
Messages - trigger_hippie

#1
I can confirm that everything works after patching 4.1.2_1 version. Tested with eicar, urlhaus and a few policy rules.
#2
There is a patch/fix that will be included in 19.1.2

https://github.com/opnsense/core/issues/3211#issuecomment-462835563

I haven't tried it myself yet.
#3
Hi! One more confirmation from my side. Blocking is not fully functional in Suricata 4.1.2.

Blocks do occur, but 2 out of 4 test downloads of the eicar.com file won't be blocked. The same goes for rules like abuse.ch (I tried the *.co.cc rule in my testing).

I run OPNsense in a virtual environment, VMware ESXi, on a Qotom Intel i3 box with Intel chipset.

Something has gone wrong with this version? I can provide further details to try and find the culprit (debugs, logs?)

Greetings,
Tom

EDIT:
Just to add more details: OPNsense 19.1, Suricata 4.1.2_1
Although the logs show me eicar is blocked, the file is successfully downloaded
- attached screenshots

Reverting back to Suricata 4.0.5 is not an option for me at the moment, since I need to revert back to OPNsense 18.7 due to GeoIP dependencies.

EDIT2:
I managed to successfully install GeoIP and Suricata 4.0.5 on OPNsense 19.1 and blocking is working once again. Tested with a few rules including abuse.ch and eicar.
To conclude - Suricata 4.1.2 is NOT working properly on OPNsense 19.1

#4
No, I did not manage to configure it to start automatically...
#5
Some events are not being pushed to syslog from eve.json. Could not find out why, but found a solution to push everything from eve.json to elasticsearch (as I see, you are using it as well).

Install filebeat on the OPNsense host and change filebeat.yml to point to logstash using this guide:
https://extelligenceblog.it/2017/07/11/elastic-stack-suricata-idps-and-pfsense-firewall-part-1/


Configure logstash:
# Receive the eve.json lines that filebeat ships; the beats plugin must live inside input {}
input {
  beats {
    type => "Suricata"
    port => 5044
    codec => json
  }
}
filter {
  if [type] =~ /^Suricata/ {
    mutate {
      add_tag => ["Suricata"]
      remove_tag => ["beats_input_codec_json_applied"]
      replace => {"service" => "Suricata"}
    }
  }
}
output {
  # One daily index per day of ingest (no date filter is applied, so @timestamp is ingest time)
  if [type] == "Suricata" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "suricata-%{+YYYY.MM.dd}"
    }
  }
}

Hope it helps.
Cheers
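
The two problems raised in this thread, blocks that the log reports but that do not stop the download (#3) and eve.json events that never reach the log pipeline (#5), can both be checked directly from eve.json before involving filebeat or logstash. The script below is an added example and is not code from the thread or from the OPNsense/Suricata projects. It parses EVE records line by line, counts events per event_type, tallies each alert signature by its action field (blocked vs. allowed), and lists signatures that fired without being dropped; it also reshapes a record the way the posted logstash filter does (tag and service field) and derives the daily index name. The eve.json lines, signature ids and signature names are constructed for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of eve.json lines (not captured from a real sensor).
# Signature ids 1000001/1000002 and the signature names are placeholders.
SAMPLE_EVE = """\
{"timestamp":"2019-02-12T10:00:01.000000+0100","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.20","proto":"TCP","alert":{"action":"blocked","signature_id":1000001,"rev":1,"signature":"CONSTRUCTED test file download","category":"Policy","severity":2}}
{"timestamp":"2019-02-12T10:00:02.000000+0100","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.20","proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"CONSTRUCTED test file download","category":"Policy","severity":2}}
{"timestamp":"2019-02-12T10:00:03.000000+0100","event_type":"http","src_ip":"192.0.2.20","dest_ip":"203.0.113.10","proto":"TCP","http":{"hostname":"example.test","url":"/eicar.com","http_method":"GET","status":200}}
{"timestamp":"2019-02-12T10:00:04.000000+0100","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.20","proto":"TCP","alert":{"action":"blocked","signature_id":1000002,"rev":1,"signature":"CONSTRUCTED policy rule","category":"Policy","severity":3}}
this line is not JSON and the logstash json codec would choke on it as well
{"timestamp":"2019-02-12T10:00:05.000000+0100","event_type":"dns","src_ip":"192.0.2.20","dest_ip":"192.0.2.1","proto":"UDP","dns":{"type":"query","rrname":"example.test","rrtype":"A"}}
{"timestamp":"2019-02-12T10:00:06.000000+0100","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.20","proto":"TCP","alert":{"action":"blocked","signature_id":1000001,"rev":1,"signature":"CONSTRUCTED test file download","category":"Policy","severity":2}}
"""


def parse_eve(text):
    """Return (records, bad_line_count). EVE is one JSON object per line;
    anything that is not a JSON object with an event_type is counted and skipped,
    which is the first thing to look at when events 'disappear' downstream."""
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if isinstance(rec, dict) and "event_type" in rec:
            records.append(rec)
        else:
            bad += 1
    return records, bad


def summarize(records):
    """Count events per event_type and, for alerts, per (signature_id, signature)
    the action Suricata reports ('blocked' for a drop, 'allowed' otherwise)."""
    by_type = Counter()
    actions = defaultdict(Counter)
    for rec in records:
        by_type[rec["event_type"]] += 1
        if rec["event_type"] == "alert":
            alert = rec.get("alert", {})
            key = (alert.get("signature_id"), alert.get("signature"))
            actions[key][alert.get("action", "unknown")] += 1
    return by_type, actions


def not_fully_blocked(actions):
    """Signatures that fired at least once without action == 'blocked'.
    This is the pattern from post #3: the rule matches every time, but only some
    of the matches are dropped."""
    return sorted(sig for sig, c in actions.items()
                  if sum(c.values()) != c.get("blocked", 0))


def to_indexed_doc(rec):
    """Reshape one record the way the thread's logstash mutate filter does:
    add the 'Suricata' tag and set service => Suricata, leave the rest intact."""
    doc = dict(rec)
    doc["tags"] = sorted(set(doc.get("tags", [])) | {"Suricata"})
    doc["service"] = "Suricata"
    return doc


def index_name(rec, prefix="suricata-"):
    """Daily index in the 'suricata-%{+YYYY.MM.dd}' shape, derived here from the
    event's own timestamp (logstash derives it from @timestamp instead)."""
    return prefix + rec["timestamp"][:10].replace("-", ".")


def main():
    records, bad = parse_eve(SAMPLE_EVE)
    by_type, actions = summarize(records)
    print(f"{len(records)} records parsed, {bad} unparseable line(s) skipped")
    for event_type, n in sorted(by_type.items()):
        print(f"  {event_type:8} {n}")
    for (sid, name), counts in sorted(actions.items()):
        print(f"  sid {sid} {name!r}: {dict(counts)}")
    for sid, name in not_fully_blocked(actions):
        print(f"WARNING: sid {sid} {name!r} fired but was not always blocked")
    print("example index:", index_name(records[0]))


if __name__ == "__main__":
    main()
```

Point `parse_eve` at the contents of the sensor's eve.json to run it on real data. Two things to keep in mind when comparing its output with what lands in Elasticsearch: the posted pipeline has no `date` filter, so `@timestamp` (and therefore the daily index) reflects ingest time rather than the event's own timestamp, and an `action` of `blocked` only says what Suricata believes it did; the download test the posters ran remains the ground truth for whether the drop actually took effect.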