Suricata/IPS not working

[sjjh]

Hi! Running OPNsense 19.7.8-amd64. I tried to set up Suricata as IPS for our network by following the how-to in the manual: https://docs.opnsense.org/manual/how-tos/ips-feodo.html But it doesn't drop packages, e.g. I can download the eicar test virus although I enabled the OPNsense test rule to drop it. All hardware offloading (including for VLANs) is turned off. See screenshots below for the config (in German unfortunately) and a log except. What did I do wrong? I did add the public IP address of OPNsense to the home networks setting, not sure if that is correct. I used the WAN interface (as stated in the how-to) although I read sometimes I shall use the parent interface of the VLAN interfaces, bot sure if that is correct either. Any help is appreciated, feel free to ask for additional information if I forgot something. Thanks in advance! Simon

[Quetschwalze]

If your wan interface is pppoe, which is most common in Germany, it's not going to work. Switch to the lan interface if possible.

Gesendet von meinem MI 9 mit Tapatalk

[sjjh]

Thanks for your reply. We're not using PPPOE, but a static IPv4 fiber interface, see attached screenshot. Any other idea what I did wrong?

[Quetschwalze]

Got it, so PPPoE is not the problem here. You mentioned that your WAN Interface is a VLAN. Did you try to run suricata on the parent interface? It may be worth a try.

[sjjh]

Sorry, I expressed myself there badly. The WAN interface is not using a VLAN, but all the LAN interfaces use VLANs.
(BTW there's no parent interface to select, if I understand that term right. The drop-down list only shows the WAN, LAN, and different VLAN interfaces. No (physical) interfaces like OPT1, OPT2, em0, ix0, egb0, re0, re1, ... are part of the drop-down menu.)
Simon

[sjjh]

Does anybody else have an idea what the problem might be?
Simon

[packetmangler]

Hello,

From my brief testing at home where IPS is working:

I would first remove the external IP from list of local addresses.  I added my external address and filtering stopped working right away.

Also, simply removing the address and clicking Apply was not enough to get the system to block again.  I had to fully stop and restart the service to get the system blocking again.

hth.

[sjjh]

Thanks for your reply.

I would first remove the external IP from list of local addresses.  I added my external address and filtering stopped working right away.

I removed it, restarted the service (and because of some ICAP errors the whole appliance in the end), but unfortunately still don't see any log entries showing that the eicar test file gets blocked... What else should I check?

[dave]

I don't really understand why PPPOE isn't supported, because Suricata's page states the following:

Protocol parsers
    Support for packet decoding of
        IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE
        Ethernet, PPP, PPPoE, Raw, SLL, VLAN, QINQ, MPLS, ERSPAN, VXLAN
    App layer decoding of:
        HTTP, SSL, TLS, SMB, DCERPC, SMTP, FTP, SSH, DNS, Modbus, ENIP/CIP, DNP3, NFS, NTP, DHCP, TFTP, KRB5, IKEv2, SIP, SNMP, RDP
        New protocols developed in the Rust language, for safe and fast decoding.

[chemlud]

afaik and iirc it has to do with lousy support of PPPoE in *BSD...

[AdSchellevis]

in IDS mode it's supported, in IPS mode it isn't,  which is also explained here https://forum.opnsense.org/index.php?PHPSESSID=afau4ff0t2ekoe65moq67kacu8&topic=9741.msg64178#msg64178.

We rely on physical interfaces to support IPS mode, ppp type interfaces are virtual. When capturing the physical interface on top, most rules (highly) likely won't match.

Best regards,

Ad

[sjjh]

Please note once again that we're *not* using PPPoE.[1] So the mistake must be somewhere else?
Simon

[1]If I'm bot getting something completely wrong...

[andreaslink]

I'm not sure, but I somehow think your are testing wrong . You expect the eicar test virus to kick in, but that's not what IPS does, this requires AV to be setup in terms of using the proxy and so on.

For IPS you might consider the SHA-1 cert fingerprint test. I just added facebook's current cert fingerprint with an alarm. An then - with a fresh client, who has not yet cached the cert - you can surf on facebook and the log shows the alarm appearing (just let it run for some days with all your clients in the net surfing to facebook). That worked for me and proved it working.
Else my setup is pretty close to yours, just that I'm not using "Promiscues Mode", so that flag is deactivated as I had trouble with my network card ignoring some data when this was hooked.

[sjjh]

Thanks for your reply. I'm sorry, I'm not sure if I get you correctly. What do you mean with

You expect the eicar test virus to kick in, but that's not what IPS does, ...

I did activate the OPNsense icar test rule from https://github.com/opnsense/rules/blob/master/src/opnsense.test.rules as you can see in the screen shots below:


Are you saying, that this rule shouldn't block the ICAR test virus? What else shall it do?

[andreaslink]

Ah, sorry, you are right, there is bunch of new rules in the new version, which I haven't seen yet. I also downloaded and installed the test rules now, I did not prevent the access, but I moved it to "Alarm".
The content of the testrule is very limited:

opnsense.test.rules
drop http any any -> any any (msg:"OPNsense test eicar virus"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49 56 49 52 55 53 2d 54 45 53 54 2d 46 49 4c 45 21 24 48 2b 48 2a|"; fast_pattern; reference:url,www.eicar.org/anti_virus_test_file.htm; classtype:bad-unknown; sid:7999999; rev:1;)


So I'll follow your test and report back. Have you considered deactivating the "Promiscues Mode" for testing?