Suricata IPS mode issue

[L1ghtn1ng]

When playing around with the default packet size advanced option even when I set it to the MTU of my network I still get downloads sometimes stalling or when trying to fetch or push from github it always times out.

When I disable suricata I do not have this issue.

On OPNsense 17.1.7 64 bit A10 with the default-packet-size patch applied that is coming in 17.1.8

I also run a proxy as well. I have been having this issue for a very long time and would love to have this issue resolved.

cc @fichtner

[AdSchellevis]

there's not a lot of info in the issue, but have you tried enabling IPS on the other interface to narrow it down a bit (if you're using wan now, switch to lan and repeat the same test)?

[L1ghtn1ng]

I have tried it with wan and I have no issue as it does not seem to inspect the traffic as it does not block the eicar test file. I have it now set to wan & lan it does inspect traffic and block the eicar file but only on the lan side. I did send earlier reports to franco via email.

[AdSchellevis]

you're using pppoe, aren't you? That might explain why suricata doesn't see the traffic on the wan side. It's probably best not to enable both, if one of them wasn't functional before.

[L1ghtn1ng]

Yes, will disable it on the WAN then and just leave it on the LAN but would also love to have it work on the WAN as well though.

Sent from phone

---

From: Ad Schellevis notifications@github.com Sent: Friday, May 26, 2017 5:37:11 PM To: opnsense/core Cc: J.Townsend; Author Subject: Re: [opnsense/core] Suricata IPS mode issue (#1659)

you're using pppoe, aren't you? That might explain why suricata doesn't see the traffic on the wan side. It's probably best not to enable both, if one of them wasn't functional before.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://github.com/opnsense/core/issues/1659#issuecomment-304329526, or mute the threadhttps://github.com/notifications/unsubscribe-auth/ADddQg-H3L8dc8UAqHwHx_uB3D2uBjhuks5r9v-3gaJpZM4NnyDJ.

[AdSchellevis]

I'm not sure if suricata/netmap supports pppoe decapsulation, although I don't think they do. netmap on pppoe interfaces is not supported as far as I know.

I don't mind leaving the issue open, but if it's related to pppoe and/or missing support in either netmap or suricata I don't expect it's something we can solve.

[L1ghtn1ng]

I have let Victor know and he is traveling at the moment so hopefully we will get his input soon

Sent from phone

---

From: Ad Schellevis notifications@github.com Sent: Friday, May 26, 2017 5:45:30 PM To: opnsense/core Cc: J.Townsend; Author Subject: Re: [opnsense/core] Suricata IPS mode issue (#1659)

I'm not sure if suricata/netmap supports pppoe decapsulation, although I don't think they do. netmap on pppoe interfaces is not supported as far as I know.

I don't mind leaving the issue open, but if it's related to pppoe and/or missing support in either netmap or suricata I don't expect it's something we can solve.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://github.com/opnsense/core/issues/1659#issuecomment-304331534, or mute the threadhttps://github.com/notifications/unsubscribe-auth/ADddQgGpirqIcL0vjx__cCw-QTJFQ1Qsks5r9wGqgaJpZM4NnyDJ.

[L1ghtn1ng]

@AdSchellevis Just out of curiosity how hard would it be to get PPPoE decapsulation support in netmap if it does not support it? As the amount of users that have issues due to this is high. In my opinion this is a bug, but I think other people will think otherwise.

[AdSchellevis]

@L1ghtn1ng if I'm not mistaken you need netmap support on the pppoe device to make it work (or decapsulation support in suricata to capture the traffic on the real interface), not really my area of expertise, but I figure it's quite some work.

[L1ghtn1ng]

I use a A10 so that does not have support for it?

Sent from phone

---

From: Ad Schellevis notifications@github.com Sent: Sunday, May 28, 2017 10:17:16 AM To: opnsense/core Cc: J.Townsend; Mention Subject: Re: [opnsense/core] Suricata IPS mode issue (#1659)

@L1ghtn1nghttps://github.com/l1ghtn1ng if I'm not mistaken you need netmap support on the pppoe device to make it work (or decapsulation support in suricata to capture the traffic on the real interface), not really my area of expertise, but I figure it's quite some work.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://github.com/opnsense/core/issues/1659#issuecomment-304502450, or mute the threadhttps://github.com/notifications/unsubscribe-auth/ADddQsSftJ8TDHHl7XcgeHFgqKVF813hks5r-TucgaJpZM4NnyDJ.

[AdSchellevis]

Intel network cards (like the A10 uses) have the best known netmap support, but you either need support in FreeBSD for the virtual driver (pppoe/mpd5) or suricata should be capable of decoding the pppoe stream.

[L1ghtn1ng]

So to try and make it clear and provide more information for victor when downloading in firefox it will start the download and get to a certain point in the download and just stop. It never recovers, when restarting the download it sometimes manages to complete the download.

Since OPNsense 17.1.8 in the advanced tab you can now change the default packet size parameter in suricata.yaml with me putting it to 1500 as that is the MTU on the LAN it has helped. I still get the behaviour mentioned above but on the second go it now manages to download the file I am downloading at that moment in time.

If I disable Suricata everything works correctly i.e can download things first time and also am able to push,fetch,pull from github. If I enable Suricata in IPS mode I get the issues I have mentioned in this post.

I have also tried Suricata in IDS mode and everything also works correctly in that configuration as well.

