Author Topic: IDS working, IPS not working  (Read 3783 times)

glasi
  • Jr. Member
  • Posts: 93
  • Karma: 9
IDS working, IPS not working
« on: May 29, 2018, 10:06:22 pm »
Hi all,

I am experiencing some issues with IDS/IPS on OPNsense 18.1.8.

As I am new to IDS/IPS I am currently just using the OPNsense/test rules as a very basic setup. In a first step I have just enabled the IDS functionality. The test rules work pretty well. E.g. access to the EICAR test file will generate an alert and will be logged by OPNsense.

As soon as I enable IPS, the problems arise. Once again, I access the EICAR test file. But now NEITHER is an alert generated NOR is access to the file blocked.

Once I disable IPS again, logging works as expected.

Am I missing something? Or is there a bug in the IPS module?

Is anyone having the same issue?

glasi
  • Jr. Member
  • Posts: 93
  • Karma: 9
Re: IDS working, IPS not working
« Reply #1 on: May 30, 2018, 09:03:02 pm »
IPS still not working as expected.

However, I realized that IDS mode is also causing trouble when I use third-party rulesets, e.g. abuse.ch/URLhaus.

While access to the EICAR test file is at least logged by the OPNsense test ruleset, the system remains completely silent on any third-party rules.

franco
  • Administrator
  • Hero Member
  • Posts: 13975
  • Karma: 1211
Re: IDS working, IPS not working
« Reply #2 on: May 30, 2018, 09:15:34 pm »
It depends on your LAN and WAN, where you are listening and what physical interface you have in IPS mode.

Can you provide this info for us?


Cheers,
Franco

glasi
  • Jr. Member
  • Posts: 93
  • Karma: 9
Re: IDS working, IPS not working
« Reply #3 on: May 31, 2018, 09:14:11 pm »
Hi Franco,

Thanks for spending some time on my issue.

Currently, OPNsense (WAN) is connected to my FTTH modem via the ix0 interface. However, in OPNsense my WAN interface is assigned to pppoe0 (ix0_vlan7).

If I understand you correctly, this configuration might be the reason for my issues. Should I create a new "IPS" interface which is directly assigned to the physical ix0 interface and use this IPS interface instead of WAN interface within the IDS/IPS module?

glasi
  • Jr. Member
  • Posts: 93
  • Karma: 9
Re: IDS working, IPS not working
« Reply #4 on: June 05, 2018, 09:43:03 pm »
Still not working.  :-[

Tried the following interface configurations:

WAN: pppoe0 (ix0_vlan7)
IPS: vlan7 on ix0 (PPPoE)
IPS: ix0


No success at all. The last example completely freezes my internet connection when enabling IPS mode.

franco
  • Administrator
  • Hero Member
  • Posts: 13975
  • Karma: 1211
Re: IDS working, IPS not working
« Reply #5 on: June 05, 2018, 09:55:06 pm »
IPS does not work on PPPoE. If someone has the time to follow up on the initial report, I'm leaving the link here. I don't have a setup to reproduce:

https://redmine.openinfosecfoundation.org/issues/1925


Cheers,
Franco

schnipp
  • Sr. Member
  • Posts: 316
  • Karma: 16
Re: IDS working, IPS not working
« Reply #6 on: June 06, 2018, 08:51:02 pm »
IPS should work if the PPPoE parent interface is used, since a PPPoE decoder is included in Suricata. Using the parent interface and the OPNsense test rules in IPS mode, the EICAR test file is successfully blocked. But the other rules do not seem to work.

Yesterday, I started the IPS for an overnight test. This morning I noticed system instability due to a crash of some components. To get the system running again, I had to reboot the machine.
OPNsense 23.1.3-amd64

glasi
  • Jr. Member
  • Posts: 93
  • Karma: 9
Re: IDS working, IPS not working
« Reply #7 on: June 07, 2018, 09:27:01 pm »
Franco, thank you for referring to the potential PPPoE problems.

However, Schnipp is right that Suricata supports both PPPoE and VLAN decapsulation. So it's all the more incomprehensible and confusing that it still does not work in IPS mode.

As far as I understood, IDS uses simple packet capture while IPS utilizes netmap. Unfortunately, I have not found any reliable information on to what extent netmap can handle PPPoE and VLAN.

During some analysis I noticed that the output in /var/log/suricata/stats.log differs between IDS and IPS mode. While in both modes Suricata logs the decoding of IP, Ethernet, TCP, UDP, PPPoE packets etc., app layer parsing/inspection seems to be different.

In IDS mode the following app layer parsers are logged:

app_layer.flow.http
app_layer.tx.http
app_layer.flow.tls
app_layer.flow.dns_udp
app_layer.tx.dns_udp
app_layer.flow.failed_udp

In IPS mode I can only see the following app layer parsers:

app_layer.flow.dns_udp
app_layer.tx.dns_udp
app_layer.flow.failed_udp

Any idea how I can increase the Suricata verbosity level to see more log details and error messages?
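As an added example (not from the thread or the OPNsense project), a small Python script that does the stats.log comparison glasi describes above: it parses two constructed Suricata stats.log excerpts, one per mode, lists the app-layer counters that disappear in IPS mode, and checks that the VLAN and PPPoE decoder counters still tick there. The counter names are the ones the post lists; the values are made up; the row layout is the Counter | TM Name | Value table Suricata writes.

```python
import re
from typing import Dict, List

# Constructed stats.log excerpts (values made up) in the "Counter | TM Name | Value"
# table layout Suricata writes; the counter names follow what the post lists per mode.
IDS_STATS = """\
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.vlan                               | Total                     | 48213
decoder.pppoe                              | Total                     | 48213
app_layer.flow.http                        | Total                     | 412
app_layer.tx.http                          | Total                     | 503
app_layer.flow.tls                         | Total                     | 220
app_layer.flow.dns_udp                     | Total                     | 981
app_layer.tx.dns_udp                       | Total                     | 1962
app_layer.flow.failed_udp                  | Total                     | 12
"""
IPS_STATS = """\
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.vlan                               | Total                     | 50102
decoder.pppoe                              | Total                     | 50102
app_layer.flow.dns_udp                     | Total                     | 1004
app_layer.tx.dns_udp                       | Total                     | 2008
app_layer.flow.failed_udp                  | Total                     | 9
"""
# One counter row: name | thread-module name | integer value; header and separator
# lines do not match because their last column is not a number.
ROW_RE = re.compile(r"^(\S+)\s*\|.*?\|\s*(\d+)\s*$")

def parse_stats(text: str) -> Dict[str, int]:
    """Map counter name -> value; if the log holds several snapshots, the last wins."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def missing_in_ips(ids: Dict[str, int], ips: Dict[str, int],
                   prefix: str = "app_layer.") -> List[str]:
    """Counters under prefix that fired in IDS mode but are absent or zero in IPS mode."""
    return sorted(c for c, v in ids.items()
                  if c.startswith(prefix) and v > 0 and ips.get(c, 0) == 0)

def decoders_active(stats: Dict[str, int],
                    names=("decoder.vlan", "decoder.pppoe")) -> Dict[str, bool]:
    """Whether the VLAN and PPPoE decoders are seeing packets in this snapshot."""
    return {n: stats.get(n, 0) > 0 for n in names}
```

Feeding two real excerpts of /var/log/suricata/stats.log (one captured in each mode) to `parse_stats` and then `missing_in_ips` reproduces the comparison by hand; `decoders_active` on the IPS snapshot tells you whether the PPPoE/VLAN frames are being decoded at all before the app-layer stage.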
