OPNsense Forum » English Forums » Intrusion Detection and Prevention » Windows Updates
Topic: Windows Updates (Read 16392 times)
elektroinside (Hero Member, Posts: 574, Karma: 51)
Windows Updates « on: January 12, 2018, 04:01:31 pm »
One (or more) of the Suricata rules breaks Windows Updates, but I am unable to find which one since there are no "blocked" alerts in the GUI.
Is there some other way to find out?
OPNsense v18
| HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s
Team Rebellion Member
elektroinside (Hero Member, Posts: 574, Karma: 51)
Re: Windows Updates « Reply #1 on: January 12, 2018, 04:18:50 pm »
Found some logs in /var/log but it looks like a mirror of the GUI/Alerts..
elektroinside (Hero Member, Posts: 574, Karma: 51)
Re: Windows Updates « Reply #2 on: January 12, 2018, 06:40:23 pm »
Also, on some machines WUA seems to work, some partially work, some don't.
When I say it breaks WUA, I mean "check for updates" is returning an error and no other results.
Temporarily disabling IDS/IPS immediately fixes the issue on all machines.
« Last Edit: January 12, 2018, 06:43:42 pm by elektroinside »
bartjsmit (Hero Member, Posts: 2016, Karma: 194)
Re: Windows Updates « Reply #3 on: January 12, 2018, 07:32:28 pm »
What about wsus?
Bart...
elektroinside (Hero Member, Posts: 574, Karma: 51)
Re: Windows Updates « Reply #4 on: January 15, 2018, 05:47:33 pm »
I don't have a WSUS server at home.
But after 18.1 stable is out and after some testing, I'm seriously considering migrating one of my clients to OPNsense, where I do have WSUS and also a pretty big AD.
I'm still yet to find out what is causing this behavior. At home, I have only 12 clients, but randomly some are failing to even check for updates.
I'll investigate more these days and report back.
dcol (Hero Member, Posts: 635, Karma: 51)
Re: Windows Updates « Reply #5 on: January 16, 2018, 11:17:58 pm »
Funny you should see any issues since all the rules are set to alert by default.
Did you change any rules to drop?
Also, try turning off IPS and then try the updates and look at the alerts it generates.
I may be incorrect, but I think that when using IPS, drops are not logged. They are dropped.
elektroinside (Hero Member, Posts: 574, Karma: 51)
Re: Windows Updates « Reply #6 on: January 16, 2018, 11:24:14 pm »
All my rules are set to drop (all except the ones I don't want to drop)...
Blocked rules are logged, this is how I usually allow the ones I don't want to drop.
I also noticed that it has some difficulties with RDP as well. I can sometimes connect to clients very fast, sometimes not at all. No dropped alerts for these either.
Disabling IPS fixes this every time.
dcol (Hero Member, Posts: 635, Karma: 51)
Re: Windows Updates « Reply #7 on: January 17, 2018, 12:23:59 am »
If you leave IDS on and just disable IPS, then you may see the drops in the logs that are causing the issues. Then you can disable those.
Having all your rules set to drop will cause lock ups now and then. I think that is why OPNsense sets all rules to alert by default.
What would be nice is to find a list of 'Must Have' drop rules. Would make a great sticky topic.
elektroinside (Hero Member, Posts: 574, Karma: 51)
Re: Windows Updates « Reply #8 on: January 17, 2018, 07:49:44 am »
That's strange, IDS alone doesn't block. I've been using Suricata for quite some time now (true, always with IPS, not necessarily with OPNsense), but I don't remember having this issue and I don't remember IDS blocking anything without IPS.
If this is true, how can it log blocked traffic if it doesn't block?
Please note that when I said that all my rules are set to block, I did it from the GUI, from the download tab, which doesn't set all the rules to drop (most of them, but not all). And I only get this behavior with Windows Updates and RDP (so far). Everything else I customized and unblocked works perfectly.
dcol (Hero Member, Posts: 635, Karma: 51)
Re: Windows Updates « Reply #9 on: January 17, 2018, 03:59:52 pm »
For the items that are still being blocked, you still have some drop rules that need to be disabled.
My suggestion was to just stop IPS while leaving IDS enabled then setup a test where you can cause the block then look at the alerts to see which drop rules are being invoked.
My assumption is that you are not seeing the drops in the logs because IPS is on and the packets are dropped before they are logged. I have seen this happen where something is blocked by IPS and there are no drop log entries.
elektroinside (Hero Member, Posts: 574, Karma: 51)
Re: Windows Updates « Reply #10 on: January 17, 2018, 05:14:10 pm »
Ok, I'll try & report back. Thank you!
dcol (Hero Member, Posts: 635, Karma: 51)
Re: Windows Updates « Reply #11 on: January 17, 2018, 06:45:31 pm »
By the way, I found 3 rules that affect Windows updates.
Here are the SIDs:
1:2221000 # SURICATA HTTP unknown error
1:2221021 # SURICATA HTTP response header invalid
1:2221028 # SURICATA HTTP Host header invalid
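dcol's three SIDs, together with the earlier suggestion (Reply #9) to keep IDS running with IPS off and watch which alerts fire during a failed update check, can be turned into a quick log triage. The script below is an added example, not code from this thread, from OPNsense or from the Suricata project: it reads Suricata's EVE JSON alert log, in which each alert record carries an `action` of `blocked` or `allowed`, tallies the three SIDs per LAN host, and lists the ones that actually dropped traffic as candidates to switch from drop to alert. The log path, the LAN prefix and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
import json
import os

# The three SIDs named in the thread as interfering with Windows Update.
WINDOWS_UPDATE_SIDS = {2221000, 2221021, 2221028}

# Assumption: the subnet the Windows clients live on; change to match your LAN.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Assumption: where OPNsense writes Suricata's EVE JSON log.
EVE_PATH = "/var/log/suricata/eve.json"

# Constructed sample records in EVE JSON shape (not real captured traffic).
# Addresses are documentation/private ranges chosen for the example; the
# 9000001 rule is a made-up SID standing in for an unrelated alert.
SAMPLE_EVE = """\
{"timestamp":"2018-01-17T18:00:01.000000+0200","event_type":"alert","src_ip":"198.51.100.10","dest_ip":"192.168.1.20","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2221021,"rev":1,"signature":"SURICATA HTTP response header invalid","severity":3}}
{"timestamp":"2018-01-17T18:00:02.000000+0200","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"198.51.100.10","proto":"TCP"}
{"timestamp":"2018-01-17T18:00:03.000000+0200","event_type":"alert","src_ip":"198.51.100.10","dest_ip":"192.168.1.20","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2221021,"rev":1,"signature":"SURICATA HTTP response header invalid","severity":3}}
{"timestamp":"2018-01-17T18:00:04.000000+0200","event_type":"alert","src_ip":"192.168.1.21","dest_ip":"198.51.100.10","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2221028,"rev":1,"signature":"SURICATA HTTP Host header invalid","severity":3}}
{"timestamp":"2018-01-17T18:00:05.000000+0200","event_type":"alert","src_ip":"198.51.100.10","dest_ip":"192.168.1.20","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2221000,"rev":1,"signature":"SURICATA HTTP unknown error","severity":3}}
{"timestamp":"2018-01-17T18:00:06.000000+0200","event_type":"alert","src_ip":"192.168.1.22","dest_ip":"203.0.113.9","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED unrelated test rule","severity":2}}
"""


def iter_alerts(lines):
    """Yield only the alert records; EVE is one JSON object per line."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # torn or partially written line: skip it
        if rec.get("event_type") == "alert":
            yield rec


def lan_host(rec):
    """Return whichever endpoint of the record sits on the LAN, or None.

    HTTP response-header rules fire on the server-to-client direction, so the
    Windows client may be src_ip or dest_ip depending on the rule.
    """
    for key in ("src_ip", "dest_ip"):
        try:
            if ipaddress.ip_address(rec.get(key, "")) in LAN:
                return rec[key]
        except ValueError:
            pass  # missing or malformed address
    return None


def summarize(lines, watch=WINDOWS_UPDATE_SIDS):
    """Per watched SID: signature text, blocked/allowed counts, LAN hosts hit."""
    summary = {}
    for rec in iter_alerts(lines):
        alert = rec.get("alert", {})
        sid = alert.get("signature_id")
        if sid not in watch:
            continue
        entry = summary.setdefault(
            sid,
            {"signature": alert.get("signature", ""), "blocked": 0,
             "allowed": 0, "hosts": set()},
        )
        if alert.get("action") == "blocked":
            entry["blocked"] += 1
        else:
            entry["allowed"] += 1
        host = lan_host(rec)
        if host:
            entry["hosts"].add(host)
    return summary


def sids_to_review(summary):
    """SIDs that actually dropped traffic: candidates to switch from drop to alert."""
    return sorted(sid for sid, e in summary.items() if e["blocked"] > 0)


def main(path=EVE_PATH):
    # Fall back to the constructed sample when the real log is not present.
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            summary = summarize(fh)
    else:
        summary = summarize(SAMPLE_EVE.splitlines())
    for sid in sorted(summary):
        e = summary[sid]
        print(f"sid {sid} ({e['signature']}): blocked={e['blocked']} "
              f"allowed={e['allowed']} hosts={sorted(e['hosts'])}")
    print("SIDs that dropped traffic:", sids_to_review(summary) or "none")


if __name__ == "__main__":
    main()
```

Run it on the firewall after reproducing a failed "check for updates" and compare the `blocked` counts against what the GUI shows; if the GUI stays empty while the file shows drops, the gap is in the display rather than in Suricata's logging.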
elektroinside (Hero Member, Posts: 574, Karma: 51)
Re: Windows Updates « Reply #12 on: January 17, 2018, 07:41:43 pm »
Yes, I too found these somewhere on the internet and learned that they break WU. Already set them to 'alert', although I didn't actually have alerts from these rules.
Also tried without IPS (attached Screenshot_6.png) and eventually without IDS at all (Screenshot_7.png).
Without IPS, I only had some GeoIP alerts I have set, absolutely nothing else.
After a few retries (10+), it will work eventually even with IDS/IPS. RDP works almost every time, but without IDS/IPS connections are almost instant, no delays whatsoever. With, I have to wait ~15-20 secs to connect, almost times out. RDP, as long as it works, is fine, even with delays, but Windows Updates fail most of the time, with an error that suggests something is blocking it. But why is it working after many many retries? Strange...
« Last Edit: January 17, 2018, 07:47:53 pm by elektroinside »
dcol (Hero Member, Posts: 635, Karma: 51)
Re: Windows Updates « Reply #13 on: January 17, 2018, 10:27:49 pm »
I just found something that may be helpful. I tried to do an update on a Windows 2016 server and it just hung. No alerts and no indication on why. Then I remembered something from long ago. That computer had the Windows Firewall service disabled. As soon as I enabled it, the updates started. I do have the Firewall State off for Private and Public networks in the Firewall setting page. So, even though the firewall is set to off, you still have to have the service running to get Windows Updates.
Try that.
elektroinside (Hero Member, Posts: 574, Karma: 51)
Re: Windows Updates « Reply #14 on: January 17, 2018, 10:44:08 pm »
Thank you, but I don't think this is my case, my firewalls are always up. I'm a security freak (more or less), my job is security-related, I would never turn off my firewalls.
I even sandbox a lot of stuff on my main PCs, virtualize and use various containers to protect stuff.
Also, turning off WF is a very bad idea generally, lots of services will not work (as a rule) in Windows without it. The strange thing is that Windows logs contain errors usually related to connectivity, certificates, NTP while running WU. I'll dig deeper in the upcoming days...
I really think this is IDS/IPS related, no matter how much I would like it not to be. There are a few bugs related to IDS/IPS in the repository, who knows, something there might be my issue. It's not the end of the world, but I have to find out what exactly is the problem, as I intend to migrate my clients to OPNsense soon. I will start disabling rulesets, narrow things down..