IPS not working

Started by Trelleboy, March 29, 2020, 01:45:32 AM

Well I can read there is a lot of confusion about Suricata. My X86 tells me that proofpoint is running - but it's not. The other day it told me my VPN was running but it was not - but I will not accept not having at least tried to get the IPS running.

Can anyone help me to get the IPS running? That's why I wanted OPNsense in the first place.

I'm running 20.1.3 on an X86 with a lot of power.

I have tried to test it with eicar, but it seems dead. I have removed all local networks and it's set to WAN.

One other thing is that telemetry is not auto-updating - but all the others are inside IPS.


I have discovered why the WAN interface practically showed no alerts/blocks. There is a note on the OPNsense documentation page for intrusion detection which states that if you are using NAT, which most home users will be doing, you need to add the WAN interface IP address to the list in the "Home network" section of the intrusion detection settings page. You will need to click the "Advanced" button at the top of the page to see this configuration option. It should already have all private IP address space included.

Simply add your WAN IP address. If your WAN address changes, this will need to be updated. It may be possible to use a dynamic DNS service and put the hostname in the list. I do not know if hostnames are supported, but it's quite possible it will work. I have found that hostnames work in places where IP addresses can be entered (like firewall rules and aliases).

THAT works - but don't reboot :-)

No, DynDNS names don't work, you get a validation error

please specify a valid network segment or address (IPv4/IPv6)

...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

I have the same issue. Suricata not running/logging any packets at all.

2020-03-30T13:32:12   suricata[30160]: [101773] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
2020-03-30T13:31:27   suricata[30160]: [101773] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BE.Radmin.Challenge' is checked but not set. Checked in 2003480 and 0 other sigs
2020-03-30T13:31:27   suricata[30160]: [101773] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'etpro.clsid.detected' is checked but not set. Checked in 2002172 and 0 other sigs
2020-03-30T13:31:09   suricata: [101773] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
2020-03-30T13:31:08   suricata: [100952] <Notice> -- This is Suricata version 4.1.7 RELEASE
2020-03-30T13:31:08   suricata[90916]: [100667] <Notice> -- Stats for 'em0+': pkts: 42028, drop: 0 (0.00%), invalid chksum: 0
2020-03-30T13:31:08   suricata[90916]: [100667] <Notice> -- Stats for 'em0': pkts: 42778, drop: 0 (0.00%), invalid chksum: 1
2020-03-30T13:31:08   suricata[90916]: [100667] <Notice> -- Signal Received. Stopping engine.
2020-03-30T13:31:08   suricata[90916]: [100667] <Notice> -- rule reload complete
2020-03-30T13:30:21   suricata[90916]: [100667] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BE.Radmin.Challenge' is checked but not set. Checked in 2003480 and 0 other sigs
2020-03-30T13:30:21   suricata[90916]: [100667] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'etpro.clsid.detected' is checked but not set. Checked in 2002172 and 0 other sigs
2020-03-30T13:30:02   suricata[90916]: [100667] <Notice> -- rule reload starting
2020-03-30T12:09:42   suricata[90916]: [100667] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
2020-03-30T12:08:57   suricata[90916]: [100667] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BE.Radmin.Challenge' is checked but not set. Checked in 2003480 and 0 other sigs
2020-03-30T12:08:57   suricata[90916]: [100667] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'etpro.clsid.detected' is checked but not set. Checked in 2002172 and 0 other sigs
2020-03-30T12:08:39   suricata: [100667] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
2020-03-30T12:08:38   suricata: [100995] <Notice> -- This is Suricata version 4.1.7 RELEASE
2020-03-30T12:08:38   suricata[69961]: [100712] <Notice> -- Stats for 'em0+': pkts: 770803, drop: 0 (0.00%), invalid chksum: 0
2020-03-30T12:08:38   suricata[69961]: [100712] <Notice> -- Stats for 'em0': pkts: 977361, drop: 0 (0.00%), invalid chksum: 1

I don't have the feeling of control that I have in pfSense regarding the Suricata implementation...

It hurts since I really don't dig the guys behind Netgate and I am very fond of OPNsense...

Hi,

I've probably posted this before, but if you're running IDPS on your WAN interface and Suricata is active, you're likely using the wrong interface.

The docs (https://docs.opnsense.org/manual/ips.html) explain a bit why you should use ID[P]S pre-NAT as well: most rules assume the local network to be visible, which isn't the case when you're capturing packets post-NAT.

In some (very rare) cases you might want to use your WAN interface as home network, in which case you could configure it manually, but since most home networks have DHCP-like setups, this often isn't very practical (the home networks should be static).

Best regards,

Ad

Using WAN (em0) and running Inline mode

Here running Suricata on OPNsense on WAN and all LAN interfaces. No alerts on WAN, however, as seen frequently (tons of them tbh) with Snort on WAN...
kind regards
chemlud

As of now I have no idea what Suricata is doing or what it finds...

And I can't control what is allowed and what's not.

let's agree to disagree, a lot of alerts doesn't really tell a lot about the quality of the setup. Most ET-open/pro rules are quite properly targeted, preventing false positives.

The easiest test, that always works when properly set up, is the eicar test over http.

curl http://pkg.opnsense.org/test/eicar.com.txt

https://github.com/opnsense/rules/blob/master/src/opnsense.test.rules#L1

Why??

Is Suricata not supposed to be an IDS and therefore intrusion aware? Alerts for what is found to be trying to get in?

And isn't LAN supposed to be what comes from the inside, derived from servers and workstations?

Usually you don't accept a lot of inbound traffic on WAN (default block); most threats are triggered inside. Knowing that someone fired a packet at your firewall that would have been blocked anyway isn't very relevant info either (it's not that you can block it more than you already did).

Since you're behind NAT, a lot of the concept of IDS gets lost, since you can't distinguish homenet from the big bad outside world. If you're in a routed (non-NAT) environment, you can measure on WAN as well. Most IDS setups aren't inline anyway, in which case you wouldn't know about WAN/LAN but only see traffic with a proper notion of what's inside and outside (defined as HOMENET).

If you can spare some time, it's a good idea to read a bit about the rules of the engine (https://suricata.readthedocs.io/en/suricata-4.1.4/rules/intro.html); the first portion of the rule often explains pretty well why "home" is so important (e.g. https://rules.emergingthreats.net/open/suricata-4.0/rules/emerging-exploit.rules).

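To make the HOME_NET point concrete (both the "add your WAN IP to Home networks" workaround earlier in the thread and Ad's explanation of why capturing post-NAT loses the home/external distinction), here is an added Python example; it is not OPNsense or Suricata code. It resolves the `$EXTERNAL_NET -> $HOME_NET` direction of a rule header against constructed addresses and shows that the reply to the eicar curl test matches on the LAN side but not on WAN until the WAN address is in HOME_NET. It assumes EXTERNAL_NET is `!$HOME_NET` (the usual default) and that the test rule is written in the server-reply direction; all addresses are constructed.

```python
import ipaddress
from typing import Iterable

# Hypothetical helpers (not OPNsense or Suricata code) that resolve the
# direction part of a rule header such as
#   alert http $EXTERNAL_NET any -> $HOME_NET any
# the way Suricata expands the variables. Assumption: EXTERNAL_NET = !$HOME_NET,
# the usual default, and the EICAR test rule is written in the reply direction.


def in_home_net(ip: str, home_net: Iterable[str]) -> bool:
    """True when ip lies inside any HOME_NET segment (CIDR or single address)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(seg, strict=False) for seg in home_net)


def inbound_rule_matches(src: str, dst: str, home_net: Iterable[str]) -> bool:
    """$EXTERNAL_NET any -> $HOME_NET any: source outside HOME_NET, destination inside."""
    return not in_home_net(src, home_net) and in_home_net(dst, home_net)


def outbound_rule_matches(src: str, dst: str, home_net: Iterable[str]) -> bool:
    """$HOME_NET any -> $EXTERNAL_NET any: source inside HOME_NET, destination outside."""
    return in_home_net(src, home_net) and not in_home_net(dst, home_net)


# Constructed addresses: the RFC 1918 ranges OPNsense pre-fills as "Home networks",
# a LAN client, the firewall's public WAN address and a server on the internet.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
LAN_HOST = "192.168.1.20"
WAN_IP = "203.0.113.7"
REMOTE = "198.51.100.9"


def eicar_reply_seen(capture_point: str, home_net: Iterable[str]) -> bool:
    """Would an EXTERNAL_NET -> HOME_NET rule fire on the server's reply to
    curl http://pkg.opnsense.org/test/eicar.com.txt at this capture point?"""
    if capture_point == "lan":   # pre-NAT: reply is addressed to the LAN client
        return inbound_rule_matches(REMOTE, LAN_HOST, home_net)
    if capture_point == "wan":   # post-NAT: reply is addressed to the WAN IP
        return inbound_rule_matches(REMOTE, WAN_IP, home_net)
    raise ValueError(f"unknown capture point: {capture_point}")


if __name__ == "__main__":
    print("LAN, default HOME_NET:", eicar_reply_seen("lan", RFC1918))                    # True
    print("WAN, default HOME_NET:", eicar_reply_seen("wan", RFC1918))                    # False
    print("WAN, WAN IP added to HOME_NET:", eicar_reply_seen("wan", RFC1918 + [WAN_IP]))  # True
```

The third case is the workaround from earlier in the thread; it only holds as long as the listed WAN address is still the one NAT rewrites to, which is why a changing WAN IP silently breaks it again.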
Thank you :)

Reading as we speak...

you're welcome, reading our docs again, we probably should state more firmly why you shouldn't use a wan type interface if you're depending on nat.