Topic: Can't get Intrusion Detection working. (Read 5511 times)
dieterarn (Newbie, Posts: 15, Karma: 0)
Can't get Intrusion Detection working.
« on: April 05, 2018, 05:50:47 am »
I've been trying, off and on, since 16.x, to get Intrusion Detection working.
Alerts don't show much activity, but the moment I turn on IPS I get a completely dead connection. Have I been that seriously pwned or have I just messed up something?
I've followed the guides and disabled hardware offloading etc.
I've also disabled all the rulesets:
Description                          Status
abuse.ch/Dyre SSL IPBL               not installed
abuse.ch/Feodo Tracker               not installed
abuse.ch/SSL Fingerprint Blacklist   not installed
abuse.ch/SSL IP Blacklist            not installed
ET open/botcc                        not installed
ET open/botcc.portgrouped            not installed
ET open/ciarmy                       not installed
ET open/compromised                  not installed
ET open/drop                         not installed
ET open/dshield                      not installed
ET open/emerging-activex             not installed
Still nothing...
The latest alerts say:
2018-04-04T23:25:30.465856-0400 allowed WAN ###.###.###.### ###.###.###.### 7801 SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2018-04-04T23:25:27.614650-0400 allowed WAN ###.###.###.### ###.###.###.### 7801 SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2018-04-04T23:25:26.016311-0400 allowed WAN ###.###.###.### ###.###.###.### 7801 SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2018-04-04T23:21:20.710647-0400 allowed WAN ###.###.###.### 22589 ###.###.###.### 23 SURICATA TCPv4 invalid checksum
I run OPNsense as a virtual machine with two virtual bridges connected to it. One is a dedicated physical interface for the WAN and the other is a virtual bridge to the LAN. The host is Proxmox.
elektroinside (Hero Member, Posts: 574, Karma: 51)
Re: Can't get Intrusion Detection working.
« Reply #1 on: April 05, 2018, 06:20:03 am »
Follow this tutorial and you will get your IDPS up and running:
https://forum.opnsense.org/index.php?topic=6893.0
It's not updated, but I hope you'll manage to find the options which were modified in the GUI.
OPNsense v18
| HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s
Team Rebellion Member
dieterarn (Newbie, Posts: 15, Karma: 0)
Re: Can't get Intrusion Detection working.
« Reply #2 on: April 08, 2018, 02:01:44 am »
First off: oops, I should do a better job of googling next time - sorry & thanks.
I was following your guide: I got to part 4 - IDS and IPS, and noticed that I only put WAN in my interfaces list.
After including LAN & enabling IPS & applying, I lost all connection to the internet AND the admin web interface. The result is instantaneous. I had to drop into the virtual console and restore settings from backup. As you probably know, once you restore settings OPNsense recommends that you reboot the router. When I did that I got the screen shown in the included attachment - it looks like suricata is complaining. Googling the error I get these hits:
https://forum.pfsense.org/index.php?topic=98787.0
https://redmine.openinfosecfoundation.org/issues/1496
So that's just suricata complaining that syslog wasn't enabled.
I went and turned it on... the internet still breaks the instant I enable IPS...
In your debug area you say to set all rules to alert - I double checked and found that I had 1 drop rule:
Signature Id: 2210057
Classtype: protocol-command-decode
Message: SURICATA STREAM 3way handshake toclient data injection suspected
« Last Edit: April 08, 2018, 02:14:25 am by dieterarn »
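The alert lines quoted in the first post and the single drop rule found in this reply are the two things worth checking together when IPS mode kills connectivity. The script below is an added example (not code from the thread, from OPNsense or from Suricata): it parses alert lines in the column layout the poster quoted, separates stream/decoder engine events from real signature matches, and lists configured drop rules whose classtype is `protocol-command-decode`, since those fire on the stream anomalies that checksum offloading or a bridged VM NIC produce on ordinary traffic. The "blocked" action word, the IP addresses and ports in the fourth sample line, and every rule table entry other than SID 2210057 are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the column layout of the alert lines quoted in the thread:
# timestamp, action, interface, addresses/ports, signature message. The first three
# lines keep the poster's masked addresses; the fourth is a constructed "blocked"
# alert for the drop rule (SID 2210057) the poster found.
SAMPLE_ALERTS = """\
2018-04-04T23:25:30.465856-0400 allowed WAN ###.###.###.### ###.###.###.### 7801 SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2018-04-04T23:25:27.614650-0400 allowed WAN ###.###.###.### ###.###.###.### 7801 SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2018-04-04T23:21:20.710647-0400 allowed WAN ###.###.###.### 22589 ###.###.###.### 23 SURICATA TCPv4 invalid checksum
2018-04-04T23:40:01.000000-0400 blocked LAN 192.0.2.10 51000 198.51.100.5 443 SURICATA STREAM 3way handshake toclient data injection suspected
"""

# IPv4 addresses, ports and masked addresses consist only of these characters;
# the signature message is everything after the last such token.
_ENDPOINT_TOKEN = re.compile(r"^[0-9#.:]+$")


def parse_alert(line):
    """Split one alert line into fields; return None for blank or unparseable lines."""
    tokens = line.split()
    if len(tokens) < 4:
        return None
    timestamp, action, iface = tokens[:3]
    i = 3
    while i < len(tokens) and _ENDPOINT_TOKEN.match(tokens[i]):
        i += 1
    message = " ".join(tokens[i:])
    if not message:
        return None
    return {"timestamp": timestamp, "action": action, "interface": iface,
            "endpoints": tokens[3:i], "message": message}


def is_engine_anomaly(message):
    """Stream/decoder engine events rather than threat signatures. With checksum
    offloading left on, Suricata sees outgoing packets before the NIC fills in the
    checksum, so 'invalid checksum' and stream-state noise are expected on a VM."""
    return message.startswith("SURICATA STREAM") or "invalid checksum" in message


def summarize(text):
    """Count alerts per message and report how many are engine anomalies / blocked."""
    alerts = [a for a in (parse_alert(l) for l in text.splitlines()) if a]
    blocked = [a for a in alerts if a["action"] == "blocked"]
    return {
        "total": len(alerts),
        "by_message": Counter(a["message"] for a in alerts),
        "engine_anomalies": sum(1 for a in alerts if is_engine_anomaly(a["message"])),
        "blocked": len(blocked),
        "blocked_engine_anomalies": sum(1 for a in blocked if is_engine_anomaly(a["message"])),
    }


# Constructed rule table using the fields the poster listed (sid, classtype, message)
# plus the configured action. Only SID 2210057 comes from the thread; SID 1000001 is a
# hypothetical local rule added so the filter has something to leave alone.
RULE_TABLE = {
    2210057: {"classtype": "protocol-command-decode",
              "message": "SURICATA STREAM 3way handshake toclient data injection suspected",
              "action": "drop"},
    1000001: {"classtype": "trojan-activity",
              "message": "EXAMPLE constructed local rule",
              "action": "drop"},
}


def risky_drop_rules(rules):
    """SIDs set to drop whose classtype is protocol-command-decode. These match stream
    and decoder anomalies, which a bridged VM NIC with offloading produces on normal
    traffic, so dropping on them takes every connection down at once."""
    return sorted(sid for sid, r in rules.items()
                  if r["action"] == "drop" and r["classtype"] == "protocol-command-decode")


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    for msg, n in s["by_message"].most_common():
        print(f"{n:3d}  {msg}")
    print(f"{s['engine_anomalies']} of {s['total']} alerts are engine anomalies, "
          f"{s['blocked_engine_anomalies']} of them blocked")
    print("drop rules likely to break ordinary traffic:", risky_drop_rules(RULE_TABLE))
```

If every alert in the log is an engine anomaly and the only drop rule is one of these classtypes, the evidence points at offloading or the virtual bridge setup rather than at an intrusion, which is the direction the tutorial's "set all rules to alert first" step is meant to establish.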