Author Topic: Enabling IDS/IPS stops internet on interface  (Read 5608 times)

Coarch

« on: April 26, 2021, 05:48:36 pm »
Zentyal 7.0

Enabling the IDS/IPS module on the outgoing ethernet interface disables internet traffic.  Has anyone seen this happen before?  Any ideas?
« Last Edit: April 29, 2021, 06:44:37 pm by Coarch »

spst

« Reply #1 on: May 17, 2021, 02:30:49 pm »
Hello,

I have a similar problem: Zentyal 7.0, suricata 6.0.2, zentyal-ips 7.0.0, on a virtual machine with br0 and eth0 interfaces.

I installed the zentyal-ips package and it also installed the dependency suricata package. I enabled IDS/IPS and set it up on br0; it then disabled all traffic (services) over LAN, suricata.service doesn't run and the zentyal-ips module is disabled.

When I enabled IDS/IPS and set it up on eth0, LAN traffic was enabled but suricata.service doesn't run and the zentyal-ips module shows "Running".

I removed zentyal-ips and suricata, then I installed them again.
root@srv04:~# apt-get --purge remove zentyal-ips
root@srv04:~# apt-get --purge remove suricata
root@srv04:~# rm -rf /var/log/suricata
root@srv04:~# rm -rf /etc/suricata   
root@srv04:~# rm -rf /etc/default/suricata

root@srv04:~# apt-get install zentyal-ips

I checked suricata status
root@srv04:~# systemctl status suricata.service
● suricata.service - LSB: Next Generation IDS/IPS
     Loaded: loaded (/etc/init.d/suricata; generated)
     Active: active (running) since Mon 2021-05-17 13:35:41 CEST; 35s ago
       Docs: man:systemd-sysv-generator(8)
      Tasks: 14 (limit: 19013)
     Memory: 83.1M
     CGroup: /system.slice/suricata.service
             └─383442 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D>

máj 17 13:35:41 srv04 systemd[1]: Starting LSB: Next Generation IDS/IPS...
máj 17 13:35:41 srv04 suricata[383422]: Starting suricata in IDS (af-packet) mode... done.
máj 17 13:35:41 srv04 systemd[1]: Started LSB: Next Generation IDS/IPS.

I don't understand why it used suricata.yaml when /etc/default/suricata includes the SURCONF=/etc/suricata/suricata-debian.yaml parameter.

I enabled IDS/IPS in Webadmin but did not set it up on any interface, and suricata.service exited and doesn't use the SURCONF parameter
root@srv04:~# systemctl status suricata.service
● suricata.service - LSB: Next Generation IDS/IPS
     Loaded: loaded (/etc/init.d/suricata; generated)
     Active: active (exited) since Mon 2021-05-17 13:38:27 CEST; 1min 4s ago
       Docs: man:systemd-sysv-generator(8)
      Tasks: 0 (limit: 19013)
     Memory: 0B
     CGroup: /system.slice/suricata.service

máj 17 13:38:27 srv04 systemd[1]: Starting LSB: Next Generation IDS/IPS...
máj 17 13:38:27 srv04 suricata[391965]: Starting suricata in IPS (nfqueue) mode... done.
máj 17 13:38:27 srv04 systemd[1]: Started LSB: Next Generation IDS/IPS.

Can someone help me?

Thanks and Regards
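
Added example, not part of the post above and not Zentyal's or Suricata's code: a check for the state the second status output shows (IPS "nfqueue" mode, service "active (exited)" with no tasks). Netfilter drops packets sent to an NFQUEUE target that has no userspace listener unless the rule carries `--queue-bypass`; the thread itself does not confirm that this is the cause here, and the sample inputs are constructed.

```shell
# Inputs are plain text in the formats of `iptables-save` and
# /proc/net/netfilter/nfnetlink_queue. The samples below are constructed.
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -j NFQUEUE --queue-num 0
-A INPUT -i br0 -j NFQUEUE --queue-num 1 --queue-bypass
COMMIT'
SAMPLE_BOUND_0='    0   1234     0 2 65531     0     0        0  1'

# Print "<queue-num> <bypass|nobypass>" for every NFQUEUE rule found.
nfqueue_rules() {
    printf '%s\n' "$1" | awk '
        /-j NFQUEUE/ {
            q = 0    # queue 0 is the default when --queue-num is absent
            for (i = 1; i < NF; i++) if ($i == "--queue-num") q = $(i + 1)
            print q, (/--queue-bypass/ ? "bypass" : "nobypass")
        }' | sort -u
}

# Print queue numbers that currently have a userspace listener
# (first column of the nfnetlink_queue proc file).
bound_queues() {
    printf '%s\n' "$1" | awk 'NF { print $1 }'
}

# Print queue numbers whose traffic is dropped: a rule sends packets
# there, nothing is bound to the queue, and the rule has no bypass.
blackholed_queues() {
    local rules="$1" bound="$2" q mode
    nfqueue_rules "$rules" | while read -r q mode; do
        [ "$mode" = "bypass" ] && continue
        bound_queues "$bound" | grep -qx -- "$q" || echo "$q"
    done | sort -u
}

# Live use on a gateway (as root):
#   blackholed_queues "$(iptables-save)" \
#       "$(cat /proc/net/netfilter/nfnetlink_queue 2>/dev/null)"
```

Any queue number printed means traffic matching those rules is being dropped until a process such as Suricata binds to that queue or the rules are removed.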

webmaster

  • Zentyal Staff
« Reply #2 on: May 20, 2021, 01:24:03 pm »
Hello there,

Please see https://github.com/zentyal/zentyal/issues/2037 for further information. The proposed fix seems to be valid and will be integrated shortly. BR.

spst

« Reply #3 on: May 20, 2021, 11:11:59 pm »
Hello webmaster,

thank you for the link. I now understand what this problem is and I am glad that they are already working on solving it.

Thanks and Regards

karlp

« Reply #4 on: August 16, 2021, 07:34:14 pm »
Hey guys, I seem to be having somewhat the same issues.

After enabling Suricata, I cannot login to Zentyal remotely. After disabling it, I have connectivity restored.

I wanted to confirm that this is not a conflict with RADIUS?

gabor.strama

« Reply #5 on: October 24, 2023, 09:25:51 pm »
Hi Guys,

Can somebody help in this case? I wish to use the IPS.

Please help!

BR,
GáborS

gabor.strama

« Reply #6 on: November 14, 2023, 04:21:47 pm »
Hi,

Can somebody help in this case?
I tried a clean install, same result.
I did not install anything, only suricata, and same result.

BR,
GáborS

turalyon

« Reply #7 on: November 16, 2023, 01:03:55 pm »
Hi,

What error are you getting and what version of Zentyal are you using?



“This world is ours, and by the Holy Light we will keep it safe, now and forever.”

aalvaro23

« Reply #8 on: February 08, 2024, 12:02:43 am »
I made a fresh install (now in January 2024) of the last version of Zentyal (7. ish...) and the same problem persists, so is any solution recommended by support?

gabor.strama

« Reply #9 on: April 30, 2024, 04:14:47 pm »
Hi,

Please let me know if anybody has any update in this case.

BR,
GáborS