OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Taomyn on September 05, 2016, 10:25:30 am

Title: Intrusion Detection, when enabled IPS not working
Post by: Taomyn on September 05, 2016, 10:25:30 am
Hi,

I finally got my fresh install up and running at the weekend and got most of the important things working again, but I'm struggling with a few functions. One of them is the Intrusion Detection service.

When I first got things running I had enabled ID, IPS and Promiscuous mode and after choosing some rulesets, setting them to drop, downloading and enabling them, things still looked ok. However during a quick external test I noticed one of my externally accessible websites was not displaying properly and from experience with my previous firewall I first looked at ID. Under alerts I saw blocks related to my site so I immediately disabled ID and the site worked normally - I planned to come back to this later.

Now I have come back to this, I re-enabled ID in order to track down the issue but I'm no longer seeing any alerts logged and the website displays correctly. I restarted the service and the firewall numerous times, and it's still not showing any alerts even after waiting nearly a day which doesn't seem right. So I disabled IPS but left ID enabled and tried again. This time I do see alerts, but only "allowed" for alerts labelled "SURICATA" and nothing else.

Any ideas what else to try? For information, my hardware is running in an Intel based mini-ITX PC, and my Internet connection is an Ethernet fibre connection that I connect to with PPPoE with VLAN. Other things like NAT port forwards and HAProxy all seem to be working pretty well.


*Update: amended subject to highlight that it's not working
Title: Re: Intrusion Detection, not sure it's working
Post by: Taomyn on September 06, 2016, 11:43:33 am
Maybe someone can tell me how to completely reset Intrusion Detection without doing a full reset of the everything?


I'd really like to get this up and running now.
Title: Re: Intrusion Detection, not sure it's working
Post by: Taomyn on September 10, 2016, 01:01:29 pm
Is anyone able to help me here? No matter what I try to do the best I can get is a few alerts, but any attempt to enable blocking simply doesn't appear to be doing anything.
Title: Re: Intrusion Detection, not sure it's working
Post by: zash1958 on September 15, 2016, 04:20:32 pm
Absolutely the same here!

IPS activated      --> not a single entry in the alert log, no visible action
IPS de-activated --> lots of entries, but all as allowed

Seems Suricata or the whole OPNsense has a grave bug somewhere
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: franco on September 19, 2016, 12:23:32 am
Some stacked PPPoE combinations seem to not work on Suricata. I don't have a reproducible setup so debugging is very very hard. I've asked upstream once, they haven't heard of the issue, but we're one of the most prominent users of Suricata on FreeBSD so that doesn't mean there's no problem. At this point, I don't know how to progress on this front. What can we do?

The other setup issue is using a bridged interface, which doesn't work for IPS because it requires a real NIC driver to attach to.


Cheers,
Franco
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: Taomyn on September 19, 2016, 08:48:09 am
Hmmm, that's not good news. I'm really loath to now go back to Sophos UTM where at least IPS was working but had other issues I was not happy with.
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: franco on September 19, 2016, 09:16:16 am
The only thing it may take to fix this is a real user report here https://redmine.openinfosecfoundation.org/projects

I repeat that we are one of the most prominent users of Suricata IPS (not IDS) on FreeBSD so that if we as a community can't act on the problem it likely won't go away.

I don't have the setup so I am useless here other than encouraging others to step up. :)
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: Taomyn on September 19, 2016, 09:25:12 am
I'll happily add my own comments to someone with better knowledge that can create the ticket describing the issue in a more technical manner than I can. I'm not a firewall expert, just an enthusiast running one.
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: franco on September 19, 2016, 09:44:16 am
We just need the following:

A few variables of the affected devices and an anonymised "ifconfig" dump (the stack in this case: physical interface, vlan?, pppoe) and the expected and observed behaviour:

Affected Versions: Suricata 3.1.1 on FreeBSD 10.3

expected: IPS (netmap) captures packets and generates alerts
observed: IPS (netmap) does not capture any packets

Notes: IDS (pcap mode) can capture packets ok

I have a bug tracker account there so I could open the ticket as long as I can delay the questions the devs there have to you?


Cheers,
Franco
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: Space on September 20, 2016, 10:44:50 pm
Hi,

The other setup issue is using a bridged interface, which doesn't work for IPS because it requires a real NIC driver to attach to.

is IPS attaching to both interfaces (WAN/LAN) if enabled? Because I tried to set up OPNsense inside a VM (WAN: physical interface passed through into VM, LAN: bridged with host interface) and it did not work -- the VM crashed if I remember correctly. Is that caused by this?

Thanks,

   Space
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: franco on September 21, 2016, 08:11:30 am
Hi Space,

In short: no.

Selecting LAN + WAN means physical devices, not bridging. As long as you don't use a device bridge in the OPNsense config that is fine. The host bridge feature of your VM is underneath the virtual hardware driver.

Make sure you use the Intel e1000 driver in a VM (virtio is shaky), and better yet use the os-intel-em plugin that will be available in 16.7.4 so that it's clear this can't be a driver issue of some sorts.

Suricata 3.1.2 will be out in 16.7.4 as well. If the crash reappears, can we get more info about it?


Cheers,
Franco
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: Taomyn on September 29, 2016, 10:24:02 am

Now that I have updated to 16.7.5 etc and have a little more free time, I'm ready to grab the information you need - I just need step-by-step instructions on how to do it as I'm not that familiar with this kind of OS.

We just need the following:

A few variables of the affected devices and an anonymised "ifconfig" dump (the stack in this case: physical interface, vlan?, pppoe) and the expected and observed behaviour:

Affected Versions: Suricata 3.1.1 on FreeBSD 10.3

expected: IPS (netmap) captures packets and generates alerts
observed: IPS (netmap) does not capture any packets

Notes: IDS (pcap mode) can capture packets ok

I have a bug tracker account there so I could open the ticket as long as I can delay the questions the devs there have to you?


Cheers,
Franco
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: franco on October 01, 2016, 04:38:58 pm
Hi Taomyn,

You simply run this from SSH:

# ifconfig

Remove the public IP addresses (or send the dump to me via PM to anonymise it) and let us know how your WAN is set up (PPPoE - with or without VLAN, which physical interface, e.g. "em0").

16.7.5 is Suricata 3.1.2, it would be good to know the behaviour is reproducible there too. Just let us know you're running/not running this version.


Cheers,
Franco
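As an added example of what the request above amounts to (this is not code from the thread, from OPNsense or from Suricata): the script below takes a FreeBSD-style `ifconfig` dump, redacts public IPv4 and IPv6 addresses while keeping private, link-local and loopback ones, and summarises the interface stack (physical interface, VLAN tag and parent, PPPoE) so a bug report carries the topology without the public addresses. The FreeBSD output layout, the interface names, the function names and the embedded sample dump (which uses the 203.0.113.0/24 and 2001:db8::/32 documentation ranges) are constructed assumptions.

```shell
#!/bin/sh
# Added example (not OPNsense/Suricata code): anonymise a FreeBSD "ifconfig"
# dump for a bug report and summarise the interface stack.
# Assumes the FreeBSD ifconfig output layout. The sample dump is constructed:
# WAN is PPPoE over VLAN 7 on em0, LAN is em1.

SAMPLE_IFCONFIG=$(cat <<'EOF'
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        inet6 fe80::211:22ff:fe33:4455%em0 prefixlen 64 scopeid 0x1
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:56
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        status: active
em0_vlan7: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        inet6 fe80::211:22ff:fe33:4455%em0_vlan7 prefixlen 64 scopeid 0x5
        status: active
        vlan: 7 parent interface: em0
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
        inet 203.0.113.45 --> 203.0.113.1 netmask 0xffffffff
        inet6 2001:db8:abcd:1::2 prefixlen 64
        inet6 fe80::211:22ff:fe33:4455%pppoe0 prefixlen 64 scopeid 0x6
EOF
)

# contains STRING SUBSTRING: 0 if SUBSTRING occurs in STRING
contains() { case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac; }

# Read an ifconfig dump on stdin; replace every IPv4 address outside RFC1918,
# loopback and link-local space, and every IPv6 address that is not
# link-local, ULA or ::1, with a placeholder. Everything else is kept verbatim.
redact_public_ips() {
    awk '
    function is_private(ip,   o) {
        split(ip, o, ".")
        if (o[1] + 0 == 10 || o[1] + 0 == 127) return 1
        if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) return 1
        if (o[1] + 0 == 192 && o[2] + 0 == 168) return 1
        if (o[1] + 0 == 169 && o[2] + 0 == 254) return 1
        return 0
    }
    $1 == "inet6" && $2 !~ /^(fe80:|fd|fc|::1)/ {
        sub(/inet6 [0-9a-fA-F:]+/, "inet6 <redacted-ipv6>")
    }
    {
        line = $0; out = ""
        while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = substr(line, RSTART, RLENGTH)
            out = out substr(line, 1, RSTART - 1) (is_private(ip) ? ip : "<redacted-ipv4>")
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}

# Read an ifconfig dump on stdin; print one line per interface with its role.
# VLANs are recognised from the "vlan: N ... parent interface: X" line that
# FreeBSD prints; PPPoE from the interface name (ifconfig does not show the
# interface a pppoe(4)/netgraph link sits on, which is why the report should
# state it explicitly).
describe_stack() {
    awk '
    /^[a-z0-9_.]+: flags=/ {
        name = $1; sub(/:$/, "", name); kind = "physical"
        if (name ~ /^pppoe/) kind = "pppoe"
        else if (name ~ /^(lo|pflog|pfsync|enc)/) kind = "virtual"
        order[++n] = name; stack[name] = kind
    }
    /parent interface:/ { stack[name] = "vlan"; tag[name] = $2; parent[name] = $NF }
    END {
        for (i = 1; i <= n; i++) {
            nm = order[i]
            if (stack[nm] == "vlan") printf "%s\tvlan tag %s on %s\n", nm, tag[nm], parent[nm]
            else printf "%s\t%s\n", nm, stack[nm]
        }
    }'
}

# Produce the report body: stack summary first, then the redacted dump.
anonymise_dump() {
    dump=$(cat)
    echo "== interface stack =="
    printf '%s\n' "$dump" | describe_stack
    echo "== anonymised ifconfig =="
    printf '%s\n' "$dump" | redact_public_ips
}

# With a file argument, anonymise that dump; without one, run on the sample.
if [ -n "${1:-}" ]; then
    anonymise_dump < "$1"
else
    printf '%s\n' "$SAMPLE_IFCONFIG" | anonymise_dump
fi
```

On the firewall itself the intended use is `ifconfig > /tmp/ifconfig.txt && sh anonymise_ifconfig.sh /tmp/ifconfig.txt`; run with no argument it processes the embedded sample. The redaction is deliberately conservative (it keeps RFC1918, loopback and link-local addresses, which say nothing about the public identity of the box but do show the layout), and the stack summary is what the developers asked for alongside the dump.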
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: Taomyn on October 01, 2016, 05:44:46 pm

I PM'd you the info

Hi Taomyn,

You simply run this from SSH:

# ifconfig

Remove the public IP addresses (or send the dump to me via PM to anonymise it) and let us know how your WAN is set up (PPPoE - with or without VLAN, which physical interface, e.g. "em0").

16.7.5 is Suricata 3.1.2, it would be good to know the behaviour is reproducible there too. Just let us know you're running/not running this version.


Cheers,
Franco
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: Taomyn on October 14, 2016, 01:49:22 pm
Franco, did you get my PM and log a ticket for it?
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: franco on October 14, 2016, 02:53:36 pm
I got the PM. Did not create a ticket yet. Sorry for the delay.
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: Taomyn on October 14, 2016, 03:18:29 pm
I got the PM. Did not create a ticket yet. Sorry for the delay.


No problem, I was more concerned that you didn't receive the information from me and was still waiting.
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: franco on October 18, 2016, 11:23:15 pm
The ticket was opened today: https://redmine.openinfosecfoundation.org/issues/1925
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: Taomyn on October 19, 2016, 08:58:11 am
 8)  let me know if you/they require any more info from my setup.
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: franco on October 19, 2016, 10:13:34 pm
Will do. Right now, it's more of a technical discussion to locate the actual underlying issue.


Thanks,
Franco
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: Taomyn on November 03, 2016, 03:31:03 pm
Anything happening about this?
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: franco on November 07, 2016, 07:41:08 am
Progress was slow: we exchanged a few emails and another user here provided trace files on top of the non-working config. We don't have an outlook just yet.
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: Taomyn on December 04, 2016, 09:17:16 am
Any news?
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: franco on December 05, 2016, 05:24:52 pm
We did talk about it with Victor from Suricata and he said the PPPoE doesn't look different, but for some reason the traffic is not properly processed. We're missing some bit of intel (or a reproducible setup) without which we cannot continue to uncover the underlying issue.
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: Taomyn on December 05, 2016, 06:33:27 pm
We did talk about it with Victor from Suricata and he said the PPPoE doesn't look different, but for some reason the traffic is not properly processed. We're missing some bit of intel (or a reproducible setup) without which we cannot continue to uncover the underlying issue.

So what can I provide you from my setup to hopefully give you what is missing? I'll happily install/config things to get more diagnostics if that would help.
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: Taomyn on March 14, 2017, 09:55:57 am
Now that v17 has been out a while, any chance of re-visiting this issue?


Also, can this thread be moved to the v17 sub-forum seeing as it applies to it as well?
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: franco on March 14, 2017, 02:10:47 pm
Moved as requested. A netmap bug with Suricata / FreeBSD 12-CURRENT and another IPsec have priority at the moment.
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: elektroinside on January 09, 2018, 12:10:24 am
Hi guys,

Same issue here, no IDS/IPS on PPPoE.
Is there something I can help with?

I'm on base/kernel 18.1.b, everything up to date.
OPNsense 17.7.11-amd64
FreeBSD 11.1-RELEASE-p2
LibreSSL 2.5.5

Just switched from pfsense a few days ago. Everything looks so much nicer here, the code, the quality, the community, the support. I'm happy I switched. Thank you for all your hard work!
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: franco on January 09, 2018, 08:56:04 am
Hi there,

This issue is still beyond our reach. Suricata now considers Netmap and FreeBSD a first level support tier, although that won't help us if the FreeBSD kernel side is not up to the task, which is the case here.

For the most part it's recommended to run Suricata on the internal networks, not the PPPoE WAN interfaces where this issue does not apply as well. It may require tweaking the HOME_NET setting under the advanced options.


Cheers,
Franco
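As an added example that is not part of the thread or of OPNsense, and to make the HOME_NET remark above concrete: the script below derives a HOME_NET candidate from a FreeBSD-style `ifconfig` dump by collecting the RFC1918 networks configured on the non-point-to-point interfaces (so the PPPoE WAN is left out), and prints it in the bracketed CIDR-list form that Suricata's `vars.address-groups.HOME_NET` takes in suricata.yaml. The ifconfig layout, the interface and function names and the embedded sample dump (with a 203.0.113.0/24 documentation address on the WAN) are constructed assumptions.

```shell
#!/bin/sh
# Added example (not OPNsense/Suricata code): derive a HOME_NET list from the
# RFC1918 networks on the non-PPPoE interfaces of a FreeBSD ifconfig dump.
# Assumes the FreeBSD ifconfig layout; the sample dump is constructed.

SAMPLE_IFCONFIG=$(cat <<'EOF'
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.20.5.1 netmask 0xfffff000 broadcast 10.20.15.255
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
        inet 203.0.113.45 --> 203.0.113.1 netmask 0xffffffff
EOF
)

# Read an ifconfig dump on stdin; print "[net/len,net/len,...]" built from the
# private IPv4 addresses on interfaces that are not point-to-point. A public
# address on a LAN interface is skipped on purpose: HOME_NET here means the
# networks behind the firewall, not anything the WAN hands out.
home_net_from_ifconfig() {
    awk '
    # popcount per hex digit of a FreeBSD "0xffffff00" netmask
    BEGIN { pc["f"] = 4; pc["e"] = 3; pc["c"] = 2; pc["8"] = 1; pc["0"] = 0 }
    function is_private(o) {
        if (o[1] + 0 == 10) return 1
        if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) return 1
        if (o[1] + 0 == 192 && o[2] + 0 == 168) return 1
        return 0
    }
    function prefix_len(hexmask,   i, n) {       # "0xffffff00" -> 24
        n = 0
        for (i = 3; i <= length(hexmask); i++) n += pc[substr(hexmask, i, 1)]
        return n
    }
    function network(o, plen,   i, m, block, seg, net) {   # apply the mask octet by octet
        for (i = 1; i <= 4; i++) {
            if (plen >= 8 * i) m = 255
            else if (plen <= 8 * (i - 1)) m = 0
            else m = 256 - 2 ^ (8 * i - plen)
            block = 256 - m
            seg = int(o[i] / block) * block
            net = (i == 1) ? seg : net "." seg
        }
        return net
    }
    /^[a-z0-9_.]+: flags=/ { p2p = ($0 ~ /POINTOPOINT/) }
    $1 == "inet" && !p2p && $3 == "netmask" {
        split($2, o, ".")
        if (!is_private(o)) next
        plen = prefix_len($4)
        cidr = network(o, plen) "/" plen
        if (!(cidr in seen)) { seen[cidr] = 1; list = list (list == "" ? "" : ",") cidr }
    }
    END { print "[" list "]" }'
}

# With a file argument, derive from that dump; without one, run on the sample.
if [ -n "${1:-}" ]; then
    home_net_from_ifconfig < "$1"
else
    printf '%s\n' "$SAMPLE_IFCONFIG" | home_net_from_ifconfig
fi
```

The output for the sample is `[192.168.1.0/24,10.20.0.0/20]`; the netmask is converted by counting set bits in the hex mask and the address is reduced to its network per octet, so an address like 10.20.5.1 with mask 0xfffff000 correctly yields 10.20.0.0/20 rather than 10.20.5.0/20. Where the result ends up (the OPNsense advanced option Franco mentions, or suricata.yaml directly) depends on how Suricata is managed on the box.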
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: elektroinside on January 09, 2018, 09:45:28 am
Indeed. Well, things are looking good anyway on the LAN side, for now, without any tweaks as per this setup. Hopefully, the kernel will be updated soon or workarounds implemented for this to work properly.

Thanks Franco!
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: elektroinside on January 09, 2018, 11:34:39 am
Also, I wanted to let you know that I am very pleased with OPNsense overall performance.
PPPoE throughput is excellent, despite all the stuff I enabled, which is as follows (at this particular moment):

http://rcs-rds.speedtestcustom.com/result/cd491d20-f527-11e7-b4b3-6bcd532b87bb

The hardware is also new, which was the reason I tried OPNsense (and then permanently switched), as it was the only one working. Once I saw what I needed to see, I'm not looking back to anything.

So, once again, great job and thank you for it!
Title: Re: Intrusion Detection, when enabled IPS not working
Post by: franco on January 10, 2018, 08:42:06 am
Thank you <3