working:

I would first remove the external IP from the list of local addresses. I added my external address and filtering stopped working right away.

Also, simply removing the address and clicking Apply was not enough to get the system to block again.  I had to fully stop and restart the service to get the system blocking again.

hth.
Title: Re: Suricata/IPS not working
Post by: sjjh on January 22, 2020, 11:28:01 pm
Thanks for your reply.

Quote
    I would first remove the external IP from the list of local addresses. I added my external address and filtering stopped working right away.

I removed it, restarted the service (and because of some ICAP errors the whole appliance in the end), but unfortunately still don't see any log entries showing that the eicar test file gets blocked... What else should I check?
Title: Re: Suricata/IPS not working
Post by: dave on February 08, 2020, 04:13:34 pm
I don't really understand why PPPOE isn't supported, because Suricata's page states the following:

Quote
Protocol parsers
    Support for packet decoding of
        IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE
        Ethernet, PPP, PPPoE, Raw, SLL, VLAN, QINQ, MPLS, ERSPAN, VXLAN
    App layer decoding of:
        HTTP, SSL, TLS, SMB, DCERPC, SMTP, FTP, SSH, DNS, Modbus, ENIP/CIP, DNP3, NFS, NTP, DHCP, TFTP, KRB5, IKEv2, SIP, SNMP, RDP
        New protocols developed in the Rust language, for safe and fast decoding.
Title: Re: Suricata/IPS not working
Post by: chemlud on February 08, 2020, 05:43:07 pm
afaik and iirc it has to do with lousy support of PPPoE in *BSD...
Title: Re: Suricata/IPS not working
Post by: AdSchellevis on February 08, 2020, 07:21:34 pm
in IDS mode it's supported, in IPS mode it isn't, which is also explained here https://forum.opnsense.org/index.php?PHPSESSID=afau4ff0t2ekoe65moq67kacu8&topic=9741.msg64178#msg64178.

We rely on physical interfaces to support IPS mode, ppp type interfaces are virtual. When capturing the physical interface on top, most rules (highly) likely won't match.

Best regards,

Ad
Title: Re: Suricata/IPS not working
Post by: sjjh on February 09, 2020, 02:37:00 pm
Please note once again that we're *not* using PPPoE.[1] So the mistake must be somewhere else?
Simon

[1] If I'm not getting something completely wrong...
Title: Re: Suricata/IPS not working
Post by: andreaslink on February 11, 2020, 11:17:29 pm
I'm not sure, but I somehow think you are testing wrong ;). You expect the eicar test virus to kick in, but that's not what IPS does, this requires AV to be set up in terms of using the proxy and so on.

For IPS you might consider the SHA-1 cert fingerprint test. I just added facebook's current cert fingerprint with an alarm. And then - with a fresh client that has not yet cached the cert - you can surf on facebook and the log shows the alarm appearing (just let it run for some days with all your clients in the net surfing to facebook). That worked for me and proved it working.

Else my setup is pretty close to yours, just that I'm not using "Promiscuous Mode", so that flag is deactivated as I had trouble with my network card ignoring some data when this was hooked.
Title: Re: Suricata/IPS not working
Post by: sjjh on February 11, 2020, 11:29:48 pm
Thanks for your reply. I'm sorry, I'm not sure if I get you correctly. What do you mean with

Quote
    You expect the eicar test virus to kick in, but that's not what IPS does, ...

I did activate the OPNsense eicar test rule from https://github.com/opnsense/rules/blob/master/src/opnsense.test.rules as you can see in the screenshots below:
(https://imgur.com/ID25JVD)
(https://imgur.com/hvjW5RJ)
Are you saying that this rule shouldn't block the EICAR test virus? What else shall it do?
Title: Re: Suricata/IPS not working
Post by: andreaslink on February 11, 2020, 11:34:37 pm
Ah, sorry, you are right, there is a bunch of new rules in the new version, which I haven't seen yet. I also downloaded and installed the test rules now, I did not prevent the access, but I moved it to "Alarm".
The content of the test rule is very limited:

opnsense.test.rules
drop http any any -> any any (msg:"OPNsense test eicar virus"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49 56 49 52 55 53 2d 54 45 53 54 2d 46 49 4c 45 21 24 48 2b 48 2a|"; fast_pattern; reference:url,www.eicar.org/anti_virus_test_file.htm; classtype:bad-unknown; sid:7999999; rev:1;)


So I'll follow your test and report back. Have you considered deactivating the "Promiscuous Mode" for testing?
Title: Re: Suricata/IPS not working
Post by: andreaslink on February 13, 2020, 08:20:57 am
@sjjh I have tested it now for some days with different constellations and I can second that this does not work. But I still don't think it's necessarily related to the IDS/IPS setup, I guess it's still about the test. Can anyone prove the OPNsense-eicar-test to be working? I can still see impacts from outside which appear in my log if I'm attacked from outside on WAN (see attached screenshot). But I cannot trigger eicar download prevention either.

I'll read more into Suricata and rules generation and will create my own rule, as I think it's somehow related to the fingerprint within the test. But this is just an assumption.
Title: Re: Suricata/IPS not working
Post by: AdSchellevis on February 13, 2020, 08:53:32 am
there you go, easy eicar test, always works on all of our setups with our eicar test rule enabled (from a unix/linux host behind the firewall):

Code:
curl http://www.eicar.org/download/eicar.com

remember to download eicar over http, the rule doesn't match encrypted traffic :)

[https://github.com/opnsense/rules/blob/master/src/opnsense.test.rules#L1]
Title: Re: Suricata/IPS not working
Post by: andreaslink on February 13, 2020, 12:35:14 pm
Thank you very much for sharing this @AdSchellevis, this gives way more input and I can immediately prove it's working. I've tested opening your URL in the browser on two different clients (iPhone Safari and in Linux Chromium) as you can see on the screenshot.

PS: There is no chance of embedding attached screenshots within my reply, is there?
Title: Re: Suricata/IPS not working
Post by: andreaslink on February 13, 2020, 12:35:57 pm
Nonetheless I expected it to behave slightly differently, which is explaining the case now. IPS seems to only be triggered by the full separated eicar file - which kind of makes sense as the fingerprint is generated of the whole file, isn't it? But when I open the website, where the eicar-string as such is only included, nothing happens (see screenshot) - and always opening insecure with http of course.
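The three technical points of the thread, the rule text andreaslink quoted (sid 7999999), AdSchellevis's plain-HTTP curl test, and the observation that only the complete file triggers the rule, can be checked offline with a small model of what the rule's `content:` keyword matches on. The script below is an added example and is not OPNsense or Suricata code: it decodes the `|hex|` pattern from the quoted rule line, then runs that byte match over three constructed payloads (a full-file HTTP download, an HTML page that only mentions part of the string, and opaque bytes standing in for a TLS record). The payloads are constructed for this example and do not reproduce any real page; the matcher models only the byte comparison, not Suricata's protocol, flow or buffer handling.

```python
"""Emulate the content match of the OPNsense EICAR test rule (sid 7999999).

Added example: this is not OPNsense or Suricata code, only a Python model of
what the rule's content: keyword matches on, run over constructed payloads.
"""
import re

# The rule line as quoted in the thread (from opnsense.test.rules).
EICAR_RULE = (
    'drop http any any -> any any (msg:"OPNsense test eicar virus"; '
    'content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 '
    '37 43 43 29 37 7d 24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e '
    '54 49 56 49 52 55 53 2d 54 45 53 54 2d 46 49 4c 45 21 24 48 2b 48 2a|"; '
    'fast_pattern; reference:url,www.eicar.org/anti_virus_test_file.htm; '
    'classtype:bad-unknown; sid:7999999; rev:1;)'
)


def parse_content(rule: str) -> bytes:
    """Return the bytes a rule's content: keyword matches.

    Supports the |hex hex ...| notation this rule uses and literal text outside
    the pipes (with backslash escapes); that is a subset of Suricata's syntax.
    """
    m = re.search(r'content:"((?:[^"\\]|\\.)*)"', rule)
    if not m:
        raise ValueError("rule has no content: keyword")
    out = bytearray()
    for i, part in enumerate(m.group(1).split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part)                        # inside |...|: hex bytes
        else:
            out += re.sub(r"\\(.)", r"\1", part).encode()     # literal text, unescaped
    return bytes(out)


def rule_action(rule: str) -> str:
    """First token of the rule: drop, alert, pass or reject."""
    return rule.split(maxsplit=1)[0]


def inspect(rule: str, payload: bytes) -> str:
    """Return the rule's action if its content pattern occurs anywhere in the
    payload, otherwise 'pass'. Real Suricata also applies the protocol ('http'),
    flow and buffer selection; this models only the byte match."""
    return rule_action(rule) if parse_content(rule) in payload else "pass"


# Constructed test payloads (not real captures).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# 1. Plain-HTTP download of the complete 68-byte eicar.com test file.
HTTP_FULL_FILE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Length: 68\r\n\r\n" + EICAR
)

# 2. A web page that only mentions part of the test string, not the whole file.
HTTP_PAGE_FRAGMENT = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<p>The test file contains EICAR-STANDARD-ANTIVIRUS-TEST-FILE in its body.</p>"
)

# 3. The same file served over TLS: the IPS sees ciphertext, so the plaintext
#    pattern cannot occur (constructed opaque bytes standing in for a record).
TLS_RECORD = b"\x17\x03\x03\x00\x44" + bytes(range(0x44))


def run_tests() -> dict:
    """Run the rule over the three payloads; used by the stand-alone main below."""
    return {
        "decoded_pattern": parse_content(EICAR_RULE),
        "full_file": inspect(EICAR_RULE, HTTP_FULL_FILE),
        "page_fragment": inspect(EICAR_RULE, HTTP_PAGE_FRAGMENT),
        "tls_record": inspect(EICAR_RULE, TLS_RECORD),
    }


if __name__ == "__main__":
    for name, result in run_tests().items():
        print(f"{name}: {result!r}")
```

Running it shows that the hex in the rule decodes to exactly the 68-byte EICAR string, that the full-file download is the only payload the rule drops, and that a page quoting only a fragment passes, which is the behaviour described in the last two posts. The TLS case is why the curl test has to use http://: the rule can only match what it can read in cleartext.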