IDS questions

Started by dcol, October 14, 2016, 01:34:50 AM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions
October 24, 2016, 10:38:07 AM #15
I formerly hoped that opnsense together with suricata will be a good replacement for our boxes (APU) running with pfsense/snort

But until now no working Suricata in IPS mode on this boxes. They have the Realtek networking cards.

IPS in opnsense / suricata no work  --> in pfsense/snort perfect ????

Will there be any hope and chance for running stable opnsense/suricata on this APU boxes?
October 24, 2016, 04:39:14 PM #16
Hi zash,

Realtek NICs are unstable for IPS/netmap mode. It's not fixable.

Note that there is no true IPS mode for snort, it's using a lazy-block list via filter that can leave your data leaked on the first incident anyway. ;)

All in all, I think options for true IPS in FreeBSD are just that: Intel chips.


Cheers,
Franco
October 24, 2016, 04:50:48 PM #17
OK, I understand.

That means that we got no running opnsense/suricata on all PcEngines APU boxes without Intel NIC's :-(
October 24, 2016, 05:00:26 PM #18
There ought to be an emulation mode that may yield better results and supposedly works with all drivers. I haven't looked into it, but it would be interesting to see if it can be used instead of the real driver bindings (in case of Realtek anyway). Performance is a lot less, but it could be workable.

At the moment I don't have any time to look into it, but I will try to see if this is a workaround option for "known bad cards". :)


Cheers,
Franco
October 28, 2016, 03:22:07 AM #19 Last Edit: October 28, 2016, 03:32:41 AM by everfree
I try opnsense 16.7.7, It's amazing. I also donate to opnsense, I hope that opnsense can be used for 10G inline mode in my production in the future.  :)

I will donate again next month.
October 28, 2016, 07:28:24 AM #20
Hi everfree,

Wow, thanks for the feedback and donation!

You should watch out for 17.1 with FreeBSD 11.0 underneath. We will have a beta version in November, an RC in January and the release just at the end of January 2017. :)


Cheers,
Franco
October 28, 2016, 07:25:47 PM #21
Look at that, netmap(4) bug fixed in FreeBSD CURRENT, expecting a swift transition to both 10 and 11.

https://github.com/freebsd/freebsd/commit/c9c991ee76

Great work by sbruno@ and luigi@ for pinning this down.

PS: Already in our repo. ;)
November 12, 2017, 11:32:01 PM #22
Been a while since I posted here. Just installed the latest OPNsense 17.7 and figured I have a new box, lets try it out. This box is a Supermicro 5018-FTN4 with an 8 core Intel Atom C2758 and i354 Quad NIC.

Setup went great with one static WAN and one LAN subnet. Seems to work fine until I enable IPS inline which kills the internet connection. Seems to work in non inline mode (IPS unchecked). Also noticed that when IPS is selected, Unbound DNS service keeps restarting. I just used all the default settings in IDS except I tried to use Hyperscan and that didn't work either.

One more note, tried Suricata inline using PFsense on this new box and it also didn't work. But the internet connection was ok, just no alerts. I also tried a known tested Intel i210T1 NIC on the WAN and it still didn't work.

Any suggestions?
Print
Go Up Pages 1 2
User actions