Suricata/IPS not working

Started by sjjh, December 21, 2019, 08:47:28 PM

@sjjh I have tested it now for some days with different constellations and I can second that this does not work. But I still don't think it's necessarily related to the IDS/IPS setup, I guess it's still about the test. Can anyone prove the OPNsense-eicar-test to be working? I can still see impacts from outside which appear in my log if I'm attacked from outside on WAN (see attached screenshot). But I cannot trigger eicar download prevention either.

I'll read more into Suricata and rules generation and will create my own rule, as I think it's somehow related to the fingerprint within the test. But this is just an assumption.
Running OPNsense on 4 core Intel Xeon E5506, 20GB RAM, 2x Broadcom NetXtreme II BCM5709, 4x Intel 82580
Ubench Single CPU: 307897 (0.39s)

there you go, easy eicar test, always works on all of our setups with our eicar test rule enabled (from a unix/linux host behind the firewall):

curl http://www.eicar.org/download/eicar.com

remember to download eicar over http, the rule doesn't match encrypted traffic :)

[https://github.com/opnsense/rules/blob/master/src/opnsense.test.rules#L1]

Thank you very much for sharing this @AdSchellevis, this gives way more input and I can immediately prove it's working. I've tested opening your URL in the browser on two different clients (iPhone Safari and in Linux Chromium) as you can see on the screenshot.

PS: There is no chance of embedding attached screenshots within my reply, is there?

Nonetheless, I expected it to behave slightly differently, which explains the case now. IPS seems to only be triggered by the full separated eicar file - which kind of makes sense as the fingerprint is generated of the whole file, isn't it? But when I open the website, where the eicar-string as such is only included, nothing happens (see screenshot) - and always opening insecure with http of course.
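A way to turn the curl test above, and the observation that a page merely embedding the string behaves differently from the bare eicar.com file, into a scripted check. This is an added example, not code from the thread or from the OPNsense project; it assumes the public EICAR string and its 128-byte size limit, and that an IPS which blocks the download leaves curl with an error or an empty body.

```shell
#!/bin/sh
# Added example, not from the thread: wrap the curl EICAR download test and
# classify the outcome instead of eyeballing it. Assumption: an IPS that blocks
# the download leaves curl with a non-zero exit code or an empty body.

# Canonical EICAR test string (public, from eicar.org); the file is 68 bytes,
# and the EICAR spec allows up to 128 bytes with trailing whitespace.
EICAR_STRING='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# The test rule only sees cleartext HTTP, so refuse anything that is not http://.
is_plain_http() {
    case "$1" in
        http://*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Classify a saved response body given curl's exit code:
#   blocked - curl failed or nothing arrived (IPS dropped/reset the session)
#   passed  - the bare eicar.com body arrived intact (IPS did not block)
#   other   - something else, e.g. a block page or an HTML page that merely
#             embeds the string (the case the thread saw go undetected)
classify_body() {
    file="$1"; curl_rc="$2"
    if [ "$curl_rc" -ne 0 ] || [ ! -s "$file" ]; then
        echo blocked
    elif grep -qF "$EICAR_STRING" "$file" \
         && [ "$(wc -c < "$file" | tr -d ' ')" -le 128 ]; then
        echo passed
    else
        echo other
    fi
}

# Download over plain HTTP; --max-time keeps a silently dropped session from hanging.
run_eicar_test() {
    url="${1:-http://www.eicar.org/download/eicar.com}"
    is_plain_http "$url" || { echo "refusing non-http URL: $url" >&2; return 2; }
    tmp=$(mktemp)
    curl -sS --max-time 15 -o "$tmp" "$url"
    rc=$?
    verdict=$(classify_body "$tmp" "$rc")
    rm -f "$tmp"
    echo "$verdict"
}

# Only hit the network when a URL is passed on the command line.
if [ "$#" -gt 0 ]; then run_eicar_test "$1"; fi
```

Run it as `sh eicar_check.sh http://www.eicar.org/download/eicar.com` from a host behind the firewall; a verdict of `blocked` is what a working IPS rule should produce.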