Hi everyone,
I tried testing the "suricata opnsense.test.rules" from the video (https://www.youtube.com/watch?v=_yIq3GM4gjA&t=905s) at the 15:05 mark. I tested it once before and it worked as expected. However, now with OPNsense 23.7.7_3-amd64, I've noticed that it seems to not block the eicar virus test. I'm wondering if anyone else has encountered the same issue?
Below is the log content:
root@OPNsense:/var/log/suricata # tail -f suricata_20231101.log
<173>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68727 - [meta sequenceId="2"] [100106] <Notice> -- This is Suricata version 6.0.15 RELEASE running in SYSTEM mode
<172>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68727 - [meta sequenceId="3"] [100106] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
<172>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68727 - [meta sequenceId="4"] [100106] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
<172>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68727 - [meta sequenceId="5"] [100106] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
<172>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68727 - [meta sequenceId="6"] [100106] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
<172>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68727 - [meta sequenceId="7"] [100106] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
<172>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68727 - [meta sequenceId="8"] [100106] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
<172>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68748 - [meta sequenceId="9"] [100123] <Warning> -- [ERRCODE: SC_WARN_DEPRECATED(203)] - Found deprecated eve-log.alert app-layer flag "http", enabling metadata.app-layer
<172>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68748 - [meta sequenceId="10"] [100123] <Warning> -- [ERRCODE: SC_WARN_DEPRECATED(203)] - Found deprecated eve-log.alert app-layer flag "tls", enabling metadata.app-layer
<173>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68748 - [meta sequenceId="11"] [100123] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
Thank you all.
It says on the eicar website that HTTP download of the Eicar test file is not provided. That means your source must have been encrypted with SSL/TLS.
Suricata can't look into SSL/TLS encrypted packets, for that you need to set up the Web Proxy feature, for example in transparent mode, with virus scan and SSL/TLS inspection enabled. Or use Zenarmor with SSL/TLS inspection.
Thank you for your response!
However, I have a follow-up question. When you mention "Web Proxy", are you referring to this feature? https://docs.opnsense.org/manual/how-tos/proxytransparent.html
I have followed the setup instructions. How do I know if I have successfully set it up? And how do I implement what you mentioned as "with virus scan and SSL/TLS inspection enabled"?
Thank you very much!
Yes that's the right feature.
It needs a CA certificate, and all your devices that use the transparent proxy need to trust that CA certificate (which means you have to import it to all your devices and your browsers).
Then you can install the os-c-icap and os-clamav plugin for example, and set up "Forward Proxy" "Enable ICAP".
It's all in all a bit more involved than just turning on suricata, because the SSL inspection is a complex feature. Also, because it uses port forward rules to localhost in transparent mode, I don't know how it behaves with IPv6. Probably needs IPv6 NAT to the IPv6 localhost too, so that clients can't just use IPv6 to get around the IPv6 proxy.
The port forward rules also have to be device specific, since any device needs the CA certificate, and devices without it couldn't communicate with websites anymore because they don't have the right chain of trust.
Thank you for your response; I will attempt to run further tests. I am very grateful. ;D
Additionally, does anyone have experience with writing rules? I need to write and modify rules, particularly to rewrite the content. In practice, it is feasible, but the issue arises when I need to add a new rule of my own; how should I edit the SID? The fact is that arbitrarily creating a SID that does not exceed 2^32 is still possible, but it seems to cause system delays when checking Alerts. When I look at the logs, I don't find any clues, only many messages saying "This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details."
The rules are as follows:
drop http any any -> any any (msg:"OPNsense test eicar virus"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49 56 49 52 55 53 2d 54 45 53 54 2d 46 49 4c 45 21 24 48 2b 48 2a|"; fast_pattern; reference:url,www.eicar.org/anti_virus_test_file.htm; classtype:bad-unknown; sid:2023110201; rev:1;)
drop http any any -> any any (msg:"OPNsense test-2 eicar virus"; content:"|4F 50 4E 73 65 6E 73 65|"; fast_pattern; reference:url,www.eicar.org/anti_virus_test_file.htm; classtype:bad-unknown; sid:2023110202; rev:1;)
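As an added example (not code from the post, from OPNsense or from Suricata), a small Python checker for a local rules file: it decodes the |hex| content of the two rules above to show which bytes they actually match, and flags SIDs that are duplicated or fall outside the range the Suricata documentation reserves for local rules. It handles only the simple rule grammar used here (no semicolons inside quoted options).

```python
import re

# Range the Suricata documentation reserves for locally written rules.
LOCAL_SID_RANGE = (1_000_000, 1_999_999)
# Sample input: the two rules quoted in the post above.
RULES = r'''
drop http any any -> any any (msg:"OPNsense test eicar virus"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49 56 49 52 55 53 2d 54 45 53 54 2d 46 49 4c 45 21 24 48 2b 48 2a|"; fast_pattern; reference:url,www.eicar.org/anti_virus_test_file.htm; classtype:bad-unknown; sid:2023110201; rev:1;)
drop http any any -> any any (msg:"OPNsense test-2 eicar virus"; content:"|4F 50 4E 73 65 6E 73 65|"; fast_pattern; reference:url,www.eicar.org/anti_virus_test_file.htm; classtype:bad-unknown; sid:2023110202; rev:1;)
'''

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((.*)\)\s*$')
def decode_content(value):
    """Expand a content value such as "ab|43 44|" into the bytes it matches (odd parts are hex)."""
    out = bytearray()
    for i, part in enumerate(value.strip('"').split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)

def parse_rule(line):
    """Parse one rule into action, proto, msg, sid, rev and decoded contents."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a rule: " + line[:40])
    rule = {"action": m.group(1), "proto": m.group(2), "contents": []}
    for opt in m.group(3).split(';'):
        key, _, val = opt.strip().partition(':')
        if key == "content":
            rule["contents"].append(decode_content(val))
        elif key in ("sid", "rev"):
            rule[key] = int(val)
        elif key == "msg":
            rule["msg"] = val.strip('"')
    return rule

def check_rules(text):
    """Return (sid, problem) findings: missing, duplicate or out-of-range sids."""
    findings, seen = [], set()
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        sid = parse_rule(line).get("sid")
        if sid is None:
            findings.append((None, "missing sid"))
        elif sid in seen:
            findings.append((sid, "duplicate sid"))
        elif not LOCAL_SID_RANGE[0] <= sid <= LOCAL_SID_RANGE[1]:
            findings.append((sid, "sid outside local range"))
        seen.add(sid)
    return findings
```

Run against the two rules above it reports both SIDs as outside the local range; note that a plain content match like this can only fire on cleartext HTTP, which is the point made earlier in the thread.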