24.1 IDS breaks internet

Started by Frickey, January 30, 2024, 04:50:01 PM

I've spread this message out over our communication channels:

Suricata 7 appears to have severe issues with Netmap mode, alerting is likely affected. We'll be reverting back to Suricata 6 tomorrow and recommend disabling IPS mode on 24.1 for now. Best done prior to executing the upgrade!


Cheers,
Franco

I have the same issue after upgrading to 24.1. Disabling it all is okay.
Sparkey

Same issue with me.

After disabling IDS, OPNsense started working again. Hope a fix is developed soon.

Same here, had to disable it.

Going out on a limb here, franco, sorry, I know you are the maintainer of the package: is it compiled with --enable-netmap?

I don't see it in the Makefile of the master branch.

https://docs.suricata.io/en/suricata-7.0.2/capture-hardware/netmap.html

"To build Suricata with NETMAP, add --enable-netmap to the configure line. The location of the NETMAP includes (/usr/src/sys/net/) does not have to be specified."

The fix worked for me with no issues but only after rebooting.

Quote from: seed on January 30, 2024, 07:42:46 PM
Quote from: seed on January 30, 2024, 06:46:34 PM
Quote from: seed on January 30, 2024, 06:36:47 PM
I must report the same issues.
Having suricata running breaks the connection.

When connected to the OPNsense console I can ping 1.1 through the igb interface, but not to LAN (LACP lagg with ixl interfaces).

Adding:

stream.midstream-policy: ignore
http2:
  enabled: yes
quic:
  enabled: yes


to /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml fixed the issue as described in the post above.
Looks like a little hotfix must be released.


Even with the fix applied I have problems reaching my servers by http/https.
I disabled suricata for now.
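
An added example, not code from the thread or from the OPNsense/Suricata projects, that turns the two questions raised above into a check you can run on the box before and after an upgrade: whether the installed suricata binary was built with netmap support (read from `suricata --build-info`), and what the effective values of the custom.yaml overrides are once all includes have been merged (read from `suricata --dump-config`). Whether a top-level `http2:` block in custom.yaml ends up under `app-layer.protocols.http2` depends on where the template includes it, which is exactly what the dumped config answers. The SAMPLE_* strings are constructed, abridged stand-ins for the real command output so the parsers run offline; the config path is the usual OPNsense location and is an assumption.

```python
import re
import shutil
import subprocess
from typing import Optional

# Constructed, abridged sample of `suricata --build-info` output (netmap off).
SAMPLE_BUILD_INFO_NO_NETMAP = """\
This is Suricata version 7.0.2 RELEASE
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT PCRE_JIT TLS RUST

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  Netmap support:                          no
"""

# Constructed, abridged sample of the same output from a netmap-enabled build.
SAMPLE_BUILD_INFO_NETMAP = """\
This is Suricata version 7.0.2 RELEASE
Features: NETMAP PCAP_SET_BUFF PCRE_JIT TLS RUST

Suricata Configuration:
  AF_PACKET support:                       no
  PF_RING support:                         no
  Netmap support:                          yes
"""

# Constructed, abridged sample of `suricata --dump-config`: the effective
# "key = value" tree after every YAML include has been merged.
SAMPLE_DUMP_CONFIG = """\
stream = (null)
stream.memcap = 64mb
stream.midstream = false
stream.midstream-policy = ignore
app-layer.protocols.http2.enabled = yes
app-layer.protocols.quic.enabled = yes
"""

# Values the custom.yaml override from the thread is meant to produce.
EXPECTED_AFTER_FIX = {
    "stream.midstream-policy": "ignore",
    "app-layer.protocols.http2.enabled": "yes",
    "app-layer.protocols.quic.enabled": "yes",
}


def netmap_supported(build_info: str) -> Optional[bool]:
    """True/False from the 'Netmap support:' line; falls back to the NETMAP
    token in the Features line; None if neither is present."""
    m = re.search(r"^\s*netmap support:\s*(yes|no)\b", build_info, re.I | re.M)
    if m:
        return m.group(1).lower() == "yes"
    feat = re.search(r"^Features:(.*)$", build_info, re.M)
    if feat:
        return "NETMAP" in feat.group(1).split()
    return None


def parse_dump_config(dump: str) -> dict:
    """Turn 'key = value' lines into a dict. '(null)' marks an intermediate
    node rather than a leaf value, so those lines are skipped."""
    conf = {}
    for line in dump.splitlines():
        key, sep, value = line.partition(" = ")
        if sep and value.strip() != "(null)":
            conf[key.strip()] = value.strip()
    return conf


def config_mismatches(conf: dict, expected: dict = EXPECTED_AFTER_FIX) -> dict:
    """Expected keys whose effective value differs or is missing (None)."""
    return {k: conf.get(k) for k, v in expected.items() if conf.get(k) != v}


def run_live_check(binary: str = "suricata",
                   config: str = "/usr/local/etc/suricata/suricata.yaml"):
    """Run the real binary (assumed path/config) and report both answers."""
    if shutil.which(binary) is None:
        raise SystemExit(f"{binary} not found in PATH")
    build = subprocess.run([binary, "--build-info"], capture_output=True,
                           text=True, check=True).stdout
    dump = subprocess.run([binary, "-c", config, "--dump-config"],
                          capture_output=True, text=True, check=True).stdout
    return netmap_supported(build), config_mismatches(parse_dump_config(dump))


if __name__ == "__main__":
    netmap, bad = run_live_check()
    print("netmap support:", netmap)
    print("override mismatches:", bad or "none")
```

Run it as root on the firewall after regenerating the template and restarting the service; a `False` for netmap on a box configured for IPS mode, or a non-empty mismatch dict, is the first thing to report rather than guessing from behaviour alone.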

Thank you for pointing out this issue! Just wasted the last hour ripping apart my config and disabling every setting except IDS....

Same here, will be waiting for a fix and checking on the forum. Gonna do testing and make sure it is fixed with the update, then revert to the snapshot from before the update and redo the update when fixed to ensure everything goes smoothly with updating to 24.

I've tried the solution mentioned in this thread, this doesn't resolve the issue.

The only working solution is to disable the IPS option; Intrusion Detection can remain enabled (basically you know if something got in, but you didn't block it).

Tried the following without luck
- ET removal = nok
- removing all rules = nok
- reinstalling suricata = nok
- delayed start = nok
- removed internet WAN from blocking = nok (so IPS was only working on the server WAN IP, all client internet traffic was unblocked/monitored)
- the fix mentioned in this thread

A hotfix with a downgrade back to Suricata 6 seems the way to go.
Go TEAM OPNsense!


I have two boxes running nearly the same config. IPS is enabled on both boxes.
One is suffering from this issue and the other one is running fine. Both are based on Intel.
Intel i7-8550U - Intel I211 - RAM 16GB - NVMe 120Gb
Intel i7-5550U - Intel I211 - RAM 8GB - NVMe 50Gb

Meanwhile Suricata has been rolled back from 7 to 6 anyway. Making broad statements with ambiguous context doesn't help.


Cheers,
Franco

January 31, 2024, 01:14:14 PM #25 Last Edit: January 31, 2024, 01:20:26 PM by seed
I hope it isn't postponed to somewhere in six months. Without any logs on hand it seems difficult to open a bug report in the Suricata GitHub.

Edit: I meant the release of Suricata 7, not the release of the rollback.
I want all services to run at wire speed and therefore run this dedicated hardware configuration:

AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance

private user, no business use

Version 24.1_1 fixed IPS once I did a reboot. Thank you for the rollback

@seed: the development version still has Suricata 7. It has had it for a year now. Reports and problems have been very sparse so far. Actually, we don't know if it got worse somewhere between 7 RC1, where we started testing it, and now, but it's not an immediate priority after the rollback. We will pick this up next week and see.


Cheers,
Franco

Quote from: franco on January 31, 2024, 12:54:40 PM
Meanwhile Suricata has been rolled back from 7 to 6 anyway.

I never had Suricata installed, but it seems that 24.1_1 forced the package to install. Was this intended behavior?

Quote from: sdjme on January 31, 2024, 04:50:42 PM
I never had Suricata installed, but it seems that 24.1_1 forced the package to install. Was this intended behavior?

Suricata is there as part of the base install. Services > Intrusion Detection.