[Suricata] IPS inside LAN; Changing Home Networks results in no/missing alerts

Started by chropnsense, January 16, 2024, 10:16:36 AM

Hi,

I have Suricata enabled on two LAN interfaces:
eth1: 192.168.1.0/24
eth2: 192.168.100.0/24

I'm only running IDS/IPS on the LAN interfaces eth1 and eth2 (not monitoring WAN, since I have everything incoming blocked).

I'm running all nmap scans below from 192.168.1.156 (gateway 192.168.1.1, mask /24).

[CASE-1]
- Home networks = 192.168.1.0/16
- IPS mode = enabled
- Promiscuous mode = enabled
- Pattern matcher = Hyperscan
- Detect Profile = medium
- Interfaces eth1, eth2

Now if I run nmap -v 192.168.100.15 or 192.168.1.1, I get no alerts/blocks logged in the "Alerts" tab.

[CASE-2]
- I have "Home networks" configured as 192.168.1.0/24
- IPS mode = enabled
- Promiscuous mode = enabled
- Pattern matcher = Hyperscan
- Detect Profile = medium
- Interfaces eth1, eth2

Now if I run nmap -v 192.168.100.15 or 192.168.1.1, I get no alerts/blocks logged in the "Alerts" tab.

[CASE-3]
- I have "Home networks" configured as 10.0.0.0/24
- IPS mode = enabled
- Promiscuous mode = enabled
- Pattern matcher = Hyperscan
- Detect Profile = medium
- Interfaces eth1, eth2

Now if I run nmap -v 192.168.100.15 or 192.168.1.1, I get no alerts/blocks logged in the "Alerts" tab.

In the log file, when I do an IPS restart, I can see the following:

2024-01-16T11:07:53 Notice suricata [100103] <Notice> -- all 16 packet processing threads, 4 management threads initialized, engine started.
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'exe.no.referer' is checked but not set. Checked in 2020500 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2023313 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.RTF' is checked but not set. Checked in 2020700 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019823 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.BonitaDefaultCreds' is checked but not set. Checked in 2036817 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'dcerpc.rpcnetlogon' is checked but not set. Checked in 2030870 and 6 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.WebDAVURL' is checked but not set. Checked in 2049320 and 2 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.generictelegram' is checked but not set. Checked in 2045614 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.tcpraw.png' is checked but not set. Checked in 2035477 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017181 and 5 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 9 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024242 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2023741 and 4 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2022303 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2013036 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 4 other sigs
2024-01-16T11:06:52 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_DEPRECATED(203)] - Found deprecated eve-log.alert app-layer flag "tls", enabling metadata.app-layer
2024-01-16T11:06:52 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_DEPRECATED(203)] - Found deprecated eve-log.alert app-layer flag "http", enabling metadata.app-layer
2024-01-16T11:06:52 Warning suricata [143203] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2024-01-16T11:06:52 Warning suricata [143203] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2024-01-16T11:06:52 Warning suricata [143203] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2024-01-16T11:06:52 Warning suricata [143203] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2024-01-16T11:06:52 Warning suricata [143203] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2024-01-16T11:06:52 Warning suricata [143203] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2024-01-16T11:06:51 Notice suricata [143203] <Notice> -- This is Suricata version 6.0.15 RELEASE running in SYSTEM mode
2024-01-16T11:06:47 Notice suricata [100103] <Notice> -- Signal Received. Stopping engine.


The following rules are enabled (alert or block mode):

2029985 drop emerging-exploit.rules attempted-admin ET EXPLOIT IBM Data Risk Manager Remote Code Execution via NMAP Scan
2000537 alert emerging-scan.rules attempted-recon ET SCAN NMAP -sS window 2048
2000536 alert emerging-scan.rules attempted-recon ET SCAN NMAP -sO
2000538 alert emerging-scan.rules attempted-recon ET SCAN NMAP -sA (1)
2000540 alert emerging-scan.rules attempted-recon ET SCAN NMAP -sA (2)
2000543 alert emerging-scan.rules attempted-recon ET SCAN NMAP -f -sF
2000544 alert emerging-scan.rules attempted-recon ET SCAN NMAP -f -sN
2000546 alert emerging-scan.rules attempted-recon ET SCAN NMAP -f -sX
2100469 alert emerging-scan.rules attempted-recon GPL SCAN PING NMAP
2100628 alert emerging-scan.rules attempted-recon GPL SCAN nmap TCP
2101228 alert emerging-scan.rules attempted-recon GPL SCAN nmap XMAS
2100629 alert emerging-scan.rules attempted-recon GPL SCAN nmap fingerprint attempt
2009582 alert emerging-scan.rules attempted-recon ET SCAN NMAP -sS window 1024
2009583 alert emerging-scan.rules attempted-recon ET SCAN NMAP -sS window 3072
2009584 alert emerging-scan.rules attempted-recon ET SCAN NMAP -sS window 4096
2018317 drop emerging-scan.rules attempted-recon ET SCAN NMAP SIP Version Detect OPTIONS Scan
2018318 drop emerging-scan.rules attempted-recon ET SCAN NMAP SIP Version Detection Script Activity
2000545 alert emerging-scan.rules attempted-recon ET SCAN NMAP -f -sV
2018489 drop emerging-scan.rules attempted-recon ET SCAN NMAP OS Detection Probe
2013778 drop emerging-scan.rules web-application-attack ET SCAN NMAP SQL Spider Scan
2009358 drop emerging-scan.rules web-application-attack ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)
2009359 drop emerging-scan.rules web-application-attack ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE)
2024364 drop emerging-scan.rules web-application-attack ET SCAN Possible Nmap User-Agent Observed
2021024 drop emerging-scan.rules attempted-recon ET SCAN Nmap NSE Heartbleed Response
2021023 drop emerging-scan.rules attempted-recon ET SCAN Nmap NSE Heartbleed Request
2036252 drop emerging-scan.rules network-scan ET SCAN RDP Connection Attempt from Nmap

System info

OPNsense 23.7.11-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w
CPU type: Intel(R) Celeron(R) CPU J3160 @ 1.60GHz (4 cores, 4 threads)
CPU usage: Load average 1.52, 1.25, 1.23


EDIT:

[CASE-4]
- I have "Home networks" configured as 192.168.1.1/32
- IPS mode = enabled
- Promiscuous mode = disabled/enabled (same result)
- Pattern matcher = Hyperscan
- Detect Profile = medium
- Interfaces eth1, eth2

Now if I run nmap -v 192.168.100.1, I do get alerts/blocks logged in the "Alerts" tab:

2024-01-16T11:26:10.613038+0200 2010936 blocked LAN 192.168.1.156 49622 192.168.1.1 1521 ET SCAN Suspicious inbound to Oracle SQL port 1521
2024-01-16T11:26:10.613038+0200 2010936 blocked LAN 192.168.1.156 49622 192.168.1.1 1521 ET SCAN Suspicious inbound to Oracle SQL port 1521
2024-01-16T11:26:10.275462+0200 2002910 blocked LAN 192.168.1.156 49622 192.168.1.1 5801 ET SCAN Potential VNC Scan 5800-5820
2024-01-16T11:26:10.178190+0200 2002911 blocked LAN 192.168.1.156 49622 192.168.1.1 5906 ET SCAN Potential VNC Scan 5900-5920
2024-01-16T11:26:10.163759+0200 2002910 blocked LAN 192.168.1.156 49621 192.168.1.1 5801 ET SCAN Potential VNC Scan 5800-5820

Hi,

If anyone could point me in the right direction on how to set up IDS/IPS properly on OPNsense, it would make my day. I still cannot understand why I cannot get IDS/IPS detections to alert or block consistently.

Thanks!

EDIT:

Just to be clear, IPS is working on WAN if I enable it on the WAN interface as well and add my WAN IP to Home networks. It feels kind of pointless to run IPS on WAN, since I already block everything with firewall rules. On the LAN, though, I would be interested in whether anyone is doing shady stuff.


2024-01-19T11:36:09.999708+0200 2009582 allowed WAN xxx.148.72.192 47613 91.155.xxx 3389 ET SCAN NMAP -sS window 1024
2024-01-19T11:36:02.220004+0200 2500010 allowed WAN xxx.19.24.23 53734 91.155.xxx 8080 ET COMPROMISED Known Compromised or Hostile Host Traffic group 6
2024-01-19T11:34:47.667573+0200 2009582 allowed WAN xxx.94.95.226 56852 91.155.xxx 8080 ET SCAN NMAP -sS window 1024
2024-01-19T11:33:40.068103+0200 2009582 allowed WAN xxx.94.95.226 56808 91.155.xxx 8443 ET SCAN NMAP -sS window 1024
2024-01-19T11:33:40.068103+0200 2400003 allowed WAN xxx.94.95.226 56808 91.155.xxx 8443 ET DROP Spamhaus DROP Listed Traffic Inbound group 4

Alright, a bit of discussion with myself here, but perhaps it helps if someone else stumbles upon this same "issue".

It seems that this has nothing to do with OPNsense or Suricata in any way, but rather with how the loaded nmap rules are configured to react to the payload.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009582; classtype:attempted-recon; sid:2009582; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)


So, the keyword here is the object $EXTERNAL_NET and the flow of the traffic to $HOME_NET. That is, this particular rule will only trigger if the flow is from WAN to LAN (or to WAN, if you have WAN defined as your Home Network).

Interesting, though, that this rule was triggered when I had Home Network set to 192.168.1.1/32 but not to 192.168.1.1/24. It is perhaps also a bit stupid that the traffic flow is "hard coded" into the rule, but that is a different discussion, and I cannot complain since it is free. It would make more sense to have IDS/IPS based on firewall rules (i.e. apply this IPS profile to this rule).

There are probably a lot of rules working like the one above, which kind of defeats the purpose of IPS if one is already blocking everything incoming.

Has anyone tackled this somehow, and if yes, how? Do you have manual rules where you replace $EXTERNAL_NET with $HOME_NET?
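
To make the observation above concrete, here is an added example (it is not code from the thread, from OPNsense or from the Suricata project) that evaluates the header of the quoted rule, sid 2009582, against the four "Home networks" values from CASE-1 to CASE-4 and the scanning host 192.168.1.156. It assumes Suricata's default of $EXTERNAL_NET being "!$HOME_NET", masks a CIDR with host bits set (the CASE-1 value 192.168.1.0/16) to its network address, and handles only IPv4 addresses, the "->" and "<>" directions and port "any", which is all the quoted header uses. It goes one step beyond the thread by also checking the suggested "$HOME_NET any -> $HOME_NET any" variant with both LAN subnets listed, to show what it would take for a LAN-to-LAN scan to match at all.

```python
import ipaddress
import re

# Added example: evaluate only the address part of a Suricata rule header.
# Assumption: $EXTERNAL_NET is Suricata's default "!$HOME_NET".
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
)


def parse_nets(spec):
    """'any' -> None (matches everything); otherwise a list of IPv4 networks.
    strict=False masks host bits, so '192.168.1.0/16' becomes 192.168.0.0/16
    (an assumption about how the CASE-1 value is interpreted)."""
    if spec.lower() == "any":
        return None
    return [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",")]


def in_nets(ip, nets):
    return nets is None or any(ip in n for n in nets)


def addr_matches(ip, var, home_nets):
    """Resolve $HOME_NET, $EXTERNAL_NET or 'any' against one address."""
    if var == "any":
        return True
    if var == "$HOME_NET":
        return in_nets(ip, home_nets)
    if var == "$EXTERNAL_NET":  # default definition: !$HOME_NET
        return not in_nets(ip, home_nets)
    raise ValueError(f"unsupported address spec {var!r}")


def header_matches(header, home_net_spec, src, dst):
    """True if a flow src->dst satisfies the header's address constraints
    under the given 'Home networks' setting."""
    m = HEADER_RE.match(header)
    if not m:
        raise ValueError("cannot parse rule header")
    home = parse_nets(home_net_spec)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    forward = addr_matches(src_ip, m["src"], home) and addr_matches(dst_ip, m["dst"], home)
    if m["dir"] == "->":
        return forward
    reverse = addr_matches(dst_ip, m["src"], home) and addr_matches(src_ip, m["dst"], home)
    return forward or reverse


# Header of sid 2009582 as quoted in the thread, and the host nmap ran from.
NMAP_SYN_HEADER = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"
SCANNER = "192.168.1.156"

# "Home networks" value and scan targets for each case, as described in the thread.
CASES = {
    "CASE-1": ("192.168.1.0/16", ["192.168.100.15", "192.168.1.1"]),
    "CASE-2": ("192.168.1.0/24", ["192.168.100.15", "192.168.1.1"]),
    "CASE-3": ("10.0.0.0/24", ["192.168.100.15", "192.168.1.1"]),
    "CASE-4": ("192.168.1.1/32", ["192.168.100.1", "192.168.1.1"]),
}

# Hypothetical local-rule variant from the thread's closing question, with
# both LAN subnets listed as Home networks.
BOTH_LANS = "192.168.1.0/24,192.168.100.0/24"
LAN_TO_LAN_HEADER = "alert tcp $HOME_NET any -> $HOME_NET any"


def evaluate_cases(header=NMAP_SYN_HEADER):
    """Map each case to the scan targets whose flow the header would match."""
    return {
        case: [t for t in targets if header_matches(header, home, SCANNER, t)]
        for case, (home, targets) in CASES.items()
    }


if __name__ == "__main__":
    for case, hits in evaluate_cases().items():
        print(f"{case}: header matches for {hits or 'no target'}")
    print("stock header, both LANs as HOME_NET, scan 192.168.100.15:",
          header_matches(NMAP_SYN_HEADER, BOTH_LANS, SCANNER, "192.168.100.15"))
    print("$HOME_NET -> $HOME_NET, both LANs, scan 192.168.100.15:",
          header_matches(LAN_TO_LAN_HEADER, BOTH_LANS, SCANNER, "192.168.100.15"))
```

The result mirrors the thread: in CASE-1 and CASE-2 the scanner is inside $HOME_NET, so it can never be $EXTERNAL_NET; in CASE-3 neither host is inside $HOME_NET; only in CASE-4, where the scanner is outside the /32 and the gateway is inside it, do both sides of the header line up. Simply widening Home networks to cover both LANs does not help with the stock header, because the scanner then stops being external again. Only a local rule whose source is $HOME_NET (or any) can match a LAN-to-LAN flow, and that rule then needs the relevant LAN subnets in Home networks.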

I am not running either in production, but from what I read, Suricata is more tailored to protecting from attacks from outside, e.g. publicly reachable servers, and Zenarmor to catching malicious traffic originating on the inside.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hi,

Thanks for your reply!

I have heard about Zenarmor; perhaps I need to give it a spin.

Thanks!

EDIT: Zenarmor seems like an alternative to Unbound DNS or Adguard, not really what I was looking for.