OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: meschmesch on January 21, 2023, 05:49:16 pm

Title: Suricata not working (any more) [solved]
Post by: meschmesch on January 21, 2023, 05:49:16 pm
Hello,
for a long time I had Suricata with IPS mode running successfully on WAN. Recently I did a check on my system and found out that no alerts were present any more. I removed all rules, installed opnsense.test.rules and did a check with eicar.com.txt (on http!, not https). Eicar was neither reported in IDS nor in IPS mode. I'm on OPNsense 22.7.11, everything up and running.

I have tried all kinds of combinations of settings in Suricata, including changing interfaces, Promiscuous mode, disabling and re-enabling Suricata, deleting and reinstalling the opnsense.test.rules, reboot, but no success.

I would appreciate some guidance on how to track down the problem. It seems that from the web interface of OPNsense alone I won't be successful. If one of you professionals would take me by the hand and support me, that would be great. Many thanks.
Title: Re: Suricata not working (any more)
Post by: ruuskil on January 21, 2023, 06:28:51 pm
Check in Suricata administration -> settings -> advanced mode -> home networks that your WAN IP is mentioned in the network IP addresses.

Maybe your WAN ip address has changed at some point and is now missing.
Title: Re: Suricata not working (any more)
Post by: meschmesch on January 21, 2023, 08:00:04 pm
I used something like 95.14.0.0/16 in the past which did somehow work. But now even setting the exact WAN address does not provide any hit. LAN and DMZ are attached to a VLAN, but using Promiscuous mode and the VLAN interface does not do anything either. It's like the whole thing is not working. The log only has the usual
ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
Title: Re: Suricata not working (any more)
Post by: mschmidt on February 01, 2023, 12:50:56 pm
We have the same problem.
Could you fix this problem in your environment?
Title: Re: Suricata not working (any more)
Post by: tekkyguy on February 05, 2023, 03:34:24 am
Same here. Waiting for a fix.
Title: Re: Suricata not working (any more)
Post by: tekkyguy on February 09, 2023, 02:36:22 am
Hi everyone,

So far, enabling Suricata by following the OPNsense tutorial, and many other ones found on the net, just to make sure I am not missing something, with block rules installed did not work at all. Log is always empty. I'm running latest OPNsense 23.1_6 freshly installed 2 weeks ago.

I really don't know where to look now.  :-[

Any clues??

Title: Re: Suricata not working (any more)
Post by: meschmesch on February 09, 2023, 10:17:50 am
Hello,
after playing around I got to the following insights:

My setup which is more or less operating now is that Sensei is protecting LAN/Guest VLAN, while IPS is active only for WAN. Further, I had to use the Aho-Corasick pattern matcher since it did not work with Hyperscan.

With this setup, I receive alerts. The downside is that anything going out the firewall is always tagged as originating from the firewall. Thus I cannot identify the local device which is the reason for the alert.

Test
Testing is possible using the EICAR Test File. Unfortunately this is only possible with http and the official EICAR Test page currently does not offer http downloads of the file. I found an alternative at http://www.csm-testcenter.org/test?do=show&subdo=antimalware&test=content_types

Make sure you have the OPNsense-App-detect/test ruleset enabled.
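The two checks from this thread (the WAN address must fall inside HOME_NET, and an EICAR fetch over plain http must show up as an alert), as an added example that is not from the thread or from OPNsense. The suricata.yaml fragment, the WAN address 95.14.23.7 and the eve.json lines are constructed; on a real box the inputs would be /usr/local/etc/suricata/suricata.yaml and /var/log/suricata/eve.json.

```python
import ipaddress
import json
import re

# Constructed suricata.yaml fragment (not copied from an OPNsense box): the
# address-groups and mpm-algo keys are the two settings the thread turns on.
SURICATA_YAML = """
vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24,95.14.0.0/16]"
mpm-algo: ac
"""

# Constructed eve.json lines; Suricata writes one JSON event per line.
EVE_LINES = [
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"95.14.23.7"}',
    '{"event_type":"alert","src_ip":"203.0.113.10","dest_ip":"95.14.23.7",'
    '"alert":{"signature":"(constructed) EICAR test file","signature_id":9000001}}',
    'not json at all',
]

def home_net(yaml_text):
    """Extract the HOME_NET list from the config text (empty list if absent)."""
    m = re.search(r'HOME_NET:\s*"?\[([^\]]*)\]"?', yaml_text)
    return [n.strip() for n in m.group(1).split(",") if n.strip()] if m else []

def mpm_algo(yaml_text):
    """Return the configured pattern matcher ('ac', 'hs', ...), or None."""
    m = re.search(r'^mpm-algo:\s*(\S+)', yaml_text, re.MULTILINE)
    return m.group(1) if m else None

def wan_in_home_net(wan_ip, nets):
    """True if the WAN address lies inside any HOME_NET entry."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def eicar_alerts(lines):
    """Alert events whose signature mentions EICAR; malformed lines are skipped."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        sig = ev.get("alert", {}).get("signature", "")
        if ev.get("event_type") == "alert" and "EICAR" in sig.upper():
            hits.append(ev)
    return hits

def diagnose(wan_ip, yaml_text, lines):
    """Summarise the checks: matcher in use, HOME_NET coverage, EICAR alert count."""
    return {"mpm_algo": mpm_algo(yaml_text),
            "wan_in_home_net": wan_in_home_net(wan_ip, home_net(yaml_text)),
            "eicar_alerts": len(eicar_alerts(lines))}
```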
Title: Re: Suricata not working (any more)
Post by: tekkyguy on February 09, 2023, 01:33:57 pm
Thanks meschmesch

As per your post, I changed the pattern matcher per your suggestion and it solved my problem. Many videos I watched were using Hyperscan. I am now able to scan both LAN and WAN, and I am already having events in my log, one thing I have never been able to have... lol.

I also subscribed to ET Pro Telemetry, and it is working flawlessly now.

Thanks for your help.

Regards.