IPS not working

Started by Trelleboy, March 29, 2020, 01:45:32 AM

I also run IPS on the WAN interface (I put my LAN IP into HOME_NET; WAN is dynamic, unfortunately) because it's not possible to run it on the same interface as Sensei. It worked fine, but I have noticed a strange behaviour since version 20.1.3 (or whatever change happened in the meantime).

Before, eicar was detected on eicar.org (http) by the IPS; now it's not. Not even by ClamAV, although I have a transparent http proxy.

Then I figured out that there is a strange http redirect behaviour: the "http" version redirects to https. But unfortunately, it is also not able to detect eicar when I copy and paste the eicar.org http link directly (Chrome/Firefox/Safari).
I did not investigate further because the tests on rexswain.com (eicar blocked by IPS) and wicar.org (eicar blocked by ClamAV) worked. I also put the SHA1 of a known page cert into a custom IPS rule and noted that I get an alert. So I assume it's working.

The http link below also does not work for me in Chrome/Safari, as it (sometimes) redirects to HTTPS and Suricata won't block it. But it works in Firefox. Just keep that in mind when you "rely" on such test links. And: it takes time until it's up and really screening/blocking traffic after a restart, even if it's marked "running" in your service monitor. I don't know how many minutes.


Quote from: AdSchellevis on March 30, 2020, 04:35:23 PM
The easiest test, that always works when properly set up, is the eicar test over http.

curl http://pkg.opnsense.org/test/eicar.com.txt
A small question.

Wouldn't it be nice to see alerts on WAN, since it's IPS as well?

Who is trying to enter your house and with what?

I mean, it's better to be safe than sorry, and a lot easier to keep them out than trying to get rid of them when they are already inside and passing traffic on LAN.

I know the ports are blocked anyway, but LAN doesn't tell me what they are trying to accomplish before it happens...



Quote from: Supermule on April 01, 2020, 12:58:33 PM
A small question.

Wouldn't it be nice to see alerts on WAN, since it's IPS as well?

Who is trying to enter your house and with what?

I mean, it's better to be safe than sorry, and a lot easier to keep them out than trying to get rid of them when they are already inside and passing traffic on LAN.

I know the ports are blocked anyway, but LAN doesn't tell me what they are trying to accomplish before it happens...

I see alerts from the WAN side of things. I also run Sensei, so I have to use the WAN interface and, for ports that I have forwarded, I'm seeing alerts.

I don't see anything on WAN at all...

It's a very different world and GUI from pfSense, and I have to get used to that....

I am missing the granular control of things/alerts (small icons next to the alerts).

Quote from: packetmangler on April 01, 2020, 03:51:44 PM
Quote from: Supermule on April 01, 2020, 12:58:33 PM
A small question.

Wouldn't it be nice to see alerts on WAN, since it's IPS as well?

Who is trying to enter your house and with what?

I mean, it's better to be safe than sorry, and a lot easier to keep them out than trying to get rid of them when they are already inside and passing traffic on LAN.

I know the ports are blocked anyway, but LAN doesn't tell me what they are trying to accomplish before it happens...

I see alerts from the WAN side of things. I also run Sensei, so I have to use the WAN interface and, for ports that I have forwarded, I'm seeing alerts.

Quote from: chemlud on March 30, 2020, 04:10:53 PM
Here running Suricata on OPNsense on WAN and all LAN interfaces. No alerts on WAN, however, as seen frequently (tons, tbh) with Snort on WAN...

So you are running Snort and Suricata?

Quote from: AdSchellevis on March 30, 2020, 05:20:53 PM
You're welcome. Reading our docs again, we probably should state more firmly why you shouldn't use a WAN type interface if you're depending on NAT.

I have been reading and I'm very confused... because everything is running, but the TEST is not getting an alert....

I'd really like some help to set this up in the right way...

Well, now it's triggering the eicar test - BAM :-)

I have a bridge interface. The LAN option was making the system crash after 5 min, but choosing the interfaces one by one it's working: OPT1, OPT2, OPT3. But it's still the WAN that is blocking. Should I be happy now, because it should be the OPT that's blocked? Does it make "open" sense?  ::)

2020-04-08T14:03:30.166112+0200   7999999   blocked   WAN   212.32.245.132   80   XXXXXXXX   43325   OPNsense test eicar virus   
2020-04-08T14:03:30.166112+0200   7999999   blocked   WAN   212.32.245.132   80   XXXXXXXX   43325   OPNsense test eicar virus   
2020-04-08T13:47:05.100852+0200   2011716   blocked   WAN   45.143.220.214   36636   XXXXXXXX   5060   ET SCAN Sipvicious User-Agent Detected (friendly-scanner)   
2020-04-08T13:47:05.100852+0200   2011716   blocked   WAN   45.143.220.214   36636   XXXXXXXX   5060   ET SCAN Sipvicious User-Age
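As an added example (not code from anyone in this thread), a small parser for alert rows exported in the format pasted above, so you can check which interface the "OPNsense test eicar virus" rule (sid 7999999 in the export) actually fired on. The sample rows are constructed from the ones posted, with the destination address left masked as XXXXXXXX as in the post.

```python
from collections import Counter
from dataclasses import dataclass

# Sample rows constructed from the alert export pasted in the thread; the
# destination address stays masked as XXXXXXXX, exactly as posted.
SAMPLE_ALERTS = """\
2020-04-08T14:03:30.166112+0200   7999999   blocked   WAN   212.32.245.132   80   XXXXXXXX   43325   OPNsense test eicar virus
2020-04-08T13:47:05.100852+0200   2011716   blocked   WAN   45.143.220.214   36636   XXXXXXXX   5060   ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
"""

# Rule id of the OPNsense eicar test rule, as it appears in the export above.
EICAR_TEST_SID = 7999999


@dataclass
class Alert:
    timestamp: str
    sid: int
    action: str
    interface: str
    src: str
    sport: int
    dst: str
    dport: int
    msg: str


def parse_alert_row(row: str) -> Alert:
    """Parse one exported row: eight whitespace-separated fields followed by
    the rule message, which may itself contain spaces (hence maxsplit=8)."""
    fields = row.split(maxsplit=8)
    if len(fields) < 9:
        raise ValueError(f"malformed alert row: {row!r}")
    ts, sid, action, iface, src, sport, dst, dport, msg = fields
    return Alert(ts, int(sid), action, iface, src, int(sport), dst, int(dport), msg.strip())


def parse_alerts(text: str) -> list[Alert]:
    """Parse every non-empty row of a pasted alert export."""
    return [parse_alert_row(line) for line in text.splitlines() if line.strip()]


def eicar_interfaces(alerts: list[Alert]) -> dict[str, int]:
    """Interfaces on which the eicar test rule fired with action 'blocked'.
    An empty result means the test traffic was never matched anywhere."""
    return dict(Counter(a.interface for a in alerts
                        if a.sid == EICAR_TEST_SID and a.action == "blocked"))
```

Paste the rows copied from the Alerts tab into SAMPLE_ALERTS (or read them from a file) after running the curl test; the interface names in the result tell you where the rule matched.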

Quote from: Trelleboy on April 08, 2020, 01:48:24 PM
Quote from: chemlud on March 30, 2020, 04:10:53 PM
Here running Suricata on OPNsense on WAN and all LAN interfaces. No alerts on WAN, however, as seen frequently (tons, tbh) with Snort on WAN...

So you are running Snort and Suricata?

The Snort is on a box with PPPoE on WAN, therefore it is still the other "sense"...
Kind regards,
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....