Zentyal Forum, Linux Small Business Server

Zentyal Server => Other modules => Topic started by: Coarch on April 26, 2021, 05:48:36 pm

Title: Enabling IDS/IPS stops internet on interface
Post by: Coarch on April 26, 2021, 05:48:36 pm
Zentyal 7.0

Enabling the IDS/IPS module on the outgoing ethernet interface disables internet traffic.  Has anyone seen this happen before?  Any ideas?
Title: Re: Enabling IDS/IPS stops internet on interface
Post by: spst on May 17, 2021, 02:30:49 pm
Hello,

I have a similar problem. Zentyal 7.0, suricata 6.0.2, zentyal-ips 7.0.0, running in a virtual machine with br0 and eth0 interfaces.

I installed the zentyal-ips package and it also installed the suricata package as a dependency. I enabled IDS/IPS and set it up on br0; it then disabled all traffic (services) over the LAN, suricata.service doesn't run, and the zentyal-ips module is disabled.

When I enabled IDS/IPS and set it up on eth0, LAN traffic was enabled, but suricata.service doesn't run and the zentyal-ips module shows "Running".

I removed zentyal-ips and suricata, then installed them again.
root@srv04:~# apt-get --purge remove zentyal-ips
root@srv04:~# apt-get --purge remove suricata
root@srv04:~# rm -rf /var/log/suricata
root@srv04:~# rm -rf /etc/suricata   
root@srv04:~# rm -rf /etc/default/suricata

root@srv04:~# apt-get install zentyal-ips

I checked the suricata status:
root@srv04:~# systemctl status suricata.service
● suricata.service - LSB: Next Generation IDS/IPS
     Loaded: loaded (/etc/init.d/suricata; generated)
     Active: active (running) since Mon 2021-05-17 13:35:41 CEST; 35s ago
       Docs: man:systemd-sysv-generator(8)
      Tasks: 14 (limit: 19013)
     Memory: 83.1M
     CGroup: /system.slice/suricata.service
             └─383442 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D>

máj 17 13:35:41 srv04 systemd[1]: Starting LSB: Next Generation IDS/IPS...
máj 17 13:35:41 srv04 suricata[383422]: Starting suricata in IDS (af-packet) mode... done.
máj 17 13:35:41 srv04 systemd[1]: Started LSB: Next Generation IDS/IPS.

I don't understand why it used suricata.yaml when /etc/default/suricata includes the SURCONF=/etc/suricata/suricata-debian.yaml parameter.

I enabled IDS/IPS in Webadmin but did not set it up on any interface; suricata.service exited and doesn't use the SURCONF parameter:
root@srv04:~# systemctl status suricata.service
● suricata.service - LSB: Next Generation IDS/IPS
     Loaded: loaded (/etc/init.d/suricata; generated)
     Active: active (exited) since Mon 2021-05-17 13:38:27 CEST; 1min 4s ago
       Docs: man:systemd-sysv-generator(8)
      Tasks: 0 (limit: 19013)
     Memory: 0B
     CGroup: /system.slice/suricata.service

máj 17 13:38:27 srv04 systemd[1]: Starting LSB: Next Generation IDS/IPS...
máj 17 13:38:27 srv04 suricata[391965]: Starting suricata in IPS (nfqueue) mode... done.
máj 17 13:38:27 srv04 systemd[1]: Started LSB: Next Generation IDS/IPS.

Can someone help me?

Thanks and Regards
Title: Re: Enabling IDS/IPS stops internet on interface
Post by: webmaster on May 20, 2021, 01:24:03 pm
Hello there,

Please see https://github.com/zentyal/zentyal/issues/2037 for further information. The proposed fix seems to be valid and will be integrated shortly. BR.
Title: Re: Enabling IDS/IPS stops internet on interface
Post by: spst on May 20, 2021, 11:11:59 pm
Hello webmaster,

Thank you for the link. I now understand what this problem is and I am glad that they are already working on solving it.

Thanks and Regards
Title: Re: Enabling IDS/IPS stops internet on interface
Post by: karlp on August 16, 2021, 07:34:14 pm
Hey guys, I seem to be having somewhat the same issues.

After enabling Suricata, I cannot login to Zentyal remotely. After disabling it, I have connectivity restored.

I wanted to confirm that this is not a conflict with RADIUS?
Title: Re: Enabling IDS/IPS stops internet on interface
Post by: gabor.strama on October 24, 2023, 09:25:51 pm
Hi Guys,

Can somebody help in this case? I wish to use the IPS.

Please help!

BR,
GáborS
Title: Re: Enabling IDS/IPS stops internet on interface
Post by: gabor.strama on November 14, 2023, 04:21:47 pm
Hi,

Can somebody help in this case?
I tried on a clean install, same result.
I did not install anything, only suricata, and got the same result.

BR,
GáborS
Title: Re: Enabling IDS/IPS stops internet on interface
Post by: turalyon on November 16, 2023, 01:03:55 pm
Hi,

What error are you getting and what version of Zentyal are you using?
Title: Re: Enabling IDS/IPS stops internet on interface
Post by: aalvaro23 on February 08, 2024, 12:02:43 am
I made a fresh install (now, in January 2024) of the latest version of Zentyal (7. ish...) and the same problem persists, so is there any solution recommended by support?