Topic: [solved, eventual bug]on 19.7.2: still no alerts in alert tab (no pp... on WAN!) (Read 4062 times)
ruggerio
Sr. Member
Posts: 295
Karma: 11
[solved, eventual bug]on 19.7.2: still no alerts in alert tab (no pp... on WAN!)
« on: August 20, 2019, 12:12:17 pm »
I still have nearly no warnings in the alert tab, unless I force it to. Do others get alerted in Suricata?
I know there are a lot of threads about this, in each release. I thought I would create one within the IDP section.
Config:
IDP, no IDS
no promiscuous mode
only monitoring physical
installed ALL available rulesets which came by default (no telemetry, snort...)
« Last Edit: August 29, 2019, 02:56:05 pm by ruggerio »
nickthegreat
Newbie
Posts: 3
Karma: 0
Re: on 19.7.2: still no alerts in alert tab (no pp... on WAN!)
« Reply #1 on: August 23, 2019, 11:10:00 pm »
I am seeing the same thing. I have three running OPNsense installations, 2 physical and 1 virtual (Proxmox/QEMU). On each of them I have tried to enable some of the key ET IPS rules, and like you I have it in IPS mode. I don't see ANY alerts, and whenever I stop/restart the service I see logs that say millions of packets were inspected, but none were dropped.
Aug 23 17:07:34 suricata: [100204] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
Aug 23 17:07:34 suricata: [100096] <Notice> -- This is Suricata version 4.1.4 RELEASE
Aug 23 17:07:34 suricata: [100080] <Notice> -- Stats for 'em1+': pkts: 7798, drop: 0 (0.00%), invalid chksum: 0
Aug 23 17:07:34 suricata: [100080] <Notice> -- Stats for 'em1': pkts: 10818, drop: 0 (0.00%), invalid chksum: 0
Aug 23 17:07:34 suricata: [100080] <Notice> -- Stats for 'em0+': pkts: 4696, drop: 0 (0.00%), invalid chksum: 0
Aug 23 17:07:34 suricata: [100080] <Notice> -- Stats for 'em0': pkts: 6633, drop: 0 (0.00%), invalid chksum: 0
Aug 23 17:07:33 suricata: [100080] <Notice> -- Signal Received. Stopping engine.
Aug 23 16:58:20 suricata: [100080] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
I have mine running in promiscuous mode since I am monitoring multiple interfaces. Glad to see I'm not the only one with this issue.
nickthegreat
Newbie
Posts: 3
Karma: 0
Re: on 19.7.2: still no alerts in alert tab (no pp... on WAN!)
« Reply #2 on: August 23, 2019, 11:25:40 pm »
Also, I should have mentioned that all three firewalls are new installs, this week, so all 19.7.2, and since they're new, I have no history of them ever working.
nickthegreat
Newbie
Posts: 3
Karma: 0
Re: on 19.7.2: still no alerts in alert tab (no pp... on WAN!)
« Reply #3 on: August 27, 2019, 04:00:05 am »
Well, FWIW - I was wondering if for some reason suricata wasn't properly receiving or processing the packets, but clearly it is running the packets through the basic protocol filters. I'm surprised that I've seen this on three installations and more people aren't reporting the same...
------------------------------------------------------------------------------------
Date: 8/26/2019 -- 00:00:07 (uptime: 1d, 16h 40m 01s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
capture.kernel_packets | Total | 33143371
decoder.pkts | Total | 33143371
decoder.bytes | Total | 34668938813
decoder.ipv4 | Total | 31763845
decoder.ipv6 | Total | 73391
decoder.ethernet | Total | 33143371
decoder.tcp | Total | 31052819
decoder.udp | Total | 725908
decoder.icmpv4 | Total | 1949
decoder.icmpv6 | Total | 53203
decoder.avg_pkt_size | Total | 1046
decoder.max_pkt_size | Total | 1514
flow.tcp | Total | 71529
flow.udp | Total | 63976
flow.icmpv4 | Total | 173
flow.icmpv6 | Total | 6375
decoder.ipv4.opt_pad_required | Total | 3357
decoder.ipv6.zero_len_padn | Total | 1844
decoder.tcp.opt_invalid_len | Total | 2
tcp.sessions | Total | 70790
tcp.invalid_checksum | Total | 3
tcp.syn | Total | 77920
tcp.synack | Total | 52316
tcp.rst | Total | 48878
tcp.pkt_on_wrong_thread | Total | 23061815
tcp.stream_depth_reached | Total | 668
tcp.overlap | Total | 1574135
tcp.overlap_diff_data | Total | 137
app_layer.flow.http | Total | 4728
app_layer.tx.http | Total | 32524
app_layer.flow.ftp | Total | 2
app_layer.flow.tls | Total | 29701
app_layer.flow.enip | Total | 1
app_layer.flow.ntp | Total | 3062
app_layer.flow.tftp | Total | 4
app_layer.flow.ikev2 | Total | 10
app_layer.flow.dhcp | Total | 683
app_layer.flow.failed_tcp | Total | 15552
app_layer.flow.dns_udp | Total | 46173
app_layer.tx.dns_udp | Total | 106403
app_layer.tx.enip | Total | 1
app_layer.tx.ntp | Total | 3301
app_layer.tx.tftp | Total | 4
app_layer.tx.ikev2 | Total | 20
app_layer.flow.krb5_udp | Total | 2
app_layer.tx.dhcp | Total | 1659
app_layer.flow.failed_udp | Total | 14041
flow_mgr.closed_pruned | Total | 49647
flow_mgr.new_pruned | Total | 40639
flow_mgr.est_pruned | Total | 51538
flow.spare | Total | 10000
flow.tcp_reuse | Total | 1
flow_mgr.flows_checked | Total | 1
:
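The stats dump above already contains the clue a defender should look at before blaming the ruleset: tcp.pkt_on_wrong_thread is 23061815 against 31052819 decoded TCP packets, and Suricata documents that counter as a sign that packets of one flow are landing on different detect threads, which breaks stream reassembly and therefore most TCP signatures. The following script is an added example, not code from the thread or from the Suricata project. It parses the "Counter | TM Name | Value" layout of stats.log and reports the three conditions worth checking in a "no alerts" situation; the sample text is constructed from the counters posted in Reply #3, and the thresholds are assumptions chosen for illustration.

```python
"""Sanity check over a Suricata stats.log dump (added example, not from
the thread or the Suricata project).  Parses the 'counter | TM Name | Value'
table and flags the conditions that explain 'millions of packets, no
alerts' better than a broken ruleset would."""

import re

# Constructed sample: a subset of the counters posted in Reply #3.
SAMPLE_STATS = """\
------------------------------------------------------------------------------------
Date: 8/26/2019 -- 00:00:07 (uptime: 1d, 16h 40m 01s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
capture.kernel_packets | Total | 33143371
decoder.pkts | Total | 33143371
decoder.tcp | Total | 31052819
tcp.sessions | Total | 70790
tcp.pkt_on_wrong_thread | Total | 23061815
tcp.stream_depth_reached | Total | 668
"""

# One stats row: counter name, thread-module name, integer value.
LINE_RE = re.compile(r"^\s*([\w.]+)\s*\|\s*([^|]+?)\s*\|\s*(\d+)\s*$")


def parse_stats(text):
    """Return {counter_name: value}; later dumps in the same text override."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(3))
    return stats


def ratio(num, den):
    """Safe division for counters that may be absent or zero."""
    return num / den if den else 0.0


def diagnose(stats, wrong_thread_threshold=0.05, drop_threshold=0.01):
    """Return a list of findings; an empty list means nothing suspicious.
    Thresholds are illustrative assumptions, not Suricata defaults."""
    findings = []
    pkts = stats.get("decoder.pkts", 0)
    if pkts == 0:
        findings.append("no packets decoded: capture is not delivering traffic")
        return findings

    # Kernel drops: rules cannot match packets the engine never saw.
    drops = stats.get("capture.kernel_drops")
    if drops is not None:
        r = ratio(drops, stats.get("capture.kernel_packets", pkts))
        if r > drop_threshold:
            findings.append(f"kernel drop rate {r:.1%}: packets lost before inspection")

    # Flow-to-thread affinity: packets of one flow must reach the same thread.
    tcp = stats.get("decoder.tcp", 0)
    wrong = stats.get("tcp.pkt_on_wrong_thread", 0)
    r = ratio(wrong, tcp)
    if r > wrong_thread_threshold:
        findings.append(
            f"{r:.1%} of TCP packets hit the wrong detect thread: "
            "flow load-balancing is broken, stream reassembly and most "
            "TCP signatures are unreliable"
        )

    # Alert counter: absent or zero means the engine raised nothing at all.
    if stats.get("detect.alert", 0) == 0:
        findings.append("detect.alert is zero or missing: no alert raised since start")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_stats(SAMPLE_STATS)):
        print("-", finding)
```

On a live box, feed it the last block of /var/log/suricata/stats.log instead of the sample. A wrong-thread ratio of roughly 74%, as in the posted dump, is worth fixing before any pattern-matcher experiment, because the matcher only sees what reassembly gives it.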
ruggerio
Sr. Member
Posts: 295
Karma: 11
Re: on 19.7.2: still no alerts in alert tab (no pp... on WAN!)
« Reply #4 on: August 27, 2019, 07:46:09 am »
Well, I did not check this; all I was looking at was the alarm tab.
But still, lots of packets checked does not mean it has to alarm.
I was putting a 2nd APU on my cable modem, with IPFire on it, and yay, the list was slightly different...
Just to make sure: Suricata should block traffic before it gets to the firewall, shouldn't it?
ruggerio
Sr. Member
Posts: 295
Karma: 11
Re: [solved, but not good]on 19.7.2: still no alerts in alert tab (no pp... on WAN!)
« Reply #5 on: August 29, 2019, 02:55:28 pm »
So ok, I was struggling around a lot with this now.
Today, I was out of ideas and changed from Hyperscan to Aho-Corasick and... wow.
Now my alerts are filled with messages.
Could it be that Hyperscan does not work as expected? In any case, I got 2-3 messages within one week on Hyperscan; on Aho-Corasick I got lots within minutes.
As I think that most of us use Hyperscan, which is recommended for performance, there seems to be some kind of a bug. Could anybody check this too? If it is the same, we should file a bug on GitHub.
Roger
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: [solved, eventual bug]on 19.7.2: still no alerts in alert tab (no pp... on WAN!)
« Reply #6 on: August 29, 2019, 03:23:44 pm »
I don't use it in production, but does your CPU support Hyperscan?
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
ruggerio
Sr. Member
Posts: 295
Karma: 11
Re: [solved, eventual bug]on 19.7.2: still no alerts in alert tab (no pp... on WAN!)
« Reply #7 on: August 29, 2019, 03:50:13 pm »
Checked this before, I knew the question would come.
root@antigua:~ # dmesg | grep -i SSE
Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,HTT>
Features2=0x3ed8220b<SSE3,PCLMULQDQ,MON,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,XSAVE,OSXSAVE,AVX,F16C>
AMD Features2=0x1d4037ff<LAHF,CMP,SVM,ExtAPIC,CR8,ABM,SSE4A,MAS,Prefetch,OSVW,IBS,SKINIT,WDT,Topology,PNXC,DBE,PTSC,PL2I>
It's a PC Engines APU4, with i210t NICs, AMD processor.
« Last Edit: August 29, 2019, 03:52:34 pm by ruggerio »
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: [solved, eventual bug]on 19.7.2: still no alerts in alert tab (no pp... on WAN!)
« Reply #8 on: August 29, 2019, 03:57:53 pm »
Sorry, I'm no professional at this, maybe this is totally wrong, I always thought Hyperscan is intel-only technology.
ruggerio
Sr. Member
Posts: 295
Karma: 11
Re: [solved, eventual bug]on 19.7.2: still no alerts in alert tab (no pp... on WAN!)
« Reply #9 on: August 29, 2019, 04:05:04 pm »
Me too, but I read somewhere that AMD+SSE also work for Hyperscan.
https://de.wikipedia.org/wiki/Streaming_SIMD_Extensions
(sorry, in German)
BTW, interesting information in dmidecode:
Handle 0x0004, DMI type 4, 42 bytes
Processor Information
Socket Designation: Not Specified
Type: Central Processor
Family: Pentium Pro
Manufacturer: AuthenticAMD
ID: 01 0F 73 00 FF FB 8B 17
Signature: Type 0, Family 22, Model 48, Stepping 1
Flags:
FPU (Floating-point unit on-chip)
VME (Virtual mode extension)
DE (Debugging extension)
PSE (Page size extension)
TSC (Time stamp counter)
MSR (Model specific registers)
PAE (Physical address extension)
MCE (Machine check exception)
CX8 (CMPXCHG8 instruction supported)
APIC (On-chip APIC hardware supported)
SEP (Fast system call)
MTRR (Memory type range registers)
PGE (Page global enable)
MCA (Machine check architecture)
CMOV (Conditional move instruction supported)
PAT (Page attribute table)
PSE-36 (36-bit page size extension)
CLFSH (CLFLUSH instruction supported)
MMX (MMX technology supported)
FXSR (FXSAVE and FXSTOR instructions supported)
SSE (Streaming SIMD extensions)
SSE2 (Streaming SIMD extensions 2)
HTT (Multi-threading)
« Last Edit: August 29, 2019, 04:07:36 pm by ruggerio »
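The "does your CPU support Hyperscan?" question in Replies #6 to #9 has a concrete answer: the Hyperscan runtime requires SSSE3 (the vendor does not matter, so an AMD part with SSSE3 qualifies), and the dmesg Features2 line posted in Reply #7 lists it. The script below is an added example, not something from the thread or from the Suricata or Hyperscan projects. It extracts the flag list from a FreeBSD-style Features2 line and checks for the exact SSSE3 token (a substring match would wrongly accept SSE3). The sample strings are constructed, the first one modelled on the APU4 output above.

```sh
#!/bin/sh
# Added example (not from the thread): check whether a FreeBSD dmesg
# "Features2=" line lists the SSSE3 baseline that the Hyperscan runtime
# requires. Inputs are constructed strings; on a live box use
#   dmesg | grep -m1 'Features2='

# has_hyperscan_isa FEATURES2_LINE
# returns 0 if SSSE3 is present as its own token, 1 otherwise
has_hyperscan_isa() {
    # keep only the comma-separated list between '<' and '>'
    flags=$(printf '%s' "$1" | sed 's/^[^<]*<//; s/>.*$//')
    # token match: ",SSSE3," so that ",SSE3," does not count
    case ",$flags," in
        *,SSSE3,*) return 0 ;;
        *)         return 1 ;;
    esac
}

# report_hyperscan FEATURES2_LINE -> prints a one-line verdict
report_hyperscan() {
    if has_hyperscan_isa "$1"; then
        echo "SSSE3 present: Hyperscan runtime baseline is met"
    else
        echo "SSSE3 missing: Hyperscan cannot run here, use Aho-Corasick"
    fi
}

# Constructed sample modelled on the APU4 Features2 line posted in Reply #7
SAMPLE_FEATURES2='Features2=0x3ed8220b<SSE3,PCLMULQDQ,MON,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,XSAVE,OSXSAVE,AVX,F16C>'
# Constructed sample of an older CPU that has SSE3 but not SSSE3
OLD_FEATURES2='Features2=0x1<SSE3,MON>'

report_hyperscan "$SAMPLE_FEATURES2"
report_hyperscan "$OLD_FEATURES2"
```

If the CPU passes, the next thing to confirm is that the installed Suricata binary was built with Hyperscan at all: `suricata --build-info` prints a "Hyperscan support" line. A passing CPU check plus a "yes" there means the matcher should work, and a difference in alert volume between Hyperscan and Aho-Corasick on the same traffic, as reported in Reply #5, is then worth a bug report rather than a hardware explanation.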