Can't get Intrusion Detection working.

Started by dieterarn, April 05, 2018, 05:50:47 AM

I've been trying, off and on, since 16.x, to get Intrusion Detection working.

Alerts don't show much activity, but the moment I turn on IPS I get a completely dead connection. Have I been that seriously pwned or have I just messed up something?

I've followed the guides and disabled hardware offloading etc.
I've also disabled all the rulesets:

Description
abuse.ch/Dyre SSL IPBL - not installed
abuse.ch/Feodo Tracker - not installed
abuse.ch/SSL Fingerprint Blacklist - not installed
abuse.ch/SSL IP Blacklist - not installed
ET open/botcc - not installed
ET open/botcc.portgrouped - not installed
ET open/ciarmy - not installed
ET open/compromised - not installed
ET open/drop - not installed
ET open/dshield - not installed
ET open/emerging-activex - not installed

still nothing...

the latest alerts say:
2018-04-04T23:25:30.465856-0400   allowed   WAN   ###.###.###.###   ###.###.###.###   7801   SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2018-04-04T23:25:27.614650-0400   allowed   WAN   ###.###.###.###   ###.###.###.###   7801   SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2018-04-04T23:25:26.016311-0400   allowed   WAN   ###.###.###.###   ###.###.###.###   7801   SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2018-04-04T23:21:20.710647-0400   allowed   WAN   ###.###.###.### 22589   ###.###.###.###   23   SURICATA TCPv4 invalid checksum

I run OPNsense as a virtual machine with two virtual bridges connected to it. One is a dedicated physical interface for the WAN and the other is a virtual bridge to the LAN. The host is Proxmox.
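The alert rows in the post have a regular column layout, and the first thing worth knowing when tuning a setup like this is which hits are Suricata's own stream/decoder anomaly events (the ones that fire on offloading artifacts in a VM) and which come from the installed rulesets. The Python below is an added example written for this thread, not code from OPNsense or from the poster; the sample rows are a constructed copy of the rows above, and `rules_to_revert` together with its `(sid, classtype, message, action)` tuple shape are assumptions for illustration.

```python
import re
from collections import Counter

# Alert rows as shown in the post above (constructed copy; IPs masked the way
# the poster masked them). OPNsense separates the columns with runs of spaces.
SAMPLE_ALERTS = """\
2018-04-04T23:25:30.465856-0400   allowed   WAN   ###.###.###.###   ###.###.###.###   7801   SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2018-04-04T23:25:27.614650-0400   allowed   WAN   ###.###.###.###   ###.###.###.###   7801   SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2018-04-04T23:25:26.016311-0400   allowed   WAN   ###.###.###.###   ###.###.###.###   7801   SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2018-04-04T23:21:20.710647-0400   allowed   WAN   ###.###.###.### 22589   ###.###.###.###   23   SURICATA TCPv4 invalid checksum
"""

FIELD_SEP = re.compile(r"\s{2,}")

def parse_alert(line):
    """Split one row into timestamp, action, interface and message. The
    address/port columns in between are kept raw because the masking makes
    their layout differ from row to row, so nothing is inferred from them."""
    fields = FIELD_SEP.split(line.strip())
    if len(fields) < 4:
        raise ValueError(f"unexpected alert row: {line!r}")
    return {"ts": fields[0], "action": fields[1], "iface": fields[2],
            "middle": fields[3:-1], "msg": fields[-1]}

def is_engine_event(msg):
    """Stream/decoder anomaly events that Suricata generates itself carry a
    'SURICATA ' prefix. They are not threat-intel signatures; 'invalid
    checksum' in particular is what offloaded checksums look like to the IDS."""
    return msg.startswith("SURICATA ")

def triage(text):
    """Count engine events versus signature hits and tally the messages."""
    summary = {"engine": 0, "signature": 0, "messages": Counter()}
    for row in text.splitlines():
        if not row.strip():
            continue
        alert = parse_alert(row)
        summary["engine" if is_engine_event(alert["msg"]) else "signature"] += 1
        summary["messages"][alert["msg"]] += 1
    return summary

def rules_to_revert(rules):
    """rules: (sid, classtype, message, action) tuples (assumed shape). Return
    the sids of engine events set to drop, i.e. the ones that should go back
    to alert while the connection problem is still being tuned out."""
    return [sid for sid, _classtype, msg, action in rules
            if action == "drop" and is_engine_event(msg)]
```

Running `triage(SAMPLE_ALERTS)` on the rows above classifies all four as engine events and none as signature hits, which is consistent with the rulesets being disabled.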

Follow this tutorial and you will get your IDPS up and running:
https://forum.opnsense.org/index.php?topic=6893.0

It's not updated, but I hope you'll manage to find the options which were modified in the GUI.
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s


April 08, 2018, 02:01:44 AM #2 Last Edit: April 08, 2018, 02:14:25 AM by dieterarn
1st of: oops, I should do a better job of googling next time - sorry & thanks :-[

I was following your guide: I got to part 4 - IDS and IPS, and noticed that I only put WAN in my interfaces list.

After including LAN & enabling IPS & applying, I lost all connection to the internet AND the admin web interface. The result is instantaneous. I had to drop into the virtual console and restore settings from backup. As you probably know, once you restore settings OPNsense recommends that you reboot the router. When I did that I got the screen shown in the included attachment; it looks like Suricata is complaining. Googling the error I get these hits:

https://forum.pfsense.org/index.php?topic=98787.0
https://redmine.openinfosecfoundation.org/issues/1496

So that's just Suricata complaining that syslog wasn't enabled.

I went and turned it on... the internet still breaks the instant I enable IPS...

In your debug area you say to set all rules to alert - I double-checked and found that I had 1 drop rule:
Signature Id: 2210057
Classtype: protocol-command-decode
Message: SURICATA STREAM 3way handshake toclient data injection suspected