Messages - xmichielx

#16
Quote from: mimugmail on August 02, 2018, 10:57:02 AM
Quote from: xmichielx on August 02, 2018, 10:54:36 AM
The config should be in loader.conf.local and some in the tunables.
I tried it for the APU2C4 but still max ~10/11 MB/s with Suricata inline; Snort with some PF magic (pfSense) gives the full bandwidth.
It's not a true inline IPS but works pretty well for home usage.
Perhaps one day, when home hardware (like the APU2C4, which is quad core with 4 GB memory) works nicely with Suricata, I will switch; until then I use Snort, since losing 60% of your bandwidth is just not worth it.

How many rules do you run on Snort vs Suricata? Can you try changing the Scan engine?

The same amount; I use the ET Open rules and they work for both Snort and Suricata.
Tried enabling 1 rule up to 15 rules - no difference.
Also tried changing the scan engine; Hyperscan has the best performance (Intel NICs are used on the APU2), but no benefit there.
#17
The config should be in loader.conf.local and some in the tunables.
I tried it for the APU2C4 but still max ~10/11 MB/s with Suricata inline; Snort with some PF magic (pfSense) gives the full bandwidth.
It's not a true inline IPS but works pretty well for home usage.
Perhaps one day, when home hardware (like the APU2C4, which is quad core with 4 GB memory) works nicely with Suricata, I will switch; until then I use Snort, since losing 60% of your bandwidth is just not worth it.
#18
The problem I have with doing things on the shell is that they might get lost after an upgrade.
I know there are a bunch of scripts, but I want to make sure that the list and the cron job are still there after an upgrade of OPNsense, hence my request to allow this via the Unbound/dnsmasq web GUI (a simple curl command to a remote location and adding the result to an included .conf is the real magic).
A cron job would also be nice, to update the list every day/week etc. :)
#19
This got a little bit off-topic :)
I will watch the github issues ;)
#20
Hi,

I am using the latest OPNsense (18.1.3 on an APU2), which works fine with Suricata.
I am using IDS mode and not IPS mode; I just want logging, and that logging sent to a remote rsyslog server.
I see alerts in the Alerts tab, and I have set up rsyslog and selected Everything to be sent to the rsyslog server.
On the rsyslog server I see a lot of firewall traffic but no Suricata alerts coming through, although I see them appearing in the Alerts tab.
Are alerts only logged when you use the IPS and set rules to drop? (Which I don't want.)
#21
Quote from: fabian on February 08, 2018, 05:43:48 PM
you can do that in the proxy for the best results (docs are available). IPS would work as well.

Is there an option to do this via DNS?
A proxy only blocks HTTP; HTTPS takes a lot of work to fix on all devices and causes extra load on an APU2.
DNS is very easy to set up, very lightweight, and works out of the box for all devices.
There is a reason why the Pi-hole is such a success, not a Squid proxy on a Raspberry Pi ;)
It would be really nice if the web GUI offered an option to add a list like yoyo's to block ads.
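The DNS-based blocking asked for in posts #18 and #21 above can be scripted outside the GUI. The following is an added example written for this page, not OPNsense code: it converts a hosts-format or plain-domain blocklist (such as the yoyo list) into Unbound `local-zone` lines, validates the result and installs it as an include file. The list URL, include path, main config path and reload command are assumptions to adjust for your own system; the sample list at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not OPNsense code. Builds an Unbound include file from a remote
# blocklist. BLOCKLIST_URL, INCLUDE_FILE, UNBOUND_CONF and RELOAD_CMD are assumptions.

# Read a blocklist on stdin (hosts format "0.0.0.0 host" or one bare domain per
# line) and write one "local-zone" line per unique domain on stdout.
# Comments, CRLF endings, loopback names, bare IP addresses and hosts entries
# that point at a routable address (not a sinkhole) are dropped.
hosts_to_unbound() {
  tr -d '\r' | sed 's/#.*$//' | awk '
    function keep(d) {
      return d != "localhost" && d != "localhost.localdomain" && d != "local" &&
             d != "broadcasthost" && d != "ip6-localhost" && d != "ip6-loopback" &&
             d ~ /\./ && d !~ /^[0-9.]+$/ && d ~ /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/
    }
    # plain format: a single bare domain per line
    NF == 1 { d = tolower($1); if (keep(d)) print d; next }
    # hosts format: only lines that sinkhole to an unroutable address
    $1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::1" || $1 == "::" {
      for (i = 2; i <= NF; i++) { d = tolower($i); if (keep(d)) print d }
    }
  ' | sort -u | awk '{ printf "local-zone: \"%s\" always_nxdomain\n", $1 }'
}

BLOCKLIST_URL="${BLOCKLIST_URL:-https://example.invalid/adservers.txt}"          # assumption
INCLUDE_FILE="${INCLUDE_FILE:-/usr/local/etc/unbound.opnsense.d/adblock.conf}"  # assumption
UNBOUND_CONF="${UNBOUND_CONF:-/var/unbound/unbound.conf}"                        # assumption
RELOAD_CMD="${RELOAD_CMD:-unbound-control reload}"                               # assumption

# Fetch the list, convert it, validate the resulting config and activate it.
# The previous include is kept as .bak (not matched by a *.conf include glob)
# and restored if unbound-checkconf rejects the new file, so a truncated
# download or a bad line never leaves the resolver unable to start.
update_blocklist() {
  tmp="$(mktemp)" || return 1
  # -f makes curl fail on HTTP errors so an error page is never installed as a
  # list; the pipeline status is awk's, hence the extra empty-output check.
  if ! curl -fsSL --max-time 60 "$BLOCKLIST_URL" | hosts_to_unbound > "$tmp" || ! [ -s "$tmp" ]; then
    echo "download or conversion failed, keeping current list" >&2
    rm -f "$tmp"; return 1
  fi
  [ -f "$INCLUDE_FILE" ] && cp "$INCLUDE_FILE" "$INCLUDE_FILE.bak"
  mv "$tmp" "$INCLUDE_FILE"
  if ! unbound-checkconf "$UNBOUND_CONF" >/dev/null 2>&1; then
    echo "unbound-checkconf rejected the new list, restoring previous" >&2
    [ -f "$INCLUDE_FILE.bak" ] && mv "$INCLUDE_FILE.bak" "$INCLUDE_FILE"
    return 1
  fi
  $RELOAD_CMD
}

# Constructed sample input (not a real list) covering the formats handled.
SAMPLE_LIST='# constructed sample blocklist
0.0.0.0 ads.example.com
127.0.0.1 localhost
0.0.0.0 Tracker.Example.NET   # mixed case, trailing comment
0.0.0.0 ads.example.com
metrics.example.org
0.0.0.0'

printf '%s\n' "$SAMPLE_LIST" | hosts_to_unbound
# Weekly refresh from cron (assumption: script saved as /usr/local/bin/adblock.sh):
#   0 4 * * 0 /usr/local/bin/adblock.sh update
if [ "${1:-}" = "update" ]; then update_blocklist; fi
```

Two caveats worth knowing: a `local-zone` entry also covers every subdomain of the listed name, which is what you want for ad domains but will surprise you if a list contains a bare second-level domain you still need; and `always_nxdomain` returns NXDOMAIN rather than a sinkhole address, so blocked clients fail fast instead of hanging on a connection to 0.0.0.0.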
#22
I am sending notification emails through my own Postfix mail server, which only allows TLSv1.2.
OPNsense only supports TLSv1 and not newer versions:

TLSv1.1 + TLSv1.2:

Mar  8 10:18:10 server postfix/smtpd[8048]: SSL_accept error from dhcp-077-249-000-044.chello.nl[77.249.0.44]: -1
Mar  8 10:18:10 server postfix/smtpd[8048]: warning: TLS library problem: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:974:
Mar  8 10:18:10 server postfix/smtpd[8048]: lost connection after STARTTLS from dhcp-077-249-000-044.chello.nl[77.249.0.44]
Mar  8 10:18:10 server postfix/smtpd[8048]: disconnect from dhcp-077-249-000-044.chello.nl[77.249.0.44] ehlo=1 starttls=0/1 commands=1/2


TLSv1:

Mar  8 10:18:35 server postfix/smtpd[8099]: Anonymous TLS connection established from dhcp-077-249-000-044.chello.nl[77.249.0.44]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)

Is there a reason why newer and more secure TLS versions are not supported in the SMTP client of OPNsense?
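A mail server that enforces TLS 1.2 rejects clients that still offer only TLS 1.0, which is exactly what the `unsupported protocol` lines above show. The following is an added example written for this page, not OPNsense or Postfix code: it correlates Postfix `smtpd` log lines by process ID to list which clients negotiated a legacy protocol and which handshakes failed, so you can see who would break before turning TLSv1/1.1 off on the server, and it probes an SMTP server with `openssl s_client` to confirm which versions it accepts. The sample log is the excerpt from the post; the host name in the probe call is a placeholder.

```shell
#!/bin/sh
# Added example, not Postfix or OPNsense code.

# Summarise TLS handshakes from Postfix smtpd log lines on stdin.
# Output, one line per event:  <client-ip> established <protocol> <legacy|ok>
#                              <client-ip> handshake-failed <reason>
# The "TLS library problem" line carries no client address, so the smtpd PID
# (postfix/smtpd[NNNN]) is used to tie it back to the preceding SSL_accept error.
postfix_tls_summary() {
  awk '
    function pid(s)       { sub(/^.*smtpd\[/, "", s); sub(/\].*$/, "", s); return s }
    function client_ip(s) { sub(/.*from /, "", s); sub(/\].*/, "", s); sub(/.*\[/, "", s); return s }
    / TLS connection established from / {
      proto = $0; sub(/.*\]: /, "", proto); sub(/ with cipher.*/, "", proto)
      grade = (proto == "TLSv1" || proto == "TLSv1.1" || proto == "SSLv3") ? "legacy" : "ok"
      print client_ip($0), "established", proto, grade
      next
    }
    /SSL_accept error from / { failing[pid($0)] = client_ip($0); next }
    /TLS library problem:/ && (pid($0) in failing) {
      reason = "other"
      if ($0 ~ /unsupported protocol/) reason = "unsupported-protocol"
      else if ($0 ~ /no shared cipher/) reason = "no-shared-cipher"
      else if ($0 ~ /wrong version number/) reason = "wrong-version-number"
      print failing[pid($0)], "handshake-failed", reason
      delete failing[pid($0)]
    }
  '
}

# Ask a server which protocol versions it accepts over STARTTLS. Needs network
# access and an openssl client; a version the local openssl was built without
# also shows as "refused", so check `openssl s_client -help` before trusting a
# negative result.
smtp_tls_probe() {
  host="$1"; port="${2:-25}"
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    if openssl s_client -connect "$host:$port" -starttls smtp "-$v" </dev/null >/dev/null 2>&1; then
      echo "$host:$port $v accepted"
    else
      echo "$host:$port $v refused"
    fi
  done
}

# Log excerpt copied from the post above: server limited to TLSv1.1/1.2 (first
# four lines), then with TLSv1 allowed again (last line).
SAMPLE_LOG='Mar  8 10:18:10 server postfix/smtpd[8048]: SSL_accept error from dhcp-077-249-000-044.chello.nl[77.249.0.44]: -1
Mar  8 10:18:10 server postfix/smtpd[8048]: warning: TLS library problem: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:974:
Mar  8 10:18:10 server postfix/smtpd[8048]: lost connection after STARTTLS from dhcp-077-249-000-044.chello.nl[77.249.0.44]
Mar  8 10:18:10 server postfix/smtpd[8048]: disconnect from dhcp-077-249-000-044.chello.nl[77.249.0.44] ehlo=1 starttls=0/1 commands=1/2
Mar  8 10:18:35 server postfix/smtpd[8099]: Anonymous TLS connection established from dhcp-077-249-000-044.chello.nl[77.249.0.44]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)'

printf '%s\n' "$SAMPLE_LOG" | postfix_tls_summary
# Live check against your own server (placeholder host name, not run here):
#   smtp_tls_probe mail.example.com 25
```

Run the summary over a week of `mail.log` before tightening the server: every `legacy` or `handshake-failed` client is a sender that will stop delivering once the restriction described in the post (`smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1` in Postfix main.cf) is in place. Note that an opportunistic-TLS sender that fails STARTTLS usually just retries or falls back to plaintext, so the failure is visible in the server log, not on the sending side.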
#23
Quote from: mw01 on August 03, 2017, 12:34:12 AM
Upgraded from 17.1.11 to 17.7 and Suricata 4.0.0.  Went smoothly, no issues.  apu2 AMD GX-412TC SOC (4 cores)

Did you run bandwidth tests? Did you find a difference in performance when testing through your APU2? I experienced much better bandwidth performance with 4.* than with the 3.* series of Suricata.
Please let us know if you also experience less of a cap on your bandwidth with Suricata 4.*.
#24
See in another thread my reply to the performance hit, newer Suricata 4.* shows better performance.
Knowing OPNsense and how they track packages, I guess Suricata 4.* will be part of one of the next releases.
#25
17.7 Legacy Series / Re: Intrusion Detection issue
August 11, 2017, 11:11:11 AM
It does cap your bandwidth a lot with the old 3.* Suricata versions.
I tried the new 4.0 stable on my APU2C2 with Ubuntu 16.04 (PPA package) and it works much, much better on something like the APU.
For example:

- OPNsense/pfSense Suricata 3.* with netmap: max 9-11 MB/s, where 17 MB/s is my normal max bandwidth
- Ubuntu 16.04 LTS with Suricata 4.0 with NFQ: max 14-16 MB/s, where 17 MB/s is my normal max bandwidth

Tried from a cabled gigabit host with: wget 'ftp://ftp.nluug.nl/pub/FreeBSD/releases/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-dvd1.iso' -O /dev/null

My advice: wait for Suricata 4.* to be embedded in OPNsense/pfSense.

See also; https://suricata-ids.org/category/release/ and especially:

'Under the Hood
A major TCP stream engine update is included. This should lead to better performance and less configuration, especially in IPS mode.'

I know my setup is not a good test situation, but I've tested a lot with Snort and Suricata inline and the performance hits on my box, and I really noticed better performance.
See for yourself if it is worth the upgrade (better detection is always welcome too ;) )
#26
I closed it; adding the LAN & GUEST interfaces (if you have a GUEST interface, of course) helped create the correct blocks.
#27
I opened a GitHub issue (as I experience this as an issue), ticket: https://github.com/opnsense/core/issues/1664
If one of the two gets closed I will close the other.
#28
How do I fix this?
And if this all has to be arranged by hand (I assume I need to enable SSH and edit files manually), why is this not in the documentation or fixed in a .X release?
Also, the IPS + Feodo tracker documentation does not mention it?! -> https://docs.opnsense.org/manual/how-tos/ips-feodo.html
#29
Hi!
I am trying OPNSense:
OPNsense 17.1.7-amd64
FreeBSD 11.0-RELEASE-p10
OpenSSL 1.0.2k 26 Jan 2017

On an APU2C4 with Suricata enabled, IPS enabled, promiscuous mode enabled, interface: WAN, new rules installed and enabled (ET-scan and more).
I also changed the rules from alert to drop.
No matter how hard I try, I don't see any blocks in my Alerts tab when running nmap -sS/nmap -sT against the WAN interface from a VPS to my OPNsense box.
I also noticed that I see no alerts at all, only STREAM alerts but no drops (I also expect Dshield and Compromised alerts from Chinese IP addresses, but no alerts at all).

My questions:

1) am I missing something to trigger the alerts?
2) I did the EICAR download before with the OPNsense test rules, but no other rules are triggered.
3) I have a VLAN interface connected to igb0 and use hardware offloading for it; all other hardware offloading is disabled (by default). Should I disable the VLAN interface? I also use port forwarding for SSH, HTTP & HTTPS; can this cause issues?

I haven't experienced this with pfSense with Suricata and/or Snort.

Any pointers would be more than welcome :)

#30
Hi Franco,

Thanks for the reply.
Why is it too late? Have you tested the difference in speed of the block between Suricata inline and Snort?
So you're saying that the IPS functionality with Snort is *always* too late - the session is already created and data already posted before Snort and the IP block mechanism can do their work? (Which I find interesting, since some companies offer Snort as an IPS to businesses.)
Also, the IPS on OPNsense did not show any alerts except for the EICAR download test case.
So I regained my speed and got some alerts (at least), which is better than a drop in speed (50%) and no alerts.

I have the APU2b4 and those have Intel NICs (https://www.pcengines.ch/apu2c4.htm -> Intel i211AT on apu2b2, i210AT on apu2b4, which would be the same on the apu2c4), and I see that they are supported by netmap, but still I see such a decrease in bandwidth.
Shouldn't netmap cover the resource issue and shouldn't the 4 GB memory + 4 cores of the APU2C4 be enough to do inline processing?