Good afternoon everyone,
First off, I like the OPNsense feel and while it still has a common feel to pfSense, I like the tweaks that have been done to it.
I have a couple of questions about it though.
I mistakenly thought that the Suricata implementation provides intrusion prevention (IPS) services, but it does not. I saw a couple of forum hits indicating that there is some work going on with this. I'm just wondering if there is a rough idea of when this will be made available?
Also, in pfSense there is pfBlockerNG; is this something that could be ported over to OPNsense?
Thank you all.
Hi,
We're currently working on a full inline IPS option using suricata and netmap, most of the code is already in GitHub and the 16.1 release will contain the final product.
If you want to test the development version, I can add some notes later today on how to install this (a dev package will be available later this week).
As for pfblockerng, pfSense packages are not compatible with OPNsense and we don't want to include any (new) code from pfSense into our codebase for both licensing issues and lack of code quality.
Is there any particular feature you're missing at the moment? You can add URLs in the alias feature as well; maybe extending that a bit would solve the missing part as well.
Regards,
Ad
Hi,
We have been working on the Suricata integration further today and I wanted to give you a sneak preview for what is coming in 16.1 and will be available as beta in the next release (15.7.20).
Enabling this new feature will be very easy, just mark the ips option in "Intrusion Detection":
(https://forum.opnsense.org/images/suricata_enable_ips.png)
(Enabling IPS automatically switches the system to use high performance netmap)
The new overview shows the behaviour per rule, enabled/disabled and alert or drop:
(https://forum.opnsense.org/images/suricata_rule_overview.png)
Finally you can choose to change the defaults:
(https://forum.opnsense.org/images/suricata_change_behaviour.png)
I tested it on one of our midrange machines today and have seen throughputs up to 500Mbps using a standard MTU size of 1500 bytes.
** How to install (as of 15.7.20-devel, or using github) **
** SEE BELOW **
Regards,
Ad
Thanks! I might give this a shot. How's the stability so far?
As for the pfBlocker item: using those blacklists was handy, as it would cron-update the blacklists (spambots, malware, etc.).
It also does deduplication, which I find handy as well. If this is something that could be added, or alternatives, that would be handy.
I think Suricata being in IPS mode would help alleviate these concerns a lot, as the default rules have dshield, and will help a lot on the security end of things.
Thank you for your help!
I spent a couple of days testing and so far it's looking great.
The URL aliases also support updating (Update Freq. (days)), but probably no de-duplication (not sure though).
Note that the instructions will change once 15.7.20 is out tomorrow. We also talked to the suricata devs briefly and they have a 2.1 release candidate coming out hopefully this week, but we'll test with beta4 for now, it's looking good so far. 2.1 is scheduled for December, so it'll be the default for OPNsense 16.1. :)
Okay, here are the final instructions for testing Suricata IPS on 15.7.20:
# pkg install -f opnsense-devel
# pkg add -f https://pkg.opnsense.org/snapshots/suricata-3.0.r3.txz
And then it's usable from the GUI. :)
A small blog post can be found here... https://opnsense.org/inline-intrusion-prevention/
Suricata 3.0 release is scheduled for December.
I attempted to run the update via GUI after which I had issues logging in, Chrome gives me
This webpage has a redirect loop
ERR_TOO_MANY_REDIRECTS
IE gives me
CSRF check failed
Figuring it was a cache issue, I cleared it, but the issue remains. (Perhaps this is a cookie issue? I have Do Not Track requests enabled; does OPNsense respect this, and if so, does it require it, thus giving me the error?)
I can view and access the login page, but the actual redirection to the main panel after entering credentials produces the above errors.
I was more trying this build because I have encountered issues where Suricata would simply stop and would need to be manually restarted after a few days.
Bug in the dev version with non-root accounts. You can fix it via:
# cd /usr/local/etc/inc
# fetch https://raw.githubusercontent.com/opnsense/core/f9451641bcc2440722afa207dd153ee0db1edb1a/src/etc/inc/authgui.inc
Thanks this worked great! ;D
Ran
# pkg install -f opnsense-devel
# pkg add -f https://pkg.opnsense.org/snapshots/suricata-3.0.r3.txz
Disabled hardware checksum offloading (the only one I had enabled) and enabled IPS, and I dropped all internet traffic from inside my LAN. I did not enable any DROP rules and only have a small list of enabled rules in Suricata itself. The interfaces I monitor on are LAN/WAN.
Removing LAN from the monitored interfaces and rebooting did not solve the issue.
What happens when you disable IPS mode?
Quote from: franco on November 30, 2015, 07:52:20 AM
What happens when you disable IPS mode?
The network will come back online after a reboot of the router.
If you disable IPS and only apply, is your network resuming normal operation then or do you need a reboot?
If so, can you post the tail of /var/log/system.log (clog /var/log/system.log), maybe we can find a cause there...
I will get on this as soon as I don't have a network full of people. Probably this weekend.
Here ya go. It may be worth mentioning that I did some testing and came up with the following.
If WAN & LAN interfaces are selected and IPS mode is enabled, the network will die.
Disabling IPS and hitting APPLY will NOT bring the network back up. However, after disabling IPS, rebooting the machine will work.
If WAN is the only interface selected and IPS is enabled, the network will DIE.
However, disabling IPS and hitting APPLY WILL bring the network back up.
This is my readout of the log with both WAN & LAN interfaces selected.
AFTER ENABLE IPS
root@Chronos:~ # clog /var/log/system.log
nfigd.py: [bf8b749e-ffe7-4f38-8c0a-db6b39698474] Linkup stopping re1
Dec 5 10:20:17 Chronos kernel: re0: link state changed to DOWN
Dec 5 10:20:17 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
Dec 5 10:20:19 Chronos kernel: re1: link state changed to UP
Dec 5 10:20:20 Chronos kernel: re0: link state changed to UP
Dec 5 10:20:20 Chronos configd.py: [eaef7faf-4609-43fd-86a8-5093774a3f75] get suricata daemon status
Dec 5 10:20:21 Chronos opnsense: /usr/local/etc/rc.linkup: Clearing states to old gateway 100.3.220.1.
Dec 5 10:20:21 Chronos devd: Executing '/usr/local/opnsense/service/configd_ctl.py interface linkup stop re0'
Dec 5 10:20:21 Chronos configd.py: [bdf42287-a538-4aae-bf21-218168b9173a] Linkup stopping re0
Dec 5 10:20:21 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for lan
Dec 5 10:20:24 Chronos devd: Executing '/usr/local/opnsense/service/configd_ctl.py interface linkup start re1'
Dec 5 10:20:24 Chronos configd.py: [7bfb8f1a-175f-47cd-acf0-8ffa78d48735] Linkup starting re1
Dec 5 10:20:24 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for wan
Dec 5 10:20:24 Chronos opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
Dec 5 10:20:24 Chronos opnsense: /usr/local/etc/rc.newwanip: rc.newwanip: Informational is starting re1.
Dec 5 10:20:24 Chronos opnsense: /usr/local/etc/rc.newwanip: rc.newwanip: on (IP address: 100.3.220.149) (interface: WAN[wan]) (real interface: re1).
Dec 5 10:20:25 Chronos opnsense: /usr/local/etc/rc.newwanip: The command '/sbin/route delete -host 8.8.8.8' returned exit code '1', the output was 'route: writing to routing socket: No such process delete host 8.8.8.8 fib 0: not in table'
Dec 5 10:20:25 Chronos opnsense: /usr/local/etc/rc.newwanip: The command '/sbin/route delete -host 8.8.4.4' returned exit code '1', the output was 'route: writing to routing socket: No such process delete host 8.8.4.4 fib 0: not in table'
Dec 5 10:20:25 Chronos opnsense: /usr/local/etc/rc.newwanip: ROUTING: remove current default route to 100.3.220.1
Dec 5 10:20:25 Chronos opnsense: /usr/local/etc/rc.newwanip: ROUTING: setting default route to 100.3.220.1
Dec 5 10:20:27 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: updating cache file /conf/dyndns_wanfreedns'teamdotexe.org'0.cache: 100.3.220.149
Dec 5 10:20:27 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS (teamdotexe.org): (Success) No Change In IP Address
Dec 5 10:20:29 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: updating cache file /conf/dyndns_wanfreedns'www.teamdotexe.org'1.cache: 100.3.220.149
Dec 5 10:20:29 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS (www.teamdotexe.org): (Success) No Change In IP Address
Dec 5 10:20:30 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS (ts3.teamdotexe.org): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Dec 5 10:20:31 Chronos opnsense: /usr/local/etc/rc.newwanip: Creating rrd update script
Dec 5 10:20:33 Chronos opnsense: /usr/local/etc/rc.newwanip: Could not find IPv4 gateway for interface (lan).
Dec 5 10:20:33 Chronos opnsense: /usr/local/etc/rc.newwanip: Could not find IPv6 gateway for interface(lan).
Dec 5 10:20:33 Chronos opnsense: /usr/local/etc/rc.linkup: Accept router advertisements on interface re1
Dec 5 10:20:35 Chronos opnsense: /usr/local/etc/rc.linkup: ROUTING: remove current default route to 100.3.220.1
Dec 5 10:20:35 Chronos opnsense: /usr/local/etc/rc.linkup: ROUTING: setting default route to 100.3.220.1
Dec 5 10:20:39 Chronos configd.py: [de34460f-45dc-4b75-9f58-f732535b5fe2] updating dyndns wan
Dec 5 10:20:40 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS: updating cache file /conf/dyndns_wanfreedns'teamdotexe.org'0.cache: 100.3.220.149
Dec 5 10:20:40 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS (teamdotexe.org): (Success) No Change In IP Address
Dec 5 10:20:41 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS: updating cache file /conf/dyndns_wanfreedns'www.teamdotexe.org'1.cache: 100.3.220.149
Dec 5 10:20:41 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS (www.teamdotexe.org): (Success) No Change In IP Address
Dec 5 10:20:42 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS (ts3.teamdotexe.org): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Dec 5 10:20:43 Chronos devd: Executing '/usr/local/opnsense/service/configd_ctl.py interface linkup start re0'
Dec 5 10:20:43 Chronos configd.py: [e7d22f9c-ff29-4914-9077-93b74a42be07] Linkup starting re0
Dec 5 10:20:43 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for lan
Dec 5 10:20:43 Chronos opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface lan
Dec 5 10:20:43 Chronos opnsense: /usr/local/etc/rc.linkup: Accept router advertisements on interface re0
Dec 5 10:20:50 Chronos configd.py: [0a6f8996-927b-4006-b4e2-3bd42dd79fc2] updating dyndns lan
AFTER REBOOT (IPS ENABLED) Still no network
: re0: link state changed to DOWN
Dec 5 10:24:35 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
Dec 5 10:24:37 Chronos kernel: re1: link state changed to UP
Dec 5 10:24:38 Chronos kernel: re0: link state changed to UP
Dec 5 10:24:39 Chronos opnsense: /usr/local/etc/rc.linkup: Clearing states to old gateway 100.3.220.1.
Dec 5 10:24:39 Chronos devd: Executing '/usr/local/opnsense/service/configd_ctl.py interface linkup stop re0'
Dec 5 10:24:39 Chronos configd.py: [f47916a1-60ce-49fd-baaf-ea4d938f179b] Linkup stopping re0
Dec 5 10:24:39 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for lan
Dec 5 10:24:42 Chronos devd: Executing '/usr/local/opnsense/service/configd_ctl.py interface linkup start re1'
Dec 5 10:24:42 Chronos configd.py: [e1d12024-08f7-4cc8-9cd8-c6a031a98914] Linkup starting re1
Dec 5 10:24:42 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for wan
Dec 5 10:24:42 Chronos opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
Dec 5 10:24:42 Chronos opnsense: /usr/local/etc/rc.newwanip: rc.newwanip: Informational is starting re1.
Dec 5 10:24:42 Chronos opnsense: /usr/local/etc/rc.newwanip: rc.newwanip: on (IP address: 100.3.220.149) (interface: WAN[wan]) (real interface: re1).
Dec 5 10:24:42 Chronos opnsense: /usr/local/etc/rc.newwanip: The command '/sbin/route delete -host 8.8.8.8' returned exit code '1', the output was 'route: writing to routing socket: No such process delete host 8.8.8.8 fib 0: not in table'
Dec 5 10:24:42 Chronos opnsense: /usr/local/etc/rc.newwanip: The command '/sbin/route delete -host 8.8.4.4' returned exit code '1', the output was 'route: writing to routing socket: No such process delete host 8.8.4.4 fib 0: not in table'
Dec 5 10:24:42 Chronos opnsense: /usr/local/etc/rc.newwanip: ROUTING: remove current default route to 100.3.220.1
Dec 5 10:24:42 Chronos opnsense: /usr/local/etc/rc.newwanip: ROUTING: setting default route to 100.3.220.1
Dec 5 10:24:45 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: updating cache file /conf/dyndns_wanfreedns'teamdotexe.org'0.cache: 100.3.220.149
Dec 5 10:24:45 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS (teamdotexe.org): (Success) No Change In IP Address
Dec 5 10:24:45 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: updating cache file /conf/dyndns_wanfreedns'www.teamdotexe.org'1.cache: 100.3.220.149
Dec 5 10:24:45 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS (www.teamdotexe.org): (Success) No Change In IP Address
Dec 5 10:24:46 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS (ts3.teamdotexe.org): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Dec 5 10:24:47 Chronos opnsense: /usr/local/etc/rc.newwanip: Creating rrd update script
Dec 5 10:24:49 Chronos opnsense: /usr/local/etc/rc.newwanip: Could not find IPv4 gateway for interface (lan).
Dec 5 10:24:49 Chronos opnsense: /usr/local/etc/rc.newwanip: Could not find IPv6 gateway for interface(lan).
Dec 5 10:24:50 Chronos opnsense: /usr/local/etc/rc.linkup: Accept router advertisements on interface re1
Dec 5 10:24:52 Chronos opnsense: /usr/local/etc/rc.linkup: ROUTING: remove current default route to 100.3.220.1
Dec 5 10:24:52 Chronos opnsense: /usr/local/etc/rc.linkup: ROUTING: setting default route to 100.3.220.1
Dec 5 10:24:56 Chronos configd.py: [33ed9463-5f3d-4417-8c3b-3f915f99f91d] updating dyndns wan
Dec 5 10:24:56 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS: updating cache file /conf/dyndns_wanfreedns'teamdotexe.org'0.cache: 100.3.220.149
Dec 5 10:24:56 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS (teamdotexe.org): (Success) No Change In IP Address
Dec 5 10:24:58 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS: updating cache file /conf/dyndns_wanfreedns'www.teamdotexe.org'1.cache: 100.3.220.149
Dec 5 10:24:58 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS (www.teamdotexe.org): (Success) No Change In IP Address
Dec 5 10:24:59 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS (ts3.teamdotexe.org): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Dec 5 10:25:00 Chronos devd: Executing '/usr/local/opnsense/service/configd_ctl.py interface linkup start re0'
Dec 5 10:25:00 Chronos configd.py: [51bb405a-3565-4042-83c9-c1b42b671a32] Linkup starting re0
Dec 5 10:25:00 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for lan
Dec 5 10:25:00 Chronos opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface lan
Dec 5 10:25:00 Chronos opnsense: /usr/local/etc/rc.linkup: Accept router advertisements on interface re0
Dec 5 10:25:06 Chronos configd.py: [c9a4231e-bf66-40f7-b68b-4acbbd7c405b] updating dyndns lan
Dec 5 10:25:10 Chronos sshd[56193]: Accepted keyboard-interactive/pam for root from 10.0.128.106 port 55662 ssh2
Dec 5 10:25:10 Chronos sshlockout[71074]: sshlockout/webConfigurator v3.0 starting up
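To make a system.log excerpt like the one above quicker to triage, here is an added Python example (not from this thread or the OPNsense project) that parses the kernel link-state and configd "Linkup" lines of this log format and flags interfaces that are still down or were stopped without a matching start. The sample lines are constructed in the same layout as the log above; the interface re2 and the shortened configd IDs are assumptions for the example.

```python
import re

# Constructed sample in the layout of the system.log lines posted in the thread
# (not a copy of the poster's log; re2 is an invented interface with no restart).
SAMPLE_LOG = """\
Dec 5 10:20:17 Chronos kernel: re0: link state changed to DOWN
Dec 5 10:20:17 Chronos kernel: re1: link state changed to DOWN
Dec 5 10:20:19 Chronos kernel: re1: link state changed to UP
Dec 5 10:20:20 Chronos kernel: re0: link state changed to UP
Dec 5 10:20:21 Chronos configd.py: [bdf42287] Linkup stopping re0
Dec 5 10:20:24 Chronos configd.py: [7bfb8f1a] Linkup starting re1
Dec 5 10:20:24 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for wan
Dec 5 10:20:43 Chronos configd.py: [e7d22f9c] Linkup starting re0
Dec 5 10:20:45 Chronos configd.py: [0a6f8996] Linkup stopping re2
"""

TS = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
LINK_RE = re.compile(TS + r" \S+ kernel: (\w+): link state changed to (UP|DOWN)$")
LINKUP_RE = re.compile(TS + r" \S+ configd\.py: \[[^\]]+\] Linkup (stopping|starting) (\w+)$")


def parse_link_events(text):
    """Return (timestamp, ifname, event) tuples; event is the kernel link state
    ('UP'/'DOWN') or the configd linkup action ('stopping'/'starting').
    Lines that match neither pattern (dyndns, routing, ...) are ignored."""
    events = []
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = LINKUP_RE.match(line)
        if m:
            events.append((m.group(1), m.group(3), m.group(2)))
    return events


def summarize(events):
    """Per interface: DOWN->UP flap count, last kernel link state, and whether a
    configd 'stopping' was followed by a 'starting' for the same interface."""
    summary = {}
    for _ts, ifname, ev in events:
        s = summary.setdefault(ifname, {"flaps": 0, "link": None,
                                        "stopped": False, "restarted": False})
        if ev == "DOWN":
            s["link"] = "DOWN"
        elif ev == "UP":
            if s["link"] == "DOWN":
                s["flaps"] += 1
            s["link"] = "UP"
        elif ev == "stopping":
            s["stopped"], s["restarted"] = True, False
        elif ev == "starting":
            s["restarted"] = True
    return summary


def stuck_interfaces(summary):
    """Interfaces to look at first: link still DOWN, or stopped and never restarted."""
    return sorted(name for name, s in summary.items()
                  if s["link"] == "DOWN" or (s["stopped"] and not s["restarted"]))


if __name__ == "__main__":
    print(stuck_interfaces(summarize(parse_link_events(SAMPLE_LOG))))
```

Run it against the real file with `clog /var/log/system.log | python3 linkcheck.py` after replacing SAMPLE_LOG with `sys.stdin.read()`.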
It might be driver/netmap related, but I don't have a similar situation over here using the same hardware to test.
On my end (with intel cards) it works, also with both interfaces selected.
Maybe your issue is solved with FreeBSD 10.2, which will be available some time later, but is already available for testing:
# opnsense -kr 10.2
Last tip: it's better not to include both LAN and WAN in your IPS setup. It should work, but it's probably not very necessary.
Small heads-up: the Suricata 3.0RC3 package is available and must be installed for 15.7.22 development or higher to work correctly:
(AMD64 ONLY)
# pkg install -f opnsense-devel
# pkg add -f https://pkg.opnsense.org/snapshots/suricata-3.0.r3.txz
RC3 is out, snapshots available, see above. :)
http://suricata-ids.org/2015/12/21/suricata-3-0rc3-available/
One of the suricata devs has said that RC3 is the last one before the release... Either way, we are shipping RC3 or 3.0 release with 16.1.
https://twitter.com/inliniac/status/684424708448759810
Ladies and Gentlemen, get ready.
so excited!
It would be great if we could tune suricata.yaml from the GUI.
For example, the logs are spammed with "SURICATA IPv4 invalid checksum" alerts, so we need to turn that check off in the config.
Hi interfaSys,
You should be able to disable the alerts in the alert tab; just search for the rule and click the disable button on the right. Or isn't that what you're looking for?
The suricata package installs some rules by default (like decoder-events.rules), maybe we should include these in the settings as well so you can disable them completely.
Regards,
Ad
Actually, I'm looking for something different. If I turn off the source, I will disable all the rules it contains, if I'm not mistaken.
The Suricata FAQ (https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Frequently_Asked_Questions) mentions a "stream.checksum_validation" setting which should be set to no.
I'm thinking there may be other interesting "tunables" in suricata.yaml.
Actually, re-reading that FAQ, it seems it's for something unrelated... I do also have
tcp.invalid_checksum | Total | 315
in my logs though, but that might not be that important and disabling the rule is probably the right thing to do.
Something new. At one point I wanted to turn off IPS and it became impossible to connect to the WAN. Rebooting or halting the system didn't work either.
When physically turning it off, I got more info: The suricata process was stuck. There were lots of pwaits for it, but suricata just wouldn't die.
As it stands, the IPS functionality seems pretty limited if you have more than a simple WAN/LAN setup.
I have
* WAN(phys) + VPN
* LAN(phys) + VLAN1 + VLAN2, etc.
The only interfaces which the IPS can be activated on are WAN and LAN, but there is almost no traffic going through these interfaces.
VPN, being a virtual interface, cannot be used.
As for LAN, I tried to use it, hoping it would filter all VLANs, but it just breaks the VLANs. They can't connect to their gateways any more.
OK, so after a reboot, the LAN interface is filtering all VLANs and devices can connect to their gateways. It's just annoying that it takes a reboot every time.
Suricata 3.0 has been released, which is great timing for 16.1. We'll include it. This CFT is over, thanks everyone.
http://suricata-ids.org/2016/01/27/suricata-3-0-available/