Suricata not doing anything on VMXNET3 interfaces

Started by klontje, July 31, 2020, 01:45:33 AM

Hello, I am running OPNsense 20.1.9 on VMware ESXi 6.7. All my interfaces are VMXNET3 interfaces, with which I can very happily achieve perfect gigabit network speeds.

I wanted to give IDS a shot, and enabled Suricata according to the guidance:

  • disabled offloading (and rebooted)
  • enabled IDS/Suricata
  • selected my WAN and LAN interface
  • selected a bunch of rules for downloading
  • enabled the rules (including OPNsense test rule for Eicar)
  • checked the log file which to me looks all good (see below)

Unfortunately I am still able to download the eicar virus, and there are no alerts logged or packets dropped (eicar test rule is set to drop). I tried with all different pattern matchers, I tried promiscuous mode, I tried with IPS mode on and off, but nothing helps. It just won't match any rules, as if it is not looking at any traffic.

After reading a bit about this, I am thinking it might be the VMXNET3 interfaces, but I would like to hear your experiences with these and see if I missed anything. Below is my logfile.


2020-07-31T01:26:25 suricata: [100182] <Notice> -- Stats for 'vmx0+':  pkts: 32259, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Stats for 'vmx0':  pkts: 143337, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Stats for 'vmx1+':  pkts: 195350, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Stats for 'vmx1':  pkts: 97232, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Signal Received.  Stopping engine.
2020-07-31T01:24:07 suricata: [100182] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2023741 and 2 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 2 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2022303 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.RTF' is checked but not set. Checked in 2020700 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2011544 and 3 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2013036 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 6 other sigs
2020-07-31T01:23:53 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
2020-07-31T01:23:53 suricata: [100243] <Notice> -- This is Suricata version 4.1.8 RELEASE



Can you download the eicar test file via CLI like fetch or wget?
Newer browsers force https even when you enter http without the "s". Suricata will not detect the encrypted stream.

Did you permit promiscuous mode in VMware for your interfaces?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
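
Pulling together the three points raised so far (the offloading step in the opening post, the suggestion to fetch the test file over plain HTTP from the CLI, and the question about promiscuous mode), here is an added example that is not from this thread and not from OPNsense or Suricata. It is a POSIX shell pre-flight script: two functions parse FreeBSD ifconfig output for one interface and report which hardware offload flags are still set and whether the guest-side PROMISC flag is on, and a curl wrapper refuses anything but a plain http:// URL and will not follow a redirect to HTTPS, so an upgraded connection fails instead of silently bypassing the sensor. The list of offload flag names, the sample ifconfig output and the example URL are my assumptions; on the firewall you pipe the real output of ifconfig vmx0 into the functions.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense/Suricata: pre-flight checks for
# Suricata on FreeBSD/OPNsense vmx interfaces. Assumes FreeBSD ifconfig output format
# and a curl binary; the flag names and sample output below are my own choices.

# FreeBSD capability names that must be gone from the "options=" line once hardware
# offloading (checksum, TSO, LRO) is disabled under Interfaces > Settings.
OFFLOAD_FLAGS="RXCSUM TXCSUM TSO4 TSO6 LRO VLAN_HWTSO RXCSUM_IPV6 TXCSUM_IPV6"

# Read one interface's ifconfig output on stdin; print the offload flags still set.
# Exit 0 when none remain, 1 when any do.
offload_flags_left() {
    opts=$(sed -n 's/.*options=[0-9a-fx]*<\([^>]*\)>.*/\1/p' | tr ',' ' ')
    left=""
    for f in $OFFLOAD_FLAGS; do
        for o in $opts; do
            if [ "$o" = "$f" ]; then left="$left $f"; fi
        done
    done
    left=${left# }
    if [ -n "$left" ]; then
        printf '%s\n' "$left"
        return 1
    fi
    return 0
}

# Read one interface's ifconfig output on stdin; exit 0 if the guest-side PROMISC flag
# is set. This only shows that the interface asked for it: whether ESXi delivers foreign
# frames is decided by the port group's Security > Promiscuous mode policy in vSphere.
is_promisc() {
    sed -n '1s/.*flags=[0-9a-fx]*<\([^>]*\)>.*/\1/p' | tr ',' '\n' | grep -qx PROMISC
}

# Fetch a test file over plaintext HTTP only. curl is pinned to http:// and told not
# to follow redirects, so an upgrade to HTTPS fails loudly instead of quietly hiding
# the transfer from Suricata. Exit 2 for a URL that is not http://, else curl's status.
fetch_cleartext() {
    case "$1" in
        http://*) ;;
        *) echo "refusing $1: not a plain http:// URL, Suricata could not inspect it" >&2
           return 2 ;;
    esac
    curl -sS --proto '=http' --max-redirs 0 -o /dev/null -w '%{http_code}\n' "$1"
}

# Constructed sample output (not captured from the poster's firewall): vmx0 with
# offloading still enabled, vmx1 with it disabled and in promiscuous mode.
SAMPLE_VMX0='vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:0c:29:aa:bb:cc
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'
SAMPLE_VMX1='vmx1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=400018<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
        ether 00:0c:29:aa:bb:dd
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255'

# Run the checks on the samples. On the firewall: ifconfig vmx0 | offload_flags_left
for sample in "$SAMPLE_VMX0" "$SAMPLE_VMX1"; do
    name=${sample%%:*}
    if left=$(printf '%s\n' "$sample" | offload_flags_left); then
        echo "$name: offloading disabled"
    else
        echo "$name: offload flags still set: $left"
    fi
    if printf '%s\n' "$sample" | is_promisc; then
        echo "$name: PROMISC set on guest side"
    else
        echo "$name: PROMISC not set"
    fi
done
```

Run the offload check on the firewall after applying the Interfaces > Settings changes and the reboot; a non-empty list means the setting did not take effect on that interface, and Suricata will then be fed reassembled or checksum-less frames it cannot match properly. Nothing in ifconfig shows the ESXi side: if the guest reports PROMISC but still sees no foreign frames, the place to look is the vSwitch or port group security policy in vSphere. For the download test, fetch_cleartext with an http:// URL gives you a transfer Suricata can actually inspect; if the server answers with a redirect to HTTPS, curl stops at --max-redirs 0 and the exit status tells you the test never produced cleartext traffic.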

So in the end I decided to upgrade to OPNsense 20.7, which solved the problem of not detecting anything. It did introduce another issue, which is that as soon as I enable IPS mode OPNsense crashes (but alerting is fine with me).