NOT Work for IPv6

[abysscong]

Hi all! First of all, I am very grateful to the opnsense software and the community, which brought me a lot of convenience in my work.

Recently I met a problem, having searched for days I haven't found the solution.

In 'Services: Intrusion Detection', Suricata rules work well for IPv4 traffic, e.g.

Code: [Select]

alert tls any any -> any any (msg:"test google"; tls_sni; content:"google.com"; nocase; priority:1; sid:51000000; rev:1;)It will drop google.com traffic (IPS mode).

But when it turns to IPv6 network, it doesn't work. (No drop, No log)

Code: [Select]

curl -6 -i https://google.com
HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
...
I also created a 'user defined' rule to test, such as blocking Destination IP '2001:4860:4860::8888', it works and logged the record, which shows IPv6 traffic has gone through the Intrusion Detection.

Any hint? Thanks very much!

[abysscong]

It's opnsense 20.7.3 and suricata 5.0.3.
It's weird that I cannot find any info in neither opnsense web or suricata web and doc, perhaps it may be my own fault? So I come here for help

[mimugmail]

Are you sure the rule is correct?
Can you do a packet capture if curl is really calling this SNI?

[abysscong]

Are you sure the rule is correct?
Can you do a packet capture if curl is really calling this SNI?

Thank you for your reply!
Sure the rule works.

Code: [Select]

curl -4 -i https://google.com

Code: [Select]

blocked LAN_0 10.1.0.40 53838 216.58.209.238 443 test google
Also curl -6 support SNI (reading package is a bit hard in my virtual env, so I use and another way to verify)

Code: [Select]

root@qwe:~# curl -k -I -6 --resolve google.com:443:[2404:6800:4005:810::200e] https://google.com/
HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
date: Wed, 30 Sep 2020 13:00:20 GMT
expires: Fri, 30 Oct 2020 13:00:20 GMT
cache-control: public, max-age=2592000
server: gws
content-length: 220
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3-Q050=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

root@qwe:~# curl -k -I -6 --resolve youtube.com:443:[2404:6800:4005:810::200e] https://youtube.com/
HTTP/2 301
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-length: 0
location: https://www.youtube.com/
date: Wed, 30 Sep 2020 13:00:31 GMT
content-type: text/html
server: YouTube Frontend Proxy
x-xss-protection: 0
alt-svc: h3-Q050=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"


[abysscong]

And it doesn't work for HTTP rule either.

Code: [Select]

alert http any any -> any any (msg:"HTTP google"; http.host; content:"google.com"; priority:1; sid:91000001; rev:1;)

Code: [Select]

root@qwe:~# curl -4 -i http://google.com
^C

Code: [Select]

blocked LAN_0 10.1.0.40 38848 216.58.209.238 80 HTTP google

Code: [Select]

root@qwe:~# curl -6 -i http://google.com
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Wed, 30 Sep 2020 13:16:54 GMT
Expires: Fri, 30 Oct 2020 13:16:54 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>



[abysscong]

Anyone solve this problem with me?

[seed]

I experience the same issues. My custom ipv6 suricata block rule does not work either.
What can i do to debug this? May this be some kind of configuration issue.

[mimugmail]

Maybe ask in Suricata Forums top?

[seed]

I found the solution (in my case).
My user rule was not fully loaded. After rebooting the router my user rule was loaded successfully and applied.
Problem solved for me.

[abysscong]

Thanks for your reply and feedback! @mimugmail @seed

I found the solution (in my case).
My user rule was not fully loaded. After rebooting the router my user rule was loaded successfully and applied.
Problem solved for me.

But in my case as you can see, the IPv4 traffic has been successfully blocked, which means the rule was loaded.
In your case I guess your rules are IPv6 address audit? Pure IPv6 address rules works for me too as I've declared before.

[abysscong]

Maybe ask in Suricata Forums top?

Thanks! I have had another thread here but perhaps no progress.
https://forum.opnsense.org/index.php?topic=19358.0