Messages - abysscong

#1
Quote from: mimugmail on October 14, 2020, 05:56:15 AM
Maybe ask in Suricata Forums top?
Thanks! I have had another thread here but perhaps no progress. :P
https://forum.opnsense.org/index.php?topic=19358.0
#2
Thanks for your reply and feedback! @mimugmail @seed

Quote from: seed on October 14, 2020, 09:02:14 PM
I found the solution (in my case).
My user rule was not fully loaded. After rebooting the router my user rule was loaded successfully and applied.
Problem solved for me.
But in my case as you can see, the IPv4 traffic has been successfully blocked, which means the rule was loaded.
In your case I guess your rules are IPv6 address audit? Pure IPv6 address rules work for me too, as I've declared before. :)
#3
Anyone solve this problem with me? :)
#4
And it doesn't work for the HTTP rule either.

alert http any any -> any any (msg:"HTTP google"; http.host; content:"google.com"; priority:1; sid:91000001; rev:1;)

root@qwe:~# curl -4 -i http://google.com
^C

blocked LAN_0 10.1.0.40 38848 216.58.209.238 80 HTTP google


root@qwe:~# curl -6 -i http://google.com
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Wed, 30 Sep 2020 13:16:54 GMT
Expires: Fri, 30 Oct 2020 13:16:54 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

#5
Quote from: mimugmail on September 30, 2020, 09:20:44 AM
Are you sure the rule is correct?
Can you do a packet capture if curl is really calling this SNI?
Thank you for your reply!
Sure the rule works.
curl -4 -i https://google.com
blocked LAN_0 10.1.0.40 53838 216.58.209.238 443 test google

Also curl -6 supports SNI (reading packets is a bit hard in my virtual env, so I used another way to verify)


root@qwe:~# curl -k -I -6 --resolve google.com:443:[2404:6800:4005:810::200e] https://google.com/
HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
date: Wed, 30 Sep 2020 13:00:20 GMT
expires: Fri, 30 Oct 2020 13:00:20 GMT
cache-control: public, max-age=2592000
server: gws
content-length: 220
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3-Q050=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

root@qwe:~# curl -k -I -6 --resolve youtube.com:443:[2404:6800:4005:810::200e] https://youtube.com/
HTTP/2 301
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-length: 0
location: https://www.youtube.com/
date: Wed, 30 Sep 2020 13:00:31 GMT
content-type: text/html
server: YouTube Frontend Proxy
x-xss-protection: 0
alt-svc: h3-Q050=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
#6
It's opnsense 20.7.3 and suricata 5.0.3.
It's weird that I cannot find any info on either the opnsense or the suricata web and docs, perhaps it may be my own fault? So I come here for help :P
#7
Intrusion Detection and Prevention / NOT Work for IPv6
September 30, 2020, 08:18:06 AM
Hi all! First of all, I am very grateful to the opnsense software and the community, which brought me a lot of convenience in my work.

Recently I ran into a problem; having searched for days I haven't found the solution.

In 'Services: Intrusion Detection', Suricata rules work well for IPv4 traffic, e.g.
alert tls any any -> any any (msg:"test google"; tls_sni; content:"google.com"; nocase; priority:1; sid:51000000; rev:1;)
It will drop google.com traffic (IPS mode).

But when it comes to IPv6 traffic, it doesn't work (no drop, no log).
curl -6 -i https://google.com
HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
...


I also created a 'user defined' rule to test, such as blocking Destination IP '2001:4860:4860::8888'; it works and logged the record, which shows that IPv6 traffic does go through Intrusion Detection.

Any hint? Thanks very much!
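Two offline checks that help narrow down an "alert fires on IPv4 but not IPv6" report like the one above. This is an added example, not code from this thread, from OPNsense or from Suricata. It parses the two rules quoted in the thread (the tls_sni one here and the http.host one in post #4), expands address variables from a constructed map so that a $HOME_NET defined with IPv4 ranges only is flagged (a hypothetical third rule shows that case; the thread's own rules use "any" and pass this check), and then tallies constructed EVE JSON alert records per sid and address family so the asymmetry is read from the log instead of from curl timeouts. The HOME_NET/EXTERNAL_NET values and the EVE lines are constructed and do not come from the poster's setup.

```python
"""Diagnose whether a Suricata rule can fire on IPv6 traffic.

Added example (not from the thread, OPNsense or Suricata):
  1. parse the rule header and test whether its source/destination address
     specs, after expanding variables such as $HOME_NET, cover any IPv6 range;
  2. tally EVE JSON alert records per sid and address family.
"""
import ipaddress
import json
import re
from collections import Counter

# The first two rules are the ones quoted in the thread; the third is a
# constructed variant that restricts the source to $HOME_NET.
RULES = [
    'alert tls any any -> any any (msg:"test google"; tls_sni; content:"google.com"; nocase; priority:1; sid:51000000; rev:1;)',
    'alert http any any -> any any (msg:"HTTP google"; http.host; content:"google.com"; priority:1; sid:91000001; rev:1;)',
    'alert tls $HOME_NET any -> any any (msg:"home only"; tls_sni; content:"google.com"; sid:91000002; rev:1;)',
]

# Constructed variable map with IPv4-only HOME_NET; a real deployment takes
# these from suricata.yaml (address-groups).
ADDRESS_VARS = {"HOME_NET": "[10.1.0.0/24,192.168.0.0/16]", "EXTERNAL_NET": "!$HOME_NET"}

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)


def parse_rule(rule):
    """Split a rule into header fields plus a dict of keyword options.

    Options are split on ';', which is enough for the rules above (a msg or
    content value containing a literal ';' would need a quote-aware split).
    """
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Suricata rule header: %r" % rule)
    fields = m.groupdict()
    opts = {}
    for item in fields.pop("opts").split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    fields["options"] = opts
    fields["sid"] = int(opts.get("sid", 0))
    return fields


def expand_vars(spec, variables, depth=0):
    """Replace $VAR references with their definitions (a few levels deep)."""
    def repl(m):
        name = m.group(1)
        if name not in variables or depth > 5:
            raise KeyError("undefined address variable $" + name)
        return expand_vars(variables[name], variables, depth + 1)
    return re.sub(r'\$(\w+)', repl, spec)


def covers_ipv6(spec, variables=ADDRESS_VARS):
    """True if a flat address spec can match at least one IPv6 address.

    'any' matches both families; a bracketed list matches if any positive
    member is an IPv6 network; a leading '!' negates the whole group, so a
    negated IPv4-only group still admits IPv6 addresses.
    """
    spec = expand_vars(spec, variables)
    if spec == "any":
        return True
    negated = spec.startswith("!")
    body = spec.lstrip("!").strip("[]")
    positive_v6 = False
    for member in filter(None, (m.strip() for m in body.split(","))):
        if member == "any":
            return not negated
        net = ipaddress.ip_network(member.lstrip("!"), strict=False)
        if net.version == 6 and not member.startswith("!"):
            positive_v6 = True
    return not positive_v6 if negated else positive_v6


def rule_ipv6_report(rule, variables=ADDRESS_VARS):
    """Report whether the rule's src and dst specs can match IPv6 flows."""
    r = parse_rule(rule)
    return {"sid": r["sid"],
            "src_v6": covers_ipv6(r["src"], variables),
            "dst_v6": covers_ipv6(r["dst"], variables)}


# Constructed EVE JSON records (not real log output from the thread).
EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.1.0.40","dest_ip":"216.58.209.238","alert":{"signature_id":51000000,"action":"blocked"}}',
    '{"event_type":"alert","src_ip":"10.1.0.40","dest_ip":"216.58.209.238","alert":{"signature_id":91000001,"action":"blocked"}}',
    '{"event_type":"alert","src_ip":"2001:db8::40","dest_ip":"2001:4860:4860::8888","alert":{"signature_id":91000003,"action":"blocked"}}',
    '{"event_type":"flow","src_ip":"2001:db8::40","dest_ip":"2404:6800:4005:810::200e"}',
]


def tally_alerts(lines):
    """Count alerts per (sid, ip version); flow and other events are skipped."""
    counts = Counter()
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        version = ipaddress.ip_address(rec["src_ip"]).version
        counts[(rec["alert"]["signature_id"], version)] += 1
    return counts


def sids_missing_ipv6(counts):
    """Sids that fired on IPv4 but never on IPv6 in the sample."""
    sids = {sid for sid, _ in counts}
    return sorted(sid for sid in sids if counts[(sid, 4)] and not counts[(sid, 6)])


if __name__ == "__main__":
    for rule in RULES:
        print(rule_ipv6_report(rule))
    print("IPv4-only sids in sample:", sids_missing_ipv6(tally_alerts(EVE_LINES)))
```

Run it as-is; the two thread rules report src_v6 and dst_v6 as True, the constructed $HOME_NET rule reports src_v6 False, and the tally lists sids 51000000 and 91000001 as IPv4-only in the sample. To apply it to a real box, point tally_alerts at the lines of eve.json and load the address-groups from suricata.yaml into ADDRESS_VARS.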
#8
Quote from: dcol on May 03, 2018, 07:28:35 PM
My pleasure
Hello dcol! Thank you for your tutorial; I successfully created some rules of my own.
But I ran into a problem: it didn't work well for IPv6. Have you ever encountered it?
Thanks a lot!

https://forum.opnsense.org/index.php?topic=19375.0
#10
Sorry that I didn't notice there is a separate IDS forum.
My problem is Suricata rules work well for IPv4 traffic but not for IPv6.

It has been moved to https://forum.opnsense.org/index.php?topic=19375.0 :)