OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Julien on November 15, 2018, 11:42:55 pm

Title: IDS 18.7.7 keeps stopping
Post by: Julien on November 15, 2018, 11:42:55 pm
Dear All,
Today we updated one box (a physical box) to OPNsense 18.7.7-amd64.
We were so happy with the new IDS version.
However, after enabling some of the app detection rules, the Inline Intrusion Prevention System keeps stopping from time to time and we have to click on Start to start it manually.
In the log file there is nothing.

Please see screenshots.

Thank you
Title: Re: IDS 18.7.7 keeps stopping
Post by: jschellevis on November 16, 2018, 12:23:54 am
Could be an issue with a ruleset.
Some rulesets do not "like" Hyperscan, so you may want to try Aho-Corasick as the pattern matcher.
Title: Re: IDS 18.7.7 keeps stopping
Post by: Julien on November 16, 2018, 12:59:30 am
Thank you for your answer Jos,
Does it matter for speed, using Hyperscan or Aho-Corasick?
I have changed it to Aho-Corasick now; let's see if it keeps running.
Title: Re: IDS 18.7.7 keeps stopping
Post by: jschellevis on November 16, 2018, 01:08:51 am
For pattern matching Hyperscan is faster, but it all depends on the rules used.
More information can be found here (mind that the current version of Suricata is more performant than the version tested in this doc): https://www.intel.com/content/dam/www/public/us/en/documents/solution-briefs/hyperscan-scalability-solution-brief.pdf
Title: Re: IDS 18.7.7 keeps stopping
Post by: Julien on November 16, 2018, 01:13:18 am
We have enabled multiple rules, maybe that's why.
When they say Hyperscan is faster than Aho-Corasick, do they mean faster at scanning the patterns, or that the internet is faster?
IDS remains active after we changed from Hyperscan to Aho-Corasick, thank you Jos.

As I understand it, Hyperscan is better to use with the Emerging Threats rule set?
Title: Re: IDS 18.7.7 keeps stopping
Post by: jschellevis on November 16, 2018, 07:17:35 pm
I am not sure why Hyperscan seems to crash with certain rules; I should investigate that, but I am lacking time.
With the ETOpen/Pro rules it seems to function fine.

Issues could be related to the type and amount of pcre rules; memory exhaustion could be a cause.
As for the performance difference, Hyperscan only makes sense for pattern matching rules.
Title: Re: IDS 18.7.7 keeps stopping
Post by: tofaz on November 16, 2018, 09:55:15 pm
Hi,

I had the same issue with Hyperscan, and it was due to a signature parsing issue in the ruleset /etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 519.

You can check in the log what is causing the issue.

I have disabled those rules (I was not using them anyway) and everything is working fine now.

:)
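The two things the replies above point at, a rule file that fails to parse (findable in the Suricata log with its file name and line number) and the share of pcre rules in a ruleset (which Hyperscan does not help with), can both be checked from a shell without touching the running IDS. The script below is an added example, not code from the thread or from the OPNsense/Suricata projects; the log and rule lines in it are constructed, the ruleset path is the one tofaz mentions, and the parse-error message format is assumed to be the Suricata 4.x one ("error parsing signature ... from file X at line N"), so adjust the regex if your version logs it differently.

```python
"""
Added example: locate a signature that fails to parse from suricata.log,
count content-only vs. pcre signatures per rule file, and comment out a
single offending line. Sample data below is constructed for the example.
"""
import re
from collections import Counter

# Assumption: Suricata 4.x wording of the rule-load error. The greedy .*
# deliberately swallows escaped quotes inside the signature text.
PARSE_ERR_RE = re.compile(
    r'error parsing signature "(?P<sig>.*)" from file (?P<file>\S+) at line (?P<line>\d+)'
)

# Constructed log excerpt, modelled on suricata.log output.
SAMPLE_LOG = """\
15/11/2018 -- 23:10:01 - <Info> - Loading rule file: /etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules
15/11/2018 -- 23:10:02 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\\"CONSTRUCTED bad rule\\"; content:\\"x\\"; pcre:\\"/(/\\"; sid:9000001; rev:1;)" from file /etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 519
15/11/2018 -- 23:10:03 - <Info> - 1 rule files processed. 518 rules successfully loaded, 1 rules failed
"""

# Constructed rule file: one content-only rule, one pcre rule, one commented
# out, one with no content match at all.
SAMPLE_RULES = """\
# constructed rule file for the example
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED content only"; content:"/evil.php"; http_uri; sid:9000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED pcre"; content:"/dl/"; http_uri; pcre:"/\\/dl\\/[a-z0-9]{8}\\.exe$/U"; sid:9000003; rev:1;)
# alert tcp any any -> any any (msg:"CONSTRUCTED disabled"; sid:9000004; rev:1;)
alert tcp any any -> any any (msg:"CONSTRUCTED no content"; flow:established; sid:9000005; rev:1;)
"""


def find_parse_errors(log_text):
    """Return [{file, line, sig}] for every signature Suricata refused to load."""
    errors = []
    for line in log_text.splitlines():
        m = PARSE_ERR_RE.search(line)
        if m:
            errors.append({"file": m.group("file"),
                           "line": int(m.group("line")),
                           "sig": m.group("sig")})
    return errors


def rule_stats(rule_text):
    """Count active signatures and split them into pcre / content-only / no-content.

    Only the content-only bucket benefits from the Hyperscan vs. Aho-Corasick
    choice; pcre rules are evaluated by PCRE after the fast pattern match.
    """
    stats = Counter()
    for raw in rule_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or disabled signature
        stats["rules"] += 1
        if re.search(r'\bpcre:"', line):
            stats["pcre"] += 1
        elif re.search(r'\bcontent:"', line):
            stats["content_only"] += 1
        else:
            stats["no_content"] += 1
    return dict(stats)


def disable_rule_line(rule_text, lineno):
    """Return rule_text with 1-based line `lineno` commented out.

    This is what disabling a single signature in a rule file amounts to; the
    caller writes the result back and reloads rules.
    """
    lines = rule_text.splitlines(keepends=True)
    if 1 <= lineno <= len(lines) and not lines[lineno - 1].lstrip().startswith("#"):
        lines[lineno - 1] = "# " + lines[lineno - 1]
    return "".join(lines)


if __name__ == "__main__":
    for err in find_parse_errors(SAMPLE_LOG):
        print(f"{err['file']}:{err['line']}: unparseable signature")
    print("ruleset mix:", rule_stats(SAMPLE_RULES))
    print("after disabling line 3:", rule_stats(disable_rule_line(SAMPLE_RULES, 3)))
```

To use it against a real box, read the Suricata log and the rule files from disk instead of the constructed strings; a file that shows up in find_parse_errors() is the first candidate for the "disable it or fix it" step tofaz describes, and a large pcre count in rule_stats() explains why switching the pattern matcher alone does not change throughput much.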
Title: Re: IDS 18.7.7 keeps stopping
Post by: Julien on November 17, 2018, 01:20:07 am
Quote from: jschellevis on November 16, 2018, 07:17:35 pm
I am not sure why Hyperscan seems to crash with certain rules; I should investigate that, but I am lacking time.
With the ETOpen/Pro rules it seems to function fine.

Issues could be related to the type and amount of pcre rules; memory exhaustion could be a cause.
As for the performance difference, Hyperscan only makes sense for pattern matching rules.
Thank you for your answer Jos,
When you refer to the ETOpen/Pro rules, I believe you mean the paid rules?
I cannot seem to find those rules at all.
The only ET rules are:

   ET open/botcc
   ET open/botcc.portgrouped
   ET open/ciarmy
   ET open/compromised
   ET open/drop
   ET open/dshield
   ET open/emerging-activex
   ET open/emerging-attack_response
   ET open/emerging-chat (2018/11/15 23:18)
   ET open/emerging-current_events
   ET open/emerging-deleted
   ET open/emerging-dns
   ET open/emerging-dos
   ET open/emerging-exploit
   ET open/emerging-ftp
   ET open/emerging-games
   ET open/emerging-icmp
   ET open/emerging-icmp_info
   ET open/emerging-imap
   ET open/emerging-inappropriate
   ET open/emerging-info
   ET open/emerging-malware
   ET open/emerging-misc
   ET open/emerging-mobile_malware
   ET open/emerging-netbios
   ET open/emerging-p2p
   ET open/emerging-policy
   ET open/emerging-pop3
   ET open/emerging-rpc
   ET open/emerging-scada
   ET open/emerging-scan
   ET open/emerging-shellcode
   ET open/emerging-smtp
   ET open/emerging-snmp
   ET open/emerging-sql
   ET open/emerging-telnet
   ET open/emerging-tftp
   ET open/emerging-trojan
   ET open/emerging-user_agents
   ET open/emerging-voip
   ET open/emerging-web_client
   ET open/emerging-web_server
   ET open/emerging-web_specific_apps
   ET open/emerging-worm
Are you referring to those rules?
Title: Re: IDS 18.7.7 keeps stopping
Post by: jschellevis on November 17, 2018, 01:27:32 am
Yes, those are the ET Open rules; these are the free/community rules.
The ET PRO rules are the commercial rules.
Title: Re: IDS 18.7.7 keeps stopping
Post by: Julien on November 17, 2018, 01:29:02 am
Quote from: jschellevis on November 17, 2018, 01:27:32 am
Yes, those are the ET Open rules; these are the free/community rules.
The ET PRO rules are the commercial rules.
Thank you Jos for your support.
I will go ahead and enable those rules and see how things are working.
PS: IPS is killing my speed, but I am investigating why.