[CALL FOR TESTING] Suricata 3.0

Started by aldocorleone, November 22, 2015, 08:26:18 PM

November 22, 2015, 08:26:18 PM Last Edit: January 09, 2016, 01:03:19 AM by franco
Good afternoon everyone,

First off, I like the opnsense feel and while it still has a common feel to pfsense, I like the tweaks that have been done to it.

I have a couple of questions about it, though.

I mistakenly thought that the Suricata implementation provides intrusion prevention (IPS) services, but it does not. I saw a couple of forum hits indicating that there is some work going on on this. I'm just wondering if there is a rough idea of when this will be made available?

Also, in PFSENSE, there is pfblockerng, is this something that could be ported over to opnsense?

Thank you all.

Hi,

We're currently working on a full inline IPS option using suricata and netmap, most of the code is already in GitHub and the 16.1 release will contain the final product.
If you want to test the development version, I can add some notes later today on how to install this (a dev package will be available later this week).

As for pfblockerng, pfSense packages are not compatible with OPNsense and we don't want to include any (new) code from pfSense into our codebase for both licensing issues and lack of code quality.
Is there any particular feature you're missing at the moment? You can add URLs in the alias feature as well; maybe extending that a bit would solve the missing part as well.

Regards,

Ad

November 23, 2015, 06:09:50 PM #2 Last Edit: November 25, 2015, 06:21:44 PM by franco
Hi,

We have been working on the Suricata integration further today and I wanted to give you a sneak preview for what is coming in 16.1 and will be available as beta in the next release (15.7.20).

Enabling this new feature will be very easy, just mark the IPS option in "Intrusion Detection":

(Enabling IPS automatically switches the system to use high performance netmap)

The new overview shows the behaviour per rule, enabled/disabled and alert or drop:

Finally you can choose to change the defaults:
I tested it on one of our midrange machines today and have seen throughput of up to 500Mbps using a standard MTU size of 1500 bytes.

** How to install (as of 15.7.20-devel, or using github) **

** SEE BELOW **

Regards,

Ad
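As an added example (not code from this thread or from OPNsense), the per-rule model Ad describes above, enabled/disabled plus alert or drop with a changeable default, can be expressed directly on a Suricata rules file: every rule is first reset to a chosen default action, then per-sid overrides flip individual rules to alert or drop, or enable/disable them by commenting them out. The sample rules, the sids in them and the `apply_policy` helper are constructed for this illustration and are not the OPNsense implementation.

```python
import re

# Constructed sample rules for this example; the sids and messages are made up.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"EXAMPLE outbound SMTP"; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH probe"; sid:9000002; rev:2;)
drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE listed source"; sid:9000003; rev:1;)
# This comment is not a rule and is passed through unchanged.
"""

# A rule line: optional "#" (disabled), then the action keyword, then the rest of the rule.
RULE_RE = re.compile(r"^(?P<off>#\s*)?(?P<action>alert|drop|pass|reject)\s+(?P<rest>\S.*)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rule(line):
    """Return {sid, enabled, action, rest} for a rule line, or None for non-rule lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    sid = SID_RE.search(m["rest"])
    return {
        "sid": int(sid.group(1)) if sid else None,
        "enabled": m["off"] is None,
        "action": m["action"],
        "rest": m["rest"],
    }


def render_rule(rule):
    """Serialize a parsed rule back to a line; disabled rules are commented out."""
    prefix = "" if rule["enabled"] else "# "
    return f'{prefix}{rule["action"]} {rule["rest"]}'


def apply_policy(text, default_action="alert", overrides=None):
    """Rewrite every rule's action to default_action, then apply per-sid overrides.

    overrides maps sid -> {"enabled": bool, "action": str}; a missing key keeps the
    current value. Returns (new_text, summary), where summary counts the enabled
    rules per resulting action so the caller can see what IPS mode would drop.
    """
    overrides = overrides or {}
    out, summary = [], {}
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            out.append(line)  # comments and blank lines are passed through
            continue
        rule["action"] = default_action
        ov = overrides.get(rule["sid"], {})
        rule["enabled"] = ov.get("enabled", rule["enabled"])
        rule["action"] = ov.get("action", rule["action"])
        if rule["enabled"]:
            summary[rule["action"]] = summary.get(rule["action"], 0) + 1
        out.append(render_rule(rule))
    return "\n".join(out) + "\n", summary


if __name__ == "__main__":
    # Default everything to drop, keep one rule at alert, and turn the disabled rule on.
    new_text, summary = apply_policy(
        SAMPLE_RULES,
        default_action="drop",
        overrides={9000001: {"action": "alert"}, 9000002: {"enabled": True}},
    )
    print(new_text)
    print(summary)
```

Running the file prints the rewritten rule set and a summary of enabled rules per action; the summary is the number worth checking before switching a box to inline mode, since every rule counted under `drop` will block traffic rather than only log it.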

Thanks! I might give this a shot.  How's the stability so far? 

As for the pfblocker item: using those blacklists was handy, as it would cron-update the blacklists (spambots, malware, etc.).

It also does deduplication, which I find handy as well.  If this is something that could be added, or alternatives, that would be handy.

I think having Suricata in IPS mode would help alleviate these concerns a lot, as the default rules have dshield, and will help a lot on the security end of things.

Thank you for your help!

I spent a couple of days testing and so far it's looking great.

The url aliases also support updating (Update Freq. (days)), but probably no de-duplication (not sure though).

Note that the instructions will change once 15.7.20 is out tomorrow. We also talked to the suricata devs briefly and they have a 2.1 release candidate coming out hopefully this week, but we'll test with beta4 for now, it's looking good so far. 2.1 is scheduled for December, so it'll be the default for OPNsense 16.1. :)

November 25, 2015, 06:20:12 PM #6 Last Edit: December 22, 2015, 08:20:42 AM by franco
Okay, here are the final instructions for testing Suricata IPS on 15.7.20:

# pkg install -f opnsense-devel
# pkg add -f https://pkg.opnsense.org/snapshots/suricata-3.0.r3.txz

And then it's usable from the GUI. :)

A small blog post can be found here... https://opnsense.org/inline-intrusion-prevention/

Suricata 3.0 release is scheduled for December.

November 27, 2015, 03:39:27 AM #7 Last Edit: November 27, 2015, 03:46:09 AM by Solaris17
I attempted to run the update via GUI, after which I had issues logging in. Chrome gives me

This webpage has a redirect loop

ERR_TOO_MANY_REDIRECTS

IE gives me

CSRF check failed

Figuring it was a cache issue, I cleared it, but the issue remains. (Perhaps this is a cookie issue? I have Do Not Track requests enabled; does OPNsense respect this, and if so, does it require it, thus giving me the error?)

I can view and access the login page but actual redirection to the main panel after entering credentials produces the above errors.

I was more trying this build because I have encountered issues where Suricata would simply stop and would need to be manually restarted after a few days.

Bug in the dev version with non-root accounts. You can fix it via:

# cd /usr/local/etc/inc
# fetch https://raw.githubusercontent.com/opnsense/core/f9451641bcc2440722afa207dd153ee0db1edb1a/src/etc/inc/authgui.inc

Thanks this worked great!  ;D

November 29, 2015, 06:08:09 PM #10 Last Edit: December 22, 2015, 08:20:29 AM by franco
Ran

# pkg install -f opnsense-devel
# pkg add -f https://pkg.opnsense.org/snapshots/suricata-3.0.r3.txz
Disabled hardware checksum offloading (the only one I had enabled) and enabled IPS, and I dropped all internet traffic from inside my LAN. I did not enable any DROP rules and only have a small list of enabled rules in Suricata itself. The interfaces I monitor on are LAN/WAN.

Removing LAN from the monitored interfaces and rebooting did not solve the issue.


What happens when you disable IPS mode?

Quote from: franco on November 30, 2015, 07:52:20 AM
What happens when you disable IPS mode?

The network will come back online after a reboot of the router.

If you disable IPS and only apply, is your network resuming normal operation then or do you need a reboot?
If so, can you post the tail of /var/log/system.log (clog /var/log/system.log), maybe we can find a cause there...

I will get on this as soon as I don't have a network full of people. Probably this weekend.