Hello, I am new to OPNsense and trying to get everything set up. I am hoping someone can give me some troubleshooting tips for the issue I am seeing.
I have configured the transparent http/https web proxy and verified that when going to https sites my CA is listed as the issuer of the cert and everything shows valid. I have added the "7999999 Drop opnsense.test.rules bad-unknown OPNsense test eicar virus" rule and verified that alerts are present when trying to download it via the http link and it is blocked. However, when attempting https I am able to download it. There are no alerts present in the IDS logs.
I have all interfaces configured in my IDS: lan, opt1, opt2, wan.
I tried both pattern matchers, hyperscan and aho-corasick. I have also tried promiscuous mode even though I am not using VLAN tagging. It should be blocking the file via that same rule when downloading over https, right?
Here is my log entry when restarting the IDS service:
May 11 23:30:59 suricata: [100159] <Notice> -- all 8 packet processing threads, 4 management threads initialized, engine started.
Thanks for any help.
Only blocking on port 80:
2019-05-11T23:45:41.674353-0400 blocked wan 213.211.198.62 80 34.21.174.42 30170 OPNsense test eicar virus
2019-05-11T23:45:41.674353-0400 blocked wan 213.211.198.62 80 34.21.174.42 30170 OPNsense test eicar virus
I think the plain content is not visible to your IPS - just at your endpoints (client, proxy, server).
In your case, I think you filter on WAN, and the traffic is still encrypted when the IPS scans it and is encrypted again when leaving the proxy to the LAN.
If you want to filter HTTPS, you should use a filtering proxy, which is an endpoint and can scan the plain content. Just add c-icap and ClamAV to your squid. The only place where your HTTPS is terminated and plainly visible is inside your proxy process.
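To confirm the fix hbc describes (c-icap plus ClamAV inside the proxy) on both of the paths the original poster tested, here is an added check script that is not from this thread or from OPNsense. PROXY_CA and the two test URLs are placeholders to fill in (the exported CA of the bumping proxy and an EICAR download served over http and https), and the outcome names are my own; after the fix both schemes should come back as blocked.

```python
import socket
import ssl
import urllib.error
import urllib.request

PROXY_CA = "/path/to/opnsense-proxy-ca.pem"      # placeholder: exported proxy CA
TEST_URLS = {                                     # placeholder URLs, fill in
    "http": "http://eicar-test.example/eicar.com",
    "https": "https://eicar-test.example/eicar.com",
}
# Substring of the 68-byte EICAR signature: enough to recognise the file
# without embedding the full test string in this script.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"


def classify(status, body):
    """Map one download attempt to an outcome for the IDS/ICAP admin.

    status is the HTTP status code, or None when no HTTP reply arrived
    (an inline IPS drop shows up as a reset or timeout, not a status).
    """
    if status is None:
        return "blocked-inline"      # dropped/reset before any HTTP reply
    if status >= 400:
        return "blocked-by-proxy"    # ICAP/ClamAV (or a proxy ACL) refused it
    if EICAR_MARKER in body:
        return "delivered"           # the test file reached the client
    return "modified"                # 2xx, but the signature is gone


def fetch(url, ca_file=PROXY_CA, timeout=10):
    """Download url; return (status, body), or (None, b"") if no HTTP reply."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trust the bumping CA
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:             # 4xx/5xx with a body
        return err.code, err.read()
    except (urllib.error.URLError, socket.timeout, ConnectionError):
        return None, b""


def check_all(urls=TEST_URLS):
    """Return {scheme: outcome}; after the fix both should read as blocked."""
    return {scheme: classify(*fetch(url)) for scheme, url in urls.items()}


if __name__ == "__main__":
    for scheme, outcome in check_all().items():
        print(f"{scheme:5s} -> {outcome}")
```

A "delivered" result on https with "blocked-inline" on http reproduces exactly the symptom in the first post; "blocked-by-proxy" on both is what the ICAP scan should produce.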
Thanks again hbc! I think I understand. Since I am monitoring with the IPS at the WAN, inspection is happening before the traffic is decrypted/encrypted by the web proxy. If I was only monitoring on the LAN and OPT interfaces, this would not be an issue?
In my configuration, though, I will need to add ICAP/ClamAV to the traffic flow to see this at a later point in the flow. I think I get it; is there a nice diagram somewhere, like a Visio document, of the packet flow through the various systems? That would be neat.
I do appreciate the help!
Quote: If I was only monitoring on the LAN and OPT interfaces, this would not be an issue?
No, the problem would still exist. It is a transparent proxy. The proxy receives the server's content encrypted via HTTPS, generates a suitable certificate for the client on the fly and sends the traffic encrypted via HTTPS to it.
Even when using the proxy explicitly (non-transparent), an encrypted CONNECT tunnel between client and server would be established, and even the proxy would not see any cleartext traffic. Encrypted traffic and server authenticated by certificate. That is HTTPS.
Thanks for providing further explanation. That helps!
This website might be helpful for testing https://eicar-test.kusivchi.space/.
It allows you to download the EICAR file, selecting HTTP or HTTPS explicitly.
You can also try IPv4 and IPv6.
IDS/IPS cannot see the encrypted traffic from HTTPS; you would need a "man in the middle" setup with certificates. It's rather complex and prone to break.