Can I use my custom rules in Intrusion Detection? I have a few Snort/Suricata rules I wrote that I need to add.
Also, is 'IPS Mode' the same as inline mode? If not, how do I turn on inline mode, or is that on by default?
I am looking to switch over from pfSense because they are dragging their feet on IPS/IDS inline mode.
Thanks in advance.
Hi there,
Inline mode is just a flip of a switch:
- enable IDS
- enable IPS mode
We do have very light custom-rules support from the GUI, but nothing that would fit your ruleset for sure (there's only GeoIP and Fingerprinting in there). An automatic rule inclusion for a flat file on the disk would probably be more suitable for you? Something similar is already done by the proxy server configuration.
If that sounds alright, we ask that all features be requested on GitHub by the users themselves, for questions, ping-backs, testing and polishing. It makes for a better result. :)
https://github.com/opnsense/core/issues
Cheers,
Franco
Thanks, I submitted a feature request on GitHub for custom rules.
I see this was picked up. We're currently debating whether or not dropping rules into the existing directory is enough or if we need a custom file hook.
https://github.com/opnsense/core/issues/1219
https://github.com/opnsense/core/pull/1222
Files do need to be copied via SSH/SFTP in any case, but that's easily automated as a plus.
Cheers,
Franco
Pull request was closed, so the official way is to push additional rule files to: /usr/local/etc/suricata/rules/
Quote from: dcol on October 14, 2016, 10:38:51 PM
Thanks, I submitted a feature request on GitHub for custom rules.
Hello @dcol,
Sorry to write you here, but on that other forum I can't write anymore. I read @jwt's response, that ultimately Suricata is not a concern for pfSense. Did you try Suricata on OPNsense? Is it working, I mean the inline mode? Also I did not understand what Franco said about importing the rules. Can we import rules from pfSense easily if I switch to OPNsense?
Thanks
Hi Redyr,
In practice Suricata inline mode works well in most combinations. After all, Suricata 3.0 with netmap(4) mode was released around January this year. We trust them to do good work. :)
We've found at least two things that don't work as expected, but they apply to FreeBSD as a whole and can be partially worked around. Any other solution based on FreeBSD will run into these issues as well if we cannot address them upstream:
1. em(4) driver has corner cases where netmap(4) mode is unstable. Can be worked around with the intel-em-kmod package or our os-intel-em plugin in OPNsense itself:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212828
2. PPPoE with netmap(4) either partially works or doesn't work at all. Traffic gets passed, but is not visible to Suricata. We're currently tracking this via:
https://redmine.openinfosecfoundation.org/issues/1925
As far as ET-Open rulesets and others go, they are selectable from the GUI. For custom rulesets, files cannot be imported via the GUI, they have to be added via SSH into the respective directory in order to be activated by the service.
Hope that helps.
Cheers,
Franco
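Franco's two answers above (the closed pull request, so the official way is to push rule files to /usr/local/etc/suricata/rules/, and the note that custom rule files have to be added via SSH rather than the GUI) leave the copying and checking to the administrator. The POSIX shell script below is an added example, not OPNsense project code: it sanity-checks a local Snort/Suricata rules file (well-formed header, a `sid` on every rule, no duplicate `sid` in the file), copies it over SCP into the directory named in the thread, and runs Suricata's own configuration self-test on the box before the service is restarted. The config path /usr/local/etc/suricata/suricata.yaml, logging in as `root@host`, running `suricata -T` remotely and the `configctl ids restart` command are assumptions not stated in the thread; the sample rules are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not OPNsense project code. Validates a local Snort/Suricata rules file,
# then pushes it to the directory named in this thread and test-loads the config remotely.
set -eu

RULES_DIR=/usr/local/etc/suricata/rules                # directory named in the thread
SURICATA_YAML=/usr/local/etc/suricata/suricata.yaml    # assumption: generated config path

# validate_rules_file FILE
# Prints the number of rules found on stdout. Fails (return 1) on the first line that is
# not a well-formed rule header, has no sid, or reuses a sid already seen in the file.
validate_rules_file() {
    file=$1
    count=0
    sids=""
    lineno=0
    # header grammar: action proto src sport (->|<>) dst dport (options)
    header='^(alert|drop|reject|pass)[[:space:]]+[a-z]+[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+(->|<>)[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+\(.*\)[[:space:]]*$'
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;     # blank lines and comments are fine
        esac
        if ! printf '%s\n' "$line" | grep -Eq "$header"; then
            echo "$file:$lineno: malformed rule header" >&2
            return 1
        fi
        sid=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:](]sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
        if [ -z "$sid" ]; then
            echo "$file:$lineno: rule has no sid" >&2
            return 1
        fi
        case " $sids " in
            *" $sid "*) echo "$file:$lineno: duplicate sid $sid" >&2; return 1 ;;
        esac
        sids="$sids $sid"
        count=$((count + 1))
    done < "$file"
    echo "$count"
}

# deploy_rules HOST FILE
# Copies FILE into RULES_DIR on HOST (the thread says SSH/SFTP is the only way), then runs
# Suricata's config self-test there; the service is restarted only if that passes.
deploy_rules() {
    host=$1
    file=$2
    n=$(validate_rules_file "$file")
    echo "$file: $n rules, local check passed"
    scp "$file" "root@$host:$RULES_DIR/"
    # Assumption: -T makes Suricata parse its config and rules and exit non-zero on error.
    if ! ssh "root@$host" "suricata -T -c $SURICATA_YAML"; then
        echo "$host: suricata -T failed, leaving the running service untouched" >&2
        return 1
    fi
    # Assumption: OPNsense exposes an IDS restart action this way; the GUI Apply does the same.
    ssh "root@$host" "configctl ids restart"
}

# Constructed sample rules (not real signatures) so the script runs stand-alone.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# local.rules - constructed example
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL IRC egress"; flow:to_server; sid:1000001; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"LOCAL unexpected inbound DNS"; sid:1000002; rev:1;)
EOF
echo "sample: $(validate_rules_file "$SAMPLE") rules pass the local check"

# Usage: sh push_rules.sh deploy <opnsense-host> <rules-file>
case "${1:-}" in
    deploy) deploy_rules "$2" "$3" ;;
esac
rm -f "$SAMPLE"
```

The local check is deliberately strict about duplicate `sid` values because Suricata refuses to load a file with a reused signature id, and catching that before the file lands on the firewall avoids a failed restart; the remote `suricata -T` run is the second safety net before the live engine is touched.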
Wow, that's the best explanation I've had in years. I have this for my hardware http://global.shuttle.com/main/productsSpec?productId=2007
I have that other project installed on it, and both NICs are Intel, but there are 2 different drivers, one is igb(4) and the other is em(4). If I switch inline mode to the igb(4) NIC all is well, but if I try to switch to inline mode for em(4), after a few seconds the internet connection dies, and I cannot access my box anymore. Note that this happens on pfSense, and the only way to recover is to restore a backup restore point.
Actually I'm interested in whether Suricata 3.1.2 is working in inline mode, not 3.0, and tell me more about the intel-em-kmod package or OPNsense os-intel-em, or be so kind and point me to the right thread if this was discussed before, I don't want to waste your time. Thanks
P.S. Actually I saw this thread https://forum.opnsense.org/index.php?topic=3630 , so should I understand that because of some bugs in FreeBSD netmap it's not working, or can I use those workarounds you mentioned?
Hi Redyr,
Yes, that sounds like the em(4) issue. Can you dump the following console command for us:
# pciconf -lv em0
It shows the chipset and other information.
In FreeBSD 11.0, there is a patch to make netmap(4) a bit more stable:
https://github.com/freebsd/freebsd/commit/7f641c57ed9
But in OPNsense we had to revert another change that came in during 10.2 -> 10.3, which made the mode unstable for a small amount of chipsets, unfortunately chipsets for embedded devices:
https://github.com/opnsense/src/commit/11586afbb7
Since this also applies to 11.0, we looked for a replacement for the em(4) driver, and found that Intel offers a vanilla base driver for FreeBSD, which can be plugged into the system without the need to recompile the kernel. This is now the "intel-em-kmod" package in the FreeBSD ports. The "os-intel-em" plugin we have is just a wrapper around this so you don't have to do the manual configuration in /boot/loader.conf.
Using that driver should also help you get better results in pfSense, yes.
The basic question is why you would think 3.1.2 works any differently. I mean yes, Suricata code changed, but the underlying FreeBSD framework did not, and that's where the issues I mentioned happen.
The original 16.7 upgrade issues thread mentioned this: https://forum.opnsense.org/index.php?topic=3430.0
Note that this happened when we switched from 16.1 to 16.7, which was FreeBSD 10.2 to 10.3 underneath.
Cheers,
Franco
I thought that fixing this bug, #1844: netmap: IPS mode doesn't set 2nd iface in promisc mode (from the Suricata 3.1.1 changelog), would fix the em(0) issue. Also a lot of bugs were fixed. So something must work better.
Also I saw that you work with FreeBSD on the Suricata ports from here https://www.freshports.org/security/suricata/, and I thought that you did some code fixes for BSD plus the new Suricata code; I thought it would be a winning pair, at least maybe it would work better in comparison with what pfSense has. This was my idea.
I didn't know who you were, but sometimes negative publicity is good in a way (I mean that Chris mentioned a "Franco" from OPNsense, then I knew in which direction to look). Then I opened the OPNsense page, looked at the changelogs, and I saw the progress on Suricata, meaning 3.1.2 was implemented.
In comparison to the project that I use, I see at least that here you and others are trying to solve Suricata issues, which is important to me. My question in short is: I'm interested in switching to OPNsense, can I enable Suricata inline mode on both of my NICs, and are the other issues fixed? I'm not asking you for an ETA, but I want to ask when I should switch in order to not have problems. Should I wait for the next OPNsense release in January? I mean I'm willing to wait, in order to not be disappointed like I am with pfSense.
As requested this is the dump from the console (pfSense latest production version):
[2.3.2-RELEASE][root@prod.test]/root: pciconf -lv em0
em0@pci0:0:31:6: class=0x020000 card=0x00008086 chip=0x15b78086 rev=0x31 hdr=0x00
vendor = 'Intel Corporation'
device = 'Ethernet Connection (2) I219-LM'
class = network
subclass = ethernet
Thanks
Hi!
I use bridge mode (Intel 10G ix0/ix1) in pfSense; inline mode is also not working and crashes. At the same time, I use ET PRO rules and syslog (alert) forwarding. If opnsense can make that stable in the future, I would be very glad to use opnsense and request commercial support.
Hi everfree,
o I honestly don't know anything about ix issues. It may be a driver issue. What kind of crashes are we talking about?
o We do not have a bridge mode from NIC to NIC: we use the full inline mode that you can use in conjunction with all firewall functionality.
o ET Pro rules can be integrated with the addition of a rules file description.
o Syslog support was recently added, but still needs to be added to the forwarding server settings. I expect this to land in 16.7.x the upcoming weeks.
Cheers,
Franco
Hi franco,
o Because it crashed about 6 months ago, I did not copy any crash logs, but most messages (as attachment) from the console before the crash.
o I'm sorry I did not make it clear, I mean Transparent Filtering Bridge mode.
o Really? I can use ET PRO rules in opnsense now? Hope for an ET PRO GUI and regular expressions (for sid management) in the future.
o Syslog support was recently added, it's good news.
I have not tested opnsense in production before; maybe I can try.
Thanks!
Hi everfree,
> Because it crashed about 6 months ago, I did not copy any crash logs, but most messages (as attachment) from the console before the crash.
That looks like a driver lockup. I do not think it's fixed, but we could always try the stock intel driver if you want.
> I'm sorry I did not make it clear, I mean Transparent Filtering Bridge mode.
Ok, so you have a LAN and WAN? In that case, IPS is simply enabled on WAN and you have the setup you want.
> Really? I can use ET PRO rules in opnsense now? Hope for an ET PRO GUI and regular expressions (for sid management) in the future.
Yes, we need to help with the rule description file that needs to be created. Ad recently added a new one; this is really all that's needed, dropped into the correct directory:
https://github.com/opnsense/plugins/blob/master/security/intrusion-detection-content-pt-open/src/opnsense/scripts/suricata/metadata/rules/pt-research.xml
> Syslog support was recently added, It's good news.
Still need to work on the remote end as I said, but yes, progress. :)
If you find the time to spin up a test system I'd recommend it. The reliability of Suricata in IPS depends on the quality of the hardware as well. E.g. for Realtek NICs we've given up all hope. And RAM should be plenty, some users reported failures due to Suricata not having enough memory.
Cheers,
Franco
Yes, I'm looking forward to Opnsense development.
For IPS on Intel 10G, I'm expecting that day's coming!
I formerly hoped that opnsense together with suricata would be a good replacement for our boxes (APU) running with pfsense/snort.
But until now no working Suricata in IPS mode on these boxes. They have the Realtek networking cards.
IPS in opnsense/suricata does not work --> in pfsense/snort perfect ????
Will there be any hope and chance for running stable opnsense/suricata on these APU boxes?
Hi zash,
Realtek NICs are unstable for IPS/netmap mode. It's not fixable.
Note that there is no true IPS mode for snort, it's using a lazy-block list via filter that can leave your data leaked on the first incident anyway. ;)
All in all, I think options for true IPS in FreeBSD are just that: Intel chips.
Cheers,
Franco
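Franco has now given the per-driver picture in three places: the em(4) netmap corner cases and the intel-em-kmod / os-intel-em workaround (which he says otherwise means editing /boot/loader.conf by hand), Redyr's `pciconf -lv em0` dump identifying the chip, and the statement here that Realtek NICs are unstable for IPS/netmap and not fixable. The POSIX shell script below is an added example, not OPNsense project code: it parses `pciconf -lv` output, picks out the network-class devices, and prints next to each one what this thread reports about that driver, plus an idempotent helper for the loader.conf line. The driver-prefix mapping (em/igb/ix for Intel, re for Realtek, `none` for an unclaimed device) follows FreeBSD naming; the module name `if_em_updated_load="YES"` is what the intel-em-kmod port's install notes give and is an assumption here. The sample input reuses the I219-LM entry posted in the thread plus two constructed entries (a host bridge and a Realtek NIC).

```shell
#!/bin/sh
# Added example, not OPNsense project code. Reads `pciconf -lv` output and reports, per
# network device, what this thread says about Suricata inline (netmap) on that driver, and
# shows the idempotent /boot/loader.conf edit the os-intel-em plugin does for you.
# Assumptions: FreeBSD driver prefixes (em/igb/ix = Intel, re = Realtek, none = unclaimed);
# the intel-em-kmod module is enabled with if_em_updated_load="YES" (from the port's notes).
set -eu

# driver_verdict IFNAME -> one-line summary of this thread's experience with that driver
driver_verdict() {
    drv=$(printf '%s' "$1" | sed 's/[0-9]*$//')
    case "$drv" in
        em)   echo "Intel em(4): netmap corner cases; try intel-em-kmod / os-intel-em" ;;
        igb)  echo "Intel igb(4): reported working inline" ;;
        ix)   echo "Intel ix(4): crashes reported under pfSense, no OPNsense data" ;;
        re)   echo "Realtek re(4): unstable for IPS/netmap, considered not fixable" ;;
        none) echo "no driver attached" ;;
        *)    echo "$drv(4): not discussed in this thread" ;;
    esac
}

# nic_inline_report < pciconf-lv-output
# Prints "ifname chip=0x... 'device': verdict" for every PCI device of class 0x02 (network).
nic_inline_report() {
    ifname="" chip="" device="" isnet=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *@pci[0-9]*:*)   # header: em0@pci0:0:31:6: class=0x020000 ... chip=0x15b78086 ...
                [ "$isnet" = 1 ] && printf '%s chip=%s %s: %s\n' "$ifname" "$chip" "'$device'" "$(driver_verdict "$ifname")"
                ifname=${line%%@*}
                chip=$(printf '%s\n' "$line" | sed -n 's/.*chip=\(0x[0-9a-fA-F]*\).*/\1/p')
                case "$line" in *class=0x02*) isnet=1 ;; *) isnet=0 ;; esac
                device=""
                ;;
            *device*=*)      # verbose line: device = 'Ethernet Connection (2) I219-LM'
                device=$(printf '%s\n' "$line" | sed -n "s/^[[:space:]]*device[[:space:]]*=[[:space:]]*'\(.*\)'.*/\1/p")
                ;;
        esac
    done
    [ "$isnet" = 1 ] && printf '%s chip=%s %s: %s\n' "$ifname" "$chip" "'$device'" "$(driver_verdict "$ifname")"
    return 0
}

# enable_updated_em LOADER_CONF
# Adds the intel-em-kmod loader line once (what os-intel-em does for you); safe to re-run.
enable_updated_em() {
    conf=$1
    if grep -q '^if_em_updated_load="YES"' "$conf" 2>/dev/null; then
        return 0
    fi
    echo 'if_em_updated_load="YES"' >> "$conf"
}

# Sample input: the em0 entry posted in this thread plus two constructed entries.
sample_pciconf() {
    cat <<'EOF'
hostb0@pci0:0:0:0:	class=0x060000 card=0x00008086 chip=0x19188086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    class      = bridge
    subclass   = HOST-PCI
em0@pci0:0:31:6:	class=0x020000 card=0x00008086 chip=0x15b78086 rev=0x31 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Connection (2) I219-LM'
    class      = network
    subclass   = ethernet
re0@pci0:1:0:0:	class=0x020000 card=0x00001043 chip=0x816810ec rev=0x06 hdr=0x00
    vendor     = 'Realtek Semiconductor Co., Ltd.'
    device     = 'RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller'
    class      = network
    subclass   = ethernet
EOF
}

# On a real box: pciconf -lv | sh nic_check.sh  (reads stdin if it is not a terminal)
if [ -t 0 ]; then
    sample_pciconf | nic_inline_report
else
    nic_inline_report
fi
```

Run it with `pciconf -lv | sh nic_check.sh` on the firewall to get the per-NIC summary before enabling IPS mode; the host bridge and other non-network devices are skipped because only class 0x02 entries are reported. The loader.conf helper only matters if the os-intel-em plugin is not used, since the plugin writes the same setting for you.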
OK, I understand.
That means that we get no running opnsense/suricata on all PC Engines APU boxes without Intel NICs :-(
There ought to be an emulation mode that may yield better results and supposedly works with all drivers. I haven't looked into it, but it would be interesting to see if it can be used instead of the real driver bindings (in case of Realtek anyway). Performance is a lot less, but it could be workable.
At the moment I don't have any time to look into it, but I will try to see if this is a workaround option for "known bad cards". :)
Cheers,
Franco
I tried opnsense 16.7.7; it's amazing. I also donated to opnsense. I hope that opnsense can be used for 10G inline mode in my production in the future. :)
I will donate again next month.
Hi everfree,
Wow, thanks for the feedback and donation!
You should watch out for 17.1 with FreeBSD 11.0 underneath. We will have a beta version in November, an RC in January and the release just at the end of January 2017. :)
Cheers,
Franco
Look at that, netmap(4) bug fixed in FreeBSD CURRENT, expecting a swift transition to both 10 and 11.
https://github.com/freebsd/freebsd/commit/c9c991ee76
Great work by sbruno@ and luigi@ for pinning this down.
PS: Already in our repo. ;)
Been a while since I posted here. Just installed the latest OPNsense 17.7 and figured I have a new box, let's try it out. This box is a Supermicro 5018-FTN4 with an 8 core Intel Atom C2758 and i354 Quad NIC.
Setup went great with one static WAN and one LAN subnet. Seems to work fine until I enable IPS inline, which kills the internet connection. Seems to work in non-inline mode (IPS unchecked). Also noticed that when IPS is selected, the Unbound DNS service keeps restarting. I just used all the default settings in IDS, except I tried to use Hyperscan and that didn't work either.
One more note, tried Suricata inline using PFsense on this new box and it also didn't work. But the internet connection was ok, just no alerts. I also tried a known tested Intel i210T1 NIC on the WAN and it still didn't work.
Any suggestions?