Hi, hope all is well.
I am having an IPS issue: endpoint not loading Google, Bing and Facebook. The browser just spins.
Specifics of my environment:
I have 2 IPFire servers, each running (bare metal) on a dedicated DL360 G7 server. One is for guest traffic and the other is for the rest of the environment. They go out separate internet circuits.
I always upgrade the guest first, and then the main network ipfire.
The upgrade on the guest firewall went well, except that google.com, facebook.com and bing.com are no longer loading. Turning off the IPS fixes the problem, but I am not seeing an IPS log entry for these devices. The IPS shows other logs, but not the Google, Bing and Facebook blocks.
Here is a quick list of info about the environment.
*DL360 G7 servers: dual proc, 24 GB RAM, SAS drives in an array.
*IPS enabled on RED only.
*All IPS rule providers selected EXCEPT ThreatFox. Custom rule sets have been selected (I understand this takes CPU).
*Both firewalls use the identical ips rules and custom ips rule selection.
*Guest firewall used the same set of ips rules before the upgrade.
*Guest network getting to all sites worked fine before going to IPFire 192.
*Main network firewall uses the same set of IPS rules and custom settings as guest. The main network has NO problems with getting to Google, Bing, or Facebook.
*The only difference at this point between the two appears to be the version upgrade of IPFire from 187 to 192.
The simplest way is to start with all of the providers in your list disabled and turn one at a time on and check for which ruleset provider the problem starts with.
Then for that ruleset provider disable each of the rulesets that you have enabled, one at a time, and check at which point the problem stops.
Then you can either disable that ruleset completely, or you can look through all the rules enabled for that ruleset and see if any are related to google, bing etc.
You can show the rules for that ruleset in the IPS WUI page and then do a search with your browser search menu option for google or bing or facebook.
Do all the ruleset providers have the same update date/time? It could be that one has had an update on the rulesets and the other not.
The Talos and Snort rulesets seem not to get logged. They are written to work with Snort and not with Suricata. Most of the rules will work with both, but it is known that some of the Snort/Talos rules fail on Suricata because of some syntax differences between the two signature definitions.
It seems that another difference is that the logging does not work as expected. At least for the Talos VRT for registered users, I have confirmed no logs at all even with rules enabled that I would expect to trigger. Haven’t been able to find any reason why there are no logs but then I am not an expert on the snort and suricata signature syntax definitions.
Suricata has been updated twice in the Core Updates between 187 and 192 but in neither of those updates did I have any problem with accessing google. However I only use the Emergingthreats.net Community Rules provider and then a selected set of the rulesets appropriate to my setup.
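The rule search described in the reply above, as an added example (not code from this thread, from IPFire or from Suricata): it parses plain Suricata rule lines, keeps the ones whose msg, content or pcre mentions google, bing or facebook, and separates rules that can actually stop a page from loading (enabled, with a drop/reject action) from rules that only alert. The sample rules are constructed for illustration and are not real ET or Talos signatures; the path /var/lib/suricata/rules/*.rules in scan_files is an assumption, adjust it to where your rule files live.

```python
"""Find Suricata rules that reference given domains and say which ones can block.

Added example for this thread (not IPFire or Suricata code). Assumes plain
Suricata .rules text; a rule line starting with '#' is disabled. The parser
is deliberately simple: one rule per line, no multi-line rules.
"""
import glob
import re

# Constructed sample rules for illustration only (not real ET/Talos signatures).
SAMPLE_RULES = """\
# drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE disabled rule google.com"; tls.sni; content:"google.com"; sid:9000001; rev:1;)
drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE block SNI facebook.com"; tls.sni; content:"facebook.com"; endswith; sid:9000002; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"EXAMPLE DNS query bing.com"; dns.query; content:"bing.com"; nocase; sid:9000003; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE unrelated HTTP rule"; http.uri; content:"/admin"; sid:9000004; rev:1;)
drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE pcre SNI"; tls.sni; pcre:"/(^|\\.)google\\.com$/i"; sid:9000005; rev:1;)
"""

# Rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<options>.*)\)\s*$"
)
# Options: "key;" or "key:value;" where value may be a quoted string with escapes
OPT_RE = re.compile(r'(?P<key>[a-z_.]+)(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?;')

BLOCKING_ACTIONS = {"drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}


def parse_rule(line):
    """Parse one rule line. Returns None for blank lines and non-rule comments."""
    stripped = line.strip()
    if not stripped:
        return None
    enabled = not stripped.startswith("#")
    body = stripped.lstrip("#").strip()
    m = RULE_RE.match(body)
    if not m:
        return None
    opts = {}
    for om in OPT_RE.finditer(m.group("options")):
        val = om.group("val")
        if val is not None:
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]  # strip the surrounding quotes
        opts.setdefault(om.group("key"), []).append(val)
    return {
        "enabled": enabled,
        "action": m.group("action"),
        "proto": m.group("proto"),
        "sid": (opts.get("sid") or [None])[0],
        "msg": (opts.get("msg") or [None])[0],
        "opts": opts,
    }


def rules_matching(text, keywords):
    """Rules whose msg, content or pcre mentions any keyword (case-insensitive substring)."""
    wanted = [k.lower() for k in keywords]
    hits = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        haystack = " ".join(
            v for key in ("msg", "content", "pcre") for v in rule["opts"].get(key, []) if v
        ).lower()
        if any(k in haystack for k in wanted):
            hits.append(rule)
    return hits


def blocking_sids(hits):
    """Only enabled rules with a dropping action can make a page hang; alert rules just log."""
    return [h["sid"] for h in hits if h["enabled"] and h["action"] in BLOCKING_ACTIONS]


def scan_files(pattern, keywords):
    """Run the search over rule files on disk (the path is an assumption, adjust for your box)."""
    results = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = rules_matching(fh.read(), keywords)
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    found = rules_matching(SAMPLE_RULES, ["google", "bing", "facebook"])
    for r in found:
        state = "enabled" if r["enabled"] else "disabled"
        print(f"sid {r['sid']:>8}  {r['action']:<6} {state:<8} {r['msg']}")
    print("can block:", blocking_sids(found))
    # On a firewall: scan_files("/var/lib/suricata/rules/*.rules", ["google", "bing", "facebook"])
```

Note that a substring search is deliberately loose ("bing" will also hit words like "combining"), so treat the list as candidates to read, not as a verdict. The useful split is the last one: a matching rule that is commented out, or whose action is alert, cannot explain a browser that just spins, so start with the enabled drop rules.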
Thank you (many thanks) for the info. I have Snort rules and Suricata, and I checked both. It's the Suricata rules causing the issue. I removed Google, Facebook and Bing and the issue went away. But I'm not sure why it was dropping those sites in 192.