Post by: csmall on January 14, 2017, 06:20:54 am
I recently did a fresh installation of the 17.1 beta.

I had a bunch of trouble trying to get ET rulesets to work.

See this thread: https://forum.opnsense.org/index.php?topic=4249.0

So I gave up and installed 16.7.13 instead thinking maybe it was a beta issue.

I seem to be having the same sorts of troubles getting ET rules working in 16.7.13.

I tried turning on IDS and IPS with some ET rules enabled but I never see any alerts triggered.

I tried switching the rule to drop traffic instead of alert and that didn't work either. It never changed the rules to drop action.

At that point I logged into a shell, found the suricata rules files and moved them to a dir in /tmp. Then I tried to redownload the rules but it didn't work. Finally I found a suricata rules updater script in /tmp and moved that somewhere else as well. After that I was able to run the ruleset downloads again.

This time I only enabled the rulesets from this example:

https://docs.opnsense.org/manual/how-tos/ips-feodo.html

The rules downloaded and when I changed the action to drop all the rules changed to drop like I would expect.

I have yet to see any of these rules trigger alerts/drops, but they may be working and just haven't been triggered.

I hesitate to enable any of the ET rulesets again because frankly they just seem to be broken or so sensitive that they aren't worth working with. Am I missing something?

The user-defined rules that I have created to drop GeoIP (countries) are working great. They show in the alerts log as expected.

Any help getting ET rules working would be much appreciated because I am stumped at this point.
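One check that is useful when a rule action change does not seem to take effect, as in the post above, is to look at the Suricata rules file on disk and confirm the action column actually reads `drop` for the SIDs you selected. The following script is an added example, not code from the thread or from OPNsense; it parses a small constructed ruleset in Suricata rule syntax, summarizes the actions, rewrites the action for a chosen set of SIDs, and verifies the result. The ruleset text, SIDs and messages are all constructed for the example.

```python
import re

# Constructed sample ruleset in Suricata syntax; SIDs and messages are made up.
# Disabled rules appear as commented-out rule lines, as they do in ET feeds.
SAMPLE_RULES = """\
# constructed sample ruleset (not an ET feed)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SAMPLE outbound check-in"; flow:established,to_server; content:"|00 01|"; sid:9000001; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE disabled ssh rule"; sid:9000002; rev:1;)
drop ip [203.0.113.0/24] any -> $HOME_NET any (msg:"SAMPLE geo block"; sid:9000003; rev:2;)
"""

ACTIONS = ("alert", "drop", "pass", "reject")

# A rule line: optional leading '#' (disabled), then the action keyword, then the rest.
RULE_RE = re.compile(r"^(?P<hash>#\s*)?(?P<action>alert|drop|pass|reject)\s+(?P<body>.*)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Return a list of dicts for every rule line (enabled or disabled)."""
    rules = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line or ordinary comment
        sid_m = SID_RE.search(m.group("body"))
        if not sid_m:
            continue  # not a well-formed rule without a sid
        rules.append({
            "line_no": line_no,
            "enabled": m.group("hash") is None,
            "action": m.group("action").lower(),
            "sid": int(sid_m.group(1)),
            "body": m.group("body"),
        })
    return rules


def summarize(text):
    """Count enabled rules per action plus the number of disabled rules."""
    counts = {a: 0 for a in ACTIONS}
    counts["disabled"] = 0
    for r in parse_rules(text):
        if r["enabled"]:
            counts[r["action"]] += 1
        else:
            counts["disabled"] += 1
    return counts


def set_action(text, sids, new_action):
    """Return the ruleset with the action of the enabled rules in `sids` replaced."""
    if new_action not in ACTIONS:
        raise ValueError(f"unknown action {new_action!r}")
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        sid_m = SID_RE.search(m.group("body")) if m else None
        if m and sid_m and m.group("hash") is None and int(sid_m.group(1)) in sids:
            out.append(f"{new_action} {m.group('body')}")
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def verify_action(text, sids, expected):
    """Return the SIDs from `sids` whose enabled rule does not carry `expected`."""
    found = {r["sid"]: r["action"] for r in parse_rules(text) if r["enabled"]}
    return sorted(s for s in sids if found.get(s) != expected)


if __name__ == "__main__":
    print("before:", summarize(SAMPLE_RULES))
    updated = set_action(SAMPLE_RULES, {9000001}, "drop")
    print("after: ", summarize(updated))
    print("still not drop:", verify_action(updated, {9000001, 9000003}, "drop"))
```

Running `verify_action` against the live rules directory (pass the file contents instead of the constructed sample) tells you whether the action you selected in the GUI reached the file Suricata loads; an empty list means the file agrees with the setting, so a missing drop would then be a traffic or capture problem rather than a rule-management one.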
Post by: csmall on January 14, 2017, 11:22:59 pm
I'm wondering if this is an issue with BSD and Realtek NIC drivers.

The same NICs seem to work fine with IDS on a Linux-based firewall.
Post by: franco on January 15, 2017, 05:55:32 pm
Hi there,

Sorry, late to the party. Yes, re(4) drivers are not working well on BSD in general, much less with netmap(4) that is used for the IPS mode in Suricata.

There are some threads in the forums that document this behaviour.

Post by: csmall on January 15, 2017, 07:31:35 pm
That is too bad. I'd love to continue using opnsense but I'll have to wait until I can replace the hardware with Intel NICs.

Thanks. Great job on opnsense by the way. Really solid product.