Intrusion Detection, when enabled IPS not working

[Taomyn]

Hi,

I finally got my fresh install up and running at the weekend and got most of the important things working again, but I'm struggling with a few functions. One of them is the Intrusion Detection service.

When I first got things running I had enabled ID, IPS and Promiscuous mode and after choosing some rulesets, setting them to drop, downloading and enabling them, things still looked ok. However during a quick external test I noticed one of my externally accessible websites was not displaying properly and from experience with my previous firewall I first looked at ID. Under alerts I saw blocks related to my site so I immediately disabled ID and the site worked normally - I planned to come back to this later.

Now I have come back to this, I re-enabled ID in order to track down the issue but I'm no longer seeing any alerts logged and the website display correctly. I restarted the service and the firewall numerous times, and it's still not showing any alerts even after waiting nearly a day which doesn't seem right. So I disabled IPS but left ID enabled and tried again. This time I do see alerts, but only "allowed" for alerts labelled "SURICATA" and nothing else.

Any ideas what else to try? For information, my hardware is running in an Intel based mini-ITX PC, and my Internet connection is an Ethernet fibre connection that I connect to with PPPoE with VLAN. Other things like NAT port forwards and HAProxy all seem to be working pretty well.


*Update: amended subject to highlight that it's not working

[Taomyn]

Maybe someone can tell me how to completely reset Intrusion Detection without doing a full reset of the everything?


I'd really like to get this up and running now.

[Taomyn]

Is anyone able to help me here? No matter what I try to do the best I can get is a few alerts, but any attempt to enable blocking simply doesn't appear to be doing anything.

[zash1958]

Absolutely the same here!

IPS activated      --> no one entry in the alert log, no visible action
IPS de-activated --> lots of entries, but all as allowed

Seems the Suricata or the whole opnsense has a grave bug somewhere

[franco]

Some stacked PPPoE combinations seem to not work on Suricata. I don't have a reproducible setup so debugging is very very hard. I've asked upstream once, they haven't heard of the issue, but we're one of the most prominent users of Suricata on FreeBSD so that doesn't mean there's no problem. At this point, I don't know how to progress on this front. What can we do?

The other setup issue is using a bridged interface, which doesn't work for IPS because it requires real NIC driver to attach to.


Cheers,
Franco

[Taomyn]

Hmmm, that's not good news. I'm really loathed to now go back to Sophos UTM where at least IPS was working but had other issues I was not happy with.

[franco]

The only thing it may take to fix this is a real user report here https://redmine.openinfosecfoundation.org/projects

I repeat that we are one of the most prominent users of Suricata IPS (not IDS) on FreeBSD so that if we as a community can't act on the problem it likely won't go away.

I don't have the setup so I am useless here other than encouraging others to step up.

[Taomyn]

I'll happily add my own comments to someone with better knowledge that can create the ticket describing the issue in a more technical manner than I can. I'm not a firewall expert, just an enthusiast running one.

[franco]

We just need the following:

A few variables of the affected devices and an anonymised "ifconfig" dump (the stack in this case: physical interface, vlan?, pppoe) and the expected and observed behaviour:

Affected Versions: Suricata 3.1.1 on FreBSD 10.3

expected: IPS (netmap) captures packets and generates alerts
observed: IPS I(netmap) does not capture any packets

Notes: IDS (pcap mode) can capture packets ok

I have a bug tracker account there so I could open the ticket a long as I can delay the questions the devs there have to you?


Cheers,
Franco

[Space]

Hi,

The other setup issue is using a bridged interface, which doesn't work for IPS because it requires real NIC driver to attach to.

is IPS attaching to both interfaces (WAN/LAN) if enabled? Because I tried to setup OPNsense inside a VM (WAN: physical interface passed through into VM, LAN: bridged with host interface) and it did not work -- the VM crashed if I remember correctly. Is that caused by this?

Thanks,

   Space

[franco]

Hi Space,

In short: no.

Selecting LAN + WAN means physical devices, not bridging. As long as you don't use a device bridge in the OPNsense config that is fine. The host bridge feature of your VM is underneath the virtual hardware driver.

Make sure you use the Intel e1000 driver in a VM (virtio is shaky), and better yet use the os-intel-em plugin that will be available in 16.7.4 so that it's clear this can't be a driver issue of some sorts.

Suricata 3.1.2 will be out in 16.7.4 as well. If the crash reappears, can we get more info about it?


Cheers,
Franco

[Taomyn]

Now that I have updated to 16.7.5 etc and have a little more free time, I'm ready to grab the information you need - I just need step-by-step instructions on how to do it as I'm not that familiar with this kind of OS.

We just need the following:

A few variables of the affected devices and an anonymised "ifconfig" dump (the stack in this case: physical interface, vlan?, pppoe) and the expected and observed behaviour:

Affected Versions: Suricata 3.1.1 on FreBSD 10.3

expected: IPS (netmap) captures packets and generates alerts
observed: IPS I(netmap) does not capture any packets

Notes: IDS (pcap mode) can capture packets ok

I have a bug tracker account there so I could open the ticket a long as I can delay the questions the devs there have to you?


Cheers,
Franco

[franco]

Hi Taomyn,

You simply run this from SSH:

# ifconfig

Remove the public IP addresses (or send the dump to me via PM to anonymise it) and let us know how your WAN is set up (PPPoE - with or without VLAN, which physical interface, e.g. "em0").

16.7.5 is Suricata 3.1.2, it would be good to know the behaviour is reproducible there too. Just let us know you're running/not running this version.


Cheers,
Franco

[Taomyn]

I PM'd you the info

Hi Taomyn,

You simply run this from SSH:

# ifconfig

Remove the public IP addresses (or send the dump to me via PM to anonymise it) and let us know how your WAN is set up (PPPoE - with or without VLAN, which physical interface, e.g. "em0").

16.7.5 is Suricata 3.1.2, it would be good to know the behaviour is reproducible there too. Just let us know you're running/not running this version.


Cheers,
Franco

[Taomyn]

Franco, did you get my PM and log a ticket for it?