[workaround] ips block specific traffic (ipcheck) without alert
Topic: [workaround] ips block specific traffic (ipcheck) without alert (Read 3728 times)
kein
Newbie
Posts: 3
Karma: 0
[workaround] ips block specific traffic (ipcheck) without alert
« on: February 17, 2017, 10:41:15 am »
Hello,
I have a strange issue with my IDS configured as IPS.
When I try to update my dyndns from a LAN server with a Python script, the request is blocked by my IPS without any notification in the logs.
Of course the Python request passes when the IPS mode is disabled.
Notification logs work fine for other alerts.
What I see in the filter logs:
00:00:07.312284 rule 49/0(match): pass out on bridge0: (tos 0x0, ttl 64, id 11059, offset 0, flags [DF], proto UDP (17), length 57)
    192.168.x.y.44784 > 8.8.8.8.53: 12586+ A? www.ovh.com. (29)
00:00:00.016332 rule 49/0(match): pass out on bridge0: (tos 0x0, ttl 64, id 14936, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.x.y.46222 > 198.27.92.1.80: Flags [S], cksum 0xec96 (correct), seq 303142016, win 29200, options [mss 1460,sackOK,TS val 4192644824 ecr 0,nop,wscale 7], length 0
My OPNsense version is:
OPNsense 17.1.1-amd64
FreeBSD 11.0-RELEASE-p7
OpenSSL 1.0.2k 26 Jan 2017
The OS is configured as an inline firewall, with two interfaces bridged.
The Python script used:
http://ipcheck.sourceforge.net/
Test command: /usr/bin/python /srv/scripts/ipcheck/ipcheck.py -v -a 8.8.8.8 toto password hello.de
The script triggers a "basic auth" alert, set as alert and non-blocking. And something more is blocked, but without any notification in the alerts tab.
I already tried setting promiscuous mode and changing the pattern matcher.
Do you know where I can investigate? Can I get some more verbose logs?
Kind regards
« Last Edit: February 20, 2017, 10:54:00 am by kein »
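The filter log lines quoted above are tcpdump output from the pf log interface: a header line with the rule number, action, direction and interface, followed by an indented flow line. When the firewall log only ever shows "pass" for the flow that is dying, the drop is happening somewhere else (here: the inline IPS), which is exactly the situation described in the post. The following is an added example, not code from the post or from OPNsense, that parses these two-line records and separates the pf "block" entries from the "pass" entries. The sample lines are constructed for the example: the first two mirror the post with the redacted 192.168.x.y replaced by 192.168.1.10, and the third (a blocked inbound SYN from 203.0.113.7) is invented so that the filter has something to find.

```python
import re
from typing import Dict, List

# Header line as printed by tcpdump on the pf log interface, e.g.
# "00:00:07.312284 rule 49/0(match): pass out on bridge0: (tos 0x0, ..., proto UDP (17), length 57)"
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) rule (?P<rule>\d+)/(?P<subrule>\d+)"
    r"\((?P<reason>[a-z-]+)\): (?P<action>pass|block) (?P<dir>in|out) on "
    r"(?P<iface>[\w.]+): \(.*?proto (?P<proto>\w+) \((?P<pnum>\d+)\), "
    r"length (?P<length>\d+)\)"
)

# Indented continuation line: "src.sport > dst.dport: ..." (IPv4 only)
FLOW_RE = re.compile(
    r"^\s*(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample input (see lead-in); the 203.0.113.7 record is invented.
SAMPLE_LOG = """\
00:00:07.312284 rule 49/0(match): pass out on bridge0: (tos 0x0, ttl 64, id 11059, offset 0, flags [DF], proto UDP (17), length 57)
    192.168.1.10.44784 > 8.8.8.8.53: 12586+ A? www.ovh.com. (29)
00:00:00.016332 rule 49/0(match): pass out on bridge0: (tos 0x0, ttl 64, id 14936, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.10.46222 > 198.27.92.1.80: Flags [S], cksum 0xec96 (correct), seq 303142016, win 29200, options [mss 1460,sackOK,TS val 4192644824 ecr 0,nop,wscale 7], length 0
00:00:01.500000 rule 12/0(match): block in on em0: (tos 0x0, ttl 52, id 1, offset 0, flags [none], proto TCP (6), length 40)
    203.0.113.7.4444 > 192.168.1.10.22: Flags [S], seq 1, win 1024, length 0
"""


def parse_pflog(text: str) -> List[Dict[str, str]]:
    """Turn the two-line tcpdump/pflog records into a list of dicts.

    Each header line starts a record; the following indented flow line
    adds src/dst addresses and ports to that same record.
    """
    records: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            records.append(current)
            continue
        f = FLOW_RE.match(line)
        if f and current is not None:
            current.update(f.groupdict())
    return records


def blocked_flows(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Only the records pf itself dropped."""
    return [r for r in records if r["action"] == "block"]


def flows_to(records: List[Dict[str, str]], dst: str, dport: str) -> List[Dict[str, str]]:
    """All records to a given destination/port, e.g. the dyndns web server.

    If every match here is a 'pass', pf is not what is killing the flow.
    """
    return [r for r in records if r.get("dst") == dst and r.get("dport") == dport]


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_LOG)
    for r in flows_to(recs, "198.27.92.1", "80"):
        print(r["ts"], r["action"], r["dir"], r["iface"], r["src"], "->", r["dst"], r["dport"])
    print("pf blocked:", [(r["src"], r["dst"], r["dport"]) for r in blocked_flows(recs)])
```

Running it against the sample shows the HTTP flow to 198.27.92.1:80 as "pass out on bridge0" and only the invented inbound SYN as a pf block, which is the kind of check that points a troubleshooter away from the firewall rules and towards the IPS drop log.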
kein
Newbie
Posts: 3
Karma: 0
Re: ips block specific traffic (ipcheck) without alert
« Reply #1 on: February 20, 2017, 10:46:22 am »
I found a workaround.
Now I'm using a Linux daemon (ddclient), found in the repository, to update my dyndns.
The daemon triggered two alerts on the IPS:
- basic auth, already set to alert
- ET POLICY DynDNS CheckIp External IP, which I unchecked
Note that with the new rule unchecked (dyndns), the previous Python script is still blocked when receiving the HTML response.
« Last Edit: February 20, 2017, 10:53:43 am by kein »