OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of trigger_hippie »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - trigger_hippie

Pages: [1]
1
Intrusion Detection and Prevention / Re: Suricata 4.1.2 does not block traffic
« on: February 14, 2019, 07:48:19 pm »
I can confirm that everything works after patching 4.1.2_1 version. Tested with eicar, urlhaus and a few policy rules.

2
Intrusion Detection and Prevention / Re: Suricata 4.1.2 does not block traffic
« on: February 14, 2019, 08:29:22 am »
There is a patch/fix that will be included in 19.1.2

https://github.com/opnsense/core/issues/3211#issuecomment-462835563

I haven't tried it myself yet..

3
Intrusion Detection and Prevention / Re: Suricata 4.1.2 does not block traffic
« on: February 02, 2019, 02:47:54 am »
Hi! One more confirmation from my side. Blocking is not fully functional in Suricata 4.1.2.

Blocks do occur, but 2 out of 4 test downloads of eicar.com file won't be blocked. Same goes for the rules like abuse.ch (i tried *.co.cc rule in my testing).

I run OPNsense in a virtual enviroment, VMware ESXi, on a Qotom Intel i3 box with Intel chipset..

Something has gone wrong with this version? I can provide further details to try and find the culprit (debugs, logs?)

Greetings,
Tom

EDIT:
Just to add more details: OPNsense 19.1, Suricata 4.1.2_1
Allthough logs show me eicar is blocked, the file is succesfully downloaded
- attached screenshots

Reverting back to Suricata 4.0.5 is not an option for me at the moment, since i need to revert back to OPNsense 18.7 due to GeoIP dependencies..

EDIT2:
I managed to succesfully install GeoIP and Suricata 4.0.5 on OPNsense 19.1 and blocking is working once again. Tested with a few rules including abuse.ch and eicar.
To conclude - Suricata 4.1.2 NOT working properly on OPNsense 19.1


4
Intrusion Detection and Prevention / Re: Suricata Drop Log
« on: July 30, 2018, 01:01:24 pm »
No, i did not manage to configure it to start automatically...

5
Intrusion Detection and Prevention / Re: Suricata Drop Log
« on: March 27, 2018, 01:20:24 am »
Some events are not being pushed to syslog from eve.json. Could not find out why, but found a solution to push everything from eve.json to elasticsearch (as i see, you are using it as well).

Install filebeat on opnsense host and change filebeat.yml to point to logstash using this guide:
https://extelligenceblog.it/2017/07/11/elastic-stack-suricata-idps-and-pfsense-firewall-part-1/


Configure logstash:
beats {
    type => "Suricata"
    port => 5044
    codec => json
  }
filter {
         if [type] =~ /^Suricata/ {
                mutate {
                  add_tag => ["Suricata"]
                  remove_tag => ["beats_input_codec_json_applied"]
                  replace => {"service" => "Suricata"}
                }
        }
}
output {
if [type] == "Suricata" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "suricata-%{+YYYY.MM.dd}"
    }
  }
}

Hope it helps.
Cheers

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2