Intrusion Prevention System - core 131

General questions.
MysteryGoat
Posts: 6
Joined: May 18th, 2019, 9:47 pm

Re: Intrusion Prevention System - core 131

Post by MysteryGoat » May 18th, 2019, 10:06 pm

I'm not entirely certain if I'm having the same issue as everyone else, so forgive me if I post off topic.

Just an FYI: I'm a heavy noob when it comes to firewalls, and I end up forgetting most of what I learn since I don't mess with it every day.

So previously I was using the combination of Guardian and Snort to make IPFire useful. Now that I'm on 131 I gave the IPS a try, first using Talos (registered) and then Emergingthreats.net. Both of those are blocking a ton of legit websites, including ipfire.org and their wiki, which I find hilarious but also frustrating. I have a couple of other things I'm trying to figure out and work around, and having IPS blocking helpful websites is becoming a pain. Talos was much worse than ET, but even that one is starting to cause issues. What's weird too is sometimes the connection goes through, then other times it completely refuses it.

I'm not certain if this issue is related to what you guys are talking about or if I'm doing something wrong or using a wrong rule or what. I've turned a bunch of rules on and off to try and narrow it down but that's not really working.

This is also after having to reinstall IPFire, because when I went to update the core, I rebooted and it seemed to have completely wiped my drive. I had directories in there but I couldn't find any files.

If you have any suggestions I'd love to hear them, since it seems pointless to be using IPFire if the IPS isn't turned on. (I've finally turned it off because I got too frustrated with websites not loading.)

tg92
Posts: 16
Joined: February 25th, 2016, 10:27 am

Re: Intrusion Prevention System - core 131

Post by tg92 » May 19th, 2019, 8:08 am

Hi,

I have finally found my logs; they are in /var/log/messages.

I confirm the previous post, I have exactly the same kind of errors from rules.


And the second trouble is that when I enable Suricata on the orange network, this network is not working well: the VNC connection is broken and fetchmail is broken too.

For information, you can choose the log level for Suricata with one of the following keywords (in the file /etc/suricata/suricata.yaml, modify the line default-log-level: notice):
"None"
"Emergency"
"Alert"
"Critical"
"Error"
"Warning"
"Notice"
"Info"
"Perf"
"Config"
"Debug"


Thx
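When Suricata is fed a Snort-syntax ruleset, the "errors from rules" tg92 mentions are per-rule parse failures, and at the default log level they land in /var/log/messages alongside a one-line load summary. The script below is an added example, not something from the thread or from IPFire; it pulls those two kinds of lines out of a syslog excerpt and reports how much of the ruleset actually loaded and which rule files produced the failures. The sample log lines are constructed for the example and are only shaped like Suricata 4.x output (the exact wording differs between Suricata versions), and the file names, sids and counts are invented.

```python
import re
from collections import Counter
from os.path import basename

# Constructed sample of /var/log/messages lines. They are shaped like the
# messages Suricata 4.x writes when a Snort-syntax rule fails to parse and
# the load summary written afterwards; file names, sids and counts are
# invented for this example and are not from the forum thread.
SAMPLE_MESSAGES = """\
May 19 08:01:12 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE one"; sid:1000001; rev:1;)" from file /var/lib/suricata/example.rules at line 12
May 19 08:01:12 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE two"; sid:1000002; rev:1;)" from file /var/lib/suricata/example.rules at line 40
May 19 08:01:13 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE three"; sid:1000003; rev:1;)" from file /var/lib/suricata/other.rules at line 7
May 19 08:01:13 ipfire kernel: unrelated line that must be ignored
May 19 08:01:20 ipfire suricata: 2 rule files processed. 1500 rules successfully loaded, 3 rules failed
"""

# One line per rule that failed to parse: error code, rule file, line number.
ERROR_RE = re.compile(
    r"\[ERRCODE: (?P<code>SC_ERR_[A-Z_]+)\(\d+\)\] - .*?"
    r"from file (?P<file>\S+) at line (?P<line>\d+)"
)
# The load summary Suricata prints once all rule files are processed.
SUMMARY_RE = re.compile(
    r"(?P<files>\d+) rule files processed\. "
    r"(?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed"
)


def rule_errors(text):
    """Return one dict per rule-parse error found in the syslog text."""
    errors = []
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            errors.append({"code": m["code"], "file": m["file"],
                           "line": int(m["line"])})
    return errors


def load_summary(text):
    """Return (loaded, failed) from the last load summary, or None if absent."""
    result = None
    for line in text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            result = (int(m["loaded"]), int(m["failed"]))
    return result


def report(text):
    """Summarise how much of the ruleset loaded and where the failures are."""
    errors = rule_errors(text)
    summary = load_summary(text)
    # Without a summary line, fall back to counting the error lines.
    loaded, failed = summary if summary else (0, len(errors))
    total = loaded + failed
    return {
        "loaded": loaded,
        "failed": failed,
        "failed_fraction": (failed / total) if total else 0.0,
        "by_file": dict(Counter(basename(e["file"]) for e in errors)),
        "by_code": dict(Counter(e["code"] for e in errors)),
    }


if __name__ == "__main__":
    r = report(SAMPLE_MESSAGES)
    print(f"{r['loaded']} rules loaded, {r['failed']} failed "
          f"({r['failed_fraction']:.2%} of the ruleset)")
    for name, n in sorted(r["by_file"].items()):
        print(f"  {name}: {n} unparsable rule(s)")
```

Run it against the real file with `report(open("/var/log/messages").read())`. A failed fraction in the low single digits means Suricata skipped a handful of rules it does not understand and loaded the rest; a large fraction, or a missing summary line, points at a broken ruleset download or a configuration problem rather than at individual rules. Parse errors are logged at error level, so the default-log-level of notice already shows them; raising it to info or debug only adds noise here.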

Mentalic
Posts: 31
Joined: April 14th, 2018, 2:51 pm

Re: Intrusion Prevention System - core 131

Post by Mentalic » May 19th, 2019, 1:46 pm

I'm having trouble connecting with some sites as well, and noticed that some DNS queries are being blocked. Take a look at your rDNS status on the tabs STATUS > NETWORK (External). My rDNS was showing failed, and it takes a while to even load that status page. Another way to test is to try to ping your blocked sites by name. As soon as I shut down the IPS I can reach my previously blocked sites.

tg92
Posts: 16
Joined: February 25th, 2016, 10:27 am

Re: Intrusion Prevention System - core 131

Post by tg92 » May 19th, 2019, 3:44 pm

Hi,

Great remark. I have tested with ET community rules and I now have some logs in the IPS log viewer.
Great news

Thx

MysteryGoat
Posts: 6
Joined: May 18th, 2019, 9:47 pm

Re: Intrusion Prevention System - core 131

Post by MysteryGoat » May 19th, 2019, 7:05 pm

Mentalic wrote (May 19th, 2019, 1:46 pm):
I'm having trouble connecting with some sites as well, and noticed that some DNS queries are being blocked. Take a look at your rDNS status on the tabs STATUS > NETWORK (External). My rDNS was showing failed, and it takes a while to even load that status page. Another way to test is to try to ping your blocked sites by name. As soon as I shut down the IPS I can reach my previously blocked sites.

I'm using the Cloudflare DNS, 1.1.1.1, and that's what my rDNS says: one.one.one.one

So I turned IPS on overnight; I now have a log, by the way. Not sure what to make of it, though. But again, I couldn't even connect to ipfire.org. Once I shut down IPS everything ran as normal.

ipfireuser5150
Posts: 32
Joined: May 18th, 2019, 5:28 pm

Re: Intrusion Prevention System - core 131

Post by ipfireuser5150 » May 19th, 2019, 8:14 pm

FYI, I too noticed legit sites being blocked when I turned the IPS on, including this forum and another forum I frequent. I tried experimenting with different rulesets, but it seems that eventually these two forums will be blocked even with only one or two "safe" rulesets enabled. IPS logs aren't showing these forum IPs in the ruleset activations, and nothing is showing in the Guardian block list. I even browsed through the general firewall logs and couldn't spot these IPs being blocked. I never used the IPS when it was based on Snort; I was just trying this out, but I ended up just turning it off because it was too time-consuming trying to troubleshoot what exactly was causing the forums to be blocked. This is on my home network. I also use IPFire at work, but have not upgraded it to 131 yet. Waiting for the dust to settle.

Maybe coincidentally (?), I too am using Cloudflare DNS in IPFire.

Mentalic
Posts: 31
Joined: April 14th, 2018, 2:51 pm

Re: Intrusion Prevention System - core 131

Post by Mentalic » May 19th, 2019, 11:09 pm

I'm also using Cloudflare's DNS. Sometimes the rDNS status looks good but ping by name fails; I don't know how often that status page updates. Also, there's never anything logged in IPS.

Mentalic
Posts: 31
Joined: April 14th, 2018, 2:51 pm

Re: Intrusion Prevention System - core 131

Post by Mentalic » May 20th, 2019, 12:41 am

Switched DNS to Verisign, and so far it's not failing like Cloudflare DNS was. Cloudflare would begin to fail fairly quickly.

MysteryGoat
Posts: 6
Joined: May 18th, 2019, 9:47 pm

Re: Intrusion Prevention System - core 131

Post by MysteryGoat » May 20th, 2019, 1:01 am

I'm assuming that's with IPS on? I'll try switching it too. But I was using the same DNS before I updated and I wasn't having these issues. And again, I don't have issues when IPS is off.

UPDATE: So I switched to Google's DNS and I'm getting significantly better results, which again I find incredibly strange considering I've been running on the Cloudflare DNS the entire time before updating and had no issues. I had one hiccup while testing some streams, but was able to narrow it down in the log and disable the rule. I had another hiccup on a website that would load for me but wouldn't load pictures or graphics; it was just text. Looks like it got tagged by two different SIPVicious rules, which I find odd since it SHOULD be a legit site, but I didn't want to fool with it for a site that really wasn't that big of a deal.

dilse
Posts: 39
Joined: August 12th, 2014, 8:09 am

Re: Intrusion Prevention System - core 131

Post by dilse » May 21st, 2019, 8:06 am

Did you guys manage to get Talos VRT rules to work? I am also experiencing issues, as follows:

Enable Emergingthreats.net Community Rules - IPS Log shows entries.
Enable Talos VRT rules for registered users - IPS Log shows no entries.

My IPFire was upgraded from the previous version, using IDS.

I know a colleague who upgraded but never used IDS, and his IPS log using Talos is working fine. Could this be a clue?

I've not tried a clean install yet, but would like to avoid it, if possible.

dilse
Posts: 39
Joined: August 12th, 2014, 8:09 am

Re: Intrusion Prevention System - core 131

Post by dilse » May 21st, 2019, 10:56 am

Ignore that; I had to enable some rules within the ruleset.

But I might move back to Emergingthreats, due to the amount of errors the Talos ones are generating.

TimF
Posts: 83
Joined: June 10th, 2017, 7:27 pm

Re: Intrusion Prevention System - core 131

Post by TimF » May 22nd, 2019, 7:25 pm

This has been mentioned somewhere (unfortunately I can't find the reference at the moment): Suricata doesn't understand all of the rule syntax that Snort does (at least at the moment). Since Snort defined the rule syntax, it's possible that Suricata will support the additions in the future. In the meantime, Suricata will ignore rules it doesn't understand, which will be a small proportion of the total. It will use the remaining rules. Since the Talos VRT registered/subscribed rule sets are much bigger than the ET community rule set, they're probably still a better choice, providing your hardware can support them, even with a small number of rules ignored.

A major difference between the two rule sets is that the ET community rules include some IP address blacklists (DSHIELD, CIARMY, DROP). These detect traffic from the IP addresses of known bad actors; however, this traffic would normally be rejected anyway by the default policy. I get several thousand alerts from these blacklists every day, but rarely get any other alerts. If you're not seeing any alerts from the Talos VRT rules it could be down to this difference, rather than the rules not working.
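Two things in this thread call for the same piece of tooling: MysteryGoat's "narrow it down in the log and disable the rule" for a site that a couple of SIPVicious rules keep tagging, and TimF's observation that a few blacklist sids account for almost every alert. The script below is an added example, not code from the thread, from IPFire or from Suricata. It parses alerts in the layout of Suricata's fast.log (the per-alert text log; where it lives depends on the outputs section of suricata.yaml), counts alerts per sid, picks out the alerts that involve a known-good host, and emits threshold.config suppress entries that silence those sids for that one host only, instead of switching the sid off for everyone. Every sid, message and address in the sample is invented for the example; the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 ranges are documentation addresses, 192.168.1.20 stands for a LAN client, 203.0.113.10 for the firewall's red interface and 192.0.2.44 for the legit website that keeps getting blocked.

```python
import re
from collections import Counter, namedtuple

# Constructed sample in the layout of Suricata's fast.log. All sids,
# messages and addresses are invented for this example (see the lead-in);
# none of them are real signatures or hosts from the forum thread.
SAMPLE_FAST_LOG = """\
05/20/2019-00:10:01.000001  [**] [1:1000001:1] CONSTRUCTED blacklisted source IP [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.7:44321 -> 203.0.113.10:443
05/20/2019-00:10:02.000001  [**] [1:1000001:1] CONSTRUCTED blacklisted source IP [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.8:51000 -> 203.0.113.10:22
05/20/2019-00:10:03.000001  [**] [1:1000001:1] CONSTRUCTED blacklisted source IP [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.9:51002 -> 203.0.113.10:22
05/20/2019-00:11:00.000001  [**] [1:1000002:3] CONSTRUCTED SIP scanner user-agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:50123 -> 192.0.2.44:80
05/20/2019-00:11:05.000001  [**] [1:1000003:1] CONSTRUCTED SIP scanner response [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.44:80 -> 192.168.1.20:50123
05/20/2019-00:12:00.000001  [**] [1:1000004:2] CONSTRUCTED DNS anomaly [**] [Priority: 3] {UDP} 192.168.1.20:41234 -> 1.1.1.1:53
"""

Alert = namedtuple("Alert", "ts gid sid rev msg proto src sport dst dport")

# fast.log line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src:port -> dst:port. The classification field is
# absent for rules without a classtype, and ports are absent for ICMP.
# IPv4 only; IPv6 alerts are skipped by this parser.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: [^\]]*\]\s+)?\[Priority: \d+\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_log(text):
    """Parse fast.log lines into Alert tuples; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        alerts.append(Alert(
            m["ts"], int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
            m["proto"], m["src"], int(m["sport"]) if m["sport"] else None,
            m["dst"], int(m["dport"]) if m["dport"] else None))
    return alerts


def alerts_by_sid(alerts):
    """Alert count per sid; shows whether a few blacklist sids dominate."""
    return Counter(a.sid for a in alerts)


def alerts_touching(alerts, hosts):
    """Alerts in which one of the given hosts is either endpoint."""
    hosts = set(hosts)
    return [a for a in alerts if a.src in hosts or a.dst in hosts]


def suppress_lines(alerts, host):
    """threshold.config entries that silence, for this host only, every sid
    that fired on traffic to or from it. track by_dst covers alerts on the
    way to the site, track by_src those on the way back."""
    lines = set()
    for a in alerts:
        if a.dst == host:
            lines.add(f"suppress gen_id {a.gid}, sig_id {a.sid}, "
                      f"track by_dst, ip {host}")
        elif a.src == host:
            lines.add(f"suppress gen_id {a.gid}, sig_id {a.sid}, "
                      f"track by_src, ip {host}")
    return sorted(lines)


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    msgs = {a.sid: a.msg for a in alerts}
    for sid, n in alerts_by_sid(alerts).most_common():
        print(f"{n:4d}  sid {sid}  {msgs[sid]}")
    print("suppress entries for the known-good site:")
    for line in suppress_lines(alerts, "192.0.2.44"):
        print("  " + line)
```

The per-sid count is the quick check for TimF's point: if the top entries are blacklist rules hitting the red interface, the IPS is working and the Talos set simply has nothing comparable to count. The suppress entries go into the file named by threshold-file in suricata.yaml and take effect on the next Suricata reload; suppressing per host keeps the signature active for every other destination, which is safer than disabling it in the ruleset. Whether IPFire's web interface preserves a hand-edited threshold file across ruleset updates is not something this thread establishes, so check after the next update.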

dilse
Posts: 39
Joined: August 12th, 2014, 8:09 am

Re: Intrusion Prevention System - core 131

Post by dilse » May 22nd, 2019, 7:35 pm

Thanks for that explanation, makes sense.

Agreed, 108MB (Talos) compared to 2.3MB (ET), big difference. Now I'll switch back to Talos :)

MysteryGoat
Posts: 6
Joined: May 18th, 2019, 9:47 pm

Re: Intrusion Prevention System - core 131

Post by MysteryGoat » May 23rd, 2019, 1:08 am

I switched back to Talos also to test it, and it's still running so much better using the Google DNS. I still have a couple of hiccups of it blocking some things here and there, but now that I know better what I'm doing I should be able to weed it out.

H&M
Posts: 471
Joined: May 29th, 2014, 9:38 pm
Location: Europe

Re: Intrusion Prevention System - core 131

Post by H&M » May 23rd, 2019, 4:07 am

Did any of you find a way to use both ET and Talos?
