OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Trelleboy on March 29, 2020, 01:45:32 am

Title: IPS not working
Post by: Trelleboy on March 29, 2020, 01:45:32 am
Well, I can read that there is a lot of confusion about Suricata. My x86 tells me that Proofpoint is running, but it's not. The other day it told me my VPN was running, but it was not. But I will not accept not having at least tried to get the IPS running.

Can anyone help me to get the IPS running? That's why I wanted OPNsense in the first place.

I'm running 20.1.3 on an x86 with a lot of power.

I have tried to test it with EICAR, but it seems dead. I have removed all local networks and it's set to WAN.

One other thing is that telemetry is not auto-updating, but all the others inside IPS are.

Title: Re: IPS not working
Post by: Trelleboy on March 29, 2020, 10:46:48 pm
I have discovered why the WAN interface practically showed no alerts/blocks. There is a note on the OPNsense documentation page for intrusion detection which states that if you are using NAT, which most home users will be doing, you need to add the WAN interface IP address to the list in the “Home networks” section of the intrusion detection settings page. You will need to click the “Advanced” button at the top of the page to see this configuration option. It should already have all private IP address space included.

Simply add your WAN IP address. If your WAN address changes, this will need to be updated. It may be possible to use a dynamic DNS service and put the hostname in the list. I do not know if hostnames are supported, but it is quite possible it will work. I have found that hostnames work in places where IP addresses can be entered (like firewall rules and aliases).

THAT works, but don't reboot :-)
Title: Re: IPS not working
Post by: chemlud on March 30, 2020, 08:16:30 am
No, DynDNS names don't work; you get a validation error:

Code:
please specify a valid network segment or address (IPv4/IPv6)
...
Title: Re: IPS not working
Post by: Supermule on March 30, 2020, 01:36:38 pm
I have the same issue. Suricata not running/logging any packets at all.

2020-03-30T13:32:12   suricata[30160]: [101773] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
2020-03-30T13:31:27   suricata[30160]: [101773] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BE.Radmin.Challenge' is checked but not set. Checked in 2003480 and 0 other sigs
2020-03-30T13:31:27   suricata[30160]: [101773] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'etpro.clsid.detected' is checked but not set. Checked in 2002172 and 0 other sigs
2020-03-30T13:31:09   suricata: [101773] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
2020-03-30T13:31:08   suricata: [100952] <Notice> -- This is Suricata version 4.1.7 RELEASE
2020-03-30T13:31:08   suricata[90916]: [100667] <Notice> -- Stats for 'em0+': pkts: 42028, drop: 0 (0.00%), invalid chksum: 0
2020-03-30T13:31:08   suricata[90916]: [100667] <Notice> -- Stats for 'em0': pkts: 42778, drop: 0 (0.00%), invalid chksum: 1
2020-03-30T13:31:08   suricata[90916]: [100667] <Notice> -- Signal Received. Stopping engine.
2020-03-30T13:31:08   suricata[90916]: [100667] <Notice> -- rule reload complete
2020-03-30T13:30:21   suricata[90916]: [100667] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BE.Radmin.Challenge' is checked but not set. Checked in 2003480 and 0 other sigs
2020-03-30T13:30:21   suricata[90916]: [100667] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'etpro.clsid.detected' is checked but not set. Checked in 2002172 and 0 other sigs
2020-03-30T13:30:02   suricata[90916]: [100667] <Notice> -- rule reload starting
2020-03-30T12:09:42   suricata[90916]: [100667] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
2020-03-30T12:08:57   suricata[90916]: [100667] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BE.Radmin.Challenge' is checked but not set. Checked in 2003480 and 0 other sigs
2020-03-30T12:08:57   suricata[90916]: [100667] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'etpro.clsid.detected' is checked but not set. Checked in 2002172 and 0 other sigs
2020-03-30T12:08:39   suricata: [100667] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
2020-03-30T12:08:38   suricata: [100995] <Notice> -- This is Suricata version 4.1.7 RELEASE
2020-03-30T12:08:38   suricata[69961]: [100712] <Notice> -- Stats for 'em0+': pkts: 770803, drop: 0 (0.00%), invalid chksum: 0
2020-03-30T12:08:38   suricata[69961]: [100712] <Notice> -- Stats for 'em0': pkts: 977361, drop: 0 (0.00%), invalid chksum: 1

I don't have the feeling of control that I have in pfSense regarding the Suricata implementation...

It hurts, since I really don't dig the guys behind Netgate and I am very fond of OPNsense...
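
The log above is the kind of evidence a practitioner should read instead of trusting the service-status icon, which only says whether the process exists. The following is an added example (not OPNsense or Suricata code) that parses exactly the lines posted above and answers three questions: is the engine in the "started" state, how long did the last restart take (the gap between "Stopping engine" and "engine started", during which nothing is inspected although the GUI may already show "running"), and what are the per-endpoint packet and drop counters. The line format is inferred from the posted lines only; the regular expressions are this example's assumption about that format.

```python
"""Added example: parse the Suricata log lines from the post above.

Not OPNsense or Suricata code. The regexes below are an assumption about the
log format, derived from the posted lines; OPNsense shows the log newest-first,
so the parser re-sorts events chronologically before reasoning about state.
"""
import re
from datetime import datetime

# Verbatim copy of the log lines in the post above (newest first).
SURICATA_LOG = """\
2020-03-30T13:32:12   suricata[30160]: [101773] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
2020-03-30T13:31:27   suricata[30160]: [101773] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BE.Radmin.Challenge' is checked but not set. Checked in 2003480 and 0 other sigs
2020-03-30T13:31:27   suricata[30160]: [101773] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'etpro.clsid.detected' is checked but not set. Checked in 2002172 and 0 other sigs
2020-03-30T13:31:09   suricata: [101773] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
2020-03-30T13:31:08   suricata: [100952] <Notice> -- This is Suricata version 4.1.7 RELEASE
2020-03-30T13:31:08   suricata[90916]: [100667] <Notice> -- Stats for 'em0+': pkts: 42028, drop: 0 (0.00%), invalid chksum: 0
2020-03-30T13:31:08   suricata[90916]: [100667] <Notice> -- Stats for 'em0': pkts: 42778, drop: 0 (0.00%), invalid chksum: 1
2020-03-30T13:31:08   suricata[90916]: [100667] <Notice> -- Signal Received. Stopping engine.
2020-03-30T13:31:08   suricata[90916]: [100667] <Notice> -- rule reload complete
2020-03-30T13:30:21   suricata[90916]: [100667] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BE.Radmin.Challenge' is checked but not set. Checked in 2003480 and 0 other sigs
2020-03-30T13:30:21   suricata[90916]: [100667] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'etpro.clsid.detected' is checked but not set. Checked in 2002172 and 0 other sigs
2020-03-30T13:30:02   suricata[90916]: [100667] <Notice> -- rule reload starting
2020-03-30T12:09:42   suricata[90916]: [100667] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
2020-03-30T12:08:57   suricata[90916]: [100667] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BE.Radmin.Challenge' is checked but not set. Checked in 2003480 and 0 other sigs
2020-03-30T12:08:57   suricata[90916]: [100667] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'etpro.clsid.detected' is checked but not set. Checked in 2002172 and 0 other sigs
2020-03-30T12:08:39   suricata: [100667] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
2020-03-30T12:08:38   suricata: [100995] <Notice> -- This is Suricata version 4.1.7 RELEASE
2020-03-30T12:08:38   suricata[69961]: [100712] <Notice> -- Stats for 'em0+': pkts: 770803, drop: 0 (0.00%), invalid chksum: 0
2020-03-30T12:08:38   suricata[69961]: [100712] <Notice> -- Stats for 'em0': pkts: 977361, drop: 0 (0.00%), invalid chksum: 1
"""

# <timestamp>   suricata[<pid>]: [<tid>] <Level> -- <message>   (pid is absent on some lines)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"suricata(?:\[(?P<pid>\d+)\])?:\s+\[(?P<tid>\d+)\]\s+<(?P<level>\w+)>\s+--\s+(?P<msg>.*)$"
)
ERRCODE_RE = re.compile(r"\[ERRCODE:\s*(?P<code>\w+)\(\d+\)\]")
STATS_RE = re.compile(r"Stats for '(?P<iface>[^']+)': pkts: (?P<pkts>\d+), drop: (?P<drop>\d+)")


def parse_log(text):
    """Return parsed events in chronological order (the GUI lists newest first)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a Suricata log line
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    events.sort(key=lambda e: e["ts"])  # stable sort keeps same-second lines in posted order
    return events


def engine_state(events):
    """'running' if the last lifecycle event is 'engine started', 'stopped' if it is a stop."""
    state = "unknown"
    for e in events:
        if e["msg"].endswith("engine started."):
            state = "running"
        elif "Stopping engine" in e["msg"]:
            state = "stopped"
    return state


def last_restart_seconds(events):
    """Seconds between the last 'Stopping engine' and the 'engine started' that follows it."""
    stop, gap = None, None
    for e in events:
        if "Stopping engine" in e["msg"]:
            stop = e["ts"]
        elif e["msg"].endswith("engine started.") and stop is not None:
            gap = (e["ts"] - stop).total_seconds()
            stop = None
    return gap


def warning_counts(events):
    """How often each SC_WARN_* code appears; useful to tell noise from real problems."""
    counts = {}
    for e in events:
        m = ERRCODE_RE.search(e["msg"])
        if m:
            counts[m["code"]] = counts.get(m["code"], 0) + 1
    return counts


def interface_stats(events):
    """Most recent (pkts, drop) counters per capture endpoint."""
    stats = {}
    for e in events:
        m = STATS_RE.search(e["msg"])
        if m:
            stats[m["iface"]] = (int(m["pkts"]), int(m["drop"]))
    return stats


if __name__ == "__main__":
    ev = parse_log(SURICATA_LOG)
    print("engine state      :", engine_state(ev))          # running
    print("last restart took :", last_restart_seconds(ev), "s")  # 64.0 s
    print("warnings          :", warning_counts(ev))
    print("endpoint stats    :", interface_stats(ev))
```

Run against the posted lines, the engine ends in the started state, the restart at 13:31:08 took 64 seconds before the engine was processing packets again, and every warning is a flowbit or deprecation notice rather than a capture error; zero drops on both endpoints means the absence of alerts is a matter of where the sensor sits, not of packets being lost.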
Title: Re: IPS not working
Post by: AdSchellevis on March 30, 2020, 03:21:56 pm
Hi,

I've probably posted this before, but if you're running IDPS on your WAN interface and Suricata is active, you're likely using the wrong interface.

The docs (https://docs.opnsense.org/manual/ips.html) explain a bit why you should use ID[P]S pre-NAT as well; most rules assume the local network to be visible, which isn't the case when you're capturing packets post-NAT.

In some (very rare) cases you might want to use your WAN interface as home network, in which case you could configure it manually, but since most home networks have DHCP-like setups this often isn't very practical (the home networks should be static).

Best regards,

Ad
Title: Re: IPS not working
Post by: Supermule on March 30, 2020, 03:37:00 pm
Using WAN (em0) and running Inline mode
Title: Re: IPS not working
Post by: chemlud on March 30, 2020, 04:10:53 pm
Here I'm running Suricata on OPNsense on WAN and all LAN interfaces. No alerts on WAN, however, as seen frequently (tons, tbh) with Snort on WAN...
Title: Re: IPS not working
Post by: Supermule on March 30, 2020, 04:17:09 pm
As of now I have no idea what Suricata is doing and what it finds...

And I can't control what is allowed and what's not.
Title: Re: IPS not working
Post by: AdSchellevis on March 30, 2020, 04:35:23 pm
Let's agree to disagree; a lot of alerts doesn't really tell a lot about the quality of the setup. Most ET open/pro rules are quite properly targeted, preventing false positives.

The easiest test, that always works when properly set up, is the EICAR test over HTTP.

Code:
curl http://pkg.opnsense.org/test/eicar.com.txt

https://github.com/opnsense/rules/blob/master/src/opnsense.test.rules#L1

Title: Re: IPS not working
Post by: Supermule on March 30, 2020, 04:48:36 pm
It triggers nothing.

Title: Re: IPS not working
Post by: AdSchellevis on March 30, 2020, 04:49:26 pm
use lan....
Title: Re: IPS not working
Post by: Supermule on March 30, 2020, 04:56:44 pm
Why??

Isn't Suricata supposed to be an IDS and therefore intrusion-aware? Alerts for what is found to be trying to get in?

And isn't LAN supposed to be what comes from the inside, from servers and workstations??
Title: Re: IPS not working
Post by: AdSchellevis on March 30, 2020, 05:13:39 pm
Usually you don't accept a lot of inbound traffic on WAN (default block); most threats are triggered inside. Knowing that someone fired a packet at your firewall that would have been blocked anyway isn't very relevant info either (it's not that you can block it more than you already did).

Since you're behind NAT, a lot of the concept of IDS got lost, since you can't distinguish HOMENET from the big bad outside world. If you're in a routed (non-NAT) environment, you can measure on WAN as well; most IDS setups aren't inline anyway, in which case you wouldn't know about WAN/LAN, only see traffic with a proper notion of what's inside and outside (defined as HOMENET).

If you can spare some time, it's a good idea to read a bit about the rules of the engine (https://suricata.readthedocs.io/en/suricata-4.1.4/rules/intro.html); the first portion of the rule often explains pretty well why "home" is so important (e.g. https://rules.emergingthreats.net/open/suricata-4.0/rules/emerging-exploit.rules).
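
The HOMENET point above, Trelleboy's WAN-address workaround earlier in the thread, and chemlud's validation error for a DynDNS name all come down to one thing: the address part of a rule header is evaluated against the addresses the sensor actually sees on its interface. The following is an added example, not OPNsense or Suricata code, that models that evaluation for the EICAR download. It assumes the test rule has the common ET shape `$EXTERNAL_NET any -> $HOME_NET any` for the server reply, with EXTERNAL_NET defined as `!$HOME_NET` (the Suricata default); the LAN client 192.168.1.50 and the WAN address 203.0.113.7 are constructed, and 212.32.245.132 is the server address from the alert posted later in this thread.

```python
"""Added example: why an $EXTERNAL_NET -> $HOME_NET rule fires pre-NAT but not post-NAT.

Not OPNsense or Suricata code. Rule shape, client and WAN addresses are
assumptions stated in the lead-in; the rejection message for a hostname is the
one chemlud quotes from the GUI.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 space, which is what the IDS "Home networks" list is pre-filled with.
DEFAULT_HOME_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

LAN_CLIENT = "192.168.1.50"      # constructed
WAN_ADDRESS = "203.0.113.7"      # constructed (TEST-NET-3)
EICAR_SERVER = "212.32.245.132"  # from the alert log posted later in this thread


@dataclass(frozen=True)
class Flow:
    """Source and destination address of one packet, as the sensor sees it."""
    src: str
    dst: str


def parse_home_networks(entries):
    """Accept only IPv4/IPv6 addresses or networks; a hostname is rejected,
    matching the validation error the settings page shows."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            raise ValueError(
                f"{entry!r}: please specify a valid network segment or address (IPv4/IPv6)"
            ) from None
    return nets


def in_home_net(addr, home_nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in home_nets)


def header_matches(flow, home_nets, direction):
    """Address/direction part of a rule header, with EXTERNAL_NET = !HOME_NET.
    'inbound'  : $EXTERNAL_NET any -> $HOME_NET any   (server reply, e.g. the EICAR body)
    'outbound' : $HOME_NET any -> $EXTERNAL_NET any   (client request)"""
    src_home = in_home_net(flow.src, home_nets)
    dst_home = in_home_net(flow.dst, home_nets)
    if direction == "inbound":
        return (not src_home) and dst_home
    if direction == "outbound":
        return src_home and (not dst_home)
    raise ValueError(f"unknown direction {direction!r}")


def reply_as_seen_on(interface):
    """The EICAR reply packet as captured on each interface.
    LAN (pre-NAT):  the client's private address is still the destination.
    WAN (post-NAT): the firewall's WAN address has replaced it."""
    if interface == "LAN":
        return Flow(src=EICAR_SERVER, dst=LAN_CLIENT)
    if interface == "WAN":
        return Flow(src=EICAR_SERVER, dst=WAN_ADDRESS)
    raise ValueError(f"unknown interface {interface!r}")


def eicar_alert_fires(interface, home_networks=DEFAULT_HOME_NETWORKS):
    """True if the inbound test rule would fire for the reply seen on `interface`."""
    home = parse_home_networks(home_networks)
    return header_matches(reply_as_seen_on(interface), home, "inbound")


if __name__ == "__main__":
    print("LAN, default home networks      :", eicar_alert_fires("LAN"))   # True
    print("WAN, default home networks      :", eicar_alert_fires("WAN"))   # False
    print("WAN, WAN address added to list  :",
          eicar_alert_fires("WAN", DEFAULT_HOME_NETWORKS + [WAN_ADDRESS]))  # True
```

Adding the WAN address to the list does make the rule match, which is what Trelleboy observed, but it only holds while that address is current; a new DHCP lease silently turns the sensor blind again, and since the list accepts no hostnames a dynamic DNS name is not a way out. Capturing on the LAN-side interfaces avoids the problem because the private addresses are visible there.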
Title: Re: IPS not working
Post by: Supermule on March 30, 2020, 05:17:14 pm
Thank you :)

Reading as we speak...
Title: Re: IPS not working
Post by: AdSchellevis on March 30, 2020, 05:20:53 pm
You're welcome. Reading our docs again, we probably should state more firmly why you shouldn't use a WAN type interface if you're depending on NAT.
Title: Re: IPS not working
Post by: guest23448 on March 30, 2020, 06:18:07 pm
I also run IPS on the WAN interface (I put my LAN IP in HOME_NET; WAN is dynamic, unfortunately) because it's not possible to run it on the same interface as Sensei. It worked fine, but I have noticed strange behaviour since version 20.1.3 (or whatever change happened in the meantime).

Before, EICAR was detected on eicar.org (HTTP) by the IPS; now it's not. Not even by ClamAV, although I have a transparent HTTP proxy.

Then I figured out that there is a strange HTTP redirect behaviour: the "http" version redirects to HTTPS. But unfortunately it is also not able to detect EICAR when I copy and paste the eicar.org HTTP link directly (Chrome/Firefox/Safari).
I did not investigate further because the tests on rexswain.com (EICAR blocked by IPS) and wicar.org (EICAR blocked by ClamAV) worked. I also put the SHA1 of a known page cert in a custom IPS rule and noted that I get an alert. So I assume it's working.

The HTTP link below also does not work for me in Chrome/Safari, as it redirects (sometimes) to HTTPS and Suricata won't block it. But it works in Firefox. Just keep that in mind when you "rely" on such test links. And: it takes time until it's up and really screening/blocking traffic after restarting, even if it's marked "running" in your service monitor. I don't know how many minutes.

> The easiest test, that always works when properly set up, is the EICAR test over HTTP.
> Code:
> curl http://pkg.opnsense.org/test/eicar.com.txt
Title: Re: IPS not working
Post by: Supermule on April 01, 2020, 12:58:33 pm
A small question??

Wouldn't it be nice to see alerts on WAN since it's IPS as well??

Who is trying to enter your house and with what?

I mean, it's better to be safe than sorry, and a lot easier to keep them out than trying to get rid of them when they are already inside and passing traffic on LAN??

I know the ports are blocked anyway, but LAN doesn't tell me what they are trying to accomplish before it happens...

Title: Re: IPS not working
Post by: AdSchellevis on April 01, 2020, 01:12:42 pm
short version: no, longer version https://docs.opnsense.org/manual/ips.html#choosing-an-interface
Title: Re: IPS not working
Post by: packetmangler on April 01, 2020, 03:51:44 pm
> A small question??
>
> Wouldn't it be nice to see alerts on WAN since it's IPS as well??
>
> Who is trying to enter your house and with what?
>
> I mean, it's better to be safe than sorry, and a lot easier to keep them out than trying to get rid of them when they are already inside and passing traffic on LAN??
>
> I know the ports are blocked anyway, but LAN doesn't tell me what they are trying to accomplish before it happens...

I see alerts from the WAN side of things. I also run Sensei, so I have to use the WAN interface and, for ports that I have forwarded, I'm seeing alerts.
Title: Re: IPS not working
Post by: Supermule on April 01, 2020, 06:28:39 pm
I don't see anything on WAN at all...

It's a very different world and GUI from pfSense and I have to get used to that....

I am missing the granular control of things/alerts (small icons next to the alerts).

> > A small question??
> >
> > Wouldn't it be nice to see alerts on WAN since it's IPS as well??
> >
> > Who is trying to enter your house and with what?
> >
> > I mean, it's better to be safe than sorry, and a lot easier to keep them out than trying to get rid of them when they are already inside and passing traffic on LAN??
> >
> > I know the ports are blocked anyway, but LAN doesn't tell me what they are trying to accomplish before it happens...
>
> I see alerts from the WAN side of things. I also run Sensei, so I have to use the WAN interface and, for ports that I have forwarded, I'm seeing alerts.
Title: Re: IPS not working
Post by: Trelleboy on April 08, 2020, 01:48:24 pm
> Here I'm running Suricata on OPNsense on WAN and all LAN interfaces. No alerts on WAN, however, as seen frequently (tons, tbh) with Snort on WAN...

So you are running Snort and Suricata?
Title: Re: IPS not working
Post by: Trelleboy on April 08, 2020, 01:51:10 pm
> You're welcome. Reading our docs again, we probably should state more firmly why you shouldn't use a WAN type interface if you're depending on NAT.

I have been reading and I'm very confused... because everything is running but the TEST is not getting an alert....

I would really like some help to set this up in the right way...
Title: Re: IPS not working
Post by: Trelleboy on April 08, 2020, 02:16:20 pm
Well, now it's triggering the EICAR test. BAM :-)

I have a bridge interface. The LAN option was making the system crash after 5 min, but choosing the interfaces one by one it's working: OPT1, OPT2, OPT3. But it's still the WAN that is blocking. Should I be happy now, because it should be the OPT that's blocked? Does it make "open" sense?  ::)

2020-04-08T14:03:30.166112+0200   7999999   blocked   WAN   212.32.245.132   80   XXXXXXXX   43325   OPNsense test eicar virus   
2020-04-08T14:03:30.166112+0200   7999999   blocked   WAN   212.32.245.132   80   XXXXXXXX   43325   OPNsense test eicar virus   
2020-04-08T13:47:05.100852+0200   2011716   blocked   WAN   45.143.220.214   36636   XXXXXXXX   5060   ET SCAN Sipvicious User-Agent Detected (friendly-scanner)   
2020-04-08T13:47:05.100852+0200   2011716   blocked   WAN   45.143.220.214   36636   XXXXXXXX   5060   ET SCAN Sipvicious User-Age
Title: Re: IPS not working
Post by: chemlud on April 08, 2020, 02:46:57 pm
> > Here I'm running Suricata on OPNsense on WAN and all LAN interfaces. No alerts on WAN, however, as seen frequently (tons, tbh) with Snort on WAN...
>
> So you are running Snort and Suricata?

The Snort is on a box with PPPoE on WAN, therefore it is still the other "sense"...