POLL: IPS

[Ciprian]

Hello everyone!

I have the exact same problem, I don't see any blocked alert in the web interface.
Did you make some progress on the issue?

Thank you!

[AdSchellevis]

With the risk of repeating myself, have you tried to install our test pattern and downloading the eicar test virus?
If the test rule functions, it's highly unlikely the other installed rules won't (the IRC rules from ET are also quite practical for testing purposes when there's IRC traffic).

[Ciprian]

With the risk of repeating myself, have you tried to install our test pattern and downloading the eicar test virus?
If the test rule functions, it's highly unlikely the other installed rules won't (the IRC rules from ET are also quite practical for testing purposes when there's IRC traffic).

Yeap! 

Sorry for not mentioning it right before!

Test scenario: clicked the link on eicar => loading forever, checked the alerts on opnsense, eicar alert present with block

[csmall]

I don't know what the problem is with ET rules in opnsense but they do not work right.

Or maybe pfsense with suricata and et rules is just full of tons of false positives all day and night.

And ipfire with snort and ET rules triggering the same rules.

I wish it worked in Opnsense, it is my only problem with opnsense. Everything else is so awesome.

The test opnsense rules work for me with the test virus, I managed to trigger 1 ET rules 1 time, the Chat one when accessing an IRC channel. Other than that, nada, crickets... just the built in suricata rules trigger.

[AdSchellevis]

Well as mentioned before, at our end all is working without issues, an occasional "ET POLICY Outbound Multiple Non-SMTP Server Emails" message on one of my test machines here also proving to me that ET rules do match.

@csmall, this is probably the last message I'm going to post here, I've requested concrete examples on multiple occasions and received none sofar. The engine works, if there's a difference in setup it would be very easy to find  if we had concrete examples of rules to inspect.

[csmall]

I hear ya. I'm not the only one though. It isn't easy for me to install pfsense just to troubleshoot and switch back.

Don't take my posts as any sort of negative attack or anything like that. I love opnsense. The idps just doesn't appear to work properly/entirely for me and others.

I worked with Franco privately to try and discover differences between the configurations of pfsense and opnsense suricata implementations but the differences didn't jump out at him as anything that would be causing my issues.

Maybe it is working and just not reporting to the web interface or something? Others seem to experience the same problem.

I see the built in suricata rules show up in eve.json (I'm not sure if this is the correct place to watch for triggering of et rules or not)

When I see others post that they too experience what I am I feel like I should chime in as it is relevant.

Is there anything I can do other than install pfsense to try and help figure this out?

[AdSchellevis]

It's highly unlikely that the eve-log output in suricata is broken, but like stated before, there's really no way to help when there's no data to inspect.

It could very well be that another product installed some other rules which are more trigger friendly, but without knowing what is triggered for what reason on any other product there's really no way to tell if it's setup or something else.

Also an option is that another product is not only logging alerts, but other events as well, more information about the options of suricata can be found on their website http://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html
Originally we had more logging enabled (https://github.com/opnsense/core/blob/0cd3480d94e48cc80604ee825ff6cf43d618f542/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml#L86-L109), which we disabled later to avoid confusion.
In case you want to see more output, just test with all logging options on (edit /usr/local/etc/suricata/suricata.yaml) and restart suricata (service suricata restart).... which will provide you with quite some data.

[csmall]

Thanks. I'll check into these suggestions.

Hopefully one day I see something that makes it all make sense

[csmall]

I tried enabling the same logging from that link and no change.

Someday this will all make sense lol

Could this have anything to do with me using Realtek nics?

I doubt it but who knows. I have almost every ET rule enabled at this point and no alerts. I even tried scanning myself from the outside. The ET rules most commonly triggered on my connection through other products are the compromised rules, dshield rules, scan rules and shellcode rules.

Thanks for trying AdSchellevis. If anything else comes to mind that you think I can try to troubleshoot let me know. It is just difficult for me to swap firewall software back and forth for troubleshooting.

[Ciprian]

Now I have found out that there are some triggered ET rules, with ”blocked” action, as follows:

ET POLICY iTunes User Agent
ET POLICY PE EXE or DLL Windows file download HTTP
ET CHAT Skype User-Agent detected
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.pw domain

Well, rules trigger, and block. At least, the ones above did their job.

The question present here, among replies, still persists for me:

Are these rules the only rules that should have been triggered, and for the rest of rules, the internet was only clean enough? Or maybe are there attacks that OPNsense + Suricata don't detect? Cause using MS ForeFront/ ISA, and other paid IPS like Sophos XGFW & UTM does trigger allot more alerts, and blocks them!

As for what did I do so that at least these rules to be triggered, instead of none: I only disabled IDPS, reenabled it, reenabled rALL the rulesets, rescan and redownloaded the rulesets. I consider I did nothing different then before, but maybe somehow now is a difference. Still, I am not convinced that my action of disabling and reenabling the IDPS, the rulesets etc is the corrective measure. Time will tell, I plan on extending the use of OPNsense on two more branches, and on the main building soon. I'll come back with news, if any.

[csmall]

Thanks. I'll check into these suggestions.

Hopefully one day I see something that makes it all make sense

AdSchellevis

I broke down and installed pfsense. I'm seeing lots of et rules trigger.

What can I provide you to help troubleshoot why I don't have the same experience in opnsense?

Thanks!

[AdSchellevis]

Can you post some of the alerts including details? (if you replace ip addresses, please replace them for something similar for external/internal ranges)

[csmall]

Can you post some of the alerts including details? (if you replace ip addresses, please replace them for something similar for external/internal ranges)

Sure. I really hope we can figure this out.

I also made the move from a machine with Realtek nic to one with intel em*

I'll post some examples when I get home from work tonight.

[csmall]

Can you post some of the alerts including details? (if you replace ip addresses, please replace them for something similar for external/internal ranges)

AdSchellevis,

I PM'd you some examples. There are hundreds more as they fire all day and night. The same rules are triggered in Snort when using ipfire.

I get none of these in opnsense... it is quiet as a mouse.

[zenlord]

I have enabled the IDS + IPS service on the WAN interface yesterday with the 'Aho-corasick'-patternmatcher. I then have enabled / downloaded a few rulesets, amongst which all the Abuse.ch ones, and the ET Malware, ET Mobile Malware and ET Exploit. All rulesets have been edited to 'drop' the packets. Tonight a first CRON run has been succesfully executed to download the newest versions of these rulesets.

This morning I am still able to download and open the EICAR test file and see no alert in my alerts.

I just tried it again with the opnsense-test-rules, but still nothing is blocked or alerted.

Please tell me what you need and I'll happily supply it to you.

Kr,
Vincent