POLL: IPS

Started by csmall, March 05, 2017, 07:07:21 PM

I would like to find out who is running 17.1.2 with IPS enabled and ET rules.

Is it working?

Do you have ET rules triggered and blocked?

Do you have any other rules enabled? Are they triggered and blocked?

If it is working, what hardware are you running it on? NICs etc.


I ask because it doesn't seem to work for me and another person I know running completely different hardware (better) with a fresh install of 17.1.2 has the exact same experience. Built in suricata rules trigger and custom geoip rules trigger, but that's it. None of the downloaded (ET) rules seem to work.

A fresh install of the latest pfsense using suricata on the same hardware results in ET rules triggering and blocking as expected.

I'm trying to figure out the cause and it would help to know what others are experiencing.

Thanks.

Hi csmall,

The easiest way to check your setup is to enable the "OPNsense/test rules" and choose as input filter "change all alerts to block", then download and enable suricata in IPS mode.

I just tried it on my machine (virtual / parallels), and it generates an alert "OPNsense test eicar virus" (blocked) when downloading the following test file:

http://www.eicar.org/download/eicar.com.txt


Best regards,

Ad

March 06, 2017, 02:32:06 AM #2 Last Edit: March 06, 2017, 02:37:40 AM by csmall
Thanks.

That works fine.

ET rules do not work.
Abuse rules do not work.

Geoip rules work, the test you just suggested works, the built in suricata rules work.

Franco compared the difference in configs between my working pfsense suricata with ET rules and my opnsense config and there was minimal difference.

I even tried making the changes to match but it changed nothing.

He did mention that the logging facility configuration was different but I'm not sure how much that matters.

I'm trying to figure out why ET and abuse rules do not work for me and at least one other person I know with completely different hardware, both of us with clean installs of 17.1.2.

Are they working for anyone?

Thanks!

Ok, I'm not sure how you came to the conclusion that the rules don't work; the mechanism is the same for all.

Let's do some additional testing, go to the console and execute the following commands in sequence:

service suricata stop
/usr/local/bin/suricata -D -vvvv --netmap --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml
grep signatures /var/log/suricata.log

(This starts suricata with more logging output.)

Mine reports something like this:

6/3/2017 -- 08:48:07 - <Info> - 1130 signatures processed. 0 are IP-only rules, 1 are inspecting packet payload, 845 inspect application layer, 98 are decoder event only



March 06, 2017, 07:16:20 PM #4 Last Edit: March 06, 2017, 07:24:28 PM by csmall
Thanks Ad,

I say it is broken because there is no visual indication in the web GUI that there are ET or Abuse alerts being triggered/Blocked.

On pfsense using suricata with the same rules, they trigger and block all day long. Ipfire with snort and the same rules, they also trigger all day. I get 0 triggered/blocked ET rules in the opnsense web GUI.

I suppose it is possible that the rules are working and just not showing up in the GUI?

I will attempt your troubleshooting suggestion tonight and see what I get.

It is interesting to note that this is not just me. Another person I know with completely different hardware has the exact same experience.

I was hoping to find out who actually has it working as expected and see what could be a solution or identify a larger issue if there is one.

I will report back with my findings from the troubleshooting steps.


Quote from: csmall on March 06, 2017, 07:16:20 PM
Thanks Ad,

I say it is broken because there is no visual indication in the web GUI that there are ET or Abuse alerts being triggered/Blocked.

On pfsense using suricata with the same rules, they trigger and block all day long. Ipfire with snort and the same rules, they also trigger all day. I get 0 triggered/blocked ET rules in the opnsense web GUI.

I suppose it is possible that the rules are working and just not showing up in the GUI?

I will attempt your troubleshooting suggestion tonight and see what I get.

It is interesting to note that this is not just me. Another person I know with completely different hardware has the exact same experience.

I was hoping to find out who actually has it working as expected and see what could be a solution or identify a larger issue if there is one.

I will report back with my findings from the troubleshooting steps.

My results.

6/3/2017 -- 20:56:06 - <Info> - 349 signatures processed. 75 are IP-only rules, 163 are inspecting packet payload, 171 inspect application layer, 0 are decoder event only

The rules I have enabled right now are the ones I know are constantly triggered on my connection when using pfsense or ipfire.

Which rules are active? Does the number of signatures match the number of activated rules? And which alerts did you see before, and how were they triggered?
Maybe you can dump some alerts from the other installs; the rules beneath them aren't very difficult to inspect.

Drop, Dshield, scan and shellcode.

Numbers seem to match.

csmall and I have been discussing this a bit prior to this post. It looks like our reporting front end choice (eve) may not report all results. At least that's the only thing I've come up with so far. What would be helpful:

Show rules / log entries that trigger in pfSense and inspect them more closely for whether or not they can appear in the eve logs or not.

The inline IPS mode there is exactly the same in configuration, a test for matching up a few settings didn't help so far.

So this boils down to: does it trigger rules, if not why. And if yes, do we actually see the results?


Cheers,
Franco

Thanks Franco.

Yes this sounds reasonable because everything seems to be configured properly.

So maybe the reporting front end isn't displaying these alerts for some reason.

If I can reinstall pfsense this weekend, what would you like to see from there to help troubleshoot this issue?

What could I grab exactly that would help?

Geoip and opnsense test rules show up. Abuse and ET do not.

Thanks guys! This is my only issue with opnsense at the moment.

Is there any way to see in realtime what suricata is blocking or what rules are triggered in a log file?

The suricata.log file doesn't show me any detail like that.
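Franco's question above (does a rule trigger at all, and if so do we actually see it in the eve output?) and csmall's request for a realtime view of what suricata is blocking can both be answered from Suricata's eve.json rather than from the GUI. The script below is an added illustration, not OPNsense or Suricata code from this thread. It assumes EVE JSON logging is enabled and written one object per line (event_type "alert", with alert.signature, alert.signature_id, alert.category and alert.action), and that the log lives at /var/log/suricata/eve.json (an assumed default; check suricata.yaml). It counts blocked versus allowed hits per rule and per rule family (first word of the signature name, e.g. "ET"), tolerates a half-written trailing line, can follow the file like tail -f, and also parses the "signatures processed" summary line from suricata.log so the total can be compared with the number of enabled rules. The sample EVE lines are constructed; their SIDs are placeholders, not real ET SIDs.

```python
"""Which Suricata rules actually fired? Summarize eve.json alert events.

Added example (not OPNsense/Suricata project code). Assumptions:
  * EVE JSON is enabled, one JSON object per line, with event_type == "alert"
    records carrying alert.signature, alert.signature_id, alert.category and
    alert.action ("allowed" or "blocked").
  * EVE_PATH below is an assumed default; adjust to your suricata.yaml.
"""
import json
import re
import sys
import time
from collections import defaultdict

EVE_PATH = "/var/log/suricata/eve.json"  # assumed default location

# Constructed sample lines in EVE format (not captured from a real box).
# Signature names mimic the rule families discussed in the thread; SIDs are
# placeholders. The last line is deliberately truncated, as happens when the
# file is read while Suricata is mid-write.
SAMPLE_EVE = [
    '{"timestamp":"2017-03-06T20:56:10+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"ET CHAT IRC NICK command (constructed)","category":"Potential Corporate Privacy Violation","severity":3}}',
    '{"timestamp":"2017-03-06T20:56:11+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP"}',
    '{"timestamp":"2017-03-06T20:56:12+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.1","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"ET DROP Dshield Block Listed Source (constructed)","category":"Misc Attack","severity":2}}',
    '{"timestamp":"2017-03-06T20:56:13+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"ET CHAT IRC NICK command (constructed)","category":"Potential Corporate Privacy Violation","severity":3}}',
    '{"timestamp":"2017-03-06T20:56:14+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.1","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000003,"rev":1,"signature":"OPNsense test eicar virus","category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2017-03-06T20:56:15+0000","event_type":"alert","src_ip":"192.0',
]

# Matches the summary line that `grep signatures /var/log/suricata.log` prints.
SIG_SUMMARY_RE = re.compile(
    r"(?P<total>\d+) signatures processed\. (?P<ip_only>\d+) are IP-only rules, "
    r"(?P<payload>\d+) are inspecting packet payload, (?P<app_layer>\d+) inspect "
    r"application layer, (?P<decoder>\d+) are decoder event only"
)


def parse_signature_summary(line):
    """Return the counts from suricata.log's 'signatures processed' line as
    a dict of ints, or None if the line is not that summary."""
    m = SIG_SUMMARY_RE.search(line)
    return {k: int(v) for k, v in m.groupdict().items()} if m else None


def summarize_alerts(lines):
    """Count EVE alert events per rule SID.

    Returns (summary, skipped). summary maps sid -> {signature, category,
    family, blocked, allowed}; skipped counts undecodable or malformed lines."""
    summary, skipped = {}, 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1  # partial line: Suricata was still writing it
            continue
        if ev.get("event_type") != "alert":
            continue  # flow, dns, http, stats ... are not rule hits
        alert = ev.get("alert", {})
        sid = alert.get("signature_id")
        if sid is None:
            skipped += 1
            continue
        name = alert.get("signature", "")
        entry = summary.setdefault(sid, {
            "signature": name,
            "category": alert.get("category", ""),
            # first token of the signature name: "ET", "GPL", "OPNsense", ...
            "family": name.split(" ", 1)[0] if name else "",
            "blocked": 0, "allowed": 0,
        })
        entry["blocked" if alert.get("action") == "blocked" else "allowed"] += 1
    return summary, skipped


def counts_by_family(summary):
    """Aggregate distinct rules and blocked/allowed hits per rule family."""
    fam = defaultdict(lambda: {"rules": 0, "blocked": 0, "allowed": 0})
    for e in summary.values():
        fam[e["family"]]["rules"] += 1
        fam[e["family"]]["blocked"] += e["blocked"]
        fam[e["family"]]["allowed"] += e["allowed"]
    return dict(fam)


def follow(path):
    """Yield lines appended to path, like tail -f, for a realtime view."""
    with open(path) as fh:
        fh.seek(0, 2)  # start at end of file
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(0.5)


def main(argv):
    if "--follow" in argv:  # print each hit as it is written to eve.json
        for line in follow(EVE_PATH):
            hits, _ = summarize_alerts([line])
            for e in hits.values():
                print("%-5s %s" % ("BLOCK" if e["blocked"] else "ALERT", e["signature"]))
        return
    lines = SAMPLE_EVE if "--sample" in argv else open(EVE_PATH)
    summary, skipped = summarize_alerts(lines)
    for fam, c in sorted(counts_by_family(summary).items()):
        print("%-10s rules=%d blocked=%d allowed=%d" % (fam, c["rules"], c["blocked"], c["allowed"]))
    print("skipped %d unparseable line(s)" % skipped)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with `--sample` to see the constructed data summarized, without arguments to summarize the live eve.json, or with `--follow` to watch hits arrive. If the ET family never appears here while the OPNsense test rule does, the rules are not matching; if it does appear but the GUI stays empty, the problem is in the reporting front end.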

March 10, 2017, 03:32:06 AM #11 Last Edit: March 10, 2017, 04:01:31 AM by csmall
Exciting news Franco!

I had an ET rule trigger and block.

I was using IRC in the opnsense channel and I thought to myself, why not turn on the ET chat rule and see what happens.

The second I turned the rule on it triggered and dropped my IRC connection.

It then proceeded to trigger other irc related alerts and blocks.

That is great! I still don't understand why no other ET rules show up but this is good news.

I wonder if I'm noticing that the majority of ET rules are not working because I have used multiple firewalls with ET rules all in a short period of time and know what to expect because of the results being identical in both of the other firewalls.

Others may not have exposure to other software using ET and just don't realize that they are not working right.

If I hadn't used pfsense and ipfire with ET I would just think opnsense isn't seeing anything that matches ET rules and that everything was normal.

Just a thought but I'm still convinced that something is wrong regarding ET rules/suricata in opnsense and I'd love to figure out what it is and get it resolved.


I really don't expect there's an issue there, given the fact that there are alerts triggered for some rules.
But if you test using another install, post the alerts that got triggered as I asked before; it should be quite easy to check what the underlying logic is.


I can do that but it isn't easy to keep switching firewalls, ya know? Maybe I can do it this weekend. :)