IPS not working

[guest23448]

I do also run IPS on WAN interface (put my LAN IP to the Home_NET, WAN is dynamic unfortunately) because it's not possible to run it on the same interface like Sensei. It worked fine, but I note a strange behaviour since version 20.1.3 (or whatever change happened in the meantime).

Before, eicar was detected on eicar.org (http) by the IPS - now it's not. Even not by ClamAV although having a transparent http proxy.

Then, I figured out that there is a strange http redirect behaviour. So the "http" version redirects to https. But unfortunately, it is also not able to detect eicar when I copy and pasted the eicar.org http link directly (Chrome/Firefox/Safari).
Did not further investigate because the test on rexswain.com (eicar blocked by IPS) and wicar.org (eicar blocked by ClamAV) worked. I also put the SHA1 of a known page cert to a custom IPS rule and noted that I get an alert. So I assume it's working.

The http link below does also not work for me in Chrome/Safari as it redirects (sometimes) to HTTPS and Suricata won't block it. But it works in Firefox. Just to keep in mind when you "rely" on such test links. And: It takes time until it's up and really screening/blocking traffic after restarting - even if it's marked "running" in your service monitor. Don't know how many minutes.

The easiest test, that always works when properly setup is the eicar test over http.

Code: [Select]

curl http://pkg.opnsense.org/test/eicar.com.txt


[Supermule]

A small question??

Wouldnt it be nice to see alerts in WAN since its IPS as well??

Who is trying to enter your house and with what?

I mean its better to be safe than sorry and a lot easier to keept them out than trying to get rid of them when they are allready inside and passing traffic on LAN??

I know the ports are blocked anyways, but LAN doesnt tell me what they are trying to accomplish before it happens...

[AdSchellevis]

short version: no, longer version https://docs.opnsense.org/manual/ips.html#choosing-an-interface

[packetmangler]

A small question??

Wouldnt it be nice to see alerts in WAN since its IPS as well??

Who is trying to enter your house and with what?

I mean its better to be safe than sorry and a lot easier to keept them out than trying to get rid of them when they are allready inside and passing traffic on LAN??

I know the ports are blocked anyways, but LAN doesnt tell me what they are trying to accomplish before it happens...

I see alerts from the WAN side of things.  I also run Sensei so I have to use the WAN interface and, for ports that I have forwarded, I'm seeing alerts.

[Supermule]

I dont see anything on WAN at all...

Its a very different world and GUI from pfsense and I have to get use to that....

I am missing the granular control of things/alerts (small icons next to the alerts)

A small question??

Wouldnt it be nice to see alerts in WAN since its IPS as well??

Who is trying to enter your house and with what?

I mean its better to be safe than sorry and a lot easier to keept them out than trying to get rid of them when they are allready inside and passing traffic on LAN??

I know the ports are blocked anyways, but LAN doesnt tell me what they are trying to accomplish before it happens...

I see alerts from the WAN side of things.  I also run Sensei so I have to use the WAN interface and, for ports that I have forwarded, I'm seeing alerts.

[Trelleboy]

Here runing Suricata on opnsense on WAN and all LAN interfaces. No alerts on WAN, however, as seen frequently (tons of tbh) with Snort on WAN...

So you are running snart and suricata?

[Trelleboy]

you're welcome, reading our docs again, we probably should state more firmly why you shouldn't use a wan type interface if you're depending on nat.

I have been reading and im very confussed.....beacuse everything is running but the TEST is not getting an alert....

I really like some help to set this up in the right way...

[Trelleboy]

Well not its triggering the eicar text - BAM :-)

I have a bridge interface. The LAN option was making the system crashing after 5 min - but coosing the interfaces one but one its working OPT1 OPT2 OPT3. But its still the WAN that is blocking. Should I be happy now because it should be the OPT thats blocked? Does it make " open" sense? 

2020-04-08T14:03:30.166112+0200   7999999   blocked   WAN   212.32.245.132   80   XXXXXXXX   43325   OPNsense test eicar virus   
2020-04-08T14:03:30.166112+0200   7999999   blocked   WAN   212.32.245.132   80   XXXXXXXX   43325   OPNsense test eicar virus   
2020-04-08T13:47:05.100852+0200   2011716   blocked   WAN   45.143.220.214   36636   XXXXXXXX   5060   ET SCAN Sipvicious User-Agent Detected (friendly-scanner)   
2020-04-08T13:47:05.100852+0200   2011716   blocked   WAN   45.143.220.214   36636   XXXXXXXX   5060   ET SCAN Sipvicious User-Age

[chemlud]

Here runing Suricata on opnsense on WAN and all LAN interfaces. No alerts on WAN, however, as seen frequently (tons of tbh) with Snort on WAN...

So you are running snart and suricata?

The Snort is on a box with PPPoE on WAN, therefore it is still the other "sense"...