From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: IPFire meets Suricata - Call for tester
Date: Sun, 16 Dec 2018 21:28:57 +0100
Message-ID: <0c384081-dcdf-e4d4-763e-c7c73a1db34b@link38.eu>
In-Reply-To: <4b2449de-a247-df6f-d7ac-d8a0e5dae3e7@link38.eu>

Hello Stefan,

to be a bit more precise about the NAT issue: My setup is the IPFire
Suricata test VM running in KVM, with two clients (Debian and OpenBSD)
directly attached to it. The Debian machine is located in GREEN, OpenBSD
in ORANGE. The RED interface is connected via bridge to my actual testing
LAN; for the first tests, any outgoing traffic to the internet was allowed
(I will test upstream proxy behaviour later).

While GREEN was using the IPv4 range 192.168.100.0/24, with IPFire as
192.168.100.1, enabling Suricata caused packets coming from GREEN not to
be NATted anymore: Instead of using the firewall's RED IP as the source,
it was the internal GREEN IP.

Let me know whether this is useful or not. :-)

Thanks, and best regards,
Peter Müller

> Hello Stefan,
>
> back again. :-)
>
> The new IDS WebUI looks quite good so far - enabling/disabling
> Suricata works as well as selecting the rule source and the
> operation mode (IDS/IPS).
>
> I was also able to download the "Snort/VRT Community" ruleset.
> Trying to switch to the "Emerging Threats" ruleset is possible,
> but downloading its ruleset afterwards is not: The GUI simply
> stalls, printing a message that "Snort (!) is performing a task".
>
> The WebUI services page still shows IDS status for each interface,
> which does not seem to work anymore (everything is stopped, but
> Suricata was active on RED and GREEN).
>
> Further, a client located in GREEN behind the test firewall
> instance is unable to browse the internet as soon as Suricata is
> enabled. If disabled, downloading ET rulesets works as well as
> internet traffic. At the moment, I am flying blind here, but it looks
> like packets are not NATted anymore if Suricata is active.
>
> Any outgoing connection is in state "SYN_SENT" if Suricata is active.
>
> A portscan against the firewall (GREEN interface) is not detected,
> even though the ET SCAN ruleset is enabled (used nmap with NSE active).
>
> Especially the outgoing connection/NAT/? issue mentioned above
> breaks things in my scenario. Everything else is a minor issue (of
> course, a portscan should be detected; this needs further investigation
> indeed). The WebUI works fine so far.
>
> Thanks again for your work; I hope the feedback can appreciate it somehow. :-)
>
> Let me know if there are questions.
>
> Thanks, and best regards,
> Peter Müller
>

-- 
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made.
Fix Information: Run your DNS service on a different platform.
-- bugtraq