IPS not blocking even though get blocked alerts #3211
Comments
|
Can you check if rules in /usr/local/etc... are alert or drop? |
|
They are drop except for 1 rule in each file and in a few I have the following example #@opnsense_download_hash:<hash> |
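The check asked for above (whether the rule files under /usr/local/etc are alert or drop) can be done mechanically. The script below is an added example, not code from the thread or from OPNsense; it assumes the converted rules live in /usr/local/etc/suricata/opnsense.rules/ and uses a constructed sample file with a placeholder hash and made-up sids.

```shell
#!/bin/sh
# Added example, not from the issue thread: tally the action keyword of
# every active rule in one or more Suricata rule files, so a "not blocking"
# report can first be checked against what the ruleset actually says.
# Comment lines, including OPNsense's "#@opnsense_download_hash:" marker
# (which only tracks the downloaded file's version), are counted separately.

# rule_action_summary FILE...
# Prints one line: drop=N alert=N other=N comment=N
rule_action_summary() {
    cat "$@" | awk '
        /^[[:space:]]*$/ { next }             # blank line
        /^[[:space:]]*#/ { c++; next }        # comment or hash marker
        $1 == "drop"     { d++; next }        # rule converted to drop
        $1 == "alert"    { a++; next }        # rule still alert-only
                         { o++ }              # pass/reject/... anything else
        END { printf "drop=%d alert=%d other=%d comment=%d\n", d, a, o, c }'
}

# make_sample_rules: writes a constructed sample rule file (placeholder
# hash, made-up sids) to a temp file and prints its path.
make_sample_rules() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#@opnsense_download_hash:0000000000000000 (constructed placeholder)
# constructed sample, not a real ET rule file
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE blocked download"; flow:established,to_client; content:"SAMPLE"; sid:9000001; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"SAMPLE outbound"; sid:9000002; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"SAMPLE dns"; sid:9000003; rev:1;)
reject tcp any any -> any 23 (msg:"SAMPLE telnet"; sid:9000004; rev:1;)
EOF
    echo "$f"
}

# With arguments: summarise the files given, e.g.
#   sh rule_actions.sh /usr/local/etc/suricata/opnsense.rules/*.rules   (assumed path)
# Without arguments: run on the constructed sample and clean up.
if [ "$#" -gt 0 ]; then
    rule_action_summary "$@"
else
    f=$(make_sample_rules)
    rule_action_summary "$f"
    rm -f "$f"
fi
```

A file that reports a large `alert=` count after the policy was set to block has not been converted, which is a configuration problem rather than an engine bug; a file that is all `drop=` yet still produces only alerts points at the engine or the inline (netmap) setup, which is the direction the rest of this thread takes.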
|
@L1ghtn1ng the @opnsense_download_hash doesn't do anything, it's for version control. When did your issue first appear? (up to which version are you sure your setup functioned?) |
|
It worked fine in 18.1 and no idea about 18.7 as I skipped that release due to an issue with the firewall and using a unifi security gateway till now.
> From: Ad Schellevis <notifications@github.com>
> Sent: Sunday, February 10, 2019 10:18:46 AM
> To: opnsense/core
> Cc: J.Townsend; Mention
> Subject: Re: [opnsense/core] IPS not blocking even though get blocked alerts (#3211)
> @L1ghtn1ng the @opnsense_download_hash doesn't do anything, it's for version control. When did your issue first appear? (up to which version are you sure your setup functioned?)
|
|
@L1ghtn1ng I think we got a bug here, can you try to install an older version, restart suricata (wait until fully loaded, cpu usage drops), and confirm that this issue is gone?
pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/18.1/latest/Latest/GeoIP.txz
pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/18.1/latest/Latest/suricata.txz
service suricata restart
To revert to the production version:
pkg install suricata
pkg remove GeoIP
service suricata restart
Make sure you can access the machine using another interface/console, in case netmap interferes with your traffic. |
|
I can confirm that having reinstalled the eicar test rule, clearing out cache and cookies with the 18.1 version of suricata installed it has actually blocked the download from happening
On Sun, 2019-02-10 at 05:18 -0800, Ad Schellevis wrote:
> @L1ghtn1ng I think we got a bug here, can you try to install an older version, restart suricata (wait until fully loaded, cpu usage drops), and confirm that this issue is gone?
> pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/18.1/latest/Latest/GeoIP.txz
> pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/18.1/latest/Latest/suricata.txz
> service suricata restart
> To revert to the production version:
> pkg install suricata
> pkg remove GeoIP
> service suricata restart
> Make sure you can access the machine using another interface/console, in case netmap interferes with your traffic.
|
|
ok, can you do the same with suricata 4.0.6 from 18.7? and then the exact same with suricata 4.1.0, to track when this issue seems to have appeared for the first time. Thanks in advance! |
|
Do not know if it makes a difference or not but I am using libreSSL instead of OpenSSL, will the commands above still be okay? |
|
oops, no, you need the Libre files, change |
|
Is this something to worry about?
root@firewall:~ # pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/18.7/MINT/18.7.9/LibreSSL/All/suricata-devel-4.1.0.txz
===========================================================================
If you want to run Suricata in IDS mode, add to /etc/rc.conf:
NOTE: Declaring suricata_interface is MANDATORY for Suricata in IDS Mode.
However, if you want to run Suricata in Inline IPS Mode in divert(4) mode,
NOTE: Alternatively, if you want to run Suricata in Inline IPS Mode in high-speed
NOTE: RULES: Suricata IDS/IPS Engine comes without rules by default. You should
http://www.openinfosecfoundation.org/documentation/rules.html
You may want to try BPF in zerocopy mode to test performance improvements:
Don't forget to add net.bpf.zerocopy_enable=1 to /etc/sysctl.conf
===========================================================================
|
|
not really, the files overlap. if you reinstall the originals when done you should be ok. |
|
I can confirm that the problem happens with this version of suricata as all the other versions worked fine
pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/18.7/MINT/18.7.9/LibreSSL/All/suricata-devel-4.1.0.txz |
|
@L1ghtn1ng thanks for confirming, we'll try to debug some more and take it up with the suricata people. |
|
No problem, I also have it set to block on lan and using hyperscan |
|
Just posting some stuff for my own reference, compiled some different versions and things seem to break between these commits: [defective 6/2/2018] OISF/suricata@e96d9c1 |
|
@L1ghtn1ng ok, @inliniac helped us find the issue https://redmine.openinfosecfoundation.org/issues/2811
Can you try the following on your machine? Make sure the latest suricata version is installed:
Patch for https://redmine.openinfosecfoundation.org/issues/2811, using:
Then go to the web interface and apply your settings, just to be sure, also stop/start suricata and test again. Thanks in advance! |
|
@AdSchellevis @inliniac I can confirm that the patch fixes the problem |
|
@L1ghtn1ng Thanks, case closed, I'll ask @fichtner to include the patch in 19.1.2 |
…dation.org/issues/2811, for #3211 (cherry picked from commit 8695737)
As the title says, I am getting the above. I have et-pro-telemetry rules and I did have the opnsense app detect test rule enabled to block eicar and I get the alerts for that but it does not actually stop the download. I am running 19.1.1