Bug 12111 - Suricata does not inspect traffic from OpenVPN networks
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: all All
Importance: Will affect most users, Security
Assignee: Stefan Schantl
QA Contact: Peter Müller
URL:
Keywords: Security
Depends on:
Blocks: SURICATA2.0
Reported: 2019-07-04 17:34 UTC by Peter Müller
Modified: 2020-01-30 10:26 UTC
Description Peter Müller 2019-07-04 17:34:06 UTC
At the moment, Suricata inspects traffic from IPsec connections as they are routed via RED. However, it does not observe anything on OpenVPN's tun0 interface - traffic from remote OpenVPN RW/N2N connections will not be scanned.
Comment 2 Michael Tremer 2019-12-16 11:04:49 UTC
(In reply to Stefan Schantl from comment #1)
> https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=896840eaf295996cba86a47a4cb38f401d2c692f

I do not entirely agree with the patch:

a) You are only scanning RW
b) You check if the OpenVPN daemon is running and you should always add the subnets even if the daemon is not running

Would have been better to comment on the mailing list :)
Comment 3 Stefan Schantl 2019-12-17 11:58:44 UTC
Hello Michael, thanks for your feedback.

You are right, commenting on the ML is much easier. I'll send a new patch directly to the mailing list.
Comment 4 Stefan Schantl 2019-12-17 12:08:41 UTC
Patch has been sent to the development mailing list:

https://patchwork.ipfire.org/patch/2649/