IPS not dropping eicar test file when https

[porigromus]

Hello, I am new to Opnsense trying to get everything setup. I am hoping someone can give me some troubleshooting tips for the issue I am seeing.

I have configured transparent http/https web proxy and verified when going to https sites my CA is listed as the issuer of the cert and everything shows valid. I have added the "7999999   Drop   opnsense.test.rules   bad-unknown   OPNsense test eicar virus" rule and verified alerts are present when trying to download it at the http link and it is blocked. However when attempting https I am able to download it. There are no alerts present in the ids logs.

I have all interfaces in my IDS configured lan,opt1,opt2,wan

I tried both pattern matchers "hyperscan and aho-corasick". I have also tried promiscuous mode even though I am not using vlan tagging. It should be blocking the file via that same rule when download https right?

Here is my log entry when restarting the ids service:

May 11 23:30:59    suricata: [100159] <Notice> -- all 8 packet processing threads, 4 management threads initialized, engine started. Thanks for any help.


only blocking on 80:

2019-05-11T23:45:41.674353-0400   blocked   wan   213.211.198.62   80   34.21.174.42   30170   OPNsense test eicar virus   
2019-05-11T23:45:41.674353-0400   blocked   wan   213.211.198.62   80   34.21.174.42   30170   OPNsense test eicar virus

[hbc]

I think the plain content is not visible to your IPS - just at your endpoints (client, proxy, server).
In your case, I think you filter WAN and traffic is still encrypted when IPS scans traffic and encrypted again, when leaving proxy to LAN.

If you want to filter HTTPS, you should use a filtering proxy, which is an endpoint and can scan the plain content. Just add c-icap and clamav to your squid. The only place where your HTTPS is terminated and plain visible is inside your proxy process.

[porigromus]

Thanks again hbc! I think I understand. Since I am monitoring with the IPS at the WAN, inspection is happening before the traffic is decrypted/encrypted by the web proxy. If I was only monitoring on the LAN and OPT interfaces, this would not be an issue?

In my configuration though I will need to add ICAP/ClamAV to the traffic flow to see this at a later flow in the traffic. I think I get it, is there a nice diagram somewhere like a Visio document on a packet flow throughout the various systems? That would be neat.

I do appreciate the help!

[hbc]

If I was only monitoring on the LAN and OPT interfaces, this would not be an issue?

No, the problem would still exist. It is a transparent proxy. The proxy gets encrypted via HTTPS the content of the server, generates a suitable certificate for the client on-the-fly and sends via HTTPS the traffic encrypted to it.
Even when using the proxy explicit (non-transparent), an encrypted CONNECT-Tunnel between client and server would be established and even proxy would not see any cleartext traffic. Encrypted traffic and server authenticated by certificate. That is HTTPS.

[porigromus]

Thanks for providing further explanation. That helps!