Author Topic: Enabling IDS/IPS stops internet on interface  (Read 357 times)

Coarch

Enabling IDS/IPS stops internet on interface
« on: April 26, 2021, 05:48:36 pm »
Zentyal 7.0

Enabling the IDS/IPS module on the outgoing ethernet interface disables internet traffic.  Has anyone seen this happen before?  Any ideas?
« Last Edit: April 29, 2021, 06:44:37 pm by Coarch »

spst

Re: Enabling IDS/IPS stops internet on interface
« Reply #1 on: May 17, 2021, 02:30:49 pm »
Hello,

I have a similar problem: Zentyal 7.0, suricata 6.0.2, zentyal-ips 7.0.0, on a virtual machine with br0 and eth0 interfaces.

I installed the zentyal-ips package, and it also installed the suricata package as a dependency. I enabled IDS/IPS and set it up on br0; it then disabled all traffic (services) over the LAN, suricata.service doesn't run, and the zentyal-ips module is disabled.

When I enabled IDS/IPS and set it up on eth0, LAN traffic was enabled, but suricata.service doesn't run and the zentyal-ips module shows "Running".

I removed zentyal-ips and suricata, then installed them again.
root@srv04:~# apt-get --purge remove zentyal-ips
root@srv04:~# apt-get --purge remove suricata
root@srv04:~# rm -rf /var/log/suricata
root@srv04:~# rm -rf /etc/suricata   
root@srv04:~# rm -rf /etc/default/suricata

root@srv04:~# apt-get install zentyal-ips

I checked suricata status
root@srv04:~# systemctl status suricata.service
● suricata.service - LSB: Next Generation IDS/IPS
     Loaded: loaded (/etc/init.d/suricata; generated)
     Active: active (running) since Mon 2021-05-17 13:35:41 CEST; 35s ago
       Docs: man:systemd-sysv-generator(8)
      Tasks: 14 (limit: 19013)
     Memory: 83.1M
     CGroup: /system.slice/suricata.service
             └─383442 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D>

máj 17 13:35:41 srv04 systemd[1]: Starting LSB: Next Generation IDS/IPS...
máj 17 13:35:41 srv04 suricata[383422]: Starting suricata in IDS (af-packet) mode... done.
máj 17 13:35:41 srv04 systemd[1]: Started LSB: Next Generation IDS/IPS.

I don't understand why it used suricata.yaml when /etc/default/suricata includes the SURCONF=/etc/suricata/suricata-debian.yaml parameter.

I enabled IDS/IPS in the Webadmin but did not set it up on any interface; suricata.service exited and doesn't use the SURCONF parameter.
root@srv04:~# systemctl status suricata.service
● suricata.service - LSB: Next Generation IDS/IPS
     Loaded: loaded (/etc/init.d/suricata; generated)
     Active: active (exited) since Mon 2021-05-17 13:38:27 CEST; 1min 4s ago
       Docs: man:systemd-sysv-generator(8)
      Tasks: 0 (limit: 19013)
     Memory: 0B
     CGroup: /system.slice/suricata.service

máj 17 13:38:27 srv04 systemd[1]: Starting LSB: Next Generation IDS/IPS...
máj 17 13:38:27 srv04 suricata[391965]: Starting suricata in IPS (nfqueue) mode... done.
máj 17 13:38:27 srv04 systemd[1]: Started LSB: Next Generation IDS/IPS.

Can someone help me?

Thanks and Regards
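
The mismatch described in the post above (the config named by SURCONF versus the one after -c on the running command line, and a unit that is "active (exited)") can be checked mechanically. This is an added example, not part of the original thread and not Zentyal or Suricata code; the function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample inputs are constructed, modelled on the output above.
DEFAULTS_SAMPLE='# constructed /etc/default/suricata
SURCONF=/etc/suricata/suricata-debian.yaml'
STATUS_RUNNING='     Active: active (running) since Mon 2021-05-17 13:35:41 CEST
             383442 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D
May 17 13:35:41 srv04 suricata[383422]: Starting suricata in IDS (af-packet) mode... done.'
STATUS_EXITED='     Active: active (exited) since Mon 2021-05-17 13:38:27 CEST
      Tasks: 0 (limit: 19013)
May 17 13:38:27 srv04 suricata[391965]: Starting suricata in IPS (nfqueue) mode... done.'

# Print the SURCONF value from defaults-file text read on stdin.
surconf_from_defaults() {
    LC_ALL=C sed -n 's/^[[:space:]]*SURCONF=//p' | tr -d "\"'" | tail -n 1
}

# Print the path that follows "-c" on a suricata command line read on stdin.
conf_from_cmdline() {
    LC_ALL=C sed -n 's/.*suricata -c \([^[:space:]]*\).*/\1/p' | head -n 1
}

# Print e.g. "IDS (af-packet)" from the init script's start-up log line.
mode_from_log() {
    LC_ALL=C sed -n 's/.*Starting suricata in \([A-Z]* ([a-z-]*)\) mode.*/\1/p' | tail -n 1
}

# audit DEFAULTS_TEXT STATUS_TEXT: one finding per line, no output if consistent.
audit() {
    want=$(printf '%s\n' "$1" | surconf_from_defaults)
    have=$(printf '%s\n' "$2" | conf_from_cmdline)
    mode=$(printf '%s\n' "$2" | mode_from_log)
    case "$2" in
        *"active (exited)"*) echo "NO_PROCESS: unit is active (exited), no suricata process is running" ;;
    esac
    if [ -n "$want" ] && [ -n "$have" ] && [ "$want" != "$have" ]; then
        echo "CONFIG_MISMATCH: defaults=$want running=$have"
    fi
    case "$mode" in
        "IDS "*) echo "MODE: $mode is detection only, no blocking" ;;
    esac
}

audit "$DEFAULTS_SAMPLE" "$STATUS_RUNNING"
audit "$DEFAULTS_SAMPLE" "$STATUS_EXITED"
```

On a live host the same check would be `audit "$(cat /etc/default/suricata)" "$(systemctl status suricata.service --no-pager -l)"`.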

webmaster

  • Zentyal Staff
Re: Enabling IDS/IPS stops internet on interface
« Reply #2 on: May 20, 2021, 01:24:03 pm »
Hello there,

Please see https://github.com/zentyal/zentyal/issues/2037 for further information. The proposed fix seems to be valid and will be integrated shortly. BR.

spst

Re: Enabling IDS/IPS stops internet on interface
« Reply #3 on: May 20, 2021, 11:11:59 pm »
Hello webmaster,

Thank you for the link. I now understand what this problem is and I am glad that they are already working on solving it.

Thanks and Regards