Does NOT Work for IPv6

Started by abysscong, September 30, 2020, 08:18:06 AM

September 30, 2020, 08:18:06 AM Last Edit: October 02, 2020, 10:07:05 AM by abysscong
Hi all! First of all, I am very grateful for the OPNsense software and the community, which have brought me a lot of convenience in my work.

Recently I ran into a problem; after searching for days I haven't found the solution.

In 'Services: Intrusion Detection', Suricata rules work well for IPv4 traffic, e.g.
alert tls any any -> any any (msg:"test google"; tls_sni; content:"google.com"; nocase; priority:1; sid:51000000; rev:1;)
It will drop google.com traffic (IPS mode).

But when it comes to IPv6 traffic, it doesn't work (no drop, no log).
curl -6 -i https://google.com
HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
...


I also created a 'user defined' rule to test, such as blocking destination IP '2001:4860:4860::8888'; it works and logged the record, which shows that IPv6 traffic has gone through Intrusion Detection.

Any hint? Thanks very much!

It's OPNsense 20.7.3 and Suricata 5.0.3.
It's weird that I cannot find any info on either the OPNsense or the Suricata websites and docs; perhaps it may be my own fault? So I come here for help :P

Are you sure the rule is correct?
Can you do a packet capture to check whether curl is really sending this SNI?

September 30, 2020, 03:02:27 PM #3 Last Edit: September 30, 2020, 03:04:09 PM by abysscong
Quote from: mimugmail on September 30, 2020, 09:20:44 AM
Are you sure the rule is correct?
Can you do a packet capture to check whether curl is really sending this SNI?
Thank you for your reply!
Sure, the rule works.
curl -4 -i https://google.com
blocked LAN_0 10.1.0.40 53838 216.58.209.238 443 test google

Also, curl -6 supports SNI (reading packets is a bit hard in my virtual env, so I used another way to verify):


root@qwe:~# curl -k -I -6 --resolve google.com:443:[2404:6800:4005:810::200e] https://google.com/
HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
date: Wed, 30 Sep 2020 13:00:20 GMT
expires: Fri, 30 Oct 2020 13:00:20 GMT
cache-control: public, max-age=2592000
server: gws
content-length: 220
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3-Q050=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

root@qwe:~# curl -k -I -6 --resolve youtube.com:443:[2404:6800:4005:810::200e] https://youtube.com/
HTTP/2 301
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-length: 0
location: https://www.youtube.com/
date: Wed, 30 Sep 2020 13:00:31 GMT
content-type: text/html
server: YouTube Frontend Proxy
x-xss-protection: 0
alt-svc: h3-Q050=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

September 30, 2020, 03:19:58 PM #4 Last Edit: September 30, 2020, 03:23:24 PM by abysscong
And it doesn't work for an HTTP rule either.

alert http any any -> any any (msg:"HTTP google"; http.host; content:"google.com"; priority:1; sid:91000001; rev:1;)

root@qwe:~# curl -4 -i http://google.com
^C

blocked LAN_0 10.1.0.40 38848 216.58.209.238 80 HTTP google


root@qwe:~# curl -6 -i http://google.com
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Wed, 30 Sep 2020 13:16:54 GMT
Expires: Fri, 30 Oct 2020 13:16:54 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

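A way to separate the rules and the Suricata engine from the inline (netmap) capture path, as an added example that is not code from this thread, from OPNsense or from Suricata: the Python script below builds a pcap containing the same four-packet TCP exchange (SYN, SYN/ACK, ACK, data) once over IPv4 and once over IPv6, carrying a TLS ClientHello with SNI google.com and a plain HTTP request with Host: google.com, so the tls_sni and http.host rules posted above can be replayed offline with `suricata -r`. It also pulls the SNI back out of the ClientHello bytes, which answers the packet-capture question without tcpdump. The IPv4 endpoints and source ports are taken from the logs in this thread; the IPv6 client address 2001:db8::40, the MAC addresses, the zeroed ClientHello random and the HTTP request text are constructed for the example.

```python
# Added example, not code from the thread, OPNsense or Suricata: build a pcap holding IPv4 and
# IPv6 flows with the same TLS ClientHello (SNI google.com) and the same HTTP request (Host:
# google.com), so both rules can be replayed offline with `suricata -r`, bypassing the IPS path.
import socket
import struct

HTTP_GET = b"GET / HTTP/1.1\r\nHost: google.com\r\nAccept: */*\r\n\r\n"   # constructed request

def checksum(data):  # RFC 1071 ones-complement sum (IPv4 header, TCP segment + pseudo-header)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def client_hello(sni):  # minimal TLS 1.2 ClientHello whose only extension is server_name (type 0)
    name = sni.encode()
    entry = struct.pack("!BH", 0, len(name)) + name                   # name_type host_name(0), name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry  # ext type, ext len, list len
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"  # ver, zero random,
            + struct.pack("!H", len(ext)) + ext)                      # no session id, 1 suite, null comp
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs          # record type handshake(22)

def sni_from_client_hello(rec):  # walk record -> handshake -> extensions; return SNI host or None
    try:
        hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
        if rec[0] != 0x16 or hs[0] != 0x01:
            return None
        p = 4 + 2 + 32                                     # handshake header, version, random
        p += 1 + hs[p]                                     # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]       # cipher suites
        p += 1 + hs[p]                                     # compression methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]  # extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:                                 # list_len(2) name_type(1) name_len(2) name
                nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (struct.error, IndexError):
        pass                                               # truncated or not a ClientHello
    return None

def pseudo_header(family, src, dst, seg_len):  # address part of the TCP checksum, per IP family
    if family == socket.AF_INET:
        return src + dst + struct.pack("!BBH", 0, 6, seg_len)
    return src + dst + struct.pack("!IBBBB", seg_len, 0, 0, 0, 6)

def tcp(family, src, dst, sport, dport, seq, ack, flags, payload=b""):
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    csum = checksum(pseudo_header(family, src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def ip(family, src, dst, seg):  # src/dst are packed addresses
    if family == socket.AF_INET6:
        return struct.pack("!IHBB16s16s", 0x60000000, len(seg), 6, 64, src, dst) + seg
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0x4000, 64, 6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + seg

def tcp_flow(family, client, server, dport, payload, sport):
    # SYN, SYN/ACK, ACK, then one data segment: Suricata parses the application layer only
    # on a tracked stream, and midstream pickup is off by default.
    c, s = socket.inet_pton(family, client), socket.inet_pton(family, server)
    steps = [(c, s, sport, dport, 1000, 0, 0x02, b""),               # SYN
             (s, c, dport, sport, 5000, 1001, 0x12, b""),            # SYN/ACK
             (c, s, sport, dport, 1001, 5001, 0x10, b""),            # ACK
             (c, s, sport, dport, 1001, 5001, 0x18, payload)]        # PSH/ACK + data
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x86DD if family == socket.AF_INET6 else 0x0800)
    return [eth + ip(family, a, b, tcp(family, a, b, *rest)) for a, b, *rest in steps]

def parse_frame(frame):  # -> (ip_version, tcp_checksum_ok, tcp_payload) for a frame built above
    v6 = frame[12:14] == b"\x86\xdd"
    pkt = frame[14:]
    fam, hl, s, d = ((socket.AF_INET6, 40, pkt[8:24], pkt[24:40]) if v6
                     else (socket.AF_INET, 20, pkt[12:16], pkt[16:20]))
    ok = checksum(pseudo_header(fam, s, d, len(pkt) - hl) + pkt[hl:]) == 0
    return (6 if v6 else 4), ok, pkt[hl + 20:]                       # 20 = option-less TCP header

def build_frames():  # endpoints follow the thread's logs; the IPv6 client is a constructed 2001:db8:: address
    frames = []
    for fam, c, srv in [(socket.AF_INET, "10.1.0.40", "216.58.209.238"),
                        (socket.AF_INET6, "2001:db8::40", "2404:6800:4005:810::200e")]:
        frames += tcp_flow(fam, c, srv, 443, client_hello("google.com"), 53838)
        frames += tcp_flow(fam, c, srv, 80, HTTP_GET, 38848)
    return frames

def write_pcap(path, frames):
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # link type 1 = Ethernet
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", 1601470000, i, len(fr), len(fr)) + fr)

if __name__ == "__main__":
    write_pcap("sni-v4v6.pcap", build_frames())
```

Put the two rules from this thread into test.rules and run `suricata -r sni-v4v6.pcap -S test.rules -l /tmp/ids-test` (add `-c` pointing at the firewall's own suricata.yaml to reuse its settings), then read /tmp/ids-test/fast.log. Both flows carry valid TCP checksums, so the result does not depend on checksum-validation settings. Alerts for the 2001:db8::40 flows as well as the 10.1.0.40 ones mean the rules and the engine handle IPv6 and the gap lies in what the inline capture path delivers to the engine; alerts for IPv4 only point at the configuration the engine was started with. `parse_frame` assumes the option-less TCP headers this script writes, so use it on the generated file, not on a live capture.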


I experience the same issues. My custom IPv6 Suricata block rule does not work either.
What can I do to debug this? Might this be some kind of configuration issue?
I want all services to run at wire speed and therefore run this dedicated hardware configuration:

AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance

private user, no business use


I found the solution (in my case).
My user rule was not fully loaded. After rebooting the router my user rule was loaded successfully and applied.
Problem solved for me.

October 17, 2020, 01:40:28 PM #9 Last Edit: October 17, 2020, 01:42:40 PM by abysscong
Thanks for your reply and feedback! @mimugmail @seed

Quote from: seed on October 14, 2020, 09:02:14 PM
I found the solution (in my case).
My user rule was not fully loaded. After rebooting the router my user rule was loaded successfully and applied.
Problem solved for me.
But in my case, as you can see, the IPv4 traffic has been successfully blocked, which means the rule was loaded.
In your case I guess your rules are IPv6 address rules? Pure IPv6 address rules work for me too, as I've stated before. :)

Quote from: mimugmail on October 14, 2020, 05:56:15 AM
Maybe ask in Suricata Forums top?
Thanks! I have another thread here, but perhaps with no progress. :P
https://forum.opnsense.org/index.php?topic=19358.0