Topic: IDS questions (Read 25989 times)
dcol (Hero Member, Posts: 635, Karma: 51)
IDS questions « on: October 14, 2016, 01:34:50 am »
Can I use my custom rules in Intrusion Detection? I have a few Snort/Suricata rules I wrote that I need to add.
Also, is 'IPS Mode' the same as inline mode? If not, how do I turn on inline mode, or is that on by default?
I am looking to switch over from PFsense because they are dragging their feet on IPS/IDS inline mode.
Thanks in advance.
Logged
franco (Administrator, Hero Member, Posts: 17661, Karma: 1611)
Re: IDS questions « Reply #1 on: October 14, 2016, 09:34:36 am »
Hi there,
Inline mode is just a flip of a switch.
enable IDS
enable IPS mode
We do have very light custom-rules support from the GUI, but nothing that would fit your ruleset for sure (there's only GeoIP and Fingerprinting in there). An automatic rule inclusion for a flat file on the disk would probably be more suitable for you? Something similar is already done by the proxy server configuration.
If that sounds alright we ask all features to be requested on GitHub by the users themselves for questions, ping-backs, testing and polishing features. It makes for a better result. :)
https://github.com/opnsense/core/issues
Cheers,
Franco
Logged
dcol (Hero Member, Posts: 635, Karma: 51)
Re: IDS questions « Reply #2 on: October 14, 2016, 10:38:51 pm »
Thanks, I submitted a feature request on GitHub for custom rules.
Logged
franco (Administrator, Hero Member, Posts: 17661, Karma: 1611)
Re: IDS questions « Reply #3 on: October 17, 2016, 11:33:38 pm »
I see this was picked up. We're currently debating whether or not dropping rules into the existing directory is enough or if we need a custom file hook.
https://github.com/opnsense/core/issues/1219
https://github.com/opnsense/core/pull/1222
Files do need to be copied via SSH/SFTP in any case, but that's easily automated as a plus.
Cheers,
Franco
Logged
franco (Administrator, Hero Member, Posts: 17661, Karma: 1611)
Re: IDS questions « Reply #4 on: October 18, 2016, 11:22:35 pm »
Pull request was closed, so the official way is to push additional rule files to: /usr/local/etc/suricata/rules/
Logged
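As an added example (not code from this thread, from OPNsense or from Suricata), a small Python check that can be run over a custom rules file before it is copied into /usr/local/etc/suricata/rules/: it flags missing or duplicate sids and sids outside the local range, the usual reasons a dropped-in file stops Suricata from loading. The sample rules and the 1000000-1999999 local sid range are assumptions: the rules are constructed, and the range is the common convention for locally written rules, not something OPNsense enforces.

```python
import re
from typing import List, Tuple

# Constructed sample of a custom rules file (example data, not from the thread),
# as it would be copied into /usr/local/etc/suricata/rules/ on OPNsense.
SAMPLE_RULES = """\
# local.rules (constructed example)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL outbound 4444"; sid:1000001; rev:1;)
alert dns any any -> any any (msg:"LOCAL suspicious TLD"; dns.query; content:".xyz"; sid:1000002; rev:2;)
drop tcp any any -> $HOME_NET 23 (msg:"LOCAL telnet"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"LOCAL missing sid"; content:"/admin";)
alert tcp any any -> any any (msg:"LOCAL sid in vendor range"; sid:2010000; rev:1;)
"""

# Assumed convention: locally written rules use sids 1000000-1999999 so they
# never collide with vendor feeds such as ET Open loaded from the same directory.
LOCAL_SID_MIN, LOCAL_SID_MAX = 1_000_000, 1_999_999

RULE_RE = re.compile(r"^(alert|drop|pass|reject)\s+\S+\s+.*\((?P<opts>.*)\)\s*$")
SID_RE = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")


def lint_rules(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, problem) pairs found in a Suricata rules file."""
    issues: List[Tuple[int, str]] = []
    seen = {}  # sid -> line it was first declared on
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are fine
        m = RULE_RE.match(line)
        if not m:
            issues.append((lineno, "unparsable rule"))
            continue
        sid_m = SID_RE.search(m.group("opts"))
        if not sid_m:
            issues.append((lineno, "missing sid"))
            continue
        sid = int(sid_m.group(1))
        if sid in seen:
            issues.append((lineno, f"duplicate sid {sid} (first seen on line {seen[sid]})"))
        else:
            seen[sid] = lineno
        if not LOCAL_SID_MIN <= sid <= LOCAL_SID_MAX:
            issues.append((lineno, f"sid {sid} outside local range {LOCAL_SID_MIN}-{LOCAL_SID_MAX}"))
    return issues


if __name__ == "__main__":
    for lineno, problem in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {problem}")
```

Running it on a real file (`lint_rules(open("local.rules").read())`) before the SCP step gives a quick pass/fail without touching the firewall.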
Redyr (Newbie, Posts: 5, Karma: 0)
Re: IDS questions « Reply #5 on: October 19, 2016, 09:53:34 pm »
Quote from: dcol on October 14, 2016, 10:38:51 pm
> Thanks, I submitted a feature request on GitHub for custom rules.
Hello @dcol,
Sorry to write you here, but on that other forum I can't write anymore. I read @jwt's response that ultimately Suricata is not a concern for pfSense. Did you try Suricata on OPNsense, is it working, I mean the inline mode? Also I did not understand what Franco said about importing the rules? Can we import rules from pfsense easily if I switch to OPNsense?
Thanks
Logged
franco (Administrator, Hero Member, Posts: 17661, Karma: 1611)
Re: IDS questions « Reply #6 on: October 19, 2016, 10:11:02 pm »
Hi Redyr,
In practice Suricata inline mode works well in most combinations. After all, Suricata 3.0 with netmap(4) mode was released around January this year. We trust them to do good work.
We've found at least two things that don't work as expected, but they apply to FreeBSD as a whole and can be partially worked around. Any other solution based on FreeBSD will run into these issues as well if we cannot address them upstream:
1. em(4) driver has corner cases where netmap(4) mode is unstable. Can be worked around with the intel-em-kmod package or our os-intel-em plugin in OPNsense itself:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212828
2. PPPoE with netmap(4) either partially works or doesn't work at all. Traffic gets passed, but is not visible to Suricata. We're currently tracking this via:
https://redmine.openinfosecfoundation.org/issues/1925
As far as ET-Open rulesets and others go, they are selectable from the GUI. For custom rulesets, files cannot be imported via the GUI, they have to be added via SSH into the respective directory in order to be activated by the service.
Hope that helps.
Cheers,
Franco
Logged
Redyr (Newbie, Posts: 5, Karma: 0)
Re: IDS questions « Reply #7 on: October 20, 2016, 02:22:51 am »
Wow, that's the best explanation I had in years. I have this for my hardware
http://global.shuttle.com/main/productsSpec?productId=2007
I have that other project installed on it, and both NICs are Intel, but in there are 2 different drivers, one is igb(4) and the other is em(4). If I switch inline mode to the igb(4) NIC all is well, but if I try to switch to inline mode for em(4), after a few seconds the internet connection dies, and I cannot access my box anymore. Note that this happens on pfsense, and the only way to recover is to restore a backup restore point.
Actually I'm interested if Suricata 3.1.2 is working in Inline mode, not 3.0, and tell me more about intel-em-kmod package or OPNsense os-intel-em, or be so kind and point me to the right thread, if this was discussed before, I don't want to waste your time. Thanks
P.S. Actually I saw this thread
https://forum.opnsense.org/index.php?topic=3630
, so I should understand that because of some bugs in FreeBsd netmap it's not working, or can I use those workarounds you mentioned?
« Last Edit: October 20, 2016, 02:27:47 am by Redyr »
Logged
franco (Administrator, Hero Member, Posts: 17661, Karma: 1611)
Re: IDS questions « Reply #8 on: October 20, 2016, 07:52:02 am »
Hi Redyr,
Yes, that sounds like the em(4) issue. Can you dump the following console command for us:
# pciconf -lv em0
It shows the chipset and other information.
In FreeBSD 11.0, there is a patch to make netmap(4) a bit more stable on FreeBSD 11.0:
https://github.com/freebsd/freebsd/commit/7f641c57ed9
But in OPNsense we had to revert another change that came in during 10.2 -> 10.3, which made the mode unstable for a small amount of chipsets, unfortunately chipsets for embedded devices:
https://github.com/opnsense/src/commit/11586afbb7
Since this also applies to 11.0, we searched to replace the em(4) driver, and found that Intel offers a vanilla base driver for FreeBSD, which can be plugged into the system without the need to recompile the kernel. This is now the "intel-em-kmod" package in the FreeBSD ports. The "os-intel-em" plugin we have is just a wrapper around this so you don't have to do the manual configuration in /boot/loader.conf.
Using that driver should also help you get better results in pfSense, yes.
The basic question is why you would think 3.1.2 works any different, I mean yes, Suricata code changed, but the underlying FreeBSD framework did not, and that's where the issues I mentioned happen.
The original 16.7 upgrade issues thread mentioned this:
https://forum.opnsense.org/index.php?topic=3430.0
Note that this happened when we switched from 16.1 to 16.7, which was FreeBSD 10.2 to 10.3 underneath.
Cheers,
Franco
Logged
Redyr (Newbie, Posts: 5, Karma: 0)
Re: IDS questions « Reply #9 on: October 20, 2016, 11:57:56 am »
I thought that fixing this bug #1844: netmap: IPS mode doesn't set 2nd iface in promisc mode (from the suricata 3.1.1 changelog) would fix the em(0) issue. Also a lot of bugs were fixed. So something must work better.
Also I saw that you work with free-bsd on suricata ports from here
https://www.freshports.org/security/suricata/
, and I thought that you did some code fix for BSD plus the new Suricata code; I thought it would be a winning pair, at least maybe it would work better in comparison with what pfSense has. This was my idea.
I didn't know who you were, but sometimes negative publicity is good in a way (I mean that Chris mentioned a "Franco" from OPNsense, then I knew in which direction to look). Then I opened the OPNsense page, looked at the changelogs, and I saw the progress on Suricata, meaning 3.1.2 was implemented.
In comparison to the project that I use, I see at least that here you and others are trying to solve Suricata issues, which is important to me. My question in short is, I'm interested to switch to OPNsense, can I enable Suricata Inline mode on both of my NICs, and are the other issues fixed? I'm not asking you for an ETA, but I want to ask when should I switch in order to not have problems? Should I wait for the OPNsense next release in January? I mean I'm willing to wait, in order to not be disappointed like I am with pfSense.
As requested this is the dump from console (pfsense latest production version) :
[2.3.2-RELEASE][root@prod.test]/root: pciconf -lv em0
em0@pci0:0:31:6: class=0x020000 card=0x00008086 chip=0x15b78086 rev=0x31 hdr=0x00
vendor = 'Intel Corporation'
device = 'Ethernet Connection (2) I219-LM'
class = network
subclass = ethernet
Thanks
« Last Edit: October 20, 2016, 04:53:25 pm by Redyr »
Logged
everfree (Newbie, Posts: 15, Karma: 0)
Re: IDS questions « Reply #10 on: October 20, 2016, 04:15:21 pm »
Hi!
I use bridge mode (Intel 10G ix0/ix1) in pfSense; inline mode is also not working and crashes. At the same time, I use ET PRO rules and syslog (alert) forwarding. If opnsense can make that stable in the future, I would be very glad to use opnsense and request commercial support.
Logged
franco (Administrator, Hero Member, Posts: 17661, Karma: 1611)
Re: IDS questions « Reply #11 on: October 21, 2016, 10:21:53 am »
Hi everfree,
o I honestly don't know anything about ix issues. It may be a driver issue. What kind of crashes are we talking about?
o We do not have a bridge mode from NIC to NIC: we use the full inline mode that you can use in conjunction with all firewall functionality.
o ET Pro rules can be integrated with the addition of a rules file description.
o Syslog support was recently added, but still needs to be added to the forwarding server settings. I expect this to land in 16.7.x the upcoming weeks.
Cheers,
Franco
Logged
everfree (Newbie, Posts: 15, Karma: 0)
Re: IDS questions « Reply #12 on: October 21, 2016, 12:04:29 pm »
Hi franco,
o Because it crashed about 6 months ago, I did not copy any crash logs, but most messages (as attachment) from the console before the crash.
o I'm sorry I did not make it clear, I mean Transparent Filtering Bridge mode.
o Really? I can use ET PRO rules in opnsense now? Hope for an ET PRO GUI and regular expressions (for sid management) in the future.
o Syslog support was recently added, that's good news.
I have not tested opnsense in production before; maybe I can try.
Thanks!
« Last Edit: October 22, 2016, 10:30:10 am by everfree »
Logged
franco (Administrator, Hero Member, Posts: 17661, Karma: 1611)
Re: IDS questions « Reply #13 on: October 23, 2016, 05:32:37 pm »
Hi everfree,
> Because it crashed about 6 months ago, I did not copy any crash logs, but most messages (as attachment) from the console before the crash.
That looks like a driver lockup. I do not think it's fixed, but we could always try the stock intel driver if you want.
> I'm sorry I did not make it clear, I mean Transparent Filtering Bridge mode.
Ok, so you have a LAN and WAN? In that case, IPS is simply enabled on WAN and you have the setup you want.
> Really? I can use ET PRO rules in opnsense now? Hope for an ET PRO GUI and regular expressions (for sid management) in the future.
Yes, we need to help with the rule description file that needs to be created. Ad recently added a new one; this is really all that's needed, dropped into the correct directory:
https://github.com/opnsense/plugins/blob/master/security/intrusion-detection-content-pt-open/src/opnsense/scripts/suricata/metadata/rules/pt-research.xml
> Syslog support was recently added, that's good news.
Still need to work on the remote end as I said, but yes, progress.
If you find the time to spin up a test system I'd recommend it. The reliability of Suricata in IPS depends on the quality of the hardware as well. E.g. for Realtek NICs we've given up all hope. And RAM should be plenty, some users reported failures due to Suricata not having enough memory.
Cheers,
Franco
Logged
everfree (Newbie, Posts: 15, Karma: 0)
Re: IDS questions « Reply #14 on: October 24, 2016, 04:44:28 am »
Yes, I'm looking forward to Opnsense development.
For IPS on Intel 10G, I'm expecting that day's coming!
Logged