OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: xmichielx on March 08, 2018, 11:23:21 am

Title: question about Suricata syslog
Post by: xmichielx on March 08, 2018, 11:23:21 am
Hi,

I am using the latest OPNsense (18.1.3 on APU2) which works fine with Suricata.
I am using the IDS and not the IPS mode, I just want to have logging and have that logging sent remotely to a rsyslog server.
I see alerts in the Alerts tab and I have set up rsyslog and selected Everything to be sent to the rsyslog server.
On the rsyslog server I see a lot of firewall traffic but no Suricata alerts coming through, although I see them appearing in the Alerts tab.
Are alerts only logged when you use the IPS and set rules to drop? (which I don't want)
Title: Re: question about Suricata syslog
Post by: franco on March 14, 2018, 06:13:01 pm
Hi there,

Local syslog is fully functional in 18.1.4 now, but selective remote syslog must still be implemented but it shouldn't take too long.

But I think you can already send all logs to a remote location and do the filtering afterwards.


Cheers,
Franco
Title: Re: question about Suricata syslog
Post by: nines on March 15, 2018, 04:53:46 pm
Hi Franco,

I can't confirm syslog is working correctly as stated here:
https://forum.opnsense.org/index.php?topic=7402.15

There are still IPS alerts not shown in the local syslog nor in the remote destination - they only appear in eve.json unfortunately.
Title: Re: question about Suricata syslog
Post by: xmichielx on October 11, 2018, 04:43:33 pm
Small necro bump but this still occurs, for example I have these 2 entries (OPNsense 18.7.4 AMD64):

2018-10-11T15:08:06.596797+0200   blocked   LAN   118.123.15.142   52566   192.168.1.25   22   ET SCAN Potential SSH Scan   
2018-10-11T15:03:13.485746+0200   blocked   LAN   192.168.1.116   47408   62.112.238.55   80   ET TROJAN Zberp receiving conf..

Which I find back in my syslog file on the remote syslog server:

root@bananapi:~# grep 'ET SCAN' /var/log/syslog | grep '15:08'
Oct 11 15:08:06 vuurmuur.protegam.lan suricata[46424]: [Drop] [1:2001219:20] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 118.123.15.142:52566 -> 192.168.1.25:22

When I search for the TROJAN entry:

root@bananapi:~# grep -c 'TROJAN' /var/log/syslog
0

So the TROJAN entry never entered the rsyslog server... which is pretty annoying, since it is about a potential TROJAN being active on my network; the SSH SCAN noise I could care less for, but the TROJAN is very important for me to detect and act upon.
I have set up Monit to alert on found TROJAN, MALWARE, WORM in /var/log/syslog so it would be nice if all Suricata alerts are being sent to the rsyslog server.

Can I troubleshoot this to see why it hasn't been sent?
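One way to troubleshoot the gap described above is to cross-check what Suricata wrote to eve.json against what actually arrived in the syslog copy. This is an added example, not OPNsense's or the poster's code; the eve.json records are constructed from the two Alerts-tab entries (with a placeholder sid 9999999 for the Zberp rule, whose real id is not in the post) and the script assumes Suricata's standard eve.json alert field names and the syslog line layout shown in the grep output.

```python
import json
import re

# Suricata alert line as relayed to syslog, e.g. "suricata[46424]: [Drop] [1:2001219:20] ET SCAN ... {TCP} a:p -> b:q"
SYSLOG_ALERT = re.compile(
    r"suricata\[\d+\]: \[(?P<action>\w+)\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<sig>.+?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)

def parse_syslog_alerts(lines):
    """Map (sid, src ip, src port, dst ip, dst port) -> signature for every alert line in syslog text."""
    found = {}
    for line in lines:
        m = SYSLOG_ALERT.search(line.rstrip("\n"))
        if m:
            found[(int(m["sid"]), m["src"], int(m["sport"]), m["dst"], int(m["dport"]))] = m["sig"]
    return found

def parse_eve_alerts(lines):
    """Same key -> signature map for every event_type=alert record in eve.json (one JSON object per line)."""
    found = {}
    for line in filter(None, (ln.strip() for ln in lines)):
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, dns, http, ... records carry no alert
        a = rec["alert"]
        found[(a["signature_id"], rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"])] = a["signature"]
    return found

def alerts_missing_from_syslog(eve_lines, syslog_lines):
    """Alerts Suricata wrote to eve.json that never reached the syslog file, sorted for stable output."""
    in_syslog = parse_syslog_alerts(syslog_lines)
    return sorted((k, sig) for k, sig in parse_eve_alerts(eve_lines).items() if k not in in_syslog)

# Constructed sample input (not captured data): the two alerts from the post as eve.json records,
# and the single syslog line that actually arrived. 9999999 is a placeholder sid, not the real ET rule id.
SAMPLE_EVE = [json.dumps(r) for r in (
    {"timestamp": "2018-10-11T15:08:06.596797+0200", "event_type": "alert", "src_ip": "118.123.15.142",
     "src_port": 52566, "dest_ip": "192.168.1.25", "dest_port": 22, "proto": "TCP",
     "alert": {"action": "blocked", "signature_id": 2001219, "signature": "ET SCAN Potential SSH Scan"}},
    {"timestamp": "2018-10-11T15:03:13.485746+0200", "event_type": "alert", "src_ip": "192.168.1.116",
     "src_port": 47408, "dest_ip": "62.112.238.55", "dest_port": 80, "proto": "TCP",
     "alert": {"action": "blocked", "signature_id": 9999999, "signature": "ET TROJAN Zberp receiving conf.."}},
)]
SAMPLE_SYSLOG = [
    "Oct 11 15:08:06 vuurmuur.protegam.lan suricata[46424]: [Drop] [1:2001219:20] ET SCAN Potential SSH Scan "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 118.123.15.142:52566 -> 192.168.1.25:22",
]
```

Run `alerts_missing_from_syslog(open("eve.json"), open("/var/log/syslog"))` against real files to list exactly which alerts were dropped on the way to the rsyslog server; with the constructed sample it reports only the Zberp entry.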

Title: Re: question about Suricata syslog
Post by: xmichielx on October 12, 2018, 07:06:09 pm
Also created https://github.com/opnsense/core/issues/2809 for this issue, not sure if it is a bug or works as expected.