[SOLVED] Suricata 4.1.2 does not block traffic

Started by urfin73, February 01, 2019, 12:25:51 PM

February 01, 2019, 12:25:51 PM Last Edit: February 28, 2019, 10:32:03 PM by franco
Hello friends!
I just cannot understand what the problem is. Please help, because I do not know what else to do. Suricata version 4.1.2 does not work. When IPS mode is on, I load a test virus. Alerts appear "test virus is blocked." In the log there is a record "[Drop] [1:7999999:1] OPNsense test eicar virus...", but the file is downloaded without problems.
Tried on the integrated I219-LM network card and on the PCIe card with the Intel® 82576EB chipset. And with VLAN and without VLAN. The result is the same. In the logs, everything is fine - dropped, and the virus is perfectly loaded. Maybe I do not understand something? How to diagnose the problem?
In version 4.0.6 everything was fine. Files did not load.

Hi,

I can confirm that the file is passed through even if the Alerts state that Action is "blocked".

Best regards,

    Space

February 02, 2019, 02:47:54 AM #2 Last Edit: February 02, 2019, 06:50:42 PM by trigger_hippie
Hi! One more confirmation from my side. Blocking is not fully functional in Suricata 4.1.2.

Blocks do occur, but 2 out of 4 test downloads of eicar.com file won't be blocked. Same goes for the rules like abuse.ch (i tried *.co.cc rule in my testing).

I run OPNsense in a virtual environment, VMware ESXi, on a Qotom Intel i3 box with Intel chipset.

Something has gone wrong with this version? I can provide further details to try and find the culprit (debugs, logs?)

Greetings,
Tom

EDIT:
Just to add more details: OPNsense 19.1, Suricata 4.1.2_1
Although logs show me eicar is blocked, the file is successfully downloaded
- attached screenshots

Reverting back to Suricata 4.0.5 is not an option for me at the moment, since I need to revert back to OPNsense 18.7 due to GeoIP dependencies.

EDIT2:
I managed to successfully install GeoIP and Suricata 4.0.5 on OPNsense 19.1 and blocking is working once again. Tested with a few rules including abuse.ch and eicar.
To conclude - Suricata 4.1.2 is NOT working properly on OPNsense 19.1


Blocking facebook using the opnsense.social_media.rules works for me.
Did you disable all nic offloads and reboot?
As the logs show the block the detection seems to work, what does a packet capture show?

Hi Abraxxa,

on which interfaces is your IDS listening? WAN or LAN or both?

For me the facebook blocking is not working either but I do not even see alarms for that. On my system IDS is only listening on WAN since LAN/OPT1 are currently monitored by Sensei.

Best regards,

    Space

LAN, which is really re1 with promiscuous mode because of VLAN tagging.
To get that working I had to disable VLAN hardware filtering in Interfaces / Settings, else all packets were sent without a VLAN header.

Quote from: trigger_hippie on February 02, 2019, 02:47:54 AM
I managed to successfully install GeoIP and Suricata 4.0.5 on OPNsense 19.1
Hello!
Tell me, how do I install Suricata 4.0.5 on OPNsense 19.1?
Best Regards

Also, for some reason, the list with the action setting (drop/alert) disappeared from the "Alert info" window. It is not convenient. Does anybody know how to get it back?

Doesn't work for me either; I have LAN and 3 WANs. Hyperscan.

Same here, the alerts log tries to convince me it was blocked but I can still download it:

2019-02-13T21:54:45.157026+0100 blocked LAN 213.211.198.62 80 192.168.1.101 57486 OPNsense test eicar virus



user@linuxvm$ rm -f eicar.com.txt ; wget http://www.eicar.org/download/eicar.com.txt 2>/dev/null ; cat eicar.com.txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


I asked about it in their IRC but I've yet to receive a response.
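As an added example (not code from the thread or from OPNsense), a small Python check that parses the alert line format quoted above and compares the logged action with what the client actually received, which is the mismatch being reported here. The field layout is assumed from the single line quoted above, and the verdict names are my own.

```python
import re
from dataclasses import dataclass

# Assumed field layout of the OPNsense IDS alert line quoted in this thread:
# <timestamp> <action> <interface> <src_ip> <src_port> <dst_ip> <dst_port> <signature message>
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<msg>.+)$"
)

# Standard EICAR test string, the same content the wget output above printed.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class Alert:
    ts: str
    action: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    msg: str


def parse_alert(line: str) -> Alert:
    """Split one alert log line into its fields; raise ValueError on an unexpected layout."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    f = m.groupdict()
    return Alert(f["ts"], f["action"], f["iface"], f["src"], int(f["sport"]),
                 f["dst"], int(f["dport"]), f["msg"])


def verdict(alert: Alert, downloaded: bytes) -> str:
    """Compare the logged action with what the client actually received.

    'blocked' plus a complete EICAR body on the client is exactly the symptom
    reported in this thread: the log claims a drop that never happened.
    """
    got_payload = EICAR in downloaded
    if alert.action == "blocked":
        return "drop_claimed_but_passed" if got_payload else "drop_confirmed"
    # IDS-only (alert) rules are not expected to stop the transfer.
    return "alert_only_passed" if got_payload else "alert_only_no_payload"


# Constructed sample: the log line quoted above, paired with two possible client outcomes.
SAMPLE_LINE = ("2019-02-13T21:54:45.157026+0100 blocked LAN 213.211.198.62 80 "
               "192.168.1.101 57486 OPNsense test eicar virus")

if __name__ == "__main__":
    a = parse_alert(SAMPLE_LINE)
    print(a.msg, "->", verdict(a, EICAR))  # drop_claimed_but_passed (the 4.1.2 symptom)
    print(a.msg, "->", verdict(a, b""))    # drop_confirmed
```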


I can confirm that everything works after patching 4.1.2_1 version. Tested with eicar, urlhaus and a few policy rules.

Quote from: trigger_hippie on February 14, 2019, 08:29:22 AM
There is a patch/fix that will be included in 19.1.2

https://github.com/opnsense/core/issues/3211#issuecomment-462835563

I haven't tried it myself yet..

Works here as well. Suricata did already properly block stuff like inbound SSH scans, but now it also forbids the eicar download.

Quote from: Sahbi on February 14, 2019, 08:32:26 PM
Quote from: trigger_hippie on February 14, 2019, 08:29:22 AM
There is a patch/fix that will be included in 19.1.2

https://github.com/opnsense/core/issues/3211#issuecomment-462835563

I haven't tried it myself yet..

Works here as well. Suricata did already properly block stuff like inbound SSH scans, but now it also forbids the eicar download.

I can confirm that! Thanks for the quick response and great support as usual!

Looks like that took everyone by surprise. https://redmine.openinfosecfoundation.org/issues/2811

Workaround will be in 19.1.2. Patch can be applied safely in the meantime:

# opnsense-patch 86957375


Cheers,
Franco

https://github.com/opnsense/core/commit/86957375