suricata and pppoe vlan11 tagged fiber / WAN dont work

Started by kinch, May 28, 2024, 05:37:02 PM

Hi there,

Before, everything was working fine.
I had a fiber WAN connection which was DHCP.
Suricata was configured to look at the WAN interface and it was working; I got some alerts during the week.

Because of relocating, the ISP only offers fiber with PPPoE in this area.
I reconfigured the WAN (created a vlan11 interface, created a PPPoE device with credentials, assigned the PPPoE interface as WAN).
OPNsense got a public IP and the internet is working as well. This "happened" around 6 months ago.
Since then, I have never got a Suricata alert, so I was wondering if Suricata is working properly. I tested it with EICAR and nothing happened, so I don't get any alert since 6 months and my testing also triggered no alert.

I then switched Promiscuous mode off after about 4 months, no change. After 2 more months, still no alerts.
I suspect that Suricata cannot access the WAN interface. I think it has problems with the constellation interface -> vlan -> pppoe -> WAN.

Any idea what the problem could be, how I can troubleshoot and fix it?

What I did:
- restart service
- reboot
- test with EICAR, NOK
- check ruleset (every drop/alert rule is enabled)
- tested it with http://testmynids.org/uid/index.html
- change pattern matcher aho <-> hyper


Best Regards

I don't believe you can use Suricata on PPPoE - it is not compatible.

Also NAT and intrusion detection systems are no friends.

Quote from: Taunt9930 on May 28, 2024, 10:50:59 PM
I don't believe you can use Suricata on PPPoE - it is not compatible.

Why not? Suricata does not see the PPPoE header, I think.

Quote from: bestboy on May 29, 2024, 06:40:40 AM
Also NAT and intrusion detection systems are no friends.

?? What has Suricata to do with NAT?
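To make the "does Suricata see the PPPoE header" question concrete, here is a small decoder, added as an illustration and not code from this thread or from OPNsense/Suricata, that walks the exact encapsulation chain the original post describes (physical port -> 802.1Q vlan11 -> PPPoE session -> PPP -> IPv4). All MAC addresses, IPs (RFC 5737 documentation ranges), ports and the session id are constructed sample values. The point it shows: a sensor attached to the parent or VLAN interface has to strip three extra headers before it reaches the IP packet an IDS rule can match, whereas a sensor on the PPPoE interface itself sees the bare IP packet (`inner_ip` below).

```python
import struct
import ipaddress

# EtherTypes and PPP protocol numbers (IANA registry, RFC 2516, RFC 1332)
ETH_P_IPV4 = 0x0800
ETH_P_IPV6 = 0x86DD
ETH_P_8021Q = 0x8100
ETH_P_PPPOE_DISCOVERY = 0x8863
ETH_P_PPPOE_SESSION = 0x8864
PPP_PROTO_IPV4 = 0x0021
PPP_PROTO_IPV6 = 0x0057
PPP_TO_ETHERTYPE = {PPP_PROTO_IPV4: ETH_P_IPV4, PPP_PROTO_IPV6: ETH_P_IPV6}


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample: minimal IPv4 header + TCP SYN header (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def encapsulate(ip_packet: bytes, vlan_id: int, session_id: int) -> bytes:
    """Wrap an IPv4 packet the way it travels on the physical fiber port:
    Ethernet -> 802.1Q tag -> PPPoE session header -> PPP protocol field -> IP."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"  # constructed MACs
    vlan = struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)      # TPID + TCI (PCP/DEI = 0)
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip_packet
    # ver=1, type=1 (0x11), code=0x00 = session data, then session id and payload length
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))
    return eth + vlan + struct.pack("!H", ETH_P_PPPOE_SESSION) + pppoe + ppp


def parse_frame(frame: bytes) -> dict:
    """Peel the layers and report what a sensor must decode to reach the IP header."""
    layers = ["ethernet"]
    off = 12                                            # skip dst/src MAC
    ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        off += 4
        layers.append(f"802.1Q vid={tci & 0x0FFF}")
    if ethertype == ETH_P_PPPOE_DISCOVERY:
        # PADI/PADO/PADR/PADS: session setup, carries no IP traffic
        layers.append("PPPoE discovery (no IP payload)")
        return {"layers": layers, "inner_ip": None}
    if ethertype == ETH_P_PPPOE_SESSION:
        vt, code, session, _length = struct.unpack_from("!BBHH", frame, off)
        off += 6
        if vt != 0x11 or code != 0x00:
            raise ValueError("not a PPPoE session-data frame")
        layers.append(f"PPPoE session={session}")
        ppp_proto = struct.unpack_from("!H", frame, off)[0]
        off += 2
        ethertype = PPP_TO_ETHERTYPE.get(ppp_proto)
        if ethertype is None:
            # LCP, IPCP, CHAP etc. are link control, not something IDS rules inspect
            layers.append(f"PPP proto=0x{ppp_proto:04x} (control, not IP)")
            return {"layers": layers, "inner_ip": None}
    if ethertype == ETH_P_IPV4:
        total_len = struct.unpack_from("!H", frame, off + 2)[0]
        proto = frame[off + 9]
        src = ipaddress.IPv4Address(frame[off + 12:off + 16])
        dst = ipaddress.IPv4Address(frame[off + 16:off + 20])
        layers.append(f"IPv4 {src} -> {dst} proto={proto}")
        return {"layers": layers, "inner_ip": frame[off:off + total_len]}
    layers.append(f"ethertype 0x{ethertype:04x} not decoded")
    return {"layers": layers, "inner_ip": None}


def demo() -> dict:
    """One constructed WAN-bound TCP SYN, as it would appear on the physical port."""
    pkt = build_ipv4_tcp("203.0.113.5", "198.51.100.7", 40000, 80)
    return parse_frame(encapsulate(pkt, vlan_id=11, session_id=1))


if __name__ == "__main__":
    for layer in demo()["layers"]:
        print(layer)
```

Running it prints the four layers a sensor on the parent interface has to unwrap. Which of those interfaces an IDS actually decodes in a given deployment is exactly what the troubleshooting in this thread is about; this script only makes the framing visible so that a packet capture on each candidate interface can be compared against it.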

Intrusion detection systems need to track the flows. If you do address translation then sources or targets of flows are rewritten. The original flow is terminated and replaced. Intrusion detection systems typically only see one leg of the entire communication. Either the original flow leg or the replaced, new flow leg. But in either case they keep on missing half of what's going on.
Feel free to read the documentation for details. It's all there right in the "Choosing an interface" chapter: https://docs.opnsense.org/manual/ips.html#choosing-an-interface

PS: There is a reason why many admins hate NAT. You have to jump a lot of hoops and deal with heaps of BS just to keep using the old IPv4 address.
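A short model of the flow-rewriting argument above, added here as an illustration and not taken from this thread or the OPNsense documentation: two internal hosts open connections to the same server through source NAT, and the flows an IDS would record on the LAN side are compared with those it would record on the WAN side. The public address, internal hosts, server and port range are constructed sample values. It shows why an alert raised on the WAN side names the firewall's own address, and why attributing it to a host needs the NAT state table.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.5"   # constructed: the address PPPoE handed the firewall


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


NatKey = Tuple[str, int, str]          # (internal src, internal sport, proto)


def nat_outbound(flow: Flow, state: Dict[NatKey, int], next_port: List[int]) -> Flow:
    """Source NAT: rewrite the internal endpoint to PUBLIC_IP and a fresh port,
    remembering the mapping so return traffic (and an analyst) can be mapped back."""
    key = (flow.src, flow.sport, flow.proto)
    if key not in state:
        state[key] = next_port[0]
        next_port[0] += 1
    return Flow(PUBLIC_IP, state[key], flow.dst, flow.dport, flow.proto)


def reverse_lookup(wan_flow: Flow, state: Dict[NatKey, int]) -> Optional[str]:
    """Map a WAN-side flow (what an IDS on the WAN interface reports) back to the
    internal host:port that originated it. Without `state` this is not possible."""
    if wan_flow.src != PUBLIC_IP:
        return None
    for (src, sport, proto), public_port in state.items():
        if wan_flow.sport == public_port and wan_flow.proto == proto:
            return f"{src}:{sport}"
    return None


def demo() -> dict:
    state: Dict[NatKey, int] = {}
    next_port = [50000]
    # Constructed LAN-side flows: two different hosts, same destination.
    lan = [
        Flow("192.168.1.10", 40000, "198.51.100.7", 80, "tcp"),
        Flow("192.168.1.20", 40000, "198.51.100.7", 80, "tcp"),
    ]
    wan = [nat_outbound(f, state, next_port) for f in lan]
    return {
        "lan_sources": sorted({f.src for f in lan}),        # IDS on LAN: real hosts
        "wan_sources": sorted({f.src for f in wan}),        # IDS on WAN: only the firewall
        "wan_ports": [f.sport for f in wan],
        "attributed": [reverse_lookup(f, state) for f in wan],
        "unattributed": reverse_lookup(wan[0], {}),         # same alert, NAT table lost
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical consequence for the original question is only visibility of the source address: an alert seen on the PPPoE WAN leg will always carry 203.0.113.5 (here) as the local endpoint, so whether alerts fire at all is a separate matter from where they are attributed.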

Quote from: bestboy on May 30, 2024, 09:38:29 AM
Intrusion detection systems need to track the flows. If you do address translation then sources or targets of flows are rewritten. The original flow is terminated and replaced. Intrusion detection systems typically only see one leg of the entire communication. Either the original flow leg or the replaced, new flow leg. But in either case they keep on missing half of what's going on.
Feel free to read the documentation for details. It's all there right in the "Choosing an interface" chapter: https://docs.opnsense.org/manual/ips.html#choosing-an-interface

PS: There is a reason why many admins hate NAT. You have to jump a lot of hoops and deal with heaps of BS just to keep using the old IPv4 address.

OK, of course, but it does not matter in this scenario, because Suricata does not work at all, and it worked back in the days when the interface was DHCP-WAN and not PPPoE-WAN.

Best Regards

Anyone successfully using Suricata on a PPPoE WAN?

Best Regards