Messages - abysscong

1
Intrusion Detection and Prevention / Re: NOT Work for IPv6
« on: October 17, 2020, 01:45:38 pm »
Quote from: mimugmail on October 14, 2020, 05:56:15 am
Maybe ask in Suricata Forums top?
Thanks! I have another thread here, but there has been no progress so far. :P
https://forum.opnsense.org/index.php?topic=19358.0

2
Intrusion Detection and Prevention / Re: NOT Work for IPv6
« on: October 17, 2020, 01:40:28 pm »
Thanks for your reply and feedback! @mimugmail @seed

Quote from: seed on October 14, 2020, 09:02:14 pm
I found the solution (in my case).
My user rule was not fully loaded. After rebooting the router my user rule was loaded successfully and applied.
Problem solved for me.
But in my case, as you can see, the IPv4 traffic has been successfully blocked, which means the rule was loaded.
In your case I guess your rules are IPv6 address rules? Pure IPv6 address rules work for me too, as I mentioned before. :)

3
Intrusion Detection and Prevention / Re: IPS: Some Suricata rules doesn't work for IPv6
« on: October 02, 2020, 10:05:22 am »
Can anyone help me solve this problem? :)

4
Intrusion Detection and Prevention / Re: IPS: Some Suricata rules doesn't work for IPv6
« on: September 30, 2020, 03:19:58 pm »
And it doesn't work for an HTTP rule either.

Code:
alert http any any -> any any (msg:"HTTP google"; http.host; content:"google.com"; priority:1; sid:91000001; rev:1;)
Code:
root@qwe:~# curl -4 -i http://google.com
^C
Code:
blocked LAN_0 10.1.0.40 38848 216.58.209.238 80 HTTP google
Code:
root@qwe:~# curl -6 -i http://google.com
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Wed, 30 Sep 2020 13:16:54 GMT
Expires: Fri, 30 Oct 2020 13:16:54 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>


5
Intrusion Detection and Prevention / Re: IPS: Some Suricata rules doesn't work for IPv6
« on: September 30, 2020, 03:02:27 pm »
Quote from: mimugmail on September 30, 2020, 09:20:44 am
Are you sure the rule is correct?
Can you do a packet capture if curl is really calling this SNI?
Thank you for your reply!
I'm sure the rule works.
Code:
curl -4 -i https://google.com
Code:
blocked LAN_0 10.1.0.40 53838 216.58.209.238 443 test google
Also curl -6 supports SNI (reading packets is a bit hard in my virtual env, so I used another way to verify):

Code:
root@qwe:~# curl -k -I -6 --resolve google.com:443:[2404:6800:4005:810::200e] https://google.com/
HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
date: Wed, 30 Sep 2020 13:00:20 GMT
expires: Fri, 30 Oct 2020 13:00:20 GMT
cache-control: public, max-age=2592000
server: gws
content-length: 220
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3-Q050=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

root@qwe:~# curl -k -I -6 --resolve youtube.com:443:[2404:6800:4005:810::200e] https://youtube.com/
HTTP/2 301
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-length: 0
location: https://www.youtube.com/
date: Wed, 30 Sep 2020 13:00:31 GMT
content-type: text/html
server: YouTube Frontend Proxy
x-xss-protection: 0
alt-svc: h3-Q050=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

6
Intrusion Detection and Prevention / Re: IPS: Some Suricata rules doesn't work for IPv6
« on: September 30, 2020, 08:28:49 am »
It's OPNsense 20.7.3 and Suricata 5.0.3.
It's weird that I cannot find any info on either the OPNsense or Suricata website and docs; perhaps it is my own fault? So I have come here for help :P

7
Intrusion Detection and Prevention / NOT Work for IPv6
« on: September 30, 2020, 08:18:06 am »
Hi all! First of all, I am very grateful to the OPNsense software and the community, which have made my work a lot easier.

Recently I ran into a problem, and after searching for days I haven't found a solution.

In 'Services: Intrusion Detection', Suricata rules work well for IPv4 traffic, e.g.
Code:
alert tls any any -> any any (msg:"test google"; tls_sni; content:"google.com"; nocase; priority:1; sid:51000000; rev:1;)
It will drop google.com traffic (IPS mode).

But on an IPv6 network it doesn't work. (No drop, no log)
Code:
curl -6 -i https://google.com
HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
...

I also created a 'user defined' rule to test, such as blocking destination IP '2001:4860:4860::8888'; it works and the record was logged, which shows IPv6 traffic has gone through the Intrusion Detection.

Any hint? Thanks very much!
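
Added example, not code from this thread, from OPNsense or from Suricata: the question mimugmail raised in the thread (is curl really sending that SNI over IPv6?) and the HTTP Host variant from the later post can both be answered from a packet capture without any GUI. The script below decodes a raw IPv4 or IPv6 packet just far enough to pull out the value a tls_sni or http.host rule matches on, and shows that the extraction is identical for both address families because the field lives in the TCP payload. All function names are mine; the sample packets are constructed inline (not captures), with the client address 2001:db8::40 assumed, and the decoder assumes no IPv6 extension headers, no TCP options and one TLS record per segment.

```python
"""Added example (not from this thread, OPNsense or Suricata): decode a raw IPv4 or
IPv6 packet just far enough to extract what the rules in the thread key on, the TLS
SNI (tls_sni) or the HTTP Host header (http.host).  Both sit in the TCP payload, so
the extraction is the same for either address family.  Assumptions: no IPv6 extension
headers, no TCP options, one TLS record per segment; sample packets are constructed."""
import ipaddress
import struct

def ip_payload(raw: bytes):
    """(ip_version, src, dst, tcp_segment) for an IPv4/IPv6 packet carrying TCP."""
    version = raw[0] >> 4
    if version == 4:
        ihl, total_len = (raw[0] & 0x0F) * 4, struct.unpack("!H", raw[2:4])[0]
        proto, src, dst, seg = raw[9], raw[12:16], raw[16:20], raw[ihl:total_len]
    elif version == 6:                      # fixed 40-byte header, no extension headers
        payload_len = struct.unpack("!H", raw[4:6])[0]
        proto, src, dst, seg = raw[6], raw[8:24], raw[24:40], raw[40:40 + payload_len]
    else:
        raise ValueError("not an IP packet")
    if proto != 6:
        raise ValueError("not TCP")
    return version, ipaddress.ip_address(src), ipaddress.ip_address(dst), seg

def tcp_payload(seg: bytes) -> bytes:
    return seg[(seg[12] >> 4) * 4:]         # data-offset nibble, in 32-bit words

def tls_sni(data: bytes):
    """server_name from a TLS ClientHello, or None if the payload is not one."""
    if len(data) < 5 or data[0] != 0x16:    # 0x16 = handshake record
        return None
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if not hs or hs[0] != 0x01:             # 0x01 = ClientHello
        return None
    p = 4 + 2 + 32                          # handshake header, client_version, random
    p += 1 + hs[p]                          # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
    p += 1 + hs[p]                          # compression_methods
    if p + 2 > len(hs):
        return None                         # no extensions block at all
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0:                      # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return None

def http_host(data: bytes):
    """Host header of a plaintext HTTP/1.x request, or None."""
    lines = data.partition(b"\r\n\r\n")[0].split(b"\r\n")
    if b" HTTP/1." not in lines[0]:
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def rule_key(raw: bytes):
    """What a tls_sni or http.host rule would match on, independent of IP version."""
    data = tcp_payload(ip_payload(raw)[3])
    sni = tls_sni(data)
    if sni is not None:
        return ("tls_sni", sni)
    host = http_host(data)
    return ("http_host", host) if host is not None else None

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello carrying one server_name extension."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    ext_body = struct.pack("!H", len(entry)) + entry               # server_name_list
    ext = struct.pack("!HH", 0, len(ext_body)) + ext_body          # extension type 0
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                    # version, random, empty sid
            + struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"     # one suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_tcp(sport: int, dport: int, payload: bytes) -> bytes:
    # data offset 5 (no options), flags PSH|ACK, checksum left zero for the example
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def build_ip(src: str, dst: str, seg: bytes) -> bytes:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 4:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0, 64, 6, 0, s.packed, d.packed) + seg
    return struct.pack("!IHBB16s16s", 0x60000000, len(seg), 6, 64, s.packed, d.packed) + seg

if __name__ == "__main__":
    hello, get = build_client_hello("google.com"), b"GET / HTTP/1.1\r\nHost: google.com\r\n\r\n"
    # 10.1.0.40 and the Google addresses are from the thread; 2001:db8::40 is an assumed client
    for src, dst, port, payload in [("10.1.0.40", "216.58.209.238", 443, hello),
                                    ("2001:db8::40", "2404:6800:4005:810::200e", 443, hello),
                                    ("2001:db8::40", "2404:6800:4005:810::200e", 80, get)]:
        pkt = build_ip(src, dst, build_tcp(53838, port, payload))
        print(f"IPv{ip_payload(pkt)[0]} {src} -> {dst}: {rule_key(pkt)}")
```

To use it against real traffic instead of the constructed samples, feed rule_key() the raw bytes of each packet from a capture taken on the IPS interface (for example the per-packet bytes a pcap reader hands back) and compare the value returned for the IPv6 flow with the one for the IPv4 flow; if both return ("tls_sni", "google.com"), the bytes the rule inspects are the same and the difference has to be in how the rule is loaded or applied, not in what the client sends.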

8
Tutorials and FAQs / Re: [Tutorial] Adding custom rules to Intrusion Detection
« on: September 30, 2020, 08:09:31 am »
Quote from: dcol on May 03, 2018, 07:28:35 pm
My pleasure
Hello dcol! Thank you for your tutorial; I successfully created some rules of my own.
But I ran into a problem: they don't work well on IPv6. Have you ever encountered this?
Thanks a lot!

https://forum.opnsense.org/index.php?topic=19375.0

9
20.7 Legacy Series / Re: IPS: Some Suricata rules doesn't work for IPv6
« on: September 30, 2020, 02:19:03 am »
 :)

10
20.7 Legacy Series / IPS: Some Suricata rules doesn't work for IPv6
« on: September 29, 2020, 09:47:00 am »
Sorry, I didn't notice there is a separate IDS forum.
My problem is Suricata rules work well for IPv4 traffic but not for IPv6.

It has been moved to https://forum.opnsense.org/index.php?topic=19375.0 :)

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved