IDS questions
Redyr:
--- Quote from: dcol on October 14, 2016, 10:38:51 pm ---Thanks, I submitted a feature request on GitHub for custom rules.
--- End quote ---
Hello @dcol,
Sorry to write you here, but on that other forum I can't write anymore. I read @jwt's response that ultimately Suricata is not a concern for pfSense. Did you try Suricata on OPNsense, is it working, I mean the inline mode? Also I did not understand what Franco said about importing the rules. Can we import rules from pfSense easily if I switch to OPNsense?
Thanks
franco:
Hi Redyr,
In practice Suricata inline mode works well in most combinations. After all, Suricata 3.0 with netmap(4) mode was released around January this year. We trust them to do good work. :)
We've found at least two things that don't work as expected, but they apply to FreeBSD as a whole and can be partially worked around. Any other solution based on FreeBSD will run into these issues as well if we cannot address them upstream:
1. em(4) driver has corner cases where netmap(4) mode is unstable. Can be worked around with the intel-em-kmod package or our os-intel-em plugin in OPNsense itself:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212828
2. PPPoE with netmap(4) either partially works or doesn't work at all. Traffic gets passed, but is not visible to Suricata. We're currently tracking this via:
https://redmine.openinfosecfoundation.org/issues/1925
As far as ET-Open rulesets and others go, they are selectable from the GUI. For custom rulesets, files cannot be imported via the GUI, they have to be added via SSH into the respective directory in order to be activated by the service.
Hope that helps.
Cheers,
Franco
Redyr:
Wow, that's the best explanation I've had in years. I have this for my hardware: http://global.shuttle.com/main/productsSpec?productId=2007
I have that other project installed on it, and both NICs are Intel, but there are 2 different drivers, one is igb(4) and the other is em(4). If I switch inline mode to the igb(4) NIC all is well, but if I try to switch to inline mode for em(4), after a few seconds the internet connection dies, and I cannot access my box anymore. Note that this happens on pfSense, and the only way to recover is to restore a backup restore point.
Actually I'm interested in whether Suricata 3.1.2 is working in inline mode, not 3.0, and tell me more about the intel-em-kmod package or OPNsense os-intel-em, or be so kind and point me to the right thread if this was discussed before, I don't want to waste your time. Thanks
P.S. Actually I saw this thread https://forum.opnsense.org/index.php?topic=3630 , so should I understand that because of some bugs in FreeBSD netmap it's not working, or can I use those workarounds you mentioned?
franco:
Hi Redyr,
Yes, that sounds like the em(4) issue. Can you dump the following console command for us:
# pciconf -lv em0
It shows the chipset and other information.
In FreeBSD 11.0, there is a patch to make netmap(4) a bit more stable on FreeBSD 11.0:
https://github.com/freebsd/freebsd/commit/7f641c57ed9
But in OPNsense we had to revert another change that came in during 10.2 -> 10.3, which made the mode unstable for a small amount of chipsets, unfortunately chipsets for embedded devices:
https://github.com/opnsense/src/commit/11586afbb7
Since this also applies to 11.0, we searched to replace the em(4) driver, and found that Intel offers a vanilla base driver for FreeBSD, which can be plugged into the system without the need to recompile the kernel. This is now the "intel-em-kmod" package in the FreeBSD ports. The "os-intel-em" plugin we have is just a wrapper around this so you don't have to do the manual configuration in /boot/loader.conf.
Using that driver should also help you get better results in pfSense, yes.
The basic question is why you would think 3.1.2 works any different, I mean yes, Suricata code changed, but the underlying FreeBSD framework did not, and that's where the issues I mentioned happen.
The original 16.7 upgrade issues thread mentioned this: https://forum.opnsense.org/index.php?topic=3430.0
Note that this happened when we switched from 16.1 to 16.7, which was FreeBSD 10.2 to 10.3 underneath.
Cheers,
Franco
Redyr:
I thought that fixing bug #1844 "netmap: IPS mode doesn't set 2nd iface in promisc mode" (from the Suricata 3.1.1 changelog) would fix the em(0) issue. Also, a lot of bugs were fixed. So something must work better.
Also I saw that you work with FreeBSD on the Suricata ports from here https://www.freshports.org/security/suricata/, and I thought that you did some code fix for BSD plus the new Suricata code. I thought it would be a winning pair, at least maybe it would work better in comparison with what pfSense has. This was my idea.
I didn't know who you were, but sometimes negative publicity is good in a way (I mean that Chris mentioned a "Franco" from OPNsense, then I knew in which direction to look). Then I opened the OPNsense page, looked at the changelogs, and I saw the progress on Suricata, meaning 3.1.2 was implemented.
In comparison to the project that I use, I see at least that here you and others are trying to solve Suricata issues, which is important to me. My question in short is: I'm interested in switching to OPNsense, can I enable Suricata inline mode on both of my NICs, and are the other issues fixed? I'm not asking you for an ETA, but I want to ask when I should switch in order to not have problems. Should I wait for the next OPNsense release in January? I mean I'm willing to wait, in order to not be disappointed like I am with pfSense.
As requested this is the dump from console (pfsense latest production version) :
[2.3.2-RELEASE][root@prod.test]/root: pciconf -lv em0
em0@pci0:0:31:6: class=0x020000 card=0x00008086 chip=0x15b78086 rev=0x31 hdr=0x00
vendor = 'Intel Corporation'
device = 'Ethernet Connection (2) I219-LM'
class = network
subclass = ethernet
Thanks
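Franco's diagnostic step (dump `pciconf -lv` for the NIC) and the workaround he describes (load the Intel base driver from the intel-em-kmod package via /boot/loader.conf instead of the in-kernel em(4)) lend themselves to a small triage script. The following is an added example, not code from the thread or from OPNsense: it parses `pciconf -lv` output, flags em(4) interfaces as the netmap-risk driver per Franco's explanation, and idempotently adds the driver knob to a loader.conf. The sample input is Redyr's posted em0 dump plus a constructed igb0 entry; the loader.conf variable name `if_em_updated_load` is my recollection of what the port's pkg-message instructs and is an assumption to check against your installed package.

```shell
#!/bin/sh
# Added example (not from the forum thread or from OPNsense/FreeBSD):
# triage pciconf -lv output for em(4) NICs and prepare the intel-em-kmod knob.

# Constructed sample: the em0 entry Redyr posted, plus a hypothetical igb0
# entry so the triage shows both drivers side by side.
sample_pciconf() {
    cat <<'EOF'
em0@pci0:0:31:6: class=0x020000 card=0x00008086 chip=0x15b78086 rev=0x31 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Connection (2) I219-LM'
    class      = network
    subclass   = ethernet
igb0@pci0:1:0:0: class=0x020000 card=0x00008086 chip=0x15338086 rev=0x03 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I210 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
EOF
}

# Reads pciconf -lv text on stdin; prints "ifname driver chipid device" per NIC.
nic_summary() {
    awk '
        /^[a-z]+[0-9]+@pci/ {
            split($1, a, "@"); ifname = a[1]        # "em0@pci0:0:31:6:" -> "em0"
            driver = ifname; sub(/[0-9]+$/, "", driver)   # "em0" -> "em"
            chip = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^chip=/) chip = substr($i, 6)
            next
        }
        /^ *device *= */ && ifname != "" {
            dev = $0
            sub(/^[^=]*= *'\''/, "", dev)      # drop "    device     = '"'"'"
            sub(/'\'' *$/, "", dev)             # drop trailing quote
            printf "%s %s %s %s\n", ifname, driver, chip, dev
            ifname = ""
        }
    '
}

# Per the thread: em(4) has netmap(4) corner cases on FreeBSD 10.3/11.0,
# igb(4) worked for Redyr. Anything else is reported as "ok" (unknown here).
netmap_risk() {
    case "$1" in
        em) echo "risk" ;;
        *)  echo "ok" ;;
    esac
}

# Idempotently add the loader knob for the intel-em-kmod driver to $1.
# ASSUMPTION: the port installs if_em_updated.ko and documents this knob in its
# pkg-message; verify the exact name with `pkg info -D intel-em-kmod`.
ensure_loader_knob() {
    f="$1"
    knob='if_em_updated_load="YES"'
    grep -q '^if_em_updated_load=' "$f" 2>/dev/null || printf '%s\n' "$knob" >> "$f"
}

# Reads pciconf -lv text on stdin, prints one verdict line per NIC.
triage() {
    nic_summary | while read -r ifname driver chip dev; do
        printf '%s (%s, chip %s, %s): netmap %s\n' \
            "$ifname" "$driver" "$chip" "$dev" "$(netmap_risk "$driver")"
    done
}

# Stand-alone use: "sh triage.sh --live" on a FreeBSD box runs the real
# pciconf; without the flag it triages the constructed sample.
if [ "${1:-}" = "--live" ]; then
    pciconf -lv | triage
else
    sample_pciconf | triage
fi
```

On the sample the em0 line is reported as `netmap risk` and igb0 as `netmap ok`, which matches the behaviour Redyr described. Run `ensure_loader_knob /boot/loader.conf` only after installing the package (or use the os-intel-em plugin, which Franco says wraps exactly this step), then reboot so the replacement driver attaches instead of the in-kernel em(4).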