OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: Ciprian on September 22, 2017, 09:54:31 am

Title: [SOLVED] Intrusion Detection stops when selecting an interface group
Post by: Ciprian on September 22, 2017, 09:54:31 am

Hello!

OPNsense ver 7.7.3 (VmWare env. 4 CPU, 4 GB RAM, 20 GB VDisk)

When using IDS, selecting a group of interfaces (AllInternal) causes the IDS service to stop. The only way to start the service is to disable IDS, remove the interface group, and restart OPNsense.

I tried everything below without success:

- Remove the interface group, start the service
- Remove the interface group, disable IDS, enable IDS, restart the service
- Remove the interface group, disable IDS, reinstall the IDS package, restart the service
- Remove the interface group, disable IDS, disable all rulesets, reinstall the IDS package, restart the service
- Remove the interface group, disable IDS, disable all rulesets, reinstall the IDS package, from console "reload all services", restart the service

Please, check if the bug can be reproduced, and if it does, will open a bug report on github
Thank you!

Title: Re: [BUG] Intrusion Detection stops when selecting an interface group
Post by: mimugmail on September 22, 2017, 10:15:40 am

Why don't you select all interfaces you need manually?

Title: Re: [BUG] Intrusion Detection stops when selecting an interface group
Post by: Ciprian on September 22, 2017, 11:48:20 am

Too many!...  :)

For now, as a workaround, I did select the interfaces one-by-one, but as I configure/ add/ remove internal interfaces on a frequent basis (testing purposes), it would be much easier for me to work with groups in FW/ IPS etc, and only modify the member interfaces in the group.

Thank you for your suggestion.

Title: Re: [BUG] Intrusion Detection stops when selecting an interface group
Post by: franco on September 22, 2017, 07:50:38 pm

This is funny. It's not a bug, it's a sort of a feature... a combination of:

(a) nobody thought it would be possible to select interface groups in the MVC interface selection
(b) due to (a) nobody wrote code to resolve interface groups to real interfaces

When adding a group, it writes the group name to the suricata interfaces, but the group is not a real interface so it refuses to start.

We could actually make that a feature in the future, would you mind adding a request on GitHub?

https://github.com/opnsense/core/issues


Thank you,
Franco

Title: Re: [BUG] Intrusion Detection stops when selecting an interface group
Post by: Ciprian on September 25, 2017, 09:38:16 am

Thank you, franco!

I will add the issue on GitHub!

P.S. As well as nobody thought about int groups and nobody wrote code for that, also I, as a user, was never thought of that feature not working, since the possibility exists in the web interface, and the group is listed on the int selection dropdown list. :)

Title: Re: [BUG] Intrusion Detection stops when selecting an interface group
Post by: franco on September 25, 2017, 11:15:31 pm

Ad who wrote the intrusion detection integration disagreed with resolving the group to real interfaces so as a precaution it has been disabled for 17.7.4 to prevent the service from not starting correctly under these conditions.


Cheers,
Franco

Title: Re: [BUG] Intrusion Detection stops when selecting an interface group
Post by: Ciprian on September 26, 2017, 09:52:26 am

Yes, franco, I have seen this on the GitHub thread, and the reason is quite logical: not every interface type that can be added to a group is suitable for ID(P)S - like OpenVPN, tinc etc.

Thank you, guys, you're awesome!

Title: Re: [BUG] Intrusion Detection stops when selecting an interface group
Post by: franco on September 26, 2017, 11:22:13 am

No, thank you for the report. :)


Cheers,
Franco