    No alerts from pfsense/Suricata in Virtualbox

    IDS/IPS
      TractorZumi:

      Hello there,

      I am trying to set up a test lab to make some comparisons between Suricata and Snort.

      I set up a Host-Only Network (172.16.100.0/24) in VirtualBox containing a Metasploitable VM and a fresh Ubuntu installation.
      I also created a NAT Network (10.0.100.0/24) containing a Kali Linux VM.
      Both networks are connected via pfSense, which seems to work, since the VMs can ping each other and all the VMs can connect to the internet.

      [screenshot: network layout]

      But shouldn't I get alerts when running nmap scans from the Kali VM against anything inside the Host-Only Network?

      Suricata is running on both the WAN and LAN interfaces of pfSense.

      [screenshot: Suricata interfaces]

      HOME_NET is at the default:

      [screenshot: HOME_NET setting]

      NAT Network: 10.0.100.0/24
      Host-Only Network: 172.16.100.0/24
      Kali IP: 10.0.100.5/32
      Metasploitable IP: 172.16.100.11/32

      Any help would be greatly appreciated.

        bmeeks:

        You don't mention what rules, if any, you have enabled. Do you actually have the correct rules in place on the interfaces to detect your scans?

        I use a similar setup all the time when testing new releases of the Snort and Suricata packages before posting them. I usually use the ET-Scan rules category and run a simple nmap SYN scan against a target like so:

        nmap -sS <target_ip>
        

        If you are not seeing alerts, and you have the proper rules deployed, then I would double-check my virtual switch setup to be sure you are not bypassing the firewall with the traffic. I use VMware Workstation instead of VirtualBox for my testing.

          TractorZumi (replying to bmeeks):

          @bmeeks
          Sorry for not mentioning the rules.

          I downloaded the ETOpen rules and enabled all categories.

          [screenshot: rule download settings]

          I do now and then get some alerts, but these seem to be known false alerts.

          [screenshot: alerts tab]

          How could it happen that my traffic bypasses the firewall?
          I thought it should not be possible to ping from my NAT Network into the Host-Only Network without pfSense connecting both networks.

            bmeeks:

            I'm not a VirtualBox user, so I can't say for sure what you should check to see about a bypass.

            I can tell you absolutely that Suricata works and will trigger alerts when you have the correct configuration. I do this all the time.

            By the way, you do not need to be using the "Custom URL" option for the ET Open rules. Just check the box to "Install ETOpen Emerging Threats Rules" and uncheck the "Use a Custom URL" box. It has nothing to do with your current problem, but you don't need that configuration. That option is there only for users that have a central internal server of their own where they want to distribute rules to internal clients. If you are downloading straight from emergingthreats.net, there is no need for a custom URL.

            What is your experience level with an IDS? Have you used Snort and Suricata in the past? Have you gone to the CATEGORIES tab for your interfaces and selected the rules categories there and saved the changes? Your screenshot of the ALERTS tab indicates you are only using the default built-in rules.

              TractorZumi (replying to bmeeks):

              @bmeeks
              I unchecked the Custom URL box.
              And yes, I went to "LAN Categories", selected all rules and saved.
              Then I get the message "Suricata is 'live-loading' the new rule set on this interface."

              [screenshot: LAN Categories tab]

              It is my first IDS setup.
              I found in the "Diagnostics" tab that it is only 1 hop to the Metasploitable VM and also 1 hop to Kali, which makes me confident both VMs are connected to pfSense.

              [screenshot: traceroute from pfSense Diagnostics]

                bmeeks:

                Running tracert from your firewall itself does not mean much. It is not telling you how the Kali Linux VM, for example, is reaching the hosts you are scanning.

                You would want to run the tracert from the Kali Linux machine and see if the traffic is going "through" pfSense to reach the other hosts.

                Run this exact command from a shell prompt on your Kali host and see what you get-

                nmap -sS 172.16.100.11
                

                Then see if you have alerts in Suricata for scans against VNC ports and perhaps SQL Server and others from the Kali host to the host at 172.16.100.11.

                  TractorZumi:

                  @bmeeks

                  Traceroute from Kali to Metasploitable does not look too good :(

                  [screenshot: traceroute output, all hops timing out]

                  but with the -I option:

                  [screenshot: traceroute -I output]

                  So does this actually tell me that the traffic is not going through pfSense (WAN = 10.0.100.6/24), but somehow directly via the VirtualBox gateway?

                  Changed the default gateway to the pfSense WAN; it seems to work now (except no internet anymore, but I guess I can fix that somehow, too).

                  I do get alerts!!! :)

                  [screenshot: Suricata alerts for the scan]

                  Thank you very much!
                  Let love rule!

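The two checks the thread converges on (does Kali's traffic actually cross pfSense, and does Suricata then log ET SCAN alerts for the nmap SYN scan) can be scripted so they are not judged by eye from screenshots. The block below is an added example written for this thread; it is not code from pfSense, Suricata or nmap. It uses the addresses given above (10.0.100.5 Kali, 10.0.100.6 pfSense WAN, 172.16.100.11 Metasploitable). The traceroute outputs and the EVE JSON lines are constructed samples shaped like real `traceroute -n` output and Suricata `eve.json` records, not captures from the poster's lab, and the signature ids and timestamps in them are illustrative.

```python
"""Added illustration for this thread (not pfSense, Suricata or nmap code):
confirm that Kali's packets transit pfSense, then look in a Suricata EVE log
for the ET SCAN alerts an `nmap -sS 172.16.100.11` should raise.
Sample traceroute output and EVE lines below are constructed, not captured."""
import json
import re
from typing import Dict, List, Optional

KALI = "10.0.100.5"          # scanner, on the VirtualBox NAT Network
PFSENSE_WAN = "10.0.100.6"   # pfSense WAN: scan traffic must cross this hop
TARGET = "172.16.100.11"     # Metasploitable, on the Host-Only Network

# Constructed `traceroute -n -I 172.16.100.11` from Kali BEFORE the gateway
# change: hop 1 is the VirtualBox NAT gateway, so pfSense never sees the scan.
TRACEROUTE_BYPASS = """\
traceroute to 172.16.100.11 (172.16.100.11), 30 hops max, 60 byte packets
 1  10.0.100.1  0.301 ms  0.250 ms  0.233 ms
 2  172.16.100.11  0.612 ms  0.580 ms  0.571 ms
"""

# Constructed output AFTER pointing Kali at the pfSense WAN address.
TRACEROUTE_VIA_PFSENSE = """\
traceroute to 172.16.100.11 (172.16.100.11), 30 hops max, 60 byte packets
 1  10.0.100.6  0.412 ms  0.377 ms  0.350 ms
 2  172.16.100.11  0.901 ms  0.864 ms  0.832 ms
"""

# Constructed default (UDP) traceroute that times out, like the first
# screenshot in the thread: it proves nothing either way.
TRACEROUTE_TIMEOUT = """\
traceroute to 172.16.100.11 (172.16.100.11), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def first_hop(traceroute_output: str) -> Optional[str]:
    """Address of hop 1 in `traceroute -n` output, or None if it timed out.
    Hop 1 is the gateway the VM really uses for this destination."""
    for line in traceroute_output.splitlines():
        m = HOP_RE.match(line)
        if m and m.group(1) == "1":
            return None if m.group(2) == "*" else m.group(2)
    return None


def transits_firewall(traceroute_output: str, firewall_ip: str = PFSENSE_WAN) -> bool:
    """True only when hop 1 is the firewall; a timed-out hop is not evidence
    of anything, so a silent UDP traceroute never passes this check."""
    return first_hop(traceroute_output) == firewall_ip


# Constructed Suricata EVE JSON lines: one flow record, two ET SCAN alerts for
# the scan (VNC and MSSQL, as bmeeks describes), one unrelated noisy alert in
# the reverse direction, and one truncated line as found at the end of a log
# that is still being written.
SAMPLE_EVE = [
    '{"timestamp":"2021-03-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.100.5","dest_ip":"172.16.100.11","proto":"TCP"}',
    '{"timestamp":"2021-03-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.100.5","src_port":43210,"dest_ip":"172.16.100.11","dest_port":5900,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2002911,"rev":6,"signature":"ET SCAN Potential VNC Scan 5900-5920","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2021-03-01T10:00:02.500000+0000","event_type":"alert","src_ip":"10.0.100.5","src_port":43211,"dest_ip":"172.16.100.11","dest_port":1433,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2010935,"rev":3,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2021-03-01T10:00:03.000000+0000","event_type":"alert","src_ip":"172.16.100.11","src_port":80,"dest_ip":"10.0.100.5","dest_port":43212,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2260002,"rev":1,"signature":"SURICATA Applayer Detect protocol only one direction","category":"Generic Protocol Command Decode","severity":3}}',
    '{"timestamp":"2021-03-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.100.5","dest_ip":"172.16.100.11","dest_port":22,"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH',
]


def scan_alerts(eve_lines: List[str], src: str = KALI, dst: str = TARGET) -> List[Dict]:
    """Alert records for src -> dst whose signature is an ET SCAN rule.
    Non-alert events, other hosts and unparsable (truncated) lines are skipped."""
    hits = []
    for line in eve_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        if rec.get("src_ip") != src or rec.get("dest_ip") != dst:
            continue
        if rec.get("alert", {}).get("signature", "").startswith("ET SCAN "):
            hits.append(rec)
    return hits


def lab_report(traceroute_output: str, eve_lines: List[str]) -> Dict[str, object]:
    """Combine both checks into an answer to the thread's question."""
    via = transits_firewall(traceroute_output)
    hits = scan_alerts(eve_lines)
    if not via:
        verdict = "traffic bypasses pfSense; fix the route on Kali first"
    elif hits:
        verdict = "scan transits pfSense and Suricata alerted"
    else:
        verdict = "traffic transits pfSense but no ET SCAN alert: check the rule categories"
    return {
        "first_hop": first_hop(traceroute_output),
        "via_pfsense": via,
        "et_scan_alerts": len(hits),
        "ports_hit": sorted(h["dest_port"] for h in hits),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, tr in (("bypass", TRACEROUTE_BYPASS), ("via pfSense", TRACEROUTE_VIA_PFSENSE),
                     ("timeout", TRACEROUTE_TIMEOUT)):
        print(name, lab_report(tr, SAMPLE_EVE))
```

Run `traceroute -n -I 172.16.100.11` on Kali and feed the output to `lab_report` together with the pfSense EVE log for the interface (on pfSense the Suricata package keeps per-interface logs under `/var/log/suricata/`). The `-I` flag matters: the default UDP probes were answered by nothing in the poster's screenshot, and the check deliberately treats that as "not shown to transit" rather than as a pass. One route suggestion that is not from the thread: instead of replacing Kali's default gateway (which cost the poster internet access), a static route for the lab subnet only, `ip route add 172.16.100.0/24 via 10.0.100.6`, sends just the Host-Only traffic through pfSense and leaves the VirtualBox NAT gateway as the default route.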
                    bmeeks:

                    I'm not a VirtualBox user, so I can't help you there. Host networks in workstation-level hypervisors can be tricky. You really need the concept of virtual switches like you can use in ESXi and other hypervisors. That way you can keep things separate.
