Netgate Discussion Forum
    Suricata true inline IPS mode coming with pfSense 2.3 – here is a preview

    IDS/IPS
    94 Posts 26 Posters 63.5k Views
    • bmeeks

      I have posted the pull request containing the latest bug fixes.  After review by the pfSense developers, it will be merged and then show up as an update on the System > Packages > Installed Packages tab for pfSense 2.3-BETA users.

      Here is a link to the pull request with a list of the fixes: https://github.com/pfsense/FreeBSD-ports/pull/84

      Bill

      • ntct

        Hi Bill,

        I tested 3.0_1 and found the following.

        1. Enable emerging-scan.rules from Categories and disable SID A from SID Mgmt: it does not show "Auto-disabled by SID Mgmt" in Rules.

        2. Add emerging-scan to enablesid.conf: Categories shows emerging-scada.rules and emerging-scan.rules. But if I add emerging-scan.rules, it is correct.

        3. Add emerging-scan.rules to disable.conf and enablesid.conf: whether I use "disable,enable" or "enable,disable" as the State Order, it shows "Category is auto-disabled by SID Mgmt conf files".

        4. IP Lists: it is missing -> http://emergingthreats.net/products/iqrisk-rep-list/

        5. Auto-enable rules required for checked flowbits: the default is checked, but it is not checked.

        Could you check it please?

        (attachment: 1.jpg)

        • bmeeks

          @ntct:

          Hi Bill,

          I tested 3.0_1 and found the following.

          1. Enable emerging-scan.rules from Categories and disable SID A from SID Mgmt: it does not show "Auto-disabled by SID Mgmt" in Rules.

          2. Add emerging-scan to enablesid.conf: Categories shows emerging-scada.rules and emerging-scan.rules. But if I add emerging-scan.rules, it is correct.

          3. Add emerging-scan.rules to disable.conf and enablesid.conf: whether I use "disable,enable" or "enable,disable" as the State Order, it shows "Category is auto-disabled by SID Mgmt conf files".

          4. IP Lists: it is missing -> http://emergingthreats.net/products/iqrisk-rep-list/

          5. Auto-enable rules required for checked flowbits: the default is checked, but it is not checked.

          Could you check it please?

          I am looking into this.  I did some testing using another set of conditions over the weekend and it seemed to work.  This morning, however, I was able to reproduce your issue.

          UPDATE:  I found the problem with auto-management icons.  It is a cosmetic display issue only, so the rules are actually being managed as defined in the SID MGMT files.  I will post the fix for the display problem soon.  Working on a couple of other user-reported issues as well.  The IQRisk download problem is also identified and will be fixed.  That one was a failure to declare a variable as global when used in a function call.

          Bill

          • bmeeks

            Look for an update soon that addresses the user-reported bugs above.  The pull request is here: https://github.com/pfsense/FreeBSD-ports/pull/85.

            Bill

            • ntct

              I use SID State Order (disable,enable), add emerging-scan.rules to disablesid.conf and add SID A to enablesid.conf; I don't see any enabled rules. SID A is also not in XXX/rules/suricata.rules  :)

              I use pcre:xxxxx and it can be selected, but with pcre:"xxxxx" it can't.

              By the way, is it possible to drop all traffic that matches rules? Do you have any suggestions?

              Thanks!

              (attachments: 5.jpg, 6.jpg)

              • bmeeks

                Latest Suricata bug fix is now available for download.  Here is what the pfSense-pkg-suricata 3.0_2 package update addresses.

                Bug Fixes

                • Rules auto-managed by SID MGMT tab files are not tagged correctly on the RULES tab.

                • IQRisk IP Reputation files not downloading for users with subscription code.

                • Icons indicating rule GID:SID added to Suppress Lists get duplicated when IPs are the same on ALERTS tab.

                • Snort VRT rules checkboxes not auto-disabled when IPS-Policy is selected on CATEGORIES tab.

                • PCRE selection of SIDs not working correctly for auto-SID management.

                Known Limitations:
                At the moment, if you select a Snort VRT IPS Policy and try to view all the rules selected by the policy on the RULES tab, you will crash the PHP process for the Suricata GUI and get a blank browser screen.  This happens because the large IPS Policy rule set for the "Balanced" or "Security" policies exhausts the maximum PHP memory pool allowed by current pfSense settings.  A solution for that is being looked into by the pfSense developers.  In the interim, do not attempt to view an IPS Policy rule set on the RULES tab.  Note that although doing so will crash the PHP process showing you the RULES tab page, it won't impact the firewall operation and will not crash the Suricata binary.  It just crashes the individual process that was attempting to display the rules.

                Bill

                • bmeeks

                  @ntct:

                  I use SID State Order (disable,enable), add emerging-scan.rules to disablesid.conf and add SID A to enablesid.conf; I don't see any enabled rules. SID A is also not in XXX/rules/suricata.rules  :)

                  This is by design.  The logic excludes based on the largest net.  So if you disable a category by putting it in the disablesid.conf file, then none of that category's rules can be used.  Enabling individual SIDs from an excluded category in the enablesid.conf file is not possible (because the whole category has been excluded).  It would be better to use SID ranges from the category in the two files and work out a solution that way.  The biggest "excluding" statement wins between the two files (enablesid and disablesid).  What the "order" drop-down controls is which conf file runs first and which last.  So if you have the order set to "enable/disable" and you enable a category in enablesid.conf and you disable the same category in disablesid.conf, then the category's rules are not present in the enforcing rules array at all because the entire category has been disabled.  On the other hand, if you leave the conf files the same but switch the "order" drop-down to "disable/enable", then the category will be enabled and its rules present in the enforcing rules array because the enablesid.conf file ran last and enabled the category even though the disablesid.conf had previously disabled it.

                  @ntct:

                  I use pcre:xxxxx and it can be selected, but with pcre:"xxxxx" it can't.

                  Yeah, that was a typo by me in the example.  You do not need the quote marks.  Just use the format pcre:xxxx.  There was also an unneeded call in that part of the code to the preg_quote() function.  That caused the PCRE compare to fail as well.  This is fixed in the update just posted this morning.

                  @ntct:

                  By the way, is it possible to drop all traffic that matches rules? Do you have any suggestions?

                  Not sure I understand what you are asking me here.  If you just want all triggered rules to cause traffic to be blocked, you will need to switch back to legacy mode on the interface.  That will let a few packets leak through, though, as I explained in previous posts.  There is no way without rewriting the Suricata binary to have it "drop" all alerts the way legacy mode works.

                  Bill

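The resolution behaviour Bill describes above (a category-level exclusion beating individual SID enables, and the State Order only deciding which file's category-level entry is applied last), together with the bare pcre: format and the effect of running the pattern through a preg_quote()-style escape, as an added illustration that is not the pfSense package's own code. The rules, SIDs and conf file contents are constructed; the entry syntax (category file name, gid:sid, gid:sid-gid:sid range, pcre:regex with no quote marks) is assumed from the thread, and rules named in neither file are treated as disabled here rather than inheriting whatever the Categories tab set.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    category: str   # rules file the signature came from
    text: str       # rule text; only pcre: entries look at it


# Constructed sample rule set (SIDs are illustrative, not real ET signatures).
RULES = [
    Rule(1, 2000001, "emerging-scan.rules", 'msg:"ET SCAN sample nmap probe"'),
    Rule(1, 2000002, "emerging-scan.rules", 'msg:"ET SCAN sample masscan probe"'),
    Rule(1, 2000003, "emerging-scan.rules", 'msg:"ET SCAN sample ssh sweep"'),
    Rule(1, 2000101, "emerging-scada.rules", 'msg:"ET SCADA sample modbus write"'),
]

RANGE_RE = re.compile(r"(\d+):(\d+)(?:-(\d+):(\d+))?")


def parse_entry(line):
    """One conf line -> ('category', name) | ('range', lo, hi) | ('pcre', regex) | None."""
    line = line.split("#", 1)[0].strip()            # '#' starts a comment (assumed)
    if not line:
        return None
    if line.startswith("pcre:"):
        return ("pcre", line[len("pcre:"):].strip())   # bare regex, no quote marks
    if line.endswith(".rules"):
        return ("category", line)
    m = RANGE_RE.fullmatch(line)
    if m:
        g1, s1, g2, s2 = m.groups()
        lo = (int(g1), int(s1))
        hi = (int(g2), int(s2)) if g2 else lo
        return ("range", lo, hi)
    raise ValueError(f"unrecognised SID Mgmt entry: {line!r}")


def select(rules, entry):
    """Set of (gid, sid) keys an entry covers."""
    kind = entry[0]
    if kind == "category":
        return {(r.gid, r.sid) for r in rules if r.category == entry[1]}
    if kind == "range":
        lo, hi = entry[1], entry[2]
        return {(r.gid, r.sid) for r in rules if lo <= (r.gid, r.sid) <= hi}
    rx = re.compile(entry[1])
    return {(r.gid, r.sid) for r in rules if rx.search(r.text)}


def pcre_select(rules, pattern, escape_like_preg_quote=False):
    """A pcre: entry run as-is, or first passed through re.escape, the Python
    analogue of PHP's preg_quote(): every metacharacter becomes a literal, so a
    pattern such as 'ET SCAN.*probe' no longer matches anything."""
    if escape_like_preg_quote:
        pattern = re.escape(pattern)
    return select(rules, ("pcre", pattern))


def resolve(rules, enablesid_conf, disablesid_conf, order="disable,enable"):
    """Keys left enabled after both conf files are applied in State Order.

    A category entry records a state for the whole category; a later category
    entry for the same category overwrites an earlier one, which is all the
    order changes.  A category left 'disable' excludes every rule in it, even
    rules enablesid.conf names individually (biggest excluding statement wins).
    SID-level entries only decide rules whose category is not excluded.
    """
    files = {"enable": enablesid_conf, "disable": disablesid_conf}
    category_state = {}
    sid_state = {}
    for action in (name.strip() for name in order.split(",")):
        for line in files[action].splitlines():
            entry = parse_entry(line)
            if entry is None:
                continue
            if entry[0] == "category":
                category_state[entry[1]] = action
            else:
                for key in select(rules, entry):
                    sid_state[key] = action

    enabled = set()
    for r in rules:
        key = (r.gid, r.sid)
        cat = category_state.get(r.category)
        if cat == "disable" or sid_state.get(key) == "disable":
            continue                        # an exclusion at either level wins
        if cat == "enable" or sid_state.get(key) == "enable":
            enabled.add(key)
    return enabled


if __name__ == "__main__":
    # ntct's case: category in disablesid.conf, one of its SIDs in enablesid.conf
    print(resolve(RULES, "1:2000001\n", "emerging-scan.rules\n", "disable,enable"))  # set()
    # same category in both files: only the State Order decides
    print(resolve(RULES, "emerging-scan.rules\n", "emerging-scan.rules\n", "disable,enable"))
```

The workable pattern Bill suggests is visible in the range case: enable the category (or a gid:sid range covering it) in enablesid.conf and list the unwanted SIDs in disablesid.conf, rather than disabling the category and trying to re-enable individual SIDs from it.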
                  • ntct

                    How to evaluate performance and detect packet loss for pfSense 2.3 in inline IPS mode?  stats.log or?

                    Thanks again!

                    • bmeeks

                      @ntct:

                      How to evaluate performance and detect packet loss for pfSense 2.3 in inline IPS mode?  stats.log or?

                      Thanks again!

                      I think that log primarily shows how much time was spent analyzing particular rules.  But I don't remember for sure.  It's been a long time since I activated the stats.log option and looked over the log.

                      Bill

                      • ntct

                        hmm…

                        I can't see capture.kernel_drops in stats.log.  :P

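Reading the capture counters out of stats.log, as an added example that is not from the original posts or the pfSense package. The excerpt is constructed in stats.log's Counter | TM Name | Value layout (one block per dump interval under a Date: header) with invented values. Whether capture.kernel_drops shows up at all depends on the capture method, which is the situation reported just above, so the parser reports an absent counter as unknown rather than as zero drops; and because the counters are cumulative since Suricata started, the per-interval delta is what tells you whether packets are being dropped now.

```python
from collections import defaultdict

# Constructed stats.log excerpt; layout follows Suricata's stats output, values are invented.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 2/22/2016 -- 10:15:23 (uptime: 0d, 00h 05m 08s)
-------------------------------------------------------------------
Counter                  | TM Name   | Value
-------------------------------------------------------------------
capture.kernel_packets   | Total     | 100000
capture.kernel_drops     | Total     | 0
decoder.pkts             | Total     | 100000
-------------------------------------------------------------------
Date: 2/22/2016 -- 10:15:31 (uptime: 0d, 00h 05m 16s)
-------------------------------------------------------------------
Counter                  | TM Name   | Value
-------------------------------------------------------------------
capture.kernel_packets   | Total     | 250000
capture.kernel_drops     | Total     | 125
decoder.pkts             | Total     | 249875
"""

# Same excerpt with capture.kernel_drops missing, as reported in the post above.
SAMPLE_NO_DROP_COUNTER = "\n".join(
    l for l in SAMPLE_STATS_LOG.splitlines() if not l.startswith("capture.kernel_drops")
)


def parse_snapshots(text):
    """Split stats.log into dump intervals, oldest first:
    [{'date': str, 'counters': {counter: {tm_name: int}}}, ...]."""
    snapshots = []
    current = None
    for line in text.splitlines():
        if line.startswith("Date:"):
            current = {"date": line[len("Date:"):].strip(), "counters": defaultdict(dict)}
            snapshots.append(current)
            continue
        if current is None or line.count("|") != 2:
            continue                                  # separators and blank lines
        counter, tm, value = (p.strip() for p in line.split("|"))
        if not value.lstrip("-").isdigit():
            continue                                  # the 'Counter | TM Name | Value' header row
        current["counters"][counter][tm] = int(value)
    return snapshots


def counter_value(snapshot, counter, tm="Total"):
    """Counter for one thread/TM name, or None if that row never appeared."""
    return snapshot["counters"].get(counter, {}).get(tm)


def drop_summary(text, tm="Total"):
    """(kernel_packets, kernel_drops, drop_pct) from the newest dump interval.

    drops and drop_pct are None when capture.kernel_drops is absent: an absent
    counter means the capture method is not reporting drops here, not that there
    were none, so it must not be silently read as 0.
    """
    snaps = parse_snapshots(text)
    if not snaps:
        raise ValueError("no stats.log dump intervals found")
    latest = snaps[-1]
    pkts = counter_value(latest, "capture.kernel_packets", tm)
    drops = counter_value(latest, "capture.kernel_drops", tm)
    if pkts is None or drops is None:
        return pkts, drops, None
    return pkts, drops, (100.0 * drops / pkts if pkts else 0.0)


def interval_delta(text, counter, tm="Total"):
    """Growth of a cumulative counter between the last two dumps; None if the
    counter is missing from either or there is only one dump so far."""
    snaps = parse_snapshots(text)
    if len(snaps) < 2:
        return None
    before = counter_value(snaps[-2], counter, tm)
    after = counter_value(snaps[-1], counter, tm)
    if before is None or after is None:
        return None
    return after - before


if __name__ == "__main__":
    print(drop_summary(SAMPLE_STATS_LOG))          # (250000, 125, 0.05)
    print(drop_summary(SAMPLE_NO_DROP_COUNTER))    # (250000, None, None)
    print(interval_delta(SAMPLE_STATS_LOG, "capture.kernel_drops"))  # 125
```

Run it against the real file with `drop_summary(open("/var/log/suricata/<iface>/stats.log").read())` on the firewall (path assumed from the pfSense package layout); a `None` in the drops position is the signal to look for a different drop counter for the capture method in use rather than to conclude the interface is keeping up.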
                        • ntct

                          Hi Bill,

                          I can't start Barnyard2; I use Syslog Output.

                          It seems no barnyard2 is installed.

                          Can you check?

                          Thx!

                          (attachment: 1.jpg)

                          • bmeeks

                            @ntct:

                            Hi Bill,

                            I can't start Barnyard2; I use Syslog Output.

                            It seems no barnyard2 is installed.

                            Can you check?

                            Thx!

                            Yep, it looks like the Barnyard2 binary is not there.  I will need to investigate how it got missed in the build/run dependencies. It should have been installed along with Suricata. In the meantime, you should be able to just install it using pkg from the command line.

                            Bill

                            • bmeeks

                              A quick fix for the missing Barnyard2 binary was posted today by the pfSense team.  If you remove and then reinstall Suricata, it should bring along Barnyard2 now like it did in the past.

                              Bill

                              • dcol

                                There has been nothing new on this project in many months. Is it dead? I certainly hope not, but I assume we are waiting on improvements to netmap which hasn't been updated in quite a while. Suricata 3.1.1 is out now and seems to be in current development.

                                I could really use this package as I am sure many others are chomping at the bit for it.

                                Progress preview maybe?

                                Dan

                                • dcol

                                  I guess this really is a dead project after all. It's a real shame.

                                  • dhboyd26

                                    This desperately needs to happen… I need Inline mode so bad, I can't describe how badly I need it.  We have so much junk traffic tossed at valid IPs that perfectly good sites get blocked and many web/cloud based tools that my faculty and staff depend on become useless.

                                    I've tuned Suricata rules until I can't see straight, and still, valid sites get blocked.

                                    Come on devs, roll this stuff out!  We are all rooting for you (and whining a bit).

                                    Suricata 3.1.1 has been out for a while now in production, I wonder if there are still underlying netmap/driver issues causing problems with Inline mode?

                                    • repne

                                      I installed suricata, and the installer complained about some mysql client vulnerability that will not be patched. Something to be worried about?

                                      • bmeeks

                                        @[deleted user]:

                                        Suricata package has been updated today from 3.0_7 to 3.0_8.

                                        From the changelogs I see only a fix for "Suricata, a broken download should not wait forever." ,and some changes in licenses.

                                        @bmeeks I don't understand, why not jump to the latest version, with the latest fixes, because there are a lot?

                                        10x

                                        I have been very busy with other work outside of my volunteer package maintainer duties for Suricata and Snort.  The other work pays me, the volunteer maintainer duties do not …  ;).

                                        I am testing the latest 3.1.1 binary this weekend and hope to have a pull request posted very soon.

                                        Bill

                                          • dcol

                                          Will inline IDS be working with the latest Suricata update?

                                            • bmeeks

                                            @dcol:

                                            Will inline IDS be working with the latest Suricata update?

                                            Hopefully better than it currently does.  The issues are pretty much all netmap related as netmap is a relatively new technology.  Suricata has had some upstream bugs reported around the netmap interface used for inline mode.  A lot of those reported issues are fixed in the 3.1.1 release.

                                            Bill

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.