Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
Suricata - Working or not.
« previous
next »
Print
Pages: [
1
]
Author
Topic: Suricata - Working or not. (Read 11946 times)
BenKenobi
Newbie
Posts: 23
Karma: 4
Suricata - Working or not.
«
on:
April 02, 2017, 03:28:52 pm »
Running V17.4 OPNSense, upgraded from 16.7 to 17.1 yesterday, then updated to 17.4, no real issues so far other than intrusion detection.
Suricata service is running but no events are being generated - nothing - so either the internet has become well behaved or somethings not right. I've deliberately port scanned my system from 'outside' and nothing is reported. Re downloading rules makes no difference, I also cannot list the available rules although I can see the configured ones - and .scan is one of those.
I also see this error in syslog when I try to view suricata events - despite me trying to view events it seems to be asking for rules.
02-04-2017 14:08:55 User.Error xxx.xxx.x.xxx Apr 2 13:08:55 configd.py: [5e357ad1-56f7-40fd-82de-c2817ddc7a07] Script action failed with Command '/usr/local/opnsense/scripts/suricata/queryInstalledRules.py /limit "10" /offset "0" /filter "" /sort_by "sid"' returned non-zero exit status 1 at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 477, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python2.7/subprocess.py", line 541, in check_call raise CalledProcessError(retcode, cmd) CalledProcessError: Command '/usr/local/opnsense/scripts/suricata/queryInstalledRules.py /limit "10" /offset "0" /filter "" /sort_by "sid"' returned non-zero exit status 1
OPNSense is also reporting 'port closed' on scans to ports 135 to 139 - I'd rather it didn't report anything but can find no way to stop this response behaviour.
Logged
csmall
Full Member
Posts: 121
Karma: 5
Re: Suricata - Working or not.
«
Reply #1 on:
April 02, 2017, 10:36:17 pm »
I and a friend also get no triggered alerts in suricata but do when using suricata and snort on other firewalls like pfsense and ipfire.
I've worked with Franco a bit to try and identify a problem but couldn't.
I can force two rules to trigger but that's it. If I enable the opnsense test rules and go to a site that tries to violate the rule it triggers. If I enable the chat ET rule and connect to freenode irc it triggers and blocks as well.
When I had pfsense and ipfire installed I had ET rules triggered all day and night every day. Mostly drop, dshield, scan and compromised rules.
I get nothing in opnsense. Very confusing and frustrating. I hope someday it works
«
Last Edit: April 02, 2017, 10:38:37 pm by csmall
»
Logged
franco
Administrator
Hero Member
Posts: 17656
Karma: 1610
Re: Suricata - Working or not.
«
Reply #2 on:
April 03, 2017, 10:57:47 am »
ET Open changed something, patch here:
https://github.com/opnsense/core/issues/1516
Cheers,
Franco
Logged
csmall
Full Member
Posts: 121
Karma: 5
Re: Suricata - Working or not.
«
Reply #3 on:
April 04, 2017, 04:35:30 am »
franco, is this related to the issue I have with suricata not showing any alerts for ET rules?
Logged
Noctur
Jr. Member
Posts: 79
Karma: 4
Re: Suricata - Working or not.
«
Reply #4 on:
April 04, 2017, 06:18:45 am »
Patch coming or wait for 17.1.5? TIA
Logged
overkill: Dell SFF i5, 16gb, 120gb SSD, 4x gb NICs
OPNsense 21.1.x
csmall
Full Member
Posts: 121
Karma: 5
Re: Suricata - Working or not.
«
Reply #5 on:
April 05, 2017, 12:58:07 am »
I manually added the line to the file like in the bug fix and it didn't change anything for me. I don't fully understand what this line is supposed to fix..
Logged
franco
Administrator
Hero Member
Posts: 17656
Karma: 1610
Re: Suricata - Working or not.
«
Reply #6 on:
April 05, 2017, 07:02:02 am »
# opnsense-patch 5f17abb
It's only to fix parsing the upstream rules correctly after a change they did a few days ago.
Cheers,
Franco
Logged
BenKenobi
Newbie
Posts: 23
Karma: 4
Re: Suricata - Working or not.
«
Reply #7 on:
April 15, 2017, 01:44:44 pm »
I've taken some time over the last couple of days to explore the Suricata issue and my conclusion is it doesn't work. I've incorporated the recommendations here and I can at least view the rules etc but I think something else is busted - any ideas where to start looking.
Where do the rulesets come from ? How can they be viewed in detail i.e. what particular byte pattern is being matched.
I configured an internal pFSense system running Suricata and the hopefully the same rulesets and the pFSense box is trapping far more even after the OPNSense box - which if OPNSense was working it shouldn't do since I've selected 'enable IPS mode' as an option in OPNSense - block traffic - there is no option for how long to block and no list of what is currently blocked.
Some work needed on this plugin I think - if I knew where to start I may have a go myself - how do you go about this - clearly I don't want to use my internet facing firewall as a test lab ...
Logged
csmall
Full Member
Posts: 121
Karma: 5
Re: Suricata - Working or not.
«
Reply #8 on:
April 15, 2017, 02:22:26 pm »
I agree. It has never worked for me but it works on pfsense.
If I use pfsense with suricata and ET rules I trigger rules all day and night.
If I use ipfire with snort and ET rules, the same rules trigger all day and night.
I get literally nothing in OPNsense, except the built in annoying suricata rules.
A friend of mine has the same results on totally different hardware.
Logged
rgo
Newbie
Posts: 27
Karma: 1
Re: Suricata - Working or not.
«
Reply #9 on:
April 15, 2017, 05:34:03 pm »
For me on test hardware I am using with 17.1.4 opnsense. Suricata work correctly like it works on pfSense on a IPv4 only WAN, but when I setup WAN for both IPv4 & IPv6 suricata with IDS check then IPv6 drops off on WAN and IPv4 keeps working on WAN...and suricata dose block just like pfSense but with out IPv6. This was the same in 17.1.3 and 17.1.2 version of opnsense.
I have been able to make suricata work but, the scope is not the full range it should be working in.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
Suricata - Working or not.