OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: dieterarn on April 05, 2018, 05:50:47 am

Title: Can't get Intrusion Detection working.
Post by: dieterarn on April 05, 2018, 05:50:47 am
I've been trying, off and on, since 16.x, to get Intrusion Detection working.

Alerts don't show much activity, but the moment I turn on IPS I get a completely dead connection. Have I been that seriously pwned, or have I just messed up something?

I've followed the guides and disabled hardware offloading, etc.
I've also disabled all the rulesets:

Description
   abuse.ch/Dyre SSL IPBL   not installed
   abuse.ch/Feodo Tracker   not installed
   abuse.ch/SSL Fingerprint Blacklist   not installed
   abuse.ch/SSL IP Blacklist   not installed
   ET open/botcc   not installed
   ET open/botcc.portgrouped   not installed
   ET open/ciarmy   not installed
   ET open/compromised   not installed
   ET open/drop   not installed
   ET open/dshield   not installed
   ET open/emerging-activex   not installed

Still nothing...

The latest alerts say:
2018-04-04T23:25:30.465856-0400   allowed   WAN   ###.###.###.###   ###.###.###.###   7801   SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2018-04-04T23:25:27.614650-0400   allowed   WAN   ###.###.###.###   ###.###.###.###   7801   SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2018-04-04T23:25:26.016311-0400   allowed   WAN   ###.###.###.###   ###.###.###.###   7801   SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2018-04-04T23:21:20.710647-0400   allowed   WAN   ###.###.###.### 22589   ###.###.###.### 23   SURICATA TCPv4 invalid checksum

I run OPNsense as a virtual machine with two virtual bridges connected to it: one is a dedicated physical interface for the WAN and the other is a virtual bridge to the LAN. The host is Proxmox.
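Two checks that follow from the symptoms in the post above (engine-generated STREAM and checksum alerts, and NIC offloading on a virtualised interface), as an added example that is not part of the thread and not OPNsense or Suricata code. It parses Suricata's default fast.log alert format and the options=<...> line printed by FreeBSD ifconfig; both formats are assumptions. The log lines and the ifconfig output are constructed to resemble the alerts quoted above; the SIDs 9000001 and 9000002 are placeholders, not real rule IDs, and only 2210057 is a signature quoted in this thread. The distinction it draws is between alerts whose message starts with "SURICATA " (the engine's own decoder/stream event rules) and content signatures, and whether any of the former are set to drop, since a drop on a stream anomaly takes legitimate traffic down with it.

```python
"""Triage helpers: parse Suricata fast.log alerts and FreeBSD ifconfig output.
Added example, not OPNsense or Suricata code. Assumes Suricata's default
"fast" output format and the options=<...> line FreeBSD ifconfig prints.
Sample data is constructed; SIDs other than 2210057 are placeholders."""
import re
from collections import Counter

# One fast.log alert per line. "[Drop]" (or "[wDrop]") appears only when
# Suricata runs in IPS mode and the rule's action dropped the packet.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>w?Drop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Offload features as named in FreeBSD ifconfig's options=<...> list. With any
# of these on, the packets Suricata captures differ from what is on the wire
# (checksums not yet filled in, segments coalesced or split), which is how
# "invalid checksum" and STREAM anomaly alerts get generated on clean traffic.
OFFLOAD_FLAGS = ("RXCSUM", "TXCSUM", "RXCSUM_IPV6", "TXCSUM_IPV6", "VLAN_HWCSUM",
                 "TSO4", "TSO6", "LRO", "VLAN_HWTSO")


def parse_fast_log(lines):
    """Parse fast.log lines into dicts; lines that do not match are skipped."""
    for line in lines:
        m = FAST_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["sid"] = int(a["sid"])
        a["dropped"] = a["action"] is not None
        # "SURICATA ..." messages come from the engine's own decoder/stream
        # event rules, not from content signatures such as the ET rulesets.
        a["engine_event"] = a["msg"].startswith("SURICATA ")
        yield a


def triage(lines):
    """Summarise which signatures fire, which drop, and how many are engine events."""
    alerts = list(parse_fast_log(lines))
    return {
        "total": len(alerts),
        "engine_events": sum(1 for a in alerts if a["engine_event"]),
        "checksum_alerts": sum(1 for a in alerts if "invalid checksum" in a["msg"].lower()),
        "per_sid": Counter((a["sid"], a["msg"]) for a in alerts),
        "dropped_sids": sorted({a["sid"] for a in alerts if a["dropped"]}),
        "dropped_engine_sids": sorted({a["sid"] for a in alerts if a["dropped"] and a["engine_event"]}),
    }


def findings(report):
    """Checks worth making before trusting IPS mode, as plain strings."""
    out = []
    if report["checksum_alerts"]:
        out.append("invalid-checksum alerts: confirm checksum offload is off on the capture interface")
    if report["dropped_engine_sids"]:
        out.append(f"engine-event rules set to drop {report['dropped_engine_sids']}: "
                   "they drop on stream anomalies, not attack content; set them to alert")
    if report["total"] and report["engine_events"] == report["total"]:
        out.append("only engine events fire: no content rules are matching, check which rulesets are installed")
    return out


def enabled_offload_flags(ifconfig_text):
    """Return the offload flags still set in `ifconfig <if>` output (assumed FreeBSD format)."""
    m = re.search(r"options=[0-9a-fA-F]+<([^>]*)>", ifconfig_text)
    if not m:
        return []
    present = set(m.group(1).split(","))
    return [f for f in OFFLOAD_FLAGS if f in present]


# Constructed fast.log lines modelled on the alerts in the post; 9000001/9000002 are placeholder SIDs.
SAMPLE_FAST_LOG = [
    "04/04/2018-23:25:30.465856  [**] [1:9000001:1] SURICATA STREAM ESTABLISHED SYNACK resend with different seq [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.10:7801 -> 198.51.100.5:443",
    "04/04/2018-23:25:27.614650  [**] [1:9000001:1] SURICATA STREAM ESTABLISHED SYNACK resend with different seq [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.10:7801 -> 198.51.100.5:443",
    "04/04/2018-23:21:20.710647  [**] [1:9000002:1] SURICATA TCPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.10:22589 -> 198.51.100.5:23",
    "04/04/2018-23:26:01.000000  [Drop] [**] [1:2210057:2] SURICATA STREAM 3way handshake toclient data injection suspected [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.5:443 -> 203.0.113.10:7801",
    "this line is not an alert and is skipped",
]

# Constructed ifconfig output for a virtio NIC in a Proxmox guest with offloading still on.
SAMPLE_IFCONFIG = (
    "vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\toptions=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>\n"
)

if __name__ == "__main__":
    rep = triage(SAMPLE_FAST_LOG)
    for (sid, msg), n in rep["per_sid"].most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    for line in findings(rep):
        print("-", line)
    print("offload flags still enabled:", enabled_offload_flags(SAMPLE_IFCONFIG))
```

On a real box the inputs would be `/var/log/suricata/fast.log` and the output of `ifconfig` for the interfaces listed in the IDS configuration; in a Proxmox guest the virtio NIC's offload settings matter on both the guest and the bridge side, which the guest-side check alone cannot see.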
Title: Re: Can't get Intrusion Detection working.
Post by: elektroinside on April 05, 2018, 06:20:03 am
Follow this tutorial and you will get your IDPS up and running:
https://forum.opnsense.org/index.php?topic=6893.0

It's not updated, but I hope you'll manage to find the options which were modified in the GUI.
Title: Re: Can't get Intrusion Detection working.
Post by: dieterarn on April 08, 2018, 02:01:44 am
First of all: oops, I should do a better job of googling next time. Sorry & thanks   :-[

I was following your guide: I got to part 4, IDS and IPS, and noticed that I had only put WAN in my interfaces list.

After including LAN, enabling IPS and applying, I lost all connection to the internet AND the admin web interface. The result is instantaneous. I had to drop into the virtual console and restore settings from backup. As you probably know, once you restore settings OPNsense recommends that you reboot the router. When I did that I got the screen shown in the included attachment; it looks like Suricata is complaining. Googling the error I get these hits:

https://forum.pfsense.org/index.php?topic=98787.0
https://redmine.openinfosecfoundation.org/issues/1496

So that's just Suricata complaining that syslog wasn't enabled.

I went and turned it on... the internet still breaks the instant I enable IPS...

In your debug area you say to set all rules to alert. I double-checked and found that I had 1 drop rule:
Signature Id   2210057
Classtype      protocol-command-decode
Message        SURICATA STREAM 3way handshake toclient data injection suspected