Does IPS support IPV6

Started by ngr2001, January 08, 2025, 04:50:57 PM

I have IPV6 configured and working very nicely, confirmed on all test sites. I also have IPS in blocking mode on both the WAN & LAN working very nicely, verified via EICAR being blocked.

However, in my IPS logs I have yet to see any WAN traffic associated with my IPv6 address. Is that normal? Does IPS support IPv6? I average about 10 blocked attacks per minute on IPv4; I can't imagine no one is scanning my IPv6 address?


Well I think I answered my own questions at least partially.

I just created a new PS routine to download an EICAR file and this time the blocked traffic appeared in the logs as IPv6. So I guess some rules for sure support IPv6, I'm just really surprised that no other rules are firing for IPv6 at the moment. I posted the PS routine elsewhere but I might as well share the testing process below, I guess it's useful for both testing IPS mode and IPv6 :)



Here are some cleaner instructions for validating that IPS is blocking, for the average Windows user:


Step 1: Enable the rule "OPNsense-App-detect/test", located at: Services/Intrusion Detection/Administration/Download

Step 2: Open the PowerShell ISE

Step 3: Paste in the following code

# Create C:\temp first; -OutFile fails if the folder is missing
New-Item -ItemType Directory -Path "C:\temp" -Force | Out-Null
$url = "http://pkg.opnsense.org/test/eicar.com.txt"   # the test rule matches the cleartext HTTP download
$dest = "C:\temp\eicar.com.txt"
Invoke-RestMethod -Uri $url -OutFile $dest   # hangs while IPS drops the transfer

Step 4: Click the Green Run arrow

Step 5: Check your IPS Alerts, located at: Services/Intrusion Detection/Administration/Alerts. You should see a hit for "OPNsense test eicar virus"

Step 6: Check C:\Temp\ for the creation of any new files named "eicar.com.txt". You should have none, and your PowerShell ISE should be just sitting there hung, looking like it's doing nothing; well, that's because your IDS is blocking the download.

Congrats.
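The same check, extended to test IPv4 and IPv6 separately and to report a result instead of leaving the console hung. This is an added example, not ngr2001's script and not anything from OPNsense; it assumes pkg.opnsense.org has both A and AAAA records and serves the test file over plain HTTP on port 80 (the hostname and path come from the thread, the dual-stack assumption is mine), and it uses Resolve-DnsName, which ships with Windows. A timed-out or reset read is reported as Blocked, because Suricata in IPS mode drops the matching packets rather than returning an error; the corresponding hit should then show up under Services/Intrusion Detection/Administration/Alerts with the address family you tested.

```powershell
# Added example (not from the thread): fetch the OPNsense EICAR test file over
# IPv4 and IPv6 separately, with a timeout, and report whether IPS dropped it.
# Assumption: pkg.opnsense.org is dual-stack and serves /test/eicar.com.txt on port 80.

$TargetHost = 'pkg.opnsense.org'
$TargetPath = '/test/eicar.com.txt'
$TimeoutMs  = 10000

function Test-EicarDownload {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('IPv4','IPv6')][string]$Family,
        [int]$TimeoutMs = 10000
    )

    # Resolve only the record type for the requested family so the test is explicit.
    $recordType = if ($Family -eq 'IPv4') { 'A' } else { 'AAAA' }
    $addr = (Resolve-DnsName -Name $HostName -Type $recordType -ErrorAction Stop |
             Where-Object { $_.Type -eq $recordType } | Select-Object -First 1).IPAddress
    if (-not $addr) {
        return [pscustomobject]@{ Family = $Family; Address = $null; Result = 'NoAddress'; Detail = "no $recordType record" }
    }

    $addrFamily = if ($Family -eq 'IPv4') {
        [System.Net.Sockets.AddressFamily]::InterNetwork
    } else {
        [System.Net.Sockets.AddressFamily]::InterNetworkV6
    }

    # A raw socket lets us choose the address family; Invoke-RestMethod would choose for us.
    $client = New-Object System.Net.Sockets.TcpClient($addrFamily)
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    try {
        $client.Connect([System.Net.IPAddress]::Parse($addr), 80)
        $stream = $client.GetStream()

        # Minimal HTTP/1.1 request; the Host header selects the virtual host.
        $request = "GET $Path HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n"
        $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)

        $reader   = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $response = $reader.ReadToEnd()

        # The EICAR test string is in the body only if nothing dropped the stream.
        if ($response -match 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE') {
            $result = 'NotBlocked'
        } else {
            $result = 'UnexpectedResponse'
        }
        $detail = ($response -split "`r`n")[0]
    }
    catch [System.IO.IOException] {
        # Dropped packets surface as a receive timeout or a reset, not as an HTTP error.
        $result = 'Blocked'
        $detail = $_.Exception.Message
    }
    catch {
        # Connect failures, DNS problems, etc.
        $result = 'Error'
        $detail = $_.Exception.Message
    }
    finally {
        $client.Dispose()
    }

    [pscustomobject]@{ Family = $Family; Address = $addr; Result = $result; Detail = $detail }
}

foreach ($fam in 'IPv4', 'IPv6') {
    Test-EicarDownload -HostName $TargetHost -Path $TargetPath -Family $fam -TimeoutMs $TimeoutMs
}
```

Run it in the ISE or a normal PowerShell window; with the test rule enabled and IPS in blocking mode both rows should read Blocked, and with the rule disabled both should read NotBlocked. A NoAddress row for IPv6 means the client could not resolve an AAAA record, so that family was never exercised.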


There are some IPv6 rules, the protocol is not used much, and no, I don't get rule hits on IPv6.
The bots and hackers mainly use IPv4.
And browser hackers are already in your system via the browser when you open their page, and it's IPv4.

Quote from: ngr2001 on January 08, 2025, 04:50:57 PM
However, in my IPS logs I have yet to see any WAN traffic associated with my IPv6 address. Is that normal? Does IPS support IPv6? I average about 10 blocked attacks per minute on IPv4; I can't imagine no one is scanning my IPv6 address?


IPS/IDS (Suricata) absolutely supports IPv6.

Quote from: someone on February 05, 2025, 05:04:30 PM
There are some IPv6 rules, the protocol is not used much, and no, I don't get rule hits on IPv6.
The bots and hackers mainly use IPv4.
And browser hackers are already in your system via the browser when you open their page, and it's IPv4.

Most rules match on the data that is being transmitted and not on the IP addresses themselves. If you want to block IPs, use the firewall. Suricata looks into streams, reassembles packets and matches them against the loaded rulesets.

When using IPS the payload is much more interesting than the IP protocol (in most cases).
I want all services to run at wire speed and therefore run this dedicated hardware configuration:

AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance

private user, no business use

Yes, it's supported and shows up in the alert logs like v4 does.

see screenshot.

With HTTP extinct, most packets trigger off the headers, since the payload is encrypted; it can be done with some extra work.

Quote from: ngr2001 on January 08, 2025, 09:07:34 PM
I just created a new PS routine to download an EICAR file and this time the blocked traffic appeared in the logs as IPv6. So I guess some rules for sure support IPv6, I'm just really surprised that no other rules are firing for IPv6 at the moment. I posted the PS routine elsewhere but I might as well share the testing process below, I guess it's useful for both testing IPS mode and IPv6 :)

You can test IPv4 or IPv6 explicitly by downloading the EICAR file from this web site: https://eicar-test.kusivchi.space/
It also allows you to choose HTTP or HTTPS in case you'd like to check TLS decryption.