OPNsense
Author Topic: [SOLVED] Suricata 4.1.2 does not block traffic  (Read 13432 times)

urfin73 (Newbie, Posts: 12, Karma: 0)
[SOLVED] Suricata 4.1.2 does not block traffic
« on: February 01, 2019, 12:25:51 pm »
Hello friends!
I just cannot understand what the problem is. Please help, because I do not know what else to do. Suricata version 4.1.2 does not work. When IPS mode is on, I load a test virus. Alerts appear: "test virus is blocked." In the log there is a record "[Drop] [1:7999999:1] OPNsense test eicar virus...", but the file is downloaded without problems.
I tried on the integrated I219-LM network card and on the PCIe card with the Intel® 82576EB chipset, with VLAN and without VLAN. The result is the same. In the logs everything is fine: dropped, yet the virus is loaded perfectly. Maybe I do not understand something? How do I diagnose the problem?
In version 4.0.6 everything was fine. Files did not load.
« Last Edit: February 28, 2019, 10:32:03 pm by franco »

Space (Full Member, Posts: 105, Karma: 6)
Re: Suricata 4.1.2 does not block traffic
« Reply #1 on: February 01, 2019, 05:27:10 pm »
Hi,

I can confirm that the file is passed through even if the Alerts state that Action is "blocked".

Best regards,

    Space

trigger_hippie (Newbie, Posts: 5, Karma: 2)
Re: Suricata 4.1.2 does not block traffic
« Reply #2 on: February 02, 2019, 02:47:54 am »
Hi! One more confirmation from my side. Blocking is not fully functional in Suricata 4.1.2.

Blocks do occur, but 2 out of 4 test downloads of the eicar.com file won't be blocked. Same goes for rules like abuse.ch (I tried the *.co.cc rule in my testing).

I run OPNsense in a virtual environment, VMware ESXi, on a Qotom Intel i3 box with an Intel chipset.

Has something gone wrong with this version? I can provide further details to try and find the culprit (debugs, logs?)

Greetings,
Tom

EDIT:
Just to add more details: OPNsense 19.1, Suricata 4.1.2_1
Although the logs show me eicar is blocked, the file is successfully downloaded
- attached screenshots

Reverting back to Suricata 4.0.5 is not an option for me at the moment, since I need to revert back to OPNsense 18.7 due to GeoIP dependencies.

EDIT2:
I managed to successfully install GeoIP and Suricata 4.0.5 on OPNsense 19.1 and blocking is working once again. Tested with a few rules including abuse.ch and eicar.
To conclude: Suricata 4.1.2 is NOT working properly on OPNsense 19.1

« Last Edit: February 02, 2019, 06:50:42 pm by trigger_hippie »

abraxxa (Jr. Member, Posts: 67, Karma: 7)
Re: Suricata 4.1.2 does not block traffic
« Reply #3 on: February 02, 2019, 10:11:54 pm »
Blocking facebook using the opnsense.social_media.rules works for me.
Did you disable all nic offloads and reboot?
As the logs show the block the detection seems to work, what does a packet capture show?
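The offload question abraxxa raises is the first thing to verify before re-testing, and it is easy to miss a flag by eye. The script below is an added example written for this thread (it is not code from the forum, from OPNsense or from Suricata): it pulls the options list out of FreeBSD ifconfig output and names the offload features that should be off for inline IPS. The flag names are the ones FreeBSD's ifconfig prints inside options=...<...>; the two sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread (not code from the forum or from OPNsense):
# list hardware offload features on a FreeBSD/OPNsense interface that are
# known to interfere with inline IPS, so they can be switched off before
# testing again. The flag names are the ones FreeBSD's ifconfig prints inside
# "options=...<...>"; the sample outputs below are constructed.

# Offload flags that should be off for inline IPS on OPNsense.
IPS_UNSAFE_FLAGS="RXCSUM TXCSUM TSO4 TSO6 LRO VLAN_HWFILTER"

# Pull the comma-separated options list out of ifconfig output for one interface.
ifconfig_options() {
    # $1: text as printed by "ifconfig <if>"
    printf '%s\n' "$1" | sed -n 's/.*options=[0-9a-fx]*<\([^>]*\)>.*/\1/p' | head -n 1
}

# Print, one per line, the unsafe flags that are currently enabled.
offloads_enabled() {
    opts=$(ifconfig_options "$1")
    # "A,B,C" -> " A B C " so each flag can be matched as a whole word
    padded=" $(printf '%s' "$opts" | tr ',' ' ') "
    for f in $IPS_UNSAFE_FLAGS; do
        case "$padded" in
            *" $f "*) printf '%s\n' "$f" ;;
        esac
    done
}

# Exit 0 when the interface has none of the unsafe flags, 1 otherwise.
ips_ready() {
    [ -z "$(offloads_enabled "$1")" ]
}

# Constructed sample: re1 with several offloads still on (the bad case).
SAMPLE_BAD='re1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,LRO,VLAN_HWFILTER,LINKSTATE>
        ether 00:11:22:33:44:55'

# Constructed sample: the same interface after the offloads were disabled.
SAMPLE_GOOD='re1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=20008<VLAN_MTU,VLAN_HWTAGGING,LINKSTATE>
        ether 00:11:22:33:44:55'

# On a live box: offloads_enabled "$(ifconfig re1)"
for flag in $(offloads_enabled "$SAMPLE_BAD"); do
    echo "re1: $flag still enabled, disable it before re-testing IPS"
done
```

On a real system the interface name goes in place of the sample text, as in the comment near the end; an empty result means the offload side is clean and the packet capture abraxxa suggests is the next step.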

Space (Full Member, Posts: 105, Karma: 6)
Re: Suricata 4.1.2 does not block traffic
« Reply #4 on: February 03, 2019, 06:27:18 pm »
Hi Abraxxa,

on which interfaces is your IDS listening? WAN or LAN or both?

For me the facebook blocking is not working either but I do not even see alarms for that. On my system IDS is only listening on WAN since LAN/OPT1 are currently monitored by Sensei.

Best regards,

    Space

abraxxa (Jr. Member, Posts: 67, Karma: 7)
Re: Suricata 4.1.2 does not block traffic
« Reply #5 on: February 03, 2019, 09:27:18 pm »
LAN, which is really re1 in promiscuous mode because of VLAN tagging.
To get that working I had to disable VLAN hardware filtering in Interfaces / Settings, else all packets were sent without a VLAN header.

urfin73 (Newbie, Posts: 12, Karma: 0)
Re: Suricata 4.1.2 does not block traffic
« Reply #6 on: February 04, 2019, 07:03:33 am »
Quote from: trigger_hippie on February 02, 2019, 02:47:54 am
I managed to successfully install GeoIP and Suricata 4.0.5 on OPNsense 19.1
Hello!
Can you tell me how to install Suricata 4.0.5 on OPNsense 19.1?
Best Regards

urfin73 (Newbie, Posts: 12, Karma: 0)
Re: Suricata 4.1.2 does not block traffic
« Reply #7 on: February 04, 2019, 07:37:44 am »
Also, for some reason the list with the action setting (drop/alert) has disappeared from the "Alert info" window. It is not convenient. Does anybody know how to get it back?

xames (Full Member, Posts: 110, Karma: 3)
Re: Suricata 4.1.2 does not block traffic
« Reply #8 on: February 10, 2019, 04:05:08 pm »
Doesn't work for me either. I have a LAN and 3 WANs. Hyperscan.

Sahbi (Newbie, Posts: 24, Karma: 0)
Re: Suricata 4.1.2 does not block traffic
« Reply #9 on: February 14, 2019, 07:47:25 am »
Same here, the alerts log tries to convince me it was blocked but I can still download it:
Code:
2019-02-13T21:54:45.157026+0100 blocked LAN 213.211.198.62 80 192.168.1.101 57486 OPNsense test eicar virus

Code:
user@linuxvm$ rm -f eicar.com.txt ; wget http://www.eicar.org/download/eicar.com.txt 2>/dev/null ; cat eicar.com.txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

I asked about it in their IRC but I've yet to receive a response.
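Sahbi's post shows the right way to test an IPS: compare what the alert log claims with what the client actually received. The script below is an added example written for this thread (not code from the forum, from OPNsense or from Suricata) that turns that comparison into a repeatable verdict, so a "blocked" log line alone is never taken as proof of enforcement. It assumes alert lines have the layout of the one quoted above (timestamp, action, interface, source, source port, destination, destination port, message); the alert line is the one from the post, and the client-side bodies are constructed.

```shell
#!/bin/sh
# Added example for this thread (not code from the forum or from OPNsense).
# A "blocked" entry in the alert log is not proof that the drop was enforced;
# only the outcome of the transfer is. judge_ips() takes the alert log text
# and the body the test client actually received and classifies the result.
# Assumptions: alert lines have the layout of the one quoted in the thread
# (timestamp action interface src sport dst dport message); the received
# bodies below are constructed.

# Marker present in the EICAR test file; matching on it avoids embedding the
# full test string in this script.
EICAR_MARKER='EICAR-STANDARD-ANTIVIRUS-TEST-FILE'

# True when the alert log has a "blocked" (drop) entry for the eicar signature.
alert_says_blocked() {
    printf '%s\n' "$1" | awk '$2 == "blocked" && tolower($0) ~ /eicar/ { found = 1 }
                              END { exit found ? 0 : 1 }'
}

# True when the test file actually reached the client.
file_arrived() {
    printf '%s\n' "$1" | grep -q -F "$EICAR_MARKER"
}

# $1: alert log text, $2: content the client received. Prints one verdict.
judge_ips() {
    if alert_says_blocked "$1"; then blocked=1; else blocked=0; fi
    if file_arrived "$2"; then arrived=1; else arrived=0; fi
    case "${blocked}${arrived}" in
        10) echo DROP_ENFORCED ;;      # logged as blocked and nothing arrived: IPS works
        11) echo DROP_NOT_ENFORCED ;;  # the symptom in this thread: logged as blocked, file delivered
        01) echo NO_DETECTION ;;       # file delivered and the rule never fired
        00) echo NO_TRAFFIC ;;         # nothing logged, nothing received: the test itself did not run
    esac
}

# Alert line as quoted in the thread, and constructed client-side results.
ALERT_LOG='2019-02-13T21:54:45.157026+0100 blocked LAN 213.211.198.62 80 192.168.1.101 57486 OPNsense test eicar virus'
RECEIVED_FULL='...constructed body containing EICAR-STANDARD-ANTIVIRUS-TEST-FILE...'
RECEIVED_NONE=''

# On a live box: judge_ips "$(cat alerts.txt)" "$(cat eicar.com.txt)"
echo "4.1.2 symptom: $(judge_ips "$ALERT_LOG" "$RECEIVED_FULL")"
echo "working IPS:   $(judge_ips "$ALERT_LOG" "$RECEIVED_NONE")"
```

The four verdicts separate the cases people mix up in this thread: DROP_NOT_ENFORCED is exactly the 4.1.2 behaviour (alert logged, file delivered), while NO_DETECTION points at rules or interface selection rather than at the drop path.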

trigger_hippie (Newbie, Posts: 5, Karma: 2)
Re: Suricata 4.1.2 does not block traffic
« Reply #10 on: February 14, 2019, 08:29:22 am »
There is a patch/fix that will be included in 19.1.2

https://github.com/opnsense/core/issues/3211#issuecomment-462835563

I haven't tried it myself yet.

trigger_hippie (Newbie, Posts: 5, Karma: 2)
Re: Suricata 4.1.2 does not block traffic
« Reply #11 on: February 14, 2019, 07:48:19 pm »
I can confirm that everything works after patching 4.1.2_1 version. Tested with eicar, urlhaus and a few policy rules.

Sahbi (Newbie, Posts: 24, Karma: 0)
Re: Suricata 4.1.2 does not block traffic
« Reply #12 on: February 14, 2019, 08:32:26 pm »
Quote from: trigger_hippie on February 14, 2019, 08:29:22 am
There is a patch/fix that will be included in 19.1.2

https://github.com/opnsense/core/issues/3211#issuecomment-462835563

I haven't tried it myself yet.

Works here as well. Suricata did already properly block stuff like inbound SSH scans, but now it also forbids the eicar download.

Space (Full Member, Posts: 105, Karma: 6)
Re: Suricata 4.1.2 does not block traffic
« Reply #13 on: February 14, 2019, 10:38:40 pm »
Quote from: Sahbi on February 14, 2019, 08:32:26 pm
Quote from: trigger_hippie on February 14, 2019, 08:29:22 am
There is a patch/fix that will be included in 19.1.2

https://github.com/opnsense/core/issues/3211#issuecomment-462835563

I haven't tried it myself yet.

Works here as well. Suricata did already properly block stuff like inbound SSH scans, but now it also forbids the eicar download.

I can confirm that! Thanks for the quick response and great support as usual!

franco (Administrator, Hero Member, Posts: 17707, Karma: 1618)
Re: Suricata 4.1.2 does not block traffic
« Reply #14 on: February 15, 2019, 04:01:51 pm »
Looks like that took everyone by surprise. https://redmine.openinfosecfoundation.org/issues/2811

Workaround will be in 19.1.2. Patch can be applied safely in the meantime:

# opnsense-patch 86957375


Cheers,
Franco

https://github.com/opnsense/core/commit/86957375
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved