[CALL FOR TESTING] Suricata 3.0

Started by aldocorleone, November 22, 2015, 08:26:18 PM

Here ya go. It may be worth mentioning that I did some testing and came up with the following.

If WAN & LAN interfaces are selected and IPS mode is enabled, the network will die.

Disabling IPS and hitting APPLY will NOT bring the network back up. However, after disabling IPS, rebooting the machine will work.

If WAN is the only interface selected and IPS is enabled, the network will DIE.

However, disabling IPS and hitting APPLY WILL bring the network back up.


This is my readout of the log with both WAN & LAN interfaces selected:

AFTER ENABLE IPS

root@Chronos:~ # clog /var/log/system.log
nfigd.py: [bf8b749e-ffe7-4f38-8c0a-db6b39698474] Linkup stopping re1
Dec  5 10:20:17 Chronos kernel: re0: link state changed to DOWN
Dec  5 10:20:17 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
Dec  5 10:20:19 Chronos kernel: re1: link state changed to UP
Dec  5 10:20:20 Chronos kernel: re0: link state changed to UP
Dec  5 10:20:20 Chronos configd.py: [eaef7faf-4609-43fd-86a8-5093774a3f75] get suricata daemon status
Dec  5 10:20:21 Chronos opnsense: /usr/local/etc/rc.linkup: Clearing states to old gateway 100.3.220.1.
Dec  5 10:20:21 Chronos devd: Executing '/usr/local/opnsense/service/configd_ctl.py interface linkup stop re0'
Dec  5 10:20:21 Chronos configd.py: [bdf42287-a538-4aae-bf21-218168b9173a] Linkup stopping re0
Dec  5 10:20:21 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for lan
Dec  5 10:20:24 Chronos devd: Executing '/usr/local/opnsense/service/configd_ctl.py interface linkup start re1'
Dec  5 10:20:24 Chronos configd.py: [7bfb8f1a-175f-47cd-acf0-8ffa78d48735] Linkup starting re1
Dec  5 10:20:24 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for wan
Dec  5 10:20:24 Chronos opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
Dec  5 10:20:24 Chronos opnsense: /usr/local/etc/rc.newwanip: rc.newwanip: Informational is starting re1.
Dec  5 10:20:24 Chronos opnsense: /usr/local/etc/rc.newwanip: rc.newwanip: on (IP address: 100.3.220.149) (interface: WAN[wan]) (real interface: re1).
Dec  5 10:20:25 Chronos opnsense: /usr/local/etc/rc.newwanip: The command '/sbin/route delete -host 8.8.8.8' returned exit code '1', the output was 'route: writing to routing socket: No such process delete host 8.8.8.8 fib 0: not in table'
Dec  5 10:20:25 Chronos opnsense: /usr/local/etc/rc.newwanip: The command '/sbin/route delete -host 8.8.4.4' returned exit code '1', the output was 'route: writing to routing socket: No such process delete host 8.8.4.4 fib 0: not in table'
Dec  5 10:20:25 Chronos opnsense: /usr/local/etc/rc.newwanip: ROUTING: remove current default route to 100.3.220.1
Dec  5 10:20:25 Chronos opnsense: /usr/local/etc/rc.newwanip: ROUTING: setting default route to 100.3.220.1
Dec  5 10:20:27 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: updating cache file /conf/dyndns_wanfreedns'teamdotexe.org'0.cache: 100.3.220.149
Dec  5 10:20:27 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS (teamdotexe.org): (Success) No Change In IP Address
Dec  5 10:20:29 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: updating cache file /conf/dyndns_wanfreedns'www.teamdotexe.org'1.cache: 100.3.220.149
Dec  5 10:20:29 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS (www.teamdotexe.org): (Success) No Change In IP Address
Dec  5 10:20:30 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS (ts3.teamdotexe.org): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Dec  5 10:20:31 Chronos opnsense: /usr/local/etc/rc.newwanip: Creating rrd update script
Dec  5 10:20:33 Chronos opnsense: /usr/local/etc/rc.newwanip: Could not find IPv4 gateway for interface (lan).
Dec  5 10:20:33 Chronos opnsense: /usr/local/etc/rc.newwanip: Could not find IPv6 gateway for interface(lan).
Dec  5 10:20:33 Chronos opnsense: /usr/local/etc/rc.linkup: Accept router advertisements on interface re1
Dec  5 10:20:35 Chronos opnsense: /usr/local/etc/rc.linkup: ROUTING: remove current default route to 100.3.220.1
Dec  5 10:20:35 Chronos opnsense: /usr/local/etc/rc.linkup: ROUTING: setting default route to 100.3.220.1
Dec  5 10:20:39 Chronos configd.py: [de34460f-45dc-4b75-9f58-f732535b5fe2] updating dyndns wan
Dec  5 10:20:40 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS: updating cache file /conf/dyndns_wanfreedns'teamdotexe.org'0.cache: 100.3.220.149
Dec  5 10:20:40 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS (teamdotexe.org): (Success) No Change In IP Address
Dec  5 10:20:41 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS: updating cache file /conf/dyndns_wanfreedns'www.teamdotexe.org'1.cache: 100.3.220.149
Dec  5 10:20:41 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS (www.teamdotexe.org): (Success) No Change In IP Address
Dec  5 10:20:42 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS (ts3.teamdotexe.org): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Dec  5 10:20:43 Chronos devd: Executing '/usr/local/opnsense/service/configd_ctl.py interface linkup start re0'
Dec  5 10:20:43 Chronos configd.py: [e7d22f9c-ff29-4914-9077-93b74a42be07] Linkup starting re0
Dec  5 10:20:43 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for lan
Dec  5 10:20:43 Chronos opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface lan
Dec  5 10:20:43 Chronos opnsense: /usr/local/etc/rc.linkup: Accept router advertisements on interface re0
Dec  5 10:20:50 Chronos configd.py: [0a6f8996-927b-4006-b4e2-3bd42dd79fc2] updating dyndns lan


AFTER REBOOT (IPS ENABLED) Still no network


: re0: link state changed to DOWN
Dec  5 10:24:35 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
Dec  5 10:24:37 Chronos kernel: re1: link state changed to UP
Dec  5 10:24:38 Chronos kernel: re0: link state changed to UP
Dec  5 10:24:39 Chronos opnsense: /usr/local/etc/rc.linkup: Clearing states to old gateway 100.3.220.1.
Dec  5 10:24:39 Chronos devd: Executing '/usr/local/opnsense/service/configd_ctl.py interface linkup stop re0'
Dec  5 10:24:39 Chronos configd.py: [f47916a1-60ce-49fd-baaf-ea4d938f179b] Linkup stopping re0
Dec  5 10:24:39 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for lan
Dec  5 10:24:42 Chronos devd: Executing '/usr/local/opnsense/service/configd_ctl.py interface linkup start re1'
Dec  5 10:24:42 Chronos configd.py: [e1d12024-08f7-4cc8-9cd8-c6a031a98914] Linkup starting re1
Dec  5 10:24:42 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for wan
Dec  5 10:24:42 Chronos opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
Dec  5 10:24:42 Chronos opnsense: /usr/local/etc/rc.newwanip: rc.newwanip: Informational is starting re1.
Dec  5 10:24:42 Chronos opnsense: /usr/local/etc/rc.newwanip: rc.newwanip: on (IP address: 100.3.220.149) (interface: WAN[wan]) (real interface: re1).
Dec  5 10:24:42 Chronos opnsense: /usr/local/etc/rc.newwanip: The command '/sbin/route delete -host 8.8.8.8' returned exit code '1', the output was 'route: writing to routing socket: No such process delete host 8.8.8.8 fib 0: not in table'
Dec  5 10:24:42 Chronos opnsense: /usr/local/etc/rc.newwanip: The command '/sbin/route delete -host 8.8.4.4' returned exit code '1', the output was 'route: writing to routing socket: No such process delete host 8.8.4.4 fib 0: not in table'
Dec  5 10:24:42 Chronos opnsense: /usr/local/etc/rc.newwanip: ROUTING: remove current default route to 100.3.220.1
Dec  5 10:24:42 Chronos opnsense: /usr/local/etc/rc.newwanip: ROUTING: setting default route to 100.3.220.1
Dec  5 10:24:45 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: updating cache file /conf/dyndns_wanfreedns'teamdotexe.org'0.cache: 100.3.220.149
Dec  5 10:24:45 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS (teamdotexe.org): (Success) No Change In IP Address
Dec  5 10:24:45 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: updating cache file /conf/dyndns_wanfreedns'www.teamdotexe.org'1.cache: 100.3.220.149
Dec  5 10:24:45 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS (www.teamdotexe.org): (Success) No Change In IP Address
Dec  5 10:24:46 Chronos opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS (ts3.teamdotexe.org): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Dec  5 10:24:47 Chronos opnsense: /usr/local/etc/rc.newwanip: Creating rrd update script
Dec  5 10:24:49 Chronos opnsense: /usr/local/etc/rc.newwanip: Could not find IPv4 gateway for interface (lan).
Dec  5 10:24:49 Chronos opnsense: /usr/local/etc/rc.newwanip: Could not find IPv6 gateway for interface(lan).
Dec  5 10:24:50 Chronos opnsense: /usr/local/etc/rc.linkup: Accept router advertisements on interface re1
Dec  5 10:24:52 Chronos opnsense: /usr/local/etc/rc.linkup: ROUTING: remove current default route to 100.3.220.1
Dec  5 10:24:52 Chronos opnsense: /usr/local/etc/rc.linkup: ROUTING: setting default route to 100.3.220.1
Dec  5 10:24:56 Chronos configd.py: [33ed9463-5f3d-4417-8c3b-3f915f99f91d] updating dyndns wan
Dec  5 10:24:56 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS: updating cache file /conf/dyndns_wanfreedns'teamdotexe.org'0.cache: 100.3.220.149
Dec  5 10:24:56 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS (teamdotexe.org): (Success) No Change In IP Address
Dec  5 10:24:58 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS: updating cache file /conf/dyndns_wanfreedns'www.teamdotexe.org'1.cache: 100.3.220.149
Dec  5 10:24:58 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS (www.teamdotexe.org): (Success) No Change In IP Address
Dec  5 10:24:59 Chronos opnsense: /usr/local/etc/rc.dyndns.update: Dynamic DNS (ts3.teamdotexe.org): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Dec  5 10:25:00 Chronos devd: Executing '/usr/local/opnsense/service/configd_ctl.py interface linkup start re0'
Dec  5 10:25:00 Chronos configd.py: [51bb405a-3565-4042-83c9-c1b42b671a32] Linkup starting re0
Dec  5 10:25:00 Chronos opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for lan
Dec  5 10:25:00 Chronos opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface lan
Dec  5 10:25:00 Chronos opnsense: /usr/local/etc/rc.linkup: Accept router advertisements on interface re0
Dec  5 10:25:06 Chronos configd.py: [c9a4231e-bf66-40f7-b68b-4acbbd7c405b] updating dyndns lan
Dec  5 10:25:10 Chronos sshd[56193]: Accepted keyboard-interactive/pam for root from 10.0.128.106 port 55662 ssh2
Dec  5 10:25:10 Chronos sshlockout[71074]: sshlockout/webConfigurator v3.0 starting up


It might be driver/netmap related, but I don't have a similar situation over here using the same hardware to test.
On my end (with intel cards) it works, also with both interfaces selected.

Maybe your issue is solved with FreeBSD 10.2, which will be available some time later, but is already available for testing:
# opnsense -kr 10.2

Last tip: it's better not to include both LAN and WAN in your IPS setup. It should work, but it's probably not very necessary.

December 10, 2015, 08:49:53 AM #17 Last Edit: December 22, 2015, 08:19:49 AM by franco
Small heads-up: the Suricata 3.0RC3 package is available and must be installed for 15.7.22 development or higher to work correctly:

(AMD64 ONLY)

# pkg install -f opnsense-devel
# pkg add -f https://pkg.opnsense.org/snapshots/suricata-3.0.r3.txz


One of the Suricata devs has said that RC3 is the last one before the release. Either way, we are shipping RC3 or the 3.0 release with 16.1.

https://twitter.com/inliniac/status/684424708448759810

Ladies and Gentlemen, get ready.


It would be great if we could tune suricata.yaml from the GUI.

For example, the logs are spammed with "SURICATA IPv4 invalid checksum" alerts, so we need to turn that check off in the config.

Hi interfaSys,

You should be able to disable the alerts in the alert tab: just search for the rule and click the disable button on the right. Or isn't that what you're looking for?
The Suricata package installs some rules by default (like decoder-events.rules); maybe we should include these in the settings as well so you can disable them completely.

Regards,

Ad


Actually, I'm looking for something different. If I turn off the source, I will disable all the rules it contains, if I'm not mistaken.

The Suricata FAQ mentions a "stream.checksum_validation" setting which should be set to no.

I'm thinking there may be other interesting "tunables" in suricata.yaml.

Actually, re-reading that FAQ, it seems it's for something unrelated... I do also have
tcp.invalid_checksum      | Total                     | 315

in my logs though, but that might not be that important and disabling the rule is probably the right thing to do.

Something new. At one point I wanted to turn off IPS and it became impossible to connect to the WAN. Rebooting or halting the system didn't work either.
When physically turning it off, I got more info: the Suricata process was stuck. There were lots of pwaits for it, but Suricata just wouldn't die.

As it stands, the IPS functionality seems pretty limited if you have more than a simple WAN/LAN setup.

I have
* WAN(phys) + VPN
* LAN(phys) + VLAN1 + VLAN2, etc.

The only interfaces on which the IPS can be activated are WAN and LAN, but there is almost no traffic going through these interfaces.
VPN being a virtual interface means it cannot be used.
As for LAN, I tried to use it, hoping it would filter all VLANs, but it just breaks the VLANs. They can't connect to their gateways any more.

OK, so after a reboot, the LAN interface is filtering all VLANs and devices can connect to their gateways. It's just annoying that it takes a reboot every time.
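
As an added example (not code from this thread, OPNsense or Suricata), here is the check I would run before touching the rule source that interfaSys is worried about above: rank the alerts in eve.json by signature, pick out the checksum decoder events that dominate, and emit threshold.config `suppress` entries for only those SIDs, which quiets the spam while leaving every other rule in decoder-events.rules (and the rest of the source) enabled. The eve.json lines below are constructed, and the signature IDs in them are illustrative placeholders; take the real ones from the decoder-events.rules file on the box.

```python
"""Rank Suricata alerts in eve.json by signature and emit threshold.config
'suppress' entries for the noisy checksum decoder events only.

Added example for this thread; not code from OPNsense or Suricata.
Assumptions (not from the thread): eve.json alert records carry
alert.gid / alert.signature_id / alert.signature (Suricata's EVE format),
and the SIDs in the sample below are illustrative placeholders.
"""
import json
import sys
from collections import Counter

# Constructed eve.json sample (one JSON object per line); not a real capture.
# The torn last line mimics Suricata still appending to the file while we read.
SAMPLE_EVE = """\
{"timestamp":"2015-12-05T10:20:30.000000+0000","event_type":"alert","src_ip":"10.0.128.106","dest_ip":"100.3.220.149","alert":{"gid":1,"signature_id":2200073,"rev":2,"signature":"SURICATA IPv4 invalid checksum","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2015-12-05T10:20:30.100000+0000","event_type":"alert","src_ip":"10.0.128.106","dest_ip":"100.3.220.149","alert":{"gid":1,"signature_id":2200074,"rev":2,"signature":"SURICATA TCP invalid checksum","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2015-12-05T10:20:31.000000+0000","event_type":"flow","src_ip":"10.0.128.106","dest_ip":"100.3.220.149"}
{"timestamp":"2015-12-05T10:20:31.200000+0000","event_type":"alert","src_ip":"10.0.128.106","dest_ip":"100.3.220.149","alert":{"gid":1,"signature_id":2200073,"rev":2,"signature":"SURICATA IPv4 invalid checksum","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2015-12-05T10:20:32.000000+0000","event_type":"alert","src_ip":"100.3.220.1","dest_ip":"100.3.220.149","alert":{"gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2015-12-05T10:20:32.500000+0000","event_type":"alert","src_ip":"10.0.128.106","dest_ip":"100.3.220.149","alert":{"gid":1,"signature_id":2200073,"rev":2,"signature":"SURICATA IPv4 invalid checksum","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2015-12-05T10:20:33.000000+0000","event_type":"alert","src_ip":"10.0.128.1
"""


def count_alerts(eve_text: str) -> Counter:
    """Map (gid, sid, signature) -> number of alert records in eve_text.

    Non-alert event types (flow, dns, ...) are skipped, and a torn line
    (eve.json being appended to while we read it) is ignored instead of
    aborting the whole run.
    """
    counts: Counter = Counter()
    for raw in eve_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        alert = rec["alert"]
        counts[(alert["gid"], alert["signature_id"], alert["signature"])] += 1
    return counts


def checksum_noise(counts: Counter, min_hits: int = 2) -> list:
    """Return [(gid, sid, signature, hits)] for checksum decoder events that
    fired at least min_hits times, loudest first."""
    return [
        (gid, sid, sig, hits)
        for (gid, sid, sig), hits in counts.most_common()
        if "invalid checksum" in sig.lower() and hits >= min_hits
    ]


def suppress_config(noisy) -> str:
    """Render threshold.config lines of the form
    'suppress gen_id <gid>, sig_id <sid>' for the selected signatures only."""
    lines = []
    for gid, sid, sig, hits in noisy:
        lines.append(f"# {sig}: {hits} hits in the sample")
        lines.append(f"suppress gen_id {gid}, sig_id {sid}")
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    # Pass a path to a real eve.json to run this against your own box.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    counts = count_alerts(text)
    for (gid, sid, sig), hits in counts.most_common():
        print(f"{hits:5d}  {gid}:{sid}  {sig}")
    print()
    print(suppress_config(checksum_noise(counts)))
```

Append the generated lines to the threshold.config that Suricata loads and reload the rules; the `suppress` keyword silences a single SID without touching the rest of the file it came from. Before suppressing anything, it is worth asking where the bad checksums come from: on a firewall that sits inline with netmap, locally generated packets can reach Suricata before the NIC has filled in an offloaded checksum, so disabling hardware checksum offload on the monitored interfaces (or setting `checksum-checks` to `no` for the capture method in suricata.yaml) may make the alerts disappear for the right reason rather than merely hiding them; that is my reading of the decoder, not something the thread confirms.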

Suricata 3.0 has been released, which is great timing for 16.1. We'll include it. This CFT is over, thanks everyone.

http://suricata-ids.org/2016/01/27/suricata-3-0-available/