Messages - xmichielx

#1
Perhaps try a reinstall of the package?
#2
Quote from: ex2k3 on January 24, 2019, 09:32:43 PM
The "ERRCODE: SC_ERR_NO_RULES_LOADED(43)" only appears after upgrading to the latest version; before that I saw notifications.

I tried to load different rules, abuse.ch, changed from alert to block, used other rules, test rules, test viruses, nothing.

Before I posted I did a lot of searching in the forums, and I'm not new to this topic, sysadmin for over 20 years now.

I'm glad for any hint here; the next thing I'm gonna try is waiting for the next version and trying a fresh install.
(Everything else works fine, I have VPNs running as client, DHCP, NAT, you name it.)
Only this is giving me hard times, coming from Sophos and switching many sites...

Since you've been an admin for over 20 years: did you enable the SSH shell, check the files yourself and see what went wrong via the GUI?
I do agree that there are some bugs (hey, it's an RC, still not stable) after the upgrade for Suricata (there are some other topics about that), but I would check the files themselves on the system and see why the rules that are indeed enabled in the GUI are not enabled on the system.
Perhaps post some screenshots that might help us?
#3
Try changing the interface that Suricata is checking on from WAN to LAN, since the connection will be made from the LAN side.
#4
I have the same bandwidth and use a PC Engines APU2C4. The rulesets that you choose, the scan engine (Hyperscan preferably) and the networks that you have enabled in the HOME_NETWORK/LAN entry do have an impact on the IPS performance and on how much bandwidth is dropped.
#5
Quote from: ex2k3 on January 23, 2019, 11:13:27 AM
same here:

Jan 19 10:22:47   suricata: [100163] <Notice> -- all 9 packet processing threads, 4 management threads initialized, engine started.
Jan 19 10:22:47   suricata: [100163] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
Jan 19 10:22:46   suricata: [100345] <Notice> -- This is Suricata version 4.1.2 RELEASE
Jan 19 10:22:46   suricata: [100163] <Notice> -- Stats for 'igb1+': pkts: 1923, drop: 0 (0.00%), invalid chksum: 0
Jan 19 10:22:46   suricata: [100163] <Notice> -- Stats for 'igb1': pkts: 3955, drop: 0 (0.00%), invalid chksum: 0

Well, the "ERRCODE: SC_ERR_NO_RULES_LOADED(43)" message says a lot.
Did you guys first enable the ET rules that you want, apply, download new rules (you will see a date behind the ruleset that you've enabled), then set every ruleset to action drop (use the edit pencil behind every rule) and then click apply again?
Use Hyperscan for Intel NICs and enable IPS when you want to block.
Enable promiscuous mode if you have VLAN interfaces and don't add VLAN interfaces to the interface list.
I would also add your LAN interface and not the WAN interface (default) if you want to block hosts on the abuse.ch ruleset.

Otherwise show with a screenshot your general and ruleset settings which are enabled so we can see your configuration.
#6
I've not noticed a big difference indeed, but I do notice some new flowbit errors:

Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.RTF' is checked but not set. Checked in 2020700 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2022303 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 4 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017790 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.CVE20157547.primer' is checked but not set. Checked in 2022547 and 0 other sigs

Not sure if this is an issue, but the rest of the rules work fine :)
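The SC_WARN_FLOWBIT warnings above mean a signature checks a flowbit that no loaded signature ever sets, so that checking signature can never match; the practical question is how many rules are silently dead. The script below is an added example (not code from the post or from the OPNsense project): it parses warnings of the quoted format, counts affected signatures, and shows the same check against rule text, so you can find which setter rule is missing or disabled. The log lines and rules are constructed samples, and the hostname, PID, SIDs and flowbit names `demo.office` / `demo.mssql` are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the warnings quoted in the post
# (hostname, PID and thread id are placeholders, not from a real system).
SAMPLE_LOG = """\
Jan  9 13:24:35 fw.example.lan suricata[12345]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
Jan  9 13:24:35 fw.example.lan suricata[12345]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 4 other sigs
Jan  9 13:24:35 fw.example.lan suricata[12345]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
Jan  9 13:24:36 fw.example.lan suricata[12345]: [100108] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
"""

# Constructed example rules (not real ET signatures). The setter for
# 'demo.office' is commented out, which is exactly what produces the warning.
SAMPLE_RULES = """\
#alert http any any -> any any (msg:"DEMO Office doc download"; flowbits:set,demo.office; flowbits:noalert; sid:9000001; rev:1;)
alert http any any -> any any (msg:"DEMO VBA project in Office doc"; flowbits:isset,demo.office; sid:9000002; rev:1;)
alert tcp any any -> any 1433 (msg:"DEMO MSSQL login"; flowbits:set,demo.mssql; flowbits:noalert; sid:9000003; rev:1;)
alert tcp any 1433 -> any any (msg:"DEMO MSSQL response"; flowbits:isset,demo.mssql; sid:9000004; rev:1;)
"""

FLOWBIT_WARNING_RE = re.compile(
    r"SC_WARN_FLOWBIT\(306\)\] - flowbit '(?P<name>[^']+)' is checked but not set\. "
    r"Checked in (?P<sid>\d+) and (?P<others>\d+) other sigs"
)

# flowbits:<op>[,<name>]; as written inside a rule's option block
RULE_FLOWBIT_RE = re.compile(
    r"flowbits\s*:\s*(?P<op>set|isset|isnotset|unset|toggle|noalert)"
    r"\s*(?:,\s*(?P<name>[^;]+))?\s*;"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_flowbit_warnings(text):
    """Map each warned flowbit to the first SID reported and the total
    number of signatures affected (that SID plus the 'N other sigs')."""
    result = {}
    for line in text.splitlines():
        m = FLOWBIT_WARNING_RE.search(line)
        if not m:
            continue
        result[m.group("name")] = {
            "sid": int(m.group("sid")),
            "affected": 1 + int(m.group("others")),
        }
    return result


def dead_rule_count(warnings):
    """Signatures that can never fire because their flowbit is never set."""
    return sum(w["affected"] for w in warnings.values())


def unset_flowbits_in_rules(rules_text):
    """Replicate Suricata's check on rule text: flowbits that are checked
    (isset/isnotset) by an enabled rule but set/toggled by none.
    Returns {flowbit_name: [checking SIDs]}."""
    setters, checkers = set(), defaultdict(list)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # disabled or comment: its set/check does not count
        sid_m = SID_RE.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        for m in RULE_FLOWBIT_RE.finditer(line):
            name = (m.group("name") or "").strip()
            if m.group("op") in ("set", "toggle"):
                setters.add(name)
            elif m.group("op") in ("isset", "isnotset"):
                checkers[name].append(sid)
    return {n: sids for n, sids in checkers.items() if n not in setters}


if __name__ == "__main__":
    warned = parse_flowbit_warnings(SAMPLE_LOG)
    for name, info in warned.items():
        print(f"{name}: first SID {info['sid']}, {info['affected']} rule(s) dead")
    print("total dead rules:", dead_rule_count(warned))
    print("never set in sample rules:", unset_flowbits_in_rules(SAMPLE_RULES))
```

Running the rule-side check against the actual rule files on the firewall (rather than the constructed sample) tells you whether a setter rule exists in a ruleset you simply did not enable, in which case enabling that ruleset makes the checking rules useful again, or whether the setter is absent entirely and the warning is harmless noise.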
#7
PS, I am still very interested in some results or experiences with this new Suricata 4.1.2 version in regards to the older 4.0.* version from OPNsense users :)
#8
Ha! Then I wait for the 19.1 version, will that also include the reworked netmap from Victor Julien?
#9
I see that the new 18.7.10 has Suricata 4.1.2 and was wondering if people find some performance differences with the former Suricata (4.0.*) version?
I already noticed that the IPS performance was better with 4.0 over 3.* on an APU2C4, but am wondering if I should upgrade or wait for the 19.1 version which comes out later this month.
#10
Also created https://github.com/opnsense/core/issues/2809 for this issue; not sure if it is a bug or works as expected.
#12
Small necro bump, but this still occurs; for example I have these 2 entries (OPNsense 18.7.4 AMD64):

2018-10-11T15:08:06.596797+0200   blocked   LAN   118.123.15.142   52566   192.168.1.25   22   ET SCAN Potential SSH Scan   
2018-10-11T15:03:13.485746+0200   blocked   LAN   192.168.1.116   47408   62.112.238.55   80   ET TROJAN Zberp receiving conf..

Which I find back in my syslog file on the remote syslog server:

root@bananapi:~# grep 'ET SCAN' /var/log/syslog | grep '15:08'
Oct 11 15:08:06 vuurmuur.protegam.lan suricata[46424]: [Drop] [1:2001219:20] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 118.123.15.142:52566 -> 192.168.1.25:22

When I search for the TROJAN entry:

root@bananapi:~# grep -c 'TROJAN' /var/log/syslog
0

So the TROJAN entry never entered the rsyslog server... which is pretty annoying since it is about a potential TROJAN being active on my network. The SSH SCAN noise I could care less about, but the TROJAN is very important for me to detect and act upon.
I have set up Monit to alert on found TROJAN, MALWARE, WORM in /var/log/syslog, so it would be nice if all Suricata alerts were being sent to the rsyslog server.

Can I troubleshoot this to see why it hasn't been sent?
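One way to troubleshoot this is to stop grepping for single entries and instead diff the firewall's own alert list against what the remote syslog server received, so every forwarded-but-missing alert surfaces and the high-priority ones (TROJAN, MALWARE, WORM, the categories Monit watches) are flagged. The script below is an added example, not code from the post or from OPNsense; it assumes the alert export is tab-separated with the columns shown in the post (an assumption), and matches on the 5-tuple plus signature message. The two inputs are constructed samples built from the formats quoted above, with a placeholder TROJAN message standing in for the truncated one.

```python
import re

# Constructed sample: the firewall's alert list (assumed tab-separated, columns
# as in the post: timestamp, action, interface, src, sport, dst, dport, msg).
ALERT_LOG = (
    "2018-10-11T15:08:06.596797+0200\tblocked\tLAN\t118.123.15.142\t52566\t192.168.1.25\t22\tET SCAN Potential SSH Scan\n"
    "2018-10-11T15:03:13.485746+0200\tblocked\tLAN\t192.168.1.116\t47408\t62.112.238.55\t80\tET TROJAN DEMO check-in (constructed)\n"
)

# Constructed sample: what the remote rsyslog server actually holds. Only the
# SSH scan line arrived; the TROJAN line is deliberately absent.
REMOTE_SYSLOG = (
    "Oct 11 15:08:06 vuurmuur.protegam.lan suricata[46424]: [Drop] [1:2001219:20] ET SCAN Potential SSH Scan "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 118.123.15.142:52566 -> 192.168.1.25:22\n"
    "Oct 11 15:08:07 vuurmuur.protegam.lan sshd[1234]: Connection closed by 118.123.15.142 port 52566\n"
)

# Suricata's syslog alert format as quoted in the post
SYSLOG_RE = re.compile(
    r"suricata\[\d+\]: \[(?P<action>\w+)\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) \[Classification: "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# The signature categories Monit is configured to alert on
PRIORITY_KEYWORDS = ("TROJAN", "MALWARE", "WORM")


def parse_alert_log(text):
    """Firewall-side alerts, keyed by (src, sport, dst, dport, msg)."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, iface, src, sport, dst, dport, msg = line.split("\t", 7)
        msg = msg.strip()
        alerts.append({
            "ts": ts, "action": action, "iface": iface, "msg": msg,
            "key": (src, int(sport), dst, int(dport), msg),
        })
    return alerts


def parse_remote_syslog(text):
    """Keys of Suricata alerts that reached the remote syslog server."""
    seen = set()
    for line in text.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            seen.add((m.group("src"), int(m.group("sport")),
                      m.group("dst"), int(m.group("dport")), m.group("msg")))
    return seen


def is_high_priority(alert):
    return any(k in alert["msg"].upper() for k in PRIORITY_KEYWORDS)


def missing_alerts(alert_text, syslog_text):
    """Alerts present on the firewall but absent from the remote syslog."""
    seen = parse_remote_syslog(syslog_text)
    return [a for a in parse_alert_log(alert_text) if a["key"] not in seen]


if __name__ == "__main__":
    for a in missing_alerts(ALERT_LOG, REMOTE_SYSLOG):
        flag = "HIGH" if is_high_priority(a) else "low"
        print(f"[{flag}] {a['ts']} {a['iface']} {a['action']}: {a['msg']} "
              f"{a['key'][0]}:{a['key'][1]} -> {a['key'][2]}:{a['key'][3]}")
```

Feed it the real alert export and the real /var/log/syslog from the rsyslog box; if the missing set is consistently the same signatures or the same time window, that points at the forwarding path (rate limiting, a dropped UDP syslog burst, or a filter on the receiving side) rather than at Suricata not detecting the traffic.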
#13
I use the IPS mainly for my LAN/Guest VLAN since I want to detect malware. But I can understand that people also use it on front of their servers etc.
PS: changing the networks from 3 private ranges to only 192.168.0.0/16 also seems to affect the bandwidth (+/- 1 or 2 MB/s profit!)
#14
I must nuance my 'rant' about Suricata; after enabling just the rulesets that are the most necessary for me (aka trojan, malware, mobile_malware, exploit) and using Hyperscan I get a more reasonable ~14-16 MB/s (where 22 MB/s is my max), which is acceptable for me.
I now have the benefit of a NIDS/IPS blocking/filtering on the LAN/GUEST_VLAN interfaces and still retain some of my bandwidth.
So a big tip for all APU 2 users: use the Hyperscan scan engine and choose only what is necessary.
I did not use any of the tweaks except the above mentioned :)
#15
Quote from: dcol on August 02, 2018, 04:07:45 PM
Two points.
OPNsense does not have Snort. OPNsense was built optimizing Suricata.
Some Snort rules are not compatible with Suricata.

I never said that OPNsense has Snort; that is why I use/used pfSense.
I know that some Snort rules are incompatible with Suricata; I use the supplied ET Open rules and they work for both IDS/IPS.
Still not related to the performance hit on the APU 2; actually I cannot find 1 single post where someone says he has 75%-100% of his/her bandwidth after using Suricata inline (this has nothing to do with OPNsense but is related to Suricata and its scanning engine, which caps bandwidth inline when used on 'smaller' hardware for home use).