Archive > 17.1 Legacy Series

Intrusion Detection, when enabled IPS not working

(1/7) > >>

Taomyn:
Hi,

I finally got my fresh install up and running at the weekend and got most of the important things working again, but I'm struggling with a few functions. One of them is the Intrusion Detection service.

When I first got things running I had enabled ID, IPS and Promiscuous mode and after choosing some rulesets, setting them to drop, downloading and enabling them, things still looked ok. However during a quick external test I noticed one of my externally accessible websites was not displaying properly and from experience with my previous firewall I first looked at ID. Under alerts I saw blocks related to my site so I immediately disabled ID and the site worked normally - I planned to come back to this later.

Now I have come back to this, I re-enabled ID in order to track down the issue but I'm no longer seeing any alerts logged and the website display correctly. I restarted the service and the firewall numerous times, and it's still not showing any alerts even after waiting nearly a day which doesn't seem right. So I disabled IPS but left ID enabled and tried again. This time I do see alerts, but only "allowed" for alerts labelled "SURICATA" and nothing else.

Any ideas what else to try? For information, my hardware is running in an Intel based mini-ITX PC, and my Internet connection is an Ethernet fibre connection that I connect to with PPPoE with VLAN. Other things like NAT port forwards and HAProxy all seem to be working pretty well.


*Update: amended subject to highlight that it's not working

Taomyn:
Maybe someone can tell me how to completely reset Intrusion Detection without doing a full reset of the everything?


I'd really like to get this up and running now.

Taomyn:
Is anyone able to help me here? No matter what I try to do the best I can get is a few alerts, but any attempt to enable blocking simply doesn't appear to be doing anything.

zash1958:
Absolutely the same here!

IPS activated      --> no one entry in the alert log, no visible action
IPS de-activated --> lots of entries, but all as allowed

Seems the Suricata or the whole opnsense has a grave bug somewhere

franco:
Some stacked PPPoE combinations seem to not work on Suricata. I don't have a reproducible setup so debugging is very very hard. I've asked upstream once, they haven't heard of the issue, but we're one of the most prominent users of Suricata on FreeBSD so that doesn't mean there's no problem. At this point, I don't know how to progress on this front. What can we do?

The other setup issue is using a bridged interface, which doesn't work for IPS because it requires real NIC driver to attach to.


Cheers,
Franco

Navigation

[0] Message Index

[#] Next page

Go to full version