So from this post I hope it is clear to everyone the issues I am having and would like if possible fixed.

[L1ghtn1ng]

@AdSchellevis with speaking to @inliniac via email I need the following in a patch that will allow me to enable the following taken from the email "if you enable drop log do you see drops? If so please share.

Additionally, if you enable stream events, do you get alerts? If so, please share those too. "

So I can provide victor with the information to track down the issues I am having. As if I try to enable them manually it will get over writen.

[AdSchellevis]

@L1ghtn1ng you can easily change settings in suricata.yaml for testing and restart suricata afterwards. Use the following statement to restart suricata without loosing changes made manually:

service suricata restart

[L1ghtn1ng]

@inliniac I have enabled more of the decoder-events.rules and made the alerts that I am getting so far changed them to block so I am getting the following in the drop.log

07/02/2017-20:46:12.940210: IN= OUT= SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x192 TTL=1 ID=0 PROTO=IGMP Unknown protocol
07/02/2017-20:48:18.381601: IN= OUT= SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x192 TTL=1 ID=0 PROTO=IGMP Unknown protocol
07/02/2017-20:50:23.823193: IN= OUT= SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x192 TTL=1 ID=0 PROTO=IGMP Unknown protocol

And this in the Web ui

2017-07-02T20:50:23.823193+0100 blocked 0.0.0.0 224.0.0.1   SURICATA IPv4 padding required  
2017-07-02T20:48:18.381601+0100 blocked 0.0.0.0 224.0.0.1   SURICATA IPv4 padding required  
2017-07-02T20:46:12.940210+0100 blocked 0.0.0.0 224.0.0.1   SURICATA IPv4 padding required 

[L1ghtn1ng]

I have also gotten this alert as well SURICATA STREAM CLOSEWAIT FIN out of window in the alerts tab

[L1ghtn1ng]

This one also SURICATA STREAM 3way handshake wrong seq wrong ack

[L1ghtn1ng]

SURICATA STREAM Packet with invalid timestamp

[L1ghtn1ng]

@AdSchellevis Do you think you would be able to get help with this issue from @inliniac?

[AdSchellevis]

@L1ghtn1ng sorry, too busy, I honestly don't think this works like you would like it to work.

[abraxxa]

I have enabled Suricata again just to find out that my guest network isn't working because it's on the internal lan interface with vlan tagging. VLAN Hardware Filtering is set to 'Leave default', all offloadings are disabled as per OPNsense IPS docs. The physical LAN interface is the only one I've selected in the IPS settings, the Guest VLAN interface is listed but according to what I've read it only works in promiscuous mode on physical interfaces. The NIC is a Realtek RTL8111F on a Gigabyte GA-J1900N-D3V mainboard.

[abraxxa]

After updating to 17.7.1_2 which includes Suricata 4.0.0 I've tried again, this time also enabling the IPS on the Guest VLAN in addition to the untagged, which is my internal network, and it works! Have there been any changes besides the Suricata update which might have affected this? How should it be configured when you have one interface with one untagged network and one tagged connected? An earlier issue states that you should only enable the IPS on physical (untagged) interfaces and a GUI patch was applied back then to only list such interfaces. Is this still the fact of is it possible to run the IPS on VLAN interfaces too these days?

[fichtner]

@abraxxa there were two patches in 17.7.1 that affected VLAN (re)configuration workflow away from Suricata itself, @adschellevis said this helped with stability of Suricata on VLANs and it seems he was right about it.

Other issues mainly address interfaces types like PPPoE (mpd5-based connections) that are not fully physical on the upper layer as the interface would present itself and this fails for IPS (Netmap mode) although IDS mode works all the time (PCAP/BPF mode).

[abraxxa]

I've read about the PPPoE issue and therefore haven't enabled Suricata on the outside interface(s) (native IPv4 via PPPoE and 6in4 via Tunnelbroker over that PPPoE connection). Should this work now as well? If so I'd deactivate the IPs on the internal interfaces and enable it only on the two outside ones.

[fichtner]

Most likely still problematic. This is FreeBSD kernel territory, which didn't change since January 2017 when we moved to FreeBSD 11.0.

[L1ghtn1ng]

Just tested on the WAN interface and still does not work with pppoe

---

From: Franco Fichtner notifications@github.com Sent: Monday, September 4, 2017 9:16:35 PM To: opnsense/core Cc: J.Townsend; Mention Subject: Re: [opnsense/core] Suricata IPS mode issue (#1659)

Most likely still problematic. This is FreeBSD kernel territory, which didn't change since January 2017 when we moved to FreeBSD 11.0.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://github.com/opnsense/core/issues/1659#issuecomment-327023282, or mute the threadhttps://github.com/notifications/unsubscribe-auth/ADddQj6qV6LeX3P65mhWf6E645-aCz3Kks5sfFqjgaJpZM4NnyDJ.

[L1ghtn1ng]

@fichtner @AdSchellevis I have 2 suggestions that I would like to put forward that will help track down issues and help work around them.

• Add gui support for http://suricata.readthedocs.io/en/latest/performance/ignoring-traffic.html which should I hope to allow me to workaround my github/git issues with IPS mode enabled and should help other people that have issues as well

• Add gui logs tab and enable extra logs that are not enabled that will allow people to debug suricata issues far easier with log rotate on these logs as well to save disk space

[AdSchellevis]

timeout / solved or moved to https://github.com/opnsense/core/issues/2110