OPNsense Forum
English Forums => Intrusion Detection and Prevention => Topic started by: urfin73 on February 01, 2019, 12:25:51 pm
-
Hello friends!
I just can not understand what the problem is. Please help, because I do not know what else to do. Suricata version 4.1.2 does not work. When IPS mode is on, I load a test virus. Alerts appear "test virus is blocked." In the log there is a record "[Drop] [1:7999999:1] OPNsense test eicar virus...", but the file is downloaded without problems.
Tried on the integrated I219-LM network card and on the PCIe card with the Intel® 82576EB chipset. And with VLAN and without VLAN. The result is the same. In the logs, everything is fine - dropped, and the virus is perfectly loaded. Maybe I do not understand something? How to diagnose the problem?
In version 4.0.6 everything was fine. Files did not load.
-
Hi,
I can confirm that the file is passed through even if the Alerts state that Action is "blocked".
Best regards,
Space
-
Hi! One more confirmation from my side. Blocking is not fully functional in Suricata 4.1.2.
Blocks do occur, but 2 out of 4 test downloads of the eicar.com file won't be blocked. Same goes for the rules like abuse.ch (I tried the *.co.cc rule in my testing).
I run OPNsense in a virtual environment, VMware ESXi, on a Qotom Intel i3 box with Intel chipset.
Has something gone wrong with this version? I can provide further details to try and find the culprit (debugs, logs?)
Greetings,
Tom
EDIT:
Just to add more details: OPNsense 19.1, Suricata 4.1.2_1
Although the logs show me eicar is blocked, the file is successfully downloaded
- screenshots attached
Reverting back to Suricata 4.0.5 is not an option for me at the moment, since I need to revert back to OPNsense 18.7 due to GeoIP dependencies.
EDIT2:
I managed to successfully install GeoIP and Suricata 4.0.5 on OPNsense 19.1 and blocking is working once again. Tested with a few rules including abuse.ch and eicar.
To conclude: Suricata 4.1.2 is NOT working properly on OPNsense 19.1
-
Blocking facebook using the opnsense.social_media.rules works for me.
Did you disable all nic offloads and reboot?
As the logs show the block the detection seems to work, what does a packet capture show?
-
Hi Abraxxa,
on which interfaces is your IDS listening? WAN or LAN or both?
For me the facebook blocking is not working either but I do not even see alarms for that. On my system IDS is only listening on WAN since LAN/OPT1 are currently monitored by Sensei.
Best regards,
Space
-
LAN which is really re1 with promiscuous mode because of VLAN tagging.
To get that working I had to disable VLAN hardware filtering in Interfaces / Settings, otherwise all packets were sent without a VLAN header.
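A check for the offload and VLAN-filtering question raised in the two posts above (an added example, not code from the thread or from the OPNsense project): it parses FreeBSD `ifconfig` output and reports, per interface the IDS listens on, which offload options are still enabled and whether the interface is in promiscuous mode. The set of options treated as unsafe for IPS mode and the sample `ifconfig` text are constructed assumptions.

```python
import re

# Offload options assumed here to interfere with Suricata in IPS (netmap) mode;
# VLAN_HWFILTER is included because of the VLAN-tagging issue described in the
# thread. This set is an assumption of the example, not OPNsense's own list.
IPS_UNSAFE_OPTIONS = {"RXCSUM", "TXCSUM", "RXCSUM_IPV6", "TXCSUM_IPV6",
                      "TSO4", "TSO6", "LRO", "VLAN_HWFILTER"}

# Constructed sample of FreeBSD `ifconfig` output (not a real capture).
SAMPLE_IFCONFIG = """\
re1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=4a400<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,TSO4,TSO6,LRO>
"""

IFACE_RE = re.compile(r"^(\w+): flags=[0-9a-f]+<([^>]*)>")
OPTS_RE = re.compile(r"^\s+options=[0-9a-f]+<([^>]*)>")

def parse_ifconfig(text):
    """Return {ifname: {"flags": set, "options": set}} from ifconfig output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"flags": set(m.group(2).split(",")), "options": set()}
            continue
        m = OPTS_RE.match(line)
        if m and current:
            ifaces[current]["options"] = set(m.group(1).split(","))
    return ifaces

def ips_readiness(text, interfaces):
    """Per IDS interface: offloads still enabled, PROMISC state, or missing."""
    parsed = parse_ifconfig(text)
    report = {}
    for name in interfaces:
        info = parsed.get(name)
        if info is None:
            report[name] = {"missing": True}  # interface not present in output
            continue
        report[name] = {"missing": False, "promisc": "PROMISC" in info["flags"],
                        "offloads_on": sorted(info["options"] & IPS_UNSAFE_OPTIONS)}
    return report

if __name__ == "__main__":
    for name, r in ips_readiness(SAMPLE_IFCONFIG, ["re1", "igb0", "em9"]).items():
        print(name, r)
```

On a live box, replace SAMPLE_IFCONFIG with the output of `ifconfig` and list the interfaces configured under Intrusion Detection; any non-empty offloads_on list is a candidate for the reboot-after-disabling step mentioned above.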
-
Hello!
Can you tell me how to install Suricata 4.0.5 on OPNsense 19.1?
Best regards,
-
Also, for some reason, the list with the action setting (drop/alert) has disappeared from the "Alert info" window. It is not convenient. Does anybody know how to bring it back?
-
Doesn't work for me either. I have a LAN and 3 WANs, hyperscan.
-
Same here, the alerts log tries to convince me it was blocked but I can still download it:
2019-02-13T21:54:45.157026+0100 blocked LAN 213.211.198.62 80 192.168.1.101 57486 OPNsense test eicar virus
user@linuxvm$ rm -f eicar.com.txt ; wget http://www.eicar.org/download/eicar.com.txt 2>/dev/null ; cat eicar.com.txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
I asked about it in their IRC but I've yet to receive a response.
-
There is a patch/fix that will be included in 19.1.2
https://github.com/opnsense/core/issues/3211#issuecomment-462835563
I haven't tried it myself yet..
-
I can confirm that everything works after patching 4.1.2_1 version. Tested with eicar, urlhaus and a few policy rules.
-
Works here as well. Suricata did already properly block stuff like inbound SSH scans, but now it also forbids the eicar download.
-
I can confirm that! Thanks for the quick response and great support as usual!
-
Looks like that took everyone by surprise. https://redmine.openinfosecfoundation.org/issues/2811
Workaround will be in 19.1.2. Patch can be applied safely in the meantime:
# opnsense-patch 86957375
Cheers,
Franco
https://github.com/opnsense/core/commit/86957375
-
I applied the patch, but seems not blocking yet.
-
Have you rebooted or at least reapplied your intrusion detections settings?
-
Yes
Sent from my iPhone using Tapatalk
-
Try again on 19.1.2 then...
Cheers,
Franco
-
Yes, it works in this update. Blocked again.