OPNsense Forum
Archive => 17.1 Legacy Series => Topic started by: Taomyn on September 05, 2016, 10:25:30 am
-
Hi,
I finally got my fresh install up and running at the weekend and got most of the important things working again, but I'm struggling with a few functions. One of them is the Intrusion Detection service.
When I first got things running I had enabled ID, IPS and Promiscuous mode and after choosing some rulesets, setting them to drop, downloading and enabling them, things still looked ok. However during a quick external test I noticed one of my externally accessible websites was not displaying properly and from experience with my previous firewall I first looked at ID. Under alerts I saw blocks related to my site so I immediately disabled ID and the site worked normally - I planned to come back to this later.
Now I have come back to this, I re-enabled ID in order to track down the issue but I'm no longer seeing any alerts logged and the website displays correctly. I restarted the service and the firewall numerous times, and it's still not showing any alerts even after waiting nearly a day, which doesn't seem right. So I disabled IPS but left ID enabled and tried again. This time I do see alerts, but only "allowed" for alerts labelled "SURICATA" and nothing else.
Any ideas what else to try? For information, my hardware is running in an Intel based mini-ITX PC, and my Internet connection is an Ethernet fibre connection that I connect to with PPPoE with VLAN. Other things like NAT port forwards and HAProxy all seem to be working pretty well.
*Update: amended subject to highlight that it's not working
-
Maybe someone can tell me how to completely reset Intrusion Detection without doing a full reset of everything?
I'd really like to get this up and running now.
-
Is anyone able to help me here? No matter what I try to do the best I can get is a few alerts, but any attempt to enable blocking simply doesn't appear to be doing anything.
-
Absolutely the same here!
IPS activated --> not a single entry in the alert log, no visible action
IPS de-activated --> lots of entries, but all as allowed
Seems Suricata or the whole OPNsense has a grave bug somewhere
-
Some stacked PPPoE combinations seem to not work on Suricata. I don't have a reproducible setup so debugging is very very hard. I've asked upstream once, they haven't heard of the issue, but we're one of the most prominent users of Suricata on FreeBSD so that doesn't mean there's no problem. At this point, I don't know how to progress on this front. What can we do?
The other setup issue is using a bridged interface, which doesn't work for IPS because it requires a real NIC driver to attach to.
Cheers,
Franco
-
Hmmm, that's not good news. I'm really loath to now go back to Sophos UTM where at least IPS was working but had other issues I was not happy with.
-
The only thing it may take to fix this is a real user report here https://redmine.openinfosecfoundation.org/projects
I repeat that we are one of the most prominent users of Suricata IPS (not IDS) on FreeBSD so that if we as a community can't act on the problem it likely won't go away.
I don't have the setup so I am useless here other than encouraging others to step up. :)
-
I'll happily add my own comments to someone with better knowledge that can create the ticket describing the issue in a more technical manner than I can. I'm not a firewall expert, just an enthusiast running one.
-
We just need the following:
A few variables of the affected devices and an anonymised "ifconfig" dump (the stack in this case: physical interface, vlan?, pppoe) and the expected and observed behaviour:
Affected Versions: Suricata 3.1.1 on FreeBSD 10.3
expected: IPS (netmap) captures packets and generates alerts
observed: IPS (netmap) does not capture any packets
Notes: IDS (pcap mode) can capture packets ok
I have a bug tracker account there so I could open the ticket, as long as I can relay the questions the devs there have to you?
Cheers,
Franco
-
Hi,
The other setup issue is using a bridged interface, which doesn't work for IPS because it requires a real NIC driver to attach to.
Is IPS attaching to both interfaces (WAN/LAN) if enabled? Because I tried to set up OPNsense inside a VM (WAN: physical interface passed through into VM, LAN: bridged with host interface) and it did not work -- the VM crashed if I remember correctly. Is that caused by this?
Thanks,
Space
-
Hi Space,
In short: no.
Selecting LAN + WAN means physical devices, not bridging. As long as you don't use a device bridge in the OPNsense config that is fine. The host bridge feature of your VM is underneath the virtual hardware driver.
Make sure you use the Intel e1000 driver in a VM (virtio is shaky), and better yet use the os-intel-em plugin that will be available in 16.7.4 so that it's clear this can't be a driver issue of some sorts.
Suricata 3.1.2 will be out in 16.7.4 as well. If the crash reappears, can we get more info about it?
Cheers,
Franco
-
Now that I have updated to 16.7.5 etc and have a little more free time, I'm ready to grab the information you need - I just need step-by-step instructions on how to do it as I'm not that familiar with this kind of OS.
-
Hi Taomyn,
You simply run this from SSH:
# ifconfig
Remove the public IP addresses (or send the dump to me via PM to anonymise it) and let us know how your WAN is set up (PPPoE - with or without VLAN, which physical interface, e.g. "em0").
16.7.5 is Suricata 3.1.2; it would be good to know the behaviour is reproducible there too. Just let us know whether you're running this version.
Cheers,
Franco
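As an added example (not part of the thread, and not Franco's or the OPNsense project's code), a small POSIX sh helper for the two requests above: it scrubs the public IPv4 addresses from an ifconfig dump before it is shared, keeping RFC 1918, loopback and link-local ones, and lists each VLAN interface with its tag and physical parent so the WAN layering (physical interface, VLAN, PPPoE) can be stated precisely. The ifconfig text at the top is a constructed sample in FreeBSD format; the interface names and addresses in it are made up.

```shell
#!/bin/sh
# Added example: scrub an ifconfig(8) dump before posting it. Public IPv4
# addresses become REDACTED; RFC 1918, loopback and link-local ones stay.
# The dump below is a constructed sample in FreeBSD format, not real data.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        media: Ethernet autoselect (1000baseT <full-duplex>)
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:66
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em0_vlan835: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        vlan: 835 vlanpcp: 0 parent interface: em0
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
        inet 203.0.113.7 --> 203.0.113.1 netmask 0xffffffff'

# Read ifconfig text on stdin, replace every non-private IPv4 address.
redact_public_ipv4() {
  awk '
    function is_private(ip,  o) {
      split(ip, o, ".")
      if (o[1] + 0 == 10 || o[1] + 0 == 127) return 1            # 10/8, 127/8
      if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) return 1
      if (o[1] + 0 == 192 && o[2] + 0 == 168) return 1          # 192.168/16
      if (o[1] + 0 == 169 && o[2] + 0 == 254) return 1          # 169.254/16
      return 0
    }
    {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !is_private($i))
          $i = "REDACTED"
      print
    }'
}

# Read ifconfig text on stdin, print one line per VLAN interface showing
# its tag and the physical parent, so the WAN layering is easy to state.
vlan_stack() {
  awk '
    /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }
    /parent interface:/ {
      for (i = 1; i <= NF; i++) if ($i == "vlan:") tag = $(i + 1)
      print iface ": vlan " tag " on " $NF
    }'
}

# Stand-alone demo; on the firewall pipe the real dump: ifconfig | redact_public_ipv4
printf '%s\n' "$SAMPLE_IFCONFIG" | redact_public_ipv4
printf '%s\n' "$SAMPLE_IFCONFIG" | vlan_stack
```

The PPPoE interface itself carries no parent reference in ifconfig output, so the physical NIC and VLAN it rides on still have to be named by hand from the VLAN list.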
-
I PM'd you the info
-
Franco, did you get my PM and log a ticket for it?
-
I got the PM. Did not create a ticket yet. Sorry for the delay.
-
No problem, I was more concerned that you didn't receive the information from me and was still waiting.
-
The ticket was opened today: https://redmine.openinfosecfoundation.org/issues/1925
-
8) Let me know if you/they require any more info from my setup.
-
Will do. Right now, it's more of a technical discussion to locate the actual underlying issue.
Thanks,
Franco
-
Anything happening about this?
-
Progress was slow: we exchanged a few emails and another user here provided trace files on top of the non-working config. We don't have an outlook just yet.
-
Any news?
-
We did talk about it with Victor from Suricata and he said the PPPoE doesn't look different, but for some reason the traffic is not properly processed. We're missing some bit of intel (or a reproducible setup) without which we cannot continue to uncover the underlying issue.
-
So what can I provide you from my setup to hopefully give you what is missing? I'll happily install/config things to get more diagnostics if that would help.
-
Now that v17 has been out a while, any chance of re-visiting this issue?
Also, can this thread be moved to the v17 sub-forum seeing as it applies to it as well?
-
Moved as requested. A netmap bug with Suricata / FreeBSD 12-CURRENT and another with IPsec have priority at the moment.
-
Hi guys,
Same issue here, no IDS/IPS on PPPoE.
Is there something I can help with?
I'm on base/kernel 18.1.b, everything up to date.
OPNsense 17.7.11-amd64
FreeBSD 11.1-RELEASE-p2
LibreSSL 2.5.5
Just switched from pfsense a few days ago. Everything looks so much nicer here, the code, the quality, the community, the support. I'm happy I switched. Thank you for all your hard work!
-
Hi there,
This issue is still beyond our reach. Suricata now considers Netmap and FreeBSD a first level support tier, although that won't help us if the FreeBSD kernel side is not up to the task, which is the case here.
For the most part it's recommended to run Suricata on the internal networks, where this issue does not apply, rather than on the PPPoE WAN interfaces. It may require tweaking the HOME_NET setting under the advanced options.
Cheers,
Franco
-
Indeed. Well, things are looking good anyway on the LAN side, for now, without any tweaking as per this setup. Hopefully, the kernel will be updated soon or workarounds implemented for this to work properly.
Thanks Franco!
-
Also, I wanted to let you know that I am very pleased with OPNsense overall performance.
PPPoE throughput is excellent, despite all the stuff I enabled, which is as follows (at this particular moment):
http://rcs-rds.speedtestcustom.com/result/cd491d20-f527-11e7-b4b3-6bcd532b87bb
The hardware is also new, which was the reason I tried OPNsense (and then permanently switched), as it was the only one working. Once I saw what I needed to see, I'm not looking back to anything.
So, once again, great job and thank you for it!
-
Thank you <3