Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
IPS blocked, then allowed
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPS blocked, then allowed (Read 6679 times)
dcol
Hero Member
Posts: 635
Karma: 51
IPS blocked, then allowed
«
on:
December 06, 2017, 05:17:35 pm »
I have IPS enabled with a custom rule which seems to trigger a block properly.
My issue is, The custom rule triggered a block, then another ET rule that also matched after that blocked the same packet.
Isn't the engine suppose to quit the packet after it matches and not continue through the rules? Is this a setting?
Here is an example of the same packet that triggered two IDS rules. Why? Should't the first one have ended the search? What if one rule is set to block and the other to allow. Which one does it follow?
The second example shows another double hit. The common element here is the User Defined GeoIP block. There must be something wrong with the GeoIP block. I think at this point I will submit a bug report to github.
«
Last Edit: December 06, 2017, 11:44:20 pm by dcol
»
Logged
dcol
Hero Member
Posts: 635
Karma: 51
Re: IPS blocked, then allowed
«
Reply #1 on:
December 08, 2017, 05:39:45 pm »
I submitted a bug report to OPNsense git-hub and Suricata. Neither has responded, so far.
According to the Suricata manual, a drop is definitely suppose to end the chain, but in my case it does not. This has happened with many other matching rules as well. Looks like the rules engine processes all packets against every rule in its algorithm. This has to impede performance and stress to netmap.
At this point I am not sure if it is an adjustable setting in the Suricata configuration or a bug.
Logged
dcol
Hero Member
Posts: 635
Karma: 51
Re: IPS blocked, then allowed
«
Reply #2 on:
December 12, 2017, 03:53:22 pm »
This issue is not an OPNsense issue since the same thing happens in other firewalls using Suricata.
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: IPS blocked, then allowed
«
Reply #3 on:
December 12, 2017, 10:46:08 pm »
Hi there,
Do you have a link for future reference where the same behaviour happens on e.g. Linux?
Thanks,
Franco
Logged
dcol
Hero Member
Posts: 635
Karma: 51
Re: IPS blocked, then allowed
«
Reply #4 on:
December 12, 2017, 10:48:51 pm »
Just tried it on a pfs box with the same results.
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: IPS blocked, then allowed
«
Reply #5 on:
December 12, 2017, 10:58:18 pm »
Ah ok, I was hoping for a non-FreeBSD confirmation, but no worries as that is ok too.
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
IPS blocked, then allowed