Intrusion Detection, when enabled IPS not working

[franco]

I got the PM. Did not create a ticket yet. Sorry for the delay.

[Taomyn]

I got the PM. Did not create a ticket yet. Sorry for the delay.

No problem, I was more concerned that you didn't receive the information from me and was still waiting.

[franco]

The ticket was opened today: https://redmine.openinfosecfoundation.org/issues/1925

[Taomyn]

   let me know if you/they require any more info from my setup.

[franco]

Will do. Right now, it's more of a technical discussion to locate the actual underlying issue.


Thanks,
Franco

[Taomyn]

Anything happening about this?

[franco]

Progress was slow: we exchanged a few emails and another user here provided trace files on top of the non-working config. We don't have an outlook just yet.

[Taomyn]

Any news?

[franco]

We did talk about it with Victor from Suricata and he said the PPPoE doesn't look different, but for some reason the traffic is not properly processed. We're missing some bit of intel (or a reproducible setup) without which we cannot continue to uncover the underlying issue.

[Taomyn]

We did talk about it with Victor from Suricata and he said the PPPoE doesn't look different, but for some reason the traffic is not properly processed. We're missing some bit of intel (or a reproducible setup) without which we cannot continue to uncover the underlying issue.

So what can I provide you from my setup to hopefully give you what is missing? I'll happily install/config things to get more diagnostics if that would help.

[Taomyn]

Now that v17 has been out a while, any chance of re-visiting this issue?


Also, can this thread be moved to the v17 sub-forum seeing as it applies to it as well?

[franco]

Moved as requested. A netmap bug with Suricata / FreeBSD 12-CURRENT and another IPsec have priority at the moment.

[elektroinside]

Hi guys,

Same issue here, no IDS/IPS on PPPoE.
Is there something I can help with?

I'm on base/kernel 18.1.b, everything up to date.
OPNsense 17.7.11-amd64
FreeBSD 11.1-RELEASE-p2
LibreSSL 2.5.5

Just switched from pfsense a few days ago. Everything looks so much nicer here, the code, the quality, the community, the support. I'm happy I switched. Thank you for all your hard work!

[franco]

Hi there,

This issue is still beyond our reach. Suricata now considers Netmap and FreeBSD a first level support tier, although that won't help us if the FreeBSD kernel side is not up to the task, which is the case here.

For the most part it's recommended to run Suricata on the internal networks, not the PPPoE WAN interfaces where this issue does not apply as well. It may require tweaking the HOME_NET setting under the advanced options.


Cheers,
Franco

[elektroinside]

Indeed. Well, things are looking good anyway on the LAN side, for now, without any tweakings as per this setup. Hopefully, the kernel will be updated soon or workarounds implemented for this to work properly.

Thanks Franco!