OPNsense Forum, Intrusion Detection and Prevention
Topic: Suricata/IPS not working (Read 15121 times), page 2 of 2
andreaslink (Jr. Member, Posts: 58, Karma: 4)
Re: Suricata/IPS not working, Reply #15 on: February 13, 2020, 08:20:57 am
@sjjh I have tested it now for some days with different constellations and I can second that this does not work. But I still don't think it's necessarily related to the IDS/IPS setup; I guess it's still about the test. Can anyone prove the OPNsense eicar test to be working? I can still see impacts from outside which appear in my log if I'm attacked from outside on WAN (see attached screenshot). But I cannot trigger eicar download prevention either.
I'll read more into Suricata and rule generation and will create my own rule, as I think it's somehow related to the fingerprint within the test. But this is just an assumption.
Running OPNsense on 4 core Intel Xeon E5506, 20GB RAM, 2x Broadcom NetXtreme II BCM5709, 4x Intel 82580
Ubench Single CPU: 307897 (0.39s)
AdSchellevis (Administrator, Hero Member, Posts: 907, Karma: 184)
Re: Suricata/IPS not working, Reply #16 on: February 13, 2020, 08:53:32 am
There you go, an easy eicar test; it always works on all of our setups with our eicar test rule enabled (from a unix/linux host behind the firewall):
Code:
curl http://www.eicar.org/download/eicar.com
Remember to download eicar over http; the rule doesn't match encrypted traffic.
[https://github.com/opnsense/rules/blob/master/src/opnsense.test.rules#L1]
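The test above is two steps: fetch the file over cleartext HTTP from a host behind the firewall, then look for the alert Suricata wrote. The following is an added example (not code from the thread or from the OPNsense project) that does both. The EVE log path, the alert signature text, the signature id and the IP addresses in the constructed sample log are assumptions; only the test URL and the EVE JSON field names (`event_type`, `alert.signature`, `alert.action`) come from the thread and from Suricata's documented output format.

```python
"""Run the OPNsense EICAR test over plain HTTP and find the resulting alert in eve.json."""
import json
import urllib.request
from urllib.parse import urlparse

EICAR_URL = "http://www.eicar.org/download/eicar.com"
EVE_LOG = "/var/log/suricata/eve.json"  # assumed location of Suricata's EVE output


def check_cleartext(url: str) -> str:
    """Refuse anything but plain http: the test rule matches on the HTTP payload,
    and over https Suricata only sees opaque TLS records."""
    if urlparse(url).scheme != "http":
        raise ValueError(f"eicar test must be fetched over plain http, got: {url}")
    return url


def fetch(url: str, timeout: float = 10.0) -> int:
    """Issue the request from a host behind the firewall. With IPS in blocking mode
    the download is expected to fail or hang; the alert in eve.json is the real result."""
    req = urllib.request.Request(check_cleartext(url), headers={"User-Agent": "curl/7.68.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except Exception as exc:  # a reset or timeout is normal when the rule drops the flow
        print(f"request did not complete ({exc.__class__.__name__}); check eve.json")
        return -1


def eicar_alerts(eve_lines, keyword: str = "eicar"):
    """Return (signature, action, src_ip, dest_ip) for every EVE alert record whose
    signature mentions the keyword. Non-alert and malformed lines are skipped."""
    hits = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        sig = alert.get("signature", "")
        if keyword.lower() in sig.lower():
            hits.append((sig, alert.get("action"), ev.get("src_ip"), ev.get("dest_ip")))
    return hits


# Constructed sample EVE lines (not real log output): a flow record, an unrelated
# alert, a garbage line, and the alert the test rule is expected to produce.
# Signature text, sids and addresses are made up for the example.
SAMPLE_EVE = """\
{"timestamp":"2020-02-13T08:53:00.000000+0100","event_type":"flow","src_ip":"192.168.1.10","dest_ip":"198.51.100.20"}
{"timestamp":"2020-02-13T08:53:01.000000+0100","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"198.51.100.1","alert":{"signature_id":1000001,"signature":"sample unrelated inbound scan","action":"allowed"}}
this line is not json
{"timestamp":"2020-02-13T08:53:02.000000+0100","event_type":"alert","src_ip":"192.168.1.10","dest_ip":"198.51.100.20","proto":"TCP","alert":{"signature_id":1000002,"signature":"OPNsense test EICAR download","action":"blocked"}}
"""


if __name__ == "__main__":
    fetch(EICAR_URL)
    with open(EVE_LOG) as fh:
        for hit in eicar_alerts(fh):
            print(hit)
```

Run it on the client, not on the firewall, so the flow actually crosses the IPS interface; if `eicar_alerts` returns nothing, confirm the test ruleset is enabled and that the request really went out as `http://` (a browser that upgrades to https silently defeats the test).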
andreaslink (Jr. Member, Posts: 58, Karma: 4)
Re: Suricata/IPS not working, Reply #17 on: February 13, 2020, 12:35:14 pm
Thank you very much for sharing this @AdSchellevis, this gives way more input and I can immediately prove it's working. I've tested opening your URL in the browser on two different clients (iPhone Safari and Linux Chromium), as you can see on the screenshot.
PS: There is no chance of embedding attached screenshots within my reply, is there?
andreaslink (Jr. Member, Posts: 58, Karma: 4)
Re: Suricata/IPS not working, Reply #18 on: February 13, 2020, 12:35:57 pm
Nonetheless I expected it to behave slightly differently, which explains the case now. IPS seems to only be triggered by the full, separate eicar file, which kind of makes sense as the fingerprint is generated from the whole file, isn't it? But when I open the website, where the eicar string as such is only included, nothing happens (see screenshot), and always opening insecurely with http, of course.
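The observations in this thread (the bare download alerts, an HTML page that merely shows the string does not, and https never matches) all follow from how a Suricata `content:` match on the HTTP response body works: the rule's bytes must occur contiguously in the cleartext body that Suricata actually inspects. The block below is an added example, not the OPNsense test rule or any Suricata code, modelling that matching over four constructed responses. Assumptions: the OPNsense rule is modelled as `content:"<eicar string>"; http.response_body;` (its real contents are in the linked rules file and are not reproduced here); the HTML page case inserts a `<span>` into the middle of the string, one way a page can display it without carrying it contiguously, and how eicar.org's page actually rendered it is not known from the thread; the body-inspection limit is Suricata's default libhtp `response-body-limit` of 100kb, assumed unchanged on OPNsense.

```python
"""Model of a Suricata content match on the HTTP response body, applied to the
EICAR download, an HTML page showing the string, a TLS record, and an oversized body."""
import os
from typing import Optional

# The EICAR test string, split in two so this file does not itself carry the
# contiguous signature; joined at runtime it is the exact 68-byte test file.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumption: Suricata's default libhtp response-body-limit (100kb) applies.
RESPONSE_BODY_LIMIT = 100 * 1024


def http_response(content_type: bytes, body: bytes) -> bytes:
    """Build a minimal cleartext HTTP/1.1 response as it crosses the wire."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type
            + b"\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\n\r\n" + body)


def response_body(raw: bytes) -> Optional[bytes]:
    """Split headers from body; None when this is not cleartext HTTP at all
    (e.g. a TLS record), which is what the HTTP app-layer parser would see."""
    if not raw.startswith(b"HTTP/1."):
        return None
    _head, sep, body = raw.partition(b"\r\n\r\n")
    return body if sep else None


def content_matches(raw: bytes, needle: bytes, limit: int = RESPONSE_BODY_LIMIT) -> bool:
    """Model of `content:"..."; http.response_body;`: the needle must appear as one
    contiguous byte sequence inside the inspected, limit-bounded body."""
    body = response_body(raw)
    if body is None:
        return False
    return needle in body[:limit]


# Case 1: the curl download. The body is the bare test file -> alert.
DOWNLOAD = http_response(b"application/octet-stream", EICAR)

# Case 2: an HTML page that shows the string to a reader, constructed here with
# markup inserted mid-string. The bytes on the wire are then not the test string.
PAGE = http_response(
    b"text/html",
    b"<html><body><pre>" + EICAR[:28] + b"<span>" + EICAR[28:] + b"</span></pre></body></html>",
)

# Case 3: the same download over https. Suricata sees only TLS records; modelled
# as a TLS 1.2 application-data record whose payload is random (constructed) bytes.
TLS_RECORD = b"\x17\x03\x03" + len(EICAR).to_bytes(2, "big") + os.urandom(len(EICAR))

# Case 4: the test string sits past the inspected body limit -> never examined.
PADDED = http_response(b"application/octet-stream", b"A" * RESPONSE_BODY_LIMIT + EICAR)


def run_cases() -> dict:
    """Evaluate the modelled rule against all four constructed responses."""
    cases = [("download", DOWNLOAD), ("html page", PAGE),
             ("tls record", TLS_RECORD), ("past body limit", PADDED)]
    return {name: content_matches(raw, EICAR) for name, raw in cases}


if __name__ == "__main__":
    for name, hit in run_cases().items():
        print(f"{name:16s} -> {'ALERT' if hit else 'no match'}")
```

The fourth case is the practical caveat: a content match on the response body only covers the first `response-body-limit` bytes of each response, so a test file that worked when fetched directly can silently stop matching when it is appended to a large page or bundled into a bigger download.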