Transparent IPS issues

Started by naito, May 08, 2020, 02:21:40 AM

Trying to set up Suricata as a transparent IPS on OPNsense 20.1.6.  Completely new install.  Network set up as attached image shows.

I got OpnSense configured as a transparent bridge, passing traffic from igb0 to igb1.  Separate interface for management, only management interface as an IP assigned.

Suricata works great in IDS detection-only mode, can see rules alerting, eicar tests work, but the instant I turn on IPS mode I lose all connectivity on the bridge.  Doesn't matter which pattern matcher I use, or whether promiscuous mode is on or off (I have two VLANs so I usually have promiscuous mode on).  Interfaces have been set to only igb0 or igb1 and it makes no difference.  The instant the logs show "threads initialized, engine started" I lose all connectivity through the bridge.

What am I doing wrong?  I've followed the transparent bridge setup guides, set the tunables, all hardware offload is off, bridge performs great and can even use firewall rules correctly, but once IPS mode is enabled everything stops.  I believe this is a supported configuration?

The only thing I've been able to notice after a couple days of testing is that once IPS mode starts, I start seeing firewall logs BLOCKING traffic on the bridge via the "default deny" rule.  I've tried adding an allow-all rule, and even disabling all packet filtering in Firewall->Settings->Advanced, but the deny rule still seems to block.

My understanding though is that netmap runs under pf, and the messages Suricata prints seem to bear this out, as in both IDS and IPS mode it will show "igb0:pks XXX, drop 0", so I think Suricata is seeing packets properly, but something else is breaking the bridge.

Any help is appreciated!!  thanks in advance.

Basically your problem is this

https://forum.netgate.com/topic/128853/suricata-and-vlans/2

Unless an OPNsense dev says otherwise, VLANs and Suricata with IPS mode don't work, and there is no solution for now.

Thanks, that's disappointing to hear.  Will keep an eye out for future updates, in the meantime I managed to get it working with a manual install on Debian + Suricata 5 using af_packet for bridging.
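For readers who want to reproduce the Debian + Suricata af_packet workaround the last post mentions, the following is an added example of the relevant `suricata.yaml` section, not the poster's own configuration. It assumes two Linux NICs named `eth0` and `eth1` (placeholders) cabled in-line exactly like igb0/igb1 above, and no bridge interface: in af-packet "ips" copy mode Suricata itself forwards every packet from one interface to the other, so a packet is only passed if no drop rule matches it. The `cluster-id` values are arbitrary but must differ per interface, and `threads` must match on both sides or copy mode will not start.

```yaml
# Added example (assumed interface names eth0/eth1): inline IPS with af_packet.
# Each interface copies to its peer; Suricata is the only path between them.
af-packet:
  - interface: eth0
    threads: 1              # must equal the peer's thread count
    cluster-id: 98          # any unique id per interface
    cluster-type: cluster_flow
    defrag: no              # defrag is off so packets are copied unmodified
    copy-mode: ips          # "ips" drops matching packets; "tap" would only copy
    copy-iface: eth1        # peer interface for the inline pair
    use-mmap: yes
    buffer-size: 64535
  - interface: eth1
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: eth0
    use-mmap: yes
    buffer-size: 64535

# Traffic on the inline pair here carries 802.1Q tags (two VLANs in the
# original setup); keeping the VLAN id in the flow key is the default and
# avoids merging flows that share addresses across VLANs.
vlan:
  use-for-tracking: true
```

Start it with `suricata -c /etc/suricata/suricata.yaml --af-packet` and confirm in `stats.log` that both interfaces show capture counters increasing and `kernel_drops` at zero before loading any drop rules; then a single test rule converted from `alert` to `drop` (for example on the EICAR test string already used above) verifies blocking works without taking down the whole path the way the bridge did.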