OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: dcol on December 06, 2017, 05:17:35 pm

Title: IPS blocked, then allowed
Post by: dcol on December 06, 2017, 05:17:35 pm
I have IPS enabled with a custom rule which seems to trigger a block properly.
My issue is, The custom rule triggered a block, then another ET rule that also matched after that blocked the same packet.
Isn't the engine suppose to quit the packet after it matches and not continue through the rules? Is this a setting?
Here is an example of the same packet that triggered two IDS rules. Why? Should't the first one have ended the search? What if one rule is set to block and the other to allow. Which one does it follow?
The second example shows another double hit. The common element here is the User Defined GeoIP block. There must be something wrong with the GeoIP block. I think at this point I will submit a bug report to github.
Title: Re: IPS blocked, then allowed
Post by: dcol on December 08, 2017, 05:39:45 pm
I submitted a bug report to OPNsense git-hub and Suricata. Neither has responded, so far.

According to the Suricata manual, a drop is definitely suppose to end the chain, but in my case it does not. This has happened with many other matching rules as well. Looks like the rules engine processes all packets against every rule in its algorithm. This has to impede performance and stress to netmap.

At this point I am not sure if it is an adjustable setting in the Suricata configuration or a bug.
Title: Re: IPS blocked, then allowed
Post by: dcol on December 12, 2017, 03:53:22 pm
This issue is not an OPNsense issue since the same thing happens in other firewalls using Suricata.
Title: Re: IPS blocked, then allowed
Post by: franco on December 12, 2017, 10:46:08 pm
Hi there,

Do you have a link for future reference where the same behaviour happens on e.g. Linux?


Thanks,
Franco
Title: Re: IPS blocked, then allowed
Post by: dcol on December 12, 2017, 10:48:51 pm
Just tried it on a pfs box with the same results.
Title: Re: IPS blocked, then allowed
Post by: franco on December 12, 2017, 10:58:18 pm
Ah ok, I was hoping for a non-FreeBSD confirmation, but no worries as that is ok too. :)


Cheers,
Franco