
Author Topic: No IPv6 if IPS is active  (Read 11120 times)

Til

  • Newbie
  • Posts: 2
  • Karma: 0
Re: No IPv6 if IPS is active
« Reply #30 on: October 10, 2018, 10:19:54 am »
Thanks for the hint.

IPS off:
Code:
option domain-name "localdomain";

default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;

subnet6 2001:16b8:2e:39ff::/64 {
  range6 2001:16b8:2e:39ff:0:0:0:0 2001:16b8:2e:39ff:0:0:0:0;
  option dhcp6.name-servers 2001:16b8:2e:39ff:20d:b9ff:fe44:70ed;
}

subnet6 2001:16b8:2e:39ff::/64 {
  range6 2001:16b8:2e:39ff::1000 2001:16b8:2e:39ff::2000;
  option dhcp6.name-servers 2001:16b8:2e:39ff:20d:b9ff:fe44:70ee;
}

ddns-update-style interim;

IPS on:
Code:
option domain-name "localdomain";

default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;
 {
}

ddns-update-style interim;
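The two dumps above differ in one way that matters: with IPS on, the generated dhcpd6.conf has lost its subnet6 header and keeps only an empty "{ }", so dhcpd6 has no pool to lease from. The following script is an added example (it is not Til's code and not part of OPNsense) that parses a dhcpd6.conf, flags a headerless block or a config with no subnet6 stanza at all, and sanity-checks each range6 against its prefix. The two configs are embedded as constructed input, trimmed from the dumps in the post; the warning about a range6 that starts at the subnet's own address is a heuristic of this script, not something dhcpd itself rejects.

```python
import ipaddress
import re

# Inputs constructed from the two dhcpd6.conf dumps posted in the thread
# (IPS off: two subnet6 stanzas; IPS on: the stanza header is gone and only
# an empty "{ }" survives). Unrelated global options were trimmed.
CONF_IPS_OFF = """\
option domain-name "localdomain";
default-lease-time 7200;
max-lease-time 86400;
authoritative;

subnet6 2001:16b8:2e:39ff::/64 {
  range6 2001:16b8:2e:39ff:0:0:0:0 2001:16b8:2e:39ff:0:0:0:0;
  option dhcp6.name-servers 2001:16b8:2e:39ff:20d:b9ff:fe44:70ed;
}

subnet6 2001:16b8:2e:39ff::/64 {
  range6 2001:16b8:2e:39ff::1000 2001:16b8:2e:39ff::2000;
  option dhcp6.name-servers 2001:16b8:2e:39ff:20d:b9ff:fe44:70ee;
}

ddns-update-style interim;
"""

CONF_IPS_ON = """\
option domain-name "localdomain";
default-lease-time 7200;
max-lease-time 86400;
authoritative;
 {
}

ddns-update-style interim;
"""

# A brace block: the text between the previous ";" (or "}") and "{" is its header.
BLOCK_RE = re.compile(r"(?P<header>[^{};]*)\{(?P<body>[^}]*)\}")
RANGE6_RE = re.compile(r"range6\s+(\S+)\s+(\S+)\s*;")


def parse_blocks(conf):
    """Return (header, body) for every brace-delimited block, in file order."""
    return [(m.group("header").strip(), m.group("body")) for m in BLOCK_RE.finditer(conf)]


def check_dhcpd6_conf(conf):
    """Return a list of findings; an empty list means the config looks sane."""
    findings = []
    stanzas = 0
    for header, body in parse_blocks(conf):
        if not header:
            findings.append("empty block with no subnet6 header (stanza generation failed)")
            continue
        m = re.match(r"subnet6\s+(\S+)", header)
        if not m:
            continue  # host/group/other block types are not checked here
        stanzas += 1
        net = ipaddress.ip_network(m.group(1))
        r = RANGE6_RE.search(body)
        if not r:
            findings.append(f"{net}: subnet6 without range6, nothing to lease")
            continue
        lo = ipaddress.ip_address(r.group(1))
        hi = ipaddress.ip_address(r.group(2))
        if lo not in net or hi not in net:
            findings.append(f"{net}: range6 {lo}-{hi} lies outside the prefix")
        elif hi < lo:
            findings.append(f"{net}: range6 end {hi} precedes start {lo}")
        elif lo == net.network_address:
            # Heuristic (assumption of this script): a pool that begins at the
            # subnet address itself usually means a zeroed/unset pool value.
            findings.append(f"{net}: range6 starts at the subnet address {lo}")
    if stanzas == 0:
        findings.append("no subnet6 stanza at all: dhcpd6 will not hand out IPv6 leases")
    return findings


if __name__ == "__main__":
    for label, conf in (("IPS off", CONF_IPS_OFF), ("IPS on", CONF_IPS_ON)):
        print(label, check_dhcpd6_conf(conf) or ["ok"])
```

Run it against /var/dhcpd/etc/dhcpdv6.conf (or wherever your build writes the file) after toggling IPS; a "no subnet6 stanza" finding right after the toggle points at config generation rather than at the DHCPv6 service itself.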

marjohn56

  • Hero Member
  • Posts: 1671
  • Karma: 161
Re: No IPv6 if IPS is active
« Reply #31 on: October 10, 2018, 10:54:00 am »
Interesting.
OK I can replicate this... I'll see what I can find.
OPNsense 21.7 - Qotom Q355G4 - ISP - Community Fibre 1Gbps.

Team Rebellion Member - If we've helped you remember to applaud

marjohn56

  • Hero Member
  • Posts: 1671
  • Karma: 161
Re: No IPv6 if IPS is active
« Reply #32 on: October 11, 2018, 12:47:51 pm »
Going to add this to an existing issue regarding IPS

OPNsense 21.7 - Qotom Q355G4 - ISP - Community Fibre 1Gbps.

Team Rebellion Member - If we've helped you remember to applaud

BeNe

  • Full Member
  • Posts: 111
  • Karma: 13
  • Use *BSD and feel free!
Re: No IPv6 if IPS is active
« Reply #33 on: October 11, 2018, 11:20:11 pm »
I still have the same problem, too. Yep, IPv6 completely disappears from the dhcpv6 config after enabling IPS mode.
IDS mode works fine. So if you need any further tests or logs, I'm willing to help, too.

By enabling IPS mode I get an error for every enabled Suricata rule, like this:
Code:
...
...
Oct 11 23:03:29 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 3477
Oct 11 23:03:29 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
Oct 11 23:03:28 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?\.jsf/R"; content:!"JSESSIONID="; flowbits:set,glassfish_unauth_attempt; metadata:service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20159; rev:8;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 283
Oct 11 23:03:28 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
Oct 11 23:03:26 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-other.rules at line 44
Oct 11 23:03:26 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Outbound malicious vbscript attempt"; flow:to_server,established; file_data; content:"/ilha/"; fast_pattern; nocase; http_uri; content:"logs.php"; within:9; distance:2; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:46792; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 4380
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/2.0/method/"; depth:12; nocase; http_uri; pcre:"/\/2\.0\/method\/(checkConnection|config|delay|error|get|info|setOnline|update)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46238; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 4296
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/4.0/method/"; depth:12; nocase; http_uri; pcre:"/\/4\.0\/method\/(check|cores|installSuccess|modules|threads|blacklist)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46239; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 4295
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt"; flow:to_server,established; file_data; content:"User-Agent"; nocase; http_header; content:"Rarog"; within:200; fast_pattern; nocase; http_header; pcre:"/User-Agent\s*:[^\r\n]*Rarog/iH"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46240; rev:2;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 4294
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 4196
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
Oct 11 23:03:24 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Erebus variant outbound connection"; flow:to_server,established; file_data; urilen:1; content:"h="; depth:2; http_client_body; content:"&v="; within:3; distance:8; http_client_body; content:"&k="; within:3; distance:3; fast_pattern; http_client_body; content:"Expect|3A| 100-continue|0D 0A 0D 0A|"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert, service http; reference:url,virustotal.com/en/file/0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f/analysis/; classtype:trojan-activity; sid:43351; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 3994
Oct 11 23:03:24 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
...
...

Brainstorming: Should the IPv6 prefix also be listed as Internal Net -> $HOME_NET?
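Every "error parsing signature" line in a log like the one above is a rule that silently did not load, so an IPS run with thousands of them is giving far less coverage than the rule list suggests. The script below is an added example (not BeNe's code, not part of OPNsense or Suricata) that pairs each "error parsing signature" line with the reason line that follows it in the newest-first order the post shows, pulls out sid, msg, rule file and line, and groups the failures by cause so the most common breakage class can be fixed first. The sample log is constructed: three pairs modelled on the lines in the post, with the rule bodies shortened.

```python
import re
from collections import Counter

# Constructed sample: three error pairs modelled on the post (rule bodies
# shortened), in the same newest-first order as the forum listing.
LOG = r"""
Oct 11 23:03:29 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; content:"uid="; http_raw_cookie; sid:46825; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 3477
Oct 11 23:03:29 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
Oct 11 23:03:28 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; pcre:"/^(Frame)?\.jsf/R"; sid:20159; rev:8;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 283
Oct 11 23:03:28 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; file_data; content:"POST"; http_method; sid:46238; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 4296
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
"""

PREFIX = r"^\w{3} +\d+ \d\d:\d\d:\d\d suricata: \[\d+\] <Error> -- \[ERRCODE: (?P<code>\w+)\(\d+\)\] - "
# The generic line: greedy .* stops at the last '" from file', so quotes inside the rule are fine.
SIG_RE = re.compile(PREFIX + r'error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')
# Any other error line is a specific reason.
REASON_RE = re.compile(PREFIX + r"(?P<text>(?!error parsing signature).*)$")
MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r"\bsid:(\d+);")


def classify(reason):
    """Collapse the free-text reason into a small set of breakage classes."""
    if "unknown rule keyword" in reason:
        return "unknown keyword"
    if "sticky buffer" in reason:
        return "sticky buffer not reset"
    if "fast_pattern" in reason:
        return "relative keyword around fast_pattern:only"
    if "/R (relative)" in reason:
        return "relative pcre without anchor"
    return "other"


def parse_rule_errors(log):
    """Pair each 'error parsing signature' line with the reason line after it."""
    lines = [l for l in log.splitlines() if l.strip()]
    results = []
    for i, line in enumerate(lines):
        m = SIG_RE.match(line)
        if not m:
            continue
        reason = "(no reason line)"
        if i + 1 < len(lines):
            r = REASON_RE.match(lines[i + 1])
            if r:
                reason = r.group("text")
        rule = m.group("rule")
        sid = SID_RE.search(rule)
        msg = MSG_RE.search(rule)
        results.append({
            "sid": int(sid.group(1)) if sid else None,
            "msg": msg.group(1) if msg else "",
            "file": m.group("file").rsplit("/", 1)[-1],
            "line": int(m.group("line")),
            "reason": reason,
            "class": classify(reason),
        })
    return results


def summarize(results):
    """Failed-rule count per breakage class: the fix-first list."""
    return Counter(r["class"] for r in results)


if __name__ == "__main__":
    found = parse_rule_errors(LOG)
    for r in found:
        print(f'sid {r["sid"]} ({r["file"]}:{r["line"]}): {r["class"]}')
    print(summarize(found))
```

Feed it the real suricata log (for example `python3 rule_errors.py < /var/log/suricata.log`, with the script reading stdin instead of LOG) and compare the sid count against the number of enabled rules; the gap is the coverage you are not getting.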

marjohn56

  • Hero Member
  • Posts: 1671
  • Karma: 161
Re: No IPv6 if IPS is active
« Reply #34 on: October 11, 2018, 11:40:06 pm »
If you dig further you'll find that dhcp6c fails to contact the server, hence no IPv6 on the LAN. Already raised this as an issue on Github, but it's a very odd one. I've wiresharked the WAN and I can see the solicit packets on the WAN, but the server does not respond to them. If you switch IPS off, then the server responds.... very odd.
OPNsense 21.7 - Qotom Q355G4 - ISP - Community Fibre 1Gbps.

Team Rebellion Member - If we've helped you remember to applaud

BeNe

  • Full Member
  • Posts: 111
  • Karma: 13
  • Use *BSD and feel free!
Re: No IPv6 if IPS is active
« Reply #35 on: October 13, 2018, 01:22:35 pm »
Quote
Already raised this as an issue on Github
Cool, thanks! Can you please post the link here? I was unable to find it on GitHub.

Quote
I've wiresharked the WAN and I can see the solicit packets on the WAN, but the server does not respond to them
Looks like Suricata is blocking the solicit packets and dhcp6c will never get an IPv6 prefix?

marjohn56

  • Hero Member
  • Posts: 1671
  • Karma: 161
Re: No IPv6 if IPS is active
« Reply #36 on: October 17, 2018, 08:51:51 am »
All very peculiar.
https://github.com/opnsense/core/issues/1632
OPNsense 21.7 - Qotom Q355G4 - ISP - Community Fibre 1Gbps.

Team Rebellion Member - If we've helped you remember to applaud
