Hello friends!
I just cannot understand what the problem is. Please help, because I do not know what else to do. Suricata version 4.1.2 does not work. When IPS mode is on, I load a test virus. Alerts appear: "test virus is blocked." In the log there is a record "[Drop] [1:7999999:1] OPNsense test eicar virus...", but the file is downloaded without problems.
Tried on the integrated I219-LM network card and on the PCIe card with the Intel® 82576EB chipset. And with VLAN and without VLAN. The result is the same. In the logs everything is fine (dropped), but the virus is downloaded perfectly. Maybe I do not understand something? How do I diagnose the problem?
In version 4.0.6 everything was fine. Files did not load.
Hi,
I can confirm that the file is passed through even if the Alerts state that Action is "blocked".
Best regards,
Space
Hi! One more confirmation from my side. Blocking is not fully functional in Suricata 4.1.2.
Blocks do occur, but 2 out of 4 test downloads of the eicar.com file won't be blocked. Same goes for rules like abuse.ch (I tried the *.co.cc rule in my testing).
I run OPNsense in a virtual environment, VMware ESXi, on a Qotom Intel i3 box with Intel chipset.
Has something gone wrong with this version? I can provide further details to try and find the culprit (debugs, logs?)
Greetings,
Tom
EDIT:
Just to add more details: OPNsense 19.1, Suricata 4.1.2_1
Although the logs show me eicar is blocked, the file is successfully downloaded
- attached screenshots
Reverting back to Suricata 4.0.5 is not an option for me at the moment, since I need to revert back to OPNsense 18.7 due to GeoIP dependencies.
EDIT2:
I managed to successfully install GeoIP and Suricata 4.0.5 on OPNsense 19.1 and blocking is working once again. Tested with a few rules including abuse.ch and eicar.
To conclude: Suricata 4.1.2 is NOT working properly on OPNsense 19.1
Blocking facebook using the opnsense.social_media.rules works for me.
Did you disable all nic offloads and reboot?
As the logs show the block the detection seems to work, what does a packet capture show?
Hi Abraxxa,
on which interfaces is your IDS listening? WAN or LAN or both?
For me the facebook blocking is not working either but I do not even see alarms for that. On my system IDS is only listening on WAN since LAN/OPT1 are currently monitored by Sensei.
Best regards,
Space
LAN, which is really re1 with promiscuous mode because of VLAN tagging.
To get that working I had to disable VLAN hardware filtering in Interfaces / Settings, else all packets were sent without a VLAN header.
Quote from: trigger_hippie on February 02, 2019, 02:47:54 AM
I managed to successfully install GeoIP and Suricata 4.0.5 on OPNsense 19.1
Hello!
Can you tell me how to install Suricata 4.0.5 on OPNsense 19.1?
Best Regards
Also, for some reason, the list with the action setting (drop/alert) in the "Alert info" window has disappeared. It is not convenient. Does anybody know how to get it back?
Doesn't work for me either. I have LAN and 3 WANs, hyperscan.
Same here, the alerts log tries to convince me it was blocked but I can still download it:
2019-02-13T21:54:45.157026+0100 blocked LAN 213.211.198.62 80 192.168.1.101 57486 OPNsense test eicar virus
user@linuxvm$ rm -f eicar.com.txt ; wget http://www.eicar.org/download/eicar.com.txt 2>/dev/null ; cat eicar.com.txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
I asked about it in their IRC but I've yet to receive a response.
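Sahbi's check above (alert line says "blocked", yet the client still receives the full EICAR file) is the core symptom of the thread. The following POSIX shell script is an added example, not code from the thread or from OPNsense: it reads an alerts export in the whitespace-separated column layout shown above (timestamp, action, interface, source, source port, destination, destination port, message), takes the action of the newest eicar alert, and compares it with whether the downloaded file on the client actually contains the EICAR test string. The function names and the assumption that the action is the second column are mine; the demo data at the bottom is constructed from the line quoted in the post.

```sh
#!/bin/sh
# Added example (not from the thread): does an OPNsense IDS alert that claims
# "blocked" agree with what actually reached the client?
# Assumptions: alerts file columns are
#   <timestamp> <action> <iface> <src> <sport> <dst> <dport> <msg...>
# and the payload under test is the standard EICAR string.

EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# last_eicar_action ALERTS_FILE: print the action column of the newest eicar alert
last_eicar_action() {
    grep -i 'eicar' "$1" | tail -n 1 | awk '{ print $2 }'
}

# payload_arrived FILE: exit 0 if FILE exists and holds the EICAR string intact
payload_arrived() {
    [ -f "$1" ] && grep -qF "$EICAR" "$1"
}

# ips_consistent ALERTS_FILE DOWNLOADED_FILE
# exit 0 when the logged action and the client-side observation agree;
# exit 1 when the log says "blocked" but the full payload still arrived,
# which is exactly the 4.1.2 behaviour reported in this thread.
ips_consistent() {
    action=$(last_eicar_action "$1")
    if [ "$action" = "blocked" ] && payload_arrived "$2"; then
        echo "MISMATCH: alert says blocked but $2 holds the full test file" >&2
        return 1
    fi
    if payload_arrived "$2"; then arrived=yes; else arrived=no; fi
    echo "OK: action='$action', payload_arrived=$arrived"
    return 0
}

# --- constructed demo data (alert line taken from the post above) ---
tmp=$(mktemp -d)
cat > "$tmp/alerts.log" <<'EOF'
2019-02-13T21:54:45.157026+0100 blocked LAN 213.211.198.62 80 192.168.1.101 57486 OPNsense test eicar virus
EOF
# Case 1: the file came through intact although the alert says blocked
printf '%s\n' "$EICAR" > "$tmp/eicar.com.txt"
ips_consistent "$tmp/alerts.log" "$tmp/eicar.com.txt" || echo "IPS is NOT actually dropping"
# Case 2: the download produced an empty file, as a real drop would
: > "$tmp/empty.txt"
ips_consistent "$tmp/alerts.log" "$tmp/empty.txt"
```

On a live box you would point the first argument at an alerts export and the second at the file your wget/curl test produced; a non-zero exit is the "logged as dropped, delivered anyway" state, which is when a packet capture on the inside interface (as suggested earlier in the thread) is the next step.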
There is a patch/fix that will be included in 19.1.2
https://github.com/opnsense/core/issues/3211#issuecomment-462835563
I haven't tried it myself yet.
I can confirm that everything works after patching 4.1.2_1 version. Tested with eicar, urlhaus and a few policy rules.
Quote from: trigger_hippie on February 14, 2019, 08:29:22 AM
There is a patch/fix that will be included in 19.1.2
https://github.com/opnsense/core/issues/3211#issuecomment-462835563
I haven't tried it myself yet.
Works here as well. Suricata did already properly block stuff like inbound SSH scans, but now it also forbids the eicar download.
Quote from: Sahbi on February 14, 2019, 08:32:26 PM
Quote from: trigger_hippie on February 14, 2019, 08:29:22 AM
There is a patch/fix that will be included in 19.1.2
https://github.com/opnsense/core/issues/3211#issuecomment-462835563
I haven't tried it myself yet.
Works here as well. Suricata did already properly block stuff like inbound SSH scans, but now it also forbids the eicar download.
I can confirm that! Thanks for the quick response and great support as usual!
Looks like that took everyone by surprise. https://redmine.openinfosecfoundation.org/issues/2811
Workaround will be in 19.1.2. Patch can be applied safely in the meantime:
# opnsense-patch 86957375
Cheers,
Franco
https://github.com/opnsense/core/commit/86957375
I applied the patch, but it seems it is not blocking yet.
Have you rebooted or at least reapplied your intrusion detection settings?
Yes
Sent from my iPhone using Tapatalk
Try again on 19.1.2 then...
Cheers,
Franco
Yes, in this update it works. Blocked again.