Hi.
I've set up a fresh OPNsense box in a Proxmox environment.
The first problem (in the test phase) was the virtio net driver: it was freezing the whole virtual machine when enabling IPS in Services. I quickly found on this forum that virtio isn't the best option for Suricata and switched to the E1000 driver.
When I went to "production" I passed through an Intel 82576 as the WAN port and set the PPPoE credentials.
Everything works great except Suricata. It seems that Suricata can't catch packets on the PPPoE interface.
In suricata.log I see something like this (and nothing else):
23/11/2017 -- 21:23:21 - <Notice> - Signal Received. Stopping engine.
23/11/2017 -- 21:23:21 - <Notice> - Stats for 'pppoe1': pkts: 0, drop: 0 (nan%), invalid chksum: 0
23/11/2017 -- 21:23:21 - <Notice> - Stats for 'pppoe1+': pkts: 0, drop: 0 (nan%), invalid chksum: 0
23/11/2017 -- 21:25:04 - <Notice> - This is Suricata version 4.0.1 RELEASE
23/11/2017 -- 21:25:04 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
I found an old thread in the legacy subforum with a similar issue but without any solution (but that was v17.1 with a Suricata 3.x installation).
Is there any chance to use IPS on a PPPoE WAN interface?
Same behavior on a Qotom-Q355 appliance using Intel I211-AT (igb2 driver).
Would this be a hardware limitation or just the nature of PPPoE?
This is a known limitation of IPS mode, but not IDS. We suspect it is somewhere in the FreeBSD kernel:
https://redmine.openinfosecfoundation.org/issues/1925
We've been through some debugging sessions despite the lack of feedback on that particular ticket, but have found no conclusive answer as to whether and how it could be fixed.
Cheers,
Franco
@Franco, this ticket has meanwhile been closed. Will this ever be functional? It would be crucial to know whether any IDS/IPS is possible with PPPoE in the future. No way to set up Snort on OPNsense, I guess?
It's a limitation of netmap; neither Suricata nor Snort (to my knowledge) is capable of decoding the PPP packets it will receive on the physical interface. IDS mode captures the packets on the virtual interface (after decapsulation).
If you're not running any services on the network interface which is encapsulated, you could consider enabling IPS on your internal interfaces (which also matches most of the rules better, for NAT reasons).
A solution with divert sockets might work in theory, but is pretty CPU intensive.
Cheers,
Ad
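To make the difference between the two capture points concrete, here is an added example (not code from OPNsense, Suricata or anyone in this thread). It builds a constructed IPv4/UDP packet, wraps it in a PPPoE session frame the way it travels on the physical WAN NIC (ethertype 0x8864, 6-byte PPPoE header, 2-byte PPP protocol field, RFC 2516/1332), and then shows that a decoder expecting plain Ethernet/IPv4 gets nothing from that frame, while decapsulating the PPPoE layer yields exactly the packet the virtual pppoe interface carries. The MACs, session ID and addresses are made-up sample values.

```python
"""Constructed PPPoE session frame (physical NIC view) vs. plain IP (pppoe interface view)."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864   # RFC 2516, session stage
PPP_PROTO_IPV4 = 0x0021            # RFC 1332
PPP_PROTO_IPV6 = 0x0057            # RFC 5072
PPPOE_OVERHEAD = 6 + 2             # PPPoE header + PPP protocol field (hence the 1492 MTU)


def ip_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over an even-length header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4/UDP packet used as constructed sample traffic (UDP checksum left 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                      64, 17, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp


def pppoe_encap(ip_packet: bytes, session_id: int, dst_mac: bytes, src_mac: bytes,
                ppp_proto: int = PPP_PROTO_IPV4) -> bytes:
    """Wrap an IP packet the way it appears on the wire during a PPPoE session."""
    ppp = struct.pack("!H", ppp_proto) + ip_packet
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp  # ver=1,type=1,code=session
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe


def parse_ethernet(frame: bytes):
    """Split an untagged Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    return frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0], frame[14:]


def ip_from_plain_ethernet(frame: bytes):
    """A decoder that only understands Ethernet/IPv4: the IP packet, or None."""
    _, _, etype, payload = parse_ethernet(frame)
    return payload if etype == ETHERTYPE_IPV4 else None


def ip_from_pppoe_session(frame: bytes):
    """Decapsulate one PPPoE session frame into (session_id, ppp_proto, inner_packet)."""
    _, _, etype, payload = parse_ethernet(frame)
    if etype != ETHERTYPE_PPPOE_SESSION:
        raise ValueError("not a PPPoE session frame")
    if len(payload) < 8:
        raise ValueError("truncated PPPoE header")
    vertype, code, sid, length = struct.unpack("!BBHH", payload[:6])
    if vertype != 0x11 or code != 0x00:
        raise ValueError("unexpected PPPoE version/type/code")
    ppp = payload[6:6 + length]
    if len(ppp) != length:
        raise ValueError("PPPoE length field exceeds frame")
    proto = struct.unpack("!H", ppp[:2])[0]
    return sid, proto, ppp[2:]


# Constructed sample: a DNS-sized UDP packet from a private address, wrapped in session 0x0012.
SAMPLE_IP = build_ipv4_udp(b"\x0a\x00\x00\x02", b"\x08\x08\x08\x08", 40000, 53, b"\x00" * 12)
SAMPLE_FRAME = pppoe_encap(SAMPLE_IP, 0x0012,
                           b"\x00\x11\x22\x33\x44\x55", b"\xaa\xbb\xcc\xdd\xee\xff")


def demo():
    """(naive view, PPP protocol, decapsulated == original, bytes of encapsulation overhead)."""
    naive = ip_from_plain_ethernet(SAMPLE_FRAME)          # None: ethertype is 0x8864, not 0x0800
    _, proto, inner = ip_from_pppoe_session(SAMPLE_FRAME)  # what pppoe1 hands to IDS mode
    return naive, proto, inner == SAMPLE_IP, len(SAMPLE_FRAME) - len(SAMPLE_IP)


if __name__ == "__main__":
    print(demo())
```

The 22 bytes of overhead are 14 for Ethernet plus the 8 PPPoE/PPP bytes; anything fed the raw NIC frames (as netmap does in IPS mode) has to strip that layer itself before IP-level rules can match, whereas a capture on the pppoe interface already receives the inner packet.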