OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: abysscong on September 30, 2020, 08:18:06 am

Title: NOT Work for IPv6
Post by: abysscong on September 30, 2020, 08:18:06 am
Hi all! First of all, I am very grateful to the opnsense software and the community, which brought me a lot of convenience in my work.

Recently I met a problem, having searched for days I haven't found the solution.

In 'Services: Intrusion Detection', Suricata rules work well for IPv4 traffic, e.g.
Code:
alert tls any any -> any any (msg:"test google"; tls_sni; content:"google.com"; nocase; priority:1; sid:51000000; rev:1;)
It will drop google.com traffic (IPS mode).

But when it turns to IPv6 network, it doesn't work. (No drop, No log)
Code:
curl -6 -i https://google.com
HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
...

I also created a 'user defined' rule to test, such as blocking Destination IP '2001:4860:4860::8888', it works and logged the record, which shows IPv6 traffic has gone through the Intrusion Detection.

Any hint? Thanks very much!
Title: Re: IPS: Some Suricata rules doesn't work for IPv6
Post by: abysscong on September 30, 2020, 08:28:49 am
It's opnsense 20.7.3 and suricata 5.0.3.
It's weird that I cannot find any info on either the opnsense website or the suricata website and docs, perhaps it may be my own fault? So I come here for help :P
Title: Re: IPS: Some Suricata rules doesn't work for IPv6
Post by: mimugmail on September 30, 2020, 09:20:44 am
Are you sure the rule is correct?
Can you do a packet capture if curl is really calling this SNI?
Title: Re: IPS: Some Suricata rules doesn't work for IPv6
Post by: abysscong on September 30, 2020, 03:02:27 pm
Quote from: mimugmail on September 30, 2020, 09:20:44 am
Are you sure the rule is correct?
Can you do a packet capture if curl is really calling this SNI?
Thank you for your reply!
Sure the rule works.
Code:
curl -4 -i https://google.com
Code:
blocked LAN_0 10.1.0.40 53838 216.58.209.238 443 test google
Also, curl -6 supports SNI (reading packets is a bit hard in my virtual env, so I used another way to verify)

Code:
root@qwe:~# curl -k -I -6 --resolve google.com:443:[2404:6800:4005:810::200e] https://google.com/
HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
date: Wed, 30 Sep 2020 13:00:20 GMT
expires: Fri, 30 Oct 2020 13:00:20 GMT
cache-control: public, max-age=2592000
server: gws
content-length: 220
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3-Q050=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

root@qwe:~# curl -k -I -6 --resolve youtube.com:443:[2404:6800:4005:810::200e] https://youtube.com/
HTTP/2 301
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-length: 0
location: https://www.youtube.com/
date: Wed, 30 Sep 2020 13:00:31 GMT
content-type: text/html
server: YouTube Frontend Proxy
x-xss-protection: 0
alt-svc: h3-Q050=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Title: Re: IPS: Some Suricata rules doesn't work for IPv6
Post by: abysscong on September 30, 2020, 03:19:58 pm
And it doesn't work for an HTTP rule either.

Code:
alert http any any -> any any (msg:"HTTP google"; http.host; content:"google.com"; priority:1; sid:91000001; rev:1;)
Code:
root@qwe:~# curl -4 -i http://google.com
^C
Code:
blocked LAN_0 10.1.0.40 38848 216.58.209.238 80 HTTP google
Code:
root@qwe:~# curl -6 -i http://google.com
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Wed, 30 Sep 2020 13:16:54 GMT
Expires: Fri, 30 Oct 2020 13:16:54 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

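To check from Suricata's eve.json whether a given SID fires for IPv6 flows at all (the symptom in this thread, where the IPv4 hits are logged but the IPv6 ones never appear), here is an added Python example that is not from the original posts nor from OPNsense or Suricata; the log lines, addresses and alert actions are constructed, and the EVE field names used (`event_type`, `alert.signature_id`, `alert.action`, `tls.sni`, `http.hostname`) are Suricata's standard ones.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample eve.json lines (hypothetical addresses and actions,
# not a real capture): one IPv4 hit, one IPv6 hit, one unrelated v6 alert.
SAMPLE_EVE = """
{"event_type":"alert","src_ip":"10.1.0.40","dest_ip":"216.58.209.238","proto":"TCP","dest_port":443,"alert":{"signature_id":51000000,"signature":"test google","action":"blocked"},"tls":{"sni":"google.com"}}
{"event_type":"flow","src_ip":"10.1.0.40","dest_ip":"2404:6800:4005:810::200e","proto":"TCP","dest_port":443}
{"event_type":"alert","src_ip":"2001:db8::40","dest_ip":"2404:6800:4005:810::200e","proto":"TCP","dest_port":443,"alert":{"signature_id":51000000,"signature":"test google","action":"allowed"},"tls":{"sni":"google.com"}}
{"event_type":"alert","src_ip":"2001:db8::40","dest_ip":"2001:4860:4860::8888","proto":"UDP","dest_port":53,"alert":{"signature_id":91000002,"signature":"block google dns v6","action":"blocked"}}
"""

def tally_sid(eve_text, sid):
    """Count alerts for `sid` per (IP version, action) and collect the
    SNI / HTTP host values the rule actually matched on."""
    counts = Counter()
    names = set()
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, tls and http records are not rule hits
        alert = rec.get("alert", {})
        if alert.get("signature_id") != sid:
            continue
        version = ipaddress.ip_address(rec["dest_ip"]).version
        counts[(version, alert.get("action", "unknown"))] += 1
        name = rec.get("tls", {}).get("sni") or rec.get("http", {}).get("hostname")
        if name:
            names.add(name)
    return {"counts": dict(counts), "names": sorted(names)}

def silent_versions(eve_text, sid):
    """IP versions (4/6) for which the rule produced no alert at all; a
    non-empty result is the symptom reported in this thread."""
    seen = {ver for ver, _ in tally_sid(eve_text, sid)["counts"]}
    return sorted({4, 6} - seen)

if __name__ == "__main__":
    for sid in (51000000, 91000002):
        print(sid, tally_sid(SAMPLE_EVE, sid),
              "silent for IP version(s):", silent_versions(SAMPLE_EVE, sid))
```

Run it against the real log by replacing SAMPLE_EVE with the contents of eve.json; a SID that shows hits only under version 4 while IPv6 flows to the same SNI exist is the case described above.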
Title: Re: IPS: Some Suricata rules doesn't work for IPv6
Post by: abysscong on October 02, 2020, 10:05:22 am
Anyone solve this problem with me? :)
Title: Re: NOT Work for IPv6
Post by: seed on October 13, 2020, 06:02:06 pm
I experience the same issues. My custom IPv6 suricata block rule does not work either.
What can I do to debug this? Might this be some kind of configuration issue?
Title: Re: NOT Work for IPv6
Post by: mimugmail on October 14, 2020, 05:56:15 am
Maybe ask in Suricata Forums top?
Title: Re: NOT Work for IPv6
Post by: seed on October 14, 2020, 09:02:14 pm
I found the solution (in my case).
My user rule was not fully loaded. After rebooting the router my user rule was loaded successfully and applied.
Problem solved for me.
Title: Re: NOT Work for IPv6
Post by: abysscong on October 17, 2020, 01:40:28 pm
Thanks for your reply and feedback! @mimugmail @seed

Quote from: seed on October 14, 2020, 09:02:14 pm
I found the solution (in my case).
My user rule was not fully loaded. After rebooting the router my user rule was loaded successfully and applied.
Problem solved for me.
But in my case as you can see, the IPv4 traffic has been successfully blocked, which means the rule was loaded.
In your case I guess your rules are IPv6 address audits? Pure IPv6 address rules work for me too, as I've declared before. :)
Title: Re: NOT Work for IPv6
Post by: abysscong on October 17, 2020, 01:45:38 pm
Quote from: mimugmail on October 14, 2020, 05:56:15 am
Maybe ask in Suricata Forums top?
Thanks! I have had another thread here but perhaps no progress. :P
https://forum.opnsense.org/index.php?topic=19358.0