Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
IPS not dropping eicar test file when https
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPS not dropping eicar test file when https (Read 4894 times)
porigromus
Newbie
Posts: 16
Karma: 0
IPS not dropping eicar test file when https
«
on:
May 12, 2019, 05:44:25 am »
Hello, I am new to Opnsense trying to get everything setup. I am hoping someone can give me some troubleshooting tips for the issue I am seeing.
I have configured transparent http/https web proxy and verified when going to https sites my CA is listed as the issuer of the cert and everything shows valid. I have added the "7999999 Drop opnsense.test.rules bad-unknown OPNsense test eicar virus" rule and verified alerts are present when trying to download it at the http link and it is blocked. However when attempting https I am able to download it. There are no alerts present in the ids logs.
I have all interfaces in my IDS configured lan,opt1,opt2,wan
I tried both pattern matchers "hyperscan and aho-corasick". I have also tried promiscuous mode even though I am not using vlan tagging. It should be blocking the file via that same rule when download https right?
Here is my log entry when restarting the ids service:
May 11 23:30:59 suricata: [100159] <Notice> -- all 8 packet processing threads, 4 management threads initialized, engine started. Thanks for any help.
only blocking on 80:
2019-05-11T23:45:41.674353-0400 blocked wan 213.211.198.62 80 34.21.174.42 30170 OPNsense test eicar virus
2019-05-11T23:45:41.674353-0400 blocked wan 213.211.198.62 80 34.21.174.42 30170 OPNsense test eicar virus
«
Last Edit: May 12, 2019, 06:00:42 am by porigromus
»
Logged
hbc
Hero Member
Posts: 501
Karma: 47
Re: IPS not dropping eicar test file when https
«
Reply #1 on:
May 12, 2019, 10:36:18 am »
I think the plain content is not visible to your IPS - just at your endpoints (client, proxy, server).
In your case, I think you filter WAN and traffic is still encrypted when IPS scans traffic and encrypted again, when leaving proxy to LAN.
If you want to filter HTTPS, you should use a filtering proxy, which is an endpoint and can scan the plain content. Just add c-icap and clamav to your squid. The only place where your HTTPS is terminated and plain visible is inside your proxy process.
«
Last Edit: May 12, 2019, 10:50:02 am by hbc
»
Logged
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
porigromus
Newbie
Posts: 16
Karma: 0
Re: IPS not dropping eicar test file when https
«
Reply #2 on:
May 13, 2019, 01:06:23 am »
Thanks again hbc! I think I understand. Since I am monitoring with the IPS at the WAN, inspection is happening before the traffic is decrypted/encrypted by the web proxy. If I was only monitoring on the LAN and OPT interfaces, this would not be an issue?
In my configuration though I will need to add ICAP/ClamAV to the traffic flow to see this at a later flow in the traffic. I think I get it, is there a nice diagram somewhere like a Visio document on a packet flow throughout the various systems? That would be neat.
I do appreciate the help!
«
Last Edit: May 13, 2019, 01:09:12 am by porigromus
»
Logged
hbc
Hero Member
Posts: 501
Karma: 47
Re: IPS not dropping eicar test file when https
«
Reply #3 on:
May 13, 2019, 07:25:50 am »
Quote
If I was only monitoring on the LAN and OPT interfaces, this would not be an issue?
No, the problem would still exist. It is a transparent proxy. The proxy gets encrypted via HTTPS the content of the server, generates a suitable certificate for the client on-the-fly and sends via HTTPS the traffic encrypted to it.
Even when using the proxy explicit (non-transparent), an encrypted CONNECT-Tunnel between client and server would be established and even proxy would not see any cleartext traffic. Encrypted traffic and server authenticated by certificate. That is HTTPS.
Logged
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
porigromus
Newbie
Posts: 16
Karma: 0
Re: IPS not dropping eicar test file when https
«
Reply #4 on:
May 13, 2019, 04:10:28 pm »
Thanks for providing further explanation. That helps!
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
IPS not dropping eicar test file when https