OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: elektroinside on January 12, 2018, 04:01:31 pm

Title: Windows Updates
Post by: elektroinside on January 12, 2018, 04:01:31 pm
One (or more) of the Suricata rules breaks Windows Updates, but I am unable to find which one since there are no "blocked" alerts in the GUI.

Is there some other way to find out?
Title: Re: Windows Updates
Post by: elektroinside on January 12, 2018, 04:18:50 pm
Found some logs in /var/log but it looks like a mirror of the GUI/Alerts..
Title: Re: Windows Updates
Post by: elektroinside on January 12, 2018, 06:40:23 pm
Also, on some machines WUA seems to work, some partially work, some don't.
When I say it breaks WUA, I mean "check for updates" returns an error and no other results.

Temporarily disabling IDS/IPS immediately fixes the issue on all machines.
Title: Re: Windows Updates
Post by: bartjsmit on January 12, 2018, 07:32:28 pm
What about wsus?

Bart...
Title: Re: Windows Updates
Post by: elektroinside on January 15, 2018, 05:47:33 pm
I don't have a WSUS server at home :)
But after 18.1 stable is out and after some testing, I'm seriously considering migrating one of my clients to OPNsense, where I do have WSUS and also a pretty big AD.

I still have yet to find out what is causing this behavior. At home, I have only 12 clients, but randomly some are failing to even check for updates.

I'll investigate more these days and report back :)
Title: Re: Windows Updates
Post by: dcol on January 16, 2018, 11:17:58 pm
Funny you should see any issues since all the rules are set to alert by default.
Did you change any rules to drop?

Also, try turning off IPS and then try the updates and look at the alerts it generates.
I may be incorrect, but I think that when using IPS, drops are not logged. They are dropped.
Title: Re: Windows Updates
Post by: elektroinside on January 16, 2018, 11:24:14 pm
All my rules are set to drop (all except the ones I don't want to drop)...
Blocked rules are logged; this is how I usually allow the ones I don't want to drop.

I also noticed that it has some difficulties with RDP as well. I can sometimes connect to clients very fast, sometimes not at all. No dropped alerts for these either.

Disabling IPS fixes this every time..
Title: Re: Windows Updates
Post by: dcol on January 17, 2018, 12:23:59 am
If you leave IDS on and just disable IPS, then you may see the drops in the logs that are causing the issues. Then you can disable those.

Having all your rules set to drop will cause lock ups now and then. I think that is why OPNsense sets all rules to alert by default.

What would be nice is to find a list of 'Must Have' drop rules. Would make a great sticky topic.
Title: Re: Windows Updates
Post by: elektroinside on January 17, 2018, 07:49:44 am
That's strange, IDS alone doesn't block. I've been using Suricata for quite some time now (true, always with IPS, not necessarily with OPNsense), but I don't remember having this issue and I don't remember IDS blocking anything without IPS.

If this is true, how can it log blocked traffic if it doesn't block?

Please note that when I said that all my rules are set to block, I did it from the GUI, from the download tab, which doesn't set all the rules to drop (most of them, but not all). And I only get this behavior with Windows Updates and RDP (so far). Everything else I customized and unblocked works perfectly.
Title: Re: Windows Updates
Post by: dcol on January 17, 2018, 03:59:52 pm
For the items that are still being blocked, you still have some drop rules that need to be disabled.
My suggestion was to just stop IPS while leaving IDS enabled, then set up a test where you can cause the block, then look at the alerts to see which drop rules are being invoked.

My assumption is that you are not seeing the drops in the logs because IPS is on and the packets are dropped before they are logged. I have seen this happen where something is blocked by IPS and there are no drop log entries.
Title: Re: Windows Updates
Post by: elektroinside on January 17, 2018, 05:14:10 pm
Ok, I'll try & report back. Thank you!
Title: Re: Windows Updates
Post by: dcol on January 17, 2018, 06:45:31 pm
By the way, I found 3 rules that affect Windows updates.
Here are the sids:
1:2221000 # SURICATA HTTP unknown error
1:2221021 # SURICATA HTTP response header invalid
1:2221028 # SURICATA HTTP Host header invalid
Title: Re: Windows Updates
Post by: elektroinside on January 17, 2018, 07:41:43 pm
Yes, I too found these somewhere on the internet and learned that they break WU. Already set them to 'alert', although I didn't actually have any alerts from these rules.

Also tried without IPS (attached Screenshot_6.png) and eventually without IDS at all (Screenshot_7.png).

Without IPS, I only had some GeoIP alerts I have set, absolutely nothing else..

After a few retries (10+), it will work eventually even with IDS/IPS. RDP works almost every time, but without IDS/IPS connections are almost instant, no delays whatsoever. With it, I have to wait ~15-20 secs to connect; it almost times out. RDP is fine as long as it works, even with delays, but Windows Updates fail most of the time, with an error that suggests something is blocking it. But why is it working after many, many retries? Strange...
Title: Re: Windows Updates
Post by: dcol on January 17, 2018, 10:27:49 pm
I just found something that may be helpful. I tried to do an update on a Windows 2016 server and it just hung. No alerts and no indication on why. Then I remembered something from long ago. That computer had the Windows Firewall service disabled. As soon as I enabled it, the updates started. I do have the Firewall State off for Private and Public networks in the Firewall setting page. So, even though the firewall is set to off, you still have to have the service running to get Windows Updates.

try that.
Title: Re: Windows Updates
Post by: elektroinside on January 17, 2018, 10:44:08 pm
Thank you, but I don't think this is my case, my firewalls are always up. I'm a security freak (more or less), my job is security-related, I would never turn off my firewalls :) I even sandbox a lot of stuff on my main PCs, virtualize and use various containers to protect stuff.
Also, turning off WF is a very bad idea generally; lots of services will not work (as a rule) in Windows without it. The strange thing is that the Windows logs contain errors usually related to connectivity, certificates and NTP while running WU. I'll dig deeper in the upcoming days...

I really think this is IDS/IPS related, no matter how much I would like it not to be. There are a few bugs related to IDS/IPS in the repository; who knows, something there might be my issue. It's not the end of the world, but I have to find out what exactly the problem is, as I intend to migrate my clients to OPNsense soon. I will start disabling rulesets and narrow things down..
Title: Re: Windows Updates
Post by: elektroinside on January 20, 2018, 11:00:05 am
As it turns out, not all dropped packets are logged.
I have modified suricata.yaml to log all of them.

Setting these sids to 'Alert' fixed my Windows Updates issues:

2023818
2020573

@Franco: may I suggest revising this part of the Suricata config? It will avoid a lot of confusion...
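Once drops are written to eve.json, the remaining question is which sid is responsible. The script below is an added example, not code from this thread or from OPNsense: it reads eve.json lines and tallies the rules that actually blocked traffic, grouping drops that carry no rule under sid 0. It assumes the usual EVE layout ("alert" events with alert.action set to "allowed" or "blocked", and "drop" events that carry the matching rule under "alert" when the drop output has alerts enabled); all sample lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample eve.json events, not a real capture. Suricata writes one JSON
# object per line: "alert" events carry alert.action ("allowed"/"blocked"); "drop"
# events exist only when the eve-log "drop" output type is enabled and, with
# "alerts: yes", carry the matching rule under "alert" (layout assumed here).
SAMPLE_EVENTS = [
    {"event_type": "alert", "src_ip": "192.0.2.10", "dest_ip": "203.0.113.5", "dest_port": 80,
     "alert": {"action": "blocked", "signature_id": 2221028,
               "signature": "SURICATA HTTP Host header invalid"}},
    {"event_type": "drop", "src_ip": "192.0.2.10", "dest_ip": "203.0.113.5", "dest_port": 80,
     "alert": {"action": "blocked", "signature_id": 2221028,
               "signature": "SURICATA HTTP Host header invalid"}},
    {"event_type": "alert", "src_ip": "192.0.2.11", "dest_ip": "203.0.113.9", "dest_port": 443,
     "alert": {"action": "allowed", "signature_id": 2221021,
               "signature": "SURICATA HTTP response header invalid"}},
    # a drop with no rule attached (e.g. a stream drop): exactly the "silent" kind
    {"event_type": "drop", "src_ip": "192.0.2.12", "dest_ip": "203.0.113.9", "dest_port": 443},
]
SAMPLE_EVE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS] + ['{"event_type": "alert", "trunc']

def blocked_rules(lines):
    """Summarise rules that blocked traffic as {sid: {"signature", "count", "dests"}}.
    Drops without a rule match are grouped under sid 0 so they are not lost."""
    summary = defaultdict(lambda: {"signature": None, "count": 0, "dests": set()})
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial last line of a file still being written
        etype, alert = ev.get("event_type"), ev.get("alert") or {}
        if etype == "alert" and alert.get("action") != "blocked":
            continue  # an alert-only match did not stop anything
        if etype not in ("alert", "drop"):
            continue  # flow, http, dns, stats, ... records are not blocks
        entry = summary[alert.get("signature_id", 0)]
        entry["signature"] = alert.get("signature", "(drop without rule match)")
        entry["count"] += 1
        entry["dests"].add(f'{ev.get("dest_ip")}:{ev.get("dest_port")}')
    return dict(summary)

def report(lines):
    """One text line per blocking sid, most frequent first; feed eve.json lines in."""
    rows = sorted(blocked_rules(lines).items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [f'sid {sid}: {e["count"]}x {e["signature"]} -> {", ".join(sorted(e["dests"]))}'
            for sid, e in rows]
```

Pass the open eve.json file object to report() to run it over a real log; a sid that tops the list while a client is failing to update is the one to set back to alert.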
Title: Re: Windows Updates
Post by: franco on January 20, 2018, 08:45:31 pm
Hey elektroinside,

Thanks for the heads-up! This one should do it? :)

https://github.com/opnsense/core/commit/573612d48


Cheers,
Franco
Title: Re: Windows Updates
Post by: elektroinside on January 20, 2018, 09:29:46 pm
I don't know.. yet :)
Hopefully, it's enough, I'll let you know in a few days, probably enough time to generate lots of packets :)

I am seeing some dropped packets right now, don't remember seeing them before, so it might work :)

Thank you Franco!

Title: Re: Windows Updates
Post by: dcol on January 21, 2018, 09:34:59 pm
I also implemented this change
Can't tell if the change does anything since I also saw blocks before the change.
I take it that eve.json is the IDS alerts list.

elektroinside - I figured the updates problems were rules. Glad you found it. I didn't see it because I do not have those rulesets enabled.
Title: Re: Windows Updates
Post by: elektroinside on January 22, 2018, 07:45:08 am
Figured it had something to do with alerting (the fact that I can't see what is blocked and what is not, from previous experiences with Suricata). Also, without this change in the config file, you couldn't see it anyway, even if you had the rule, as it was not logged (dropped silently).

Anyway, it's all good now :-) Thank you both!
Title: Re: Windows Updates
Post by: Ciprian on January 22, 2018, 08:54:28 am
Hey elektroinside,

Thanks for the heads-up! This one should do it? :)

https://github.com/opnsense/core/commit/573612d48


Cheers,
Franco

And maybe (rather, surely) from now on it is a lot easier to find the culprit rule(s) or ruleset(s) crippling any other network service.