Author Topic: Challenge: Alert on Firewall block - is this possible currently? (Read 2088 times)

zaggynl · « **on:** October 05, 2018, 09:10:52 pm »

So first I tried setting up IDS with GeoIP block of Traffic to China and Russia, no blocking or alerts happened with Intrusion Detection and IDS enabled.

Made a Firewall LAN rule that blocks outgoing traffic to GeoIP of China and Russia.
That blocks, yay!

As for alerts:
I've setup a Monit Service Test with:

content = " 84,,, "

Which is the number of the rule used as found out by:

ping rutube.ru, resolves to: 185.165.123.77

cat /var/log/filter.log | grep 185.165.123.77
or
grep " 84,,," /var/log/filter.log

Oct 5 20:26:56 router filterlog:
84,,,0,igb0,match,block,in,4,0x0,,64,24176,0,DF,1,icmp,84,192.168.1.228,185.165.123.77,datalength=64

I've set up a Service like so:

Type: File
Path: /var/log/filter.log
Test: <name of Monit Service Test>

No alerts appear in my mailbox, I do see the message that Monit restarted.
Status page of Monit also shows no content matches
What am I missing?

Sources I looked at:

https://mmonit.com/monit/documentation/monit.html#FILE-CONTENT-TEST
https://forum.opnsense.org/index.php?topic=5303.0

nospam · « **Reply #1 on:** October 06, 2018, 04:35:50 pm »

IDS -> User Defined -> Add Rule

GeoIP/Country: your blacklist here
GeoIP/Direction: Source
Action: Drop

Then Apply

Works for me and events get logged under IDS -> alerts

I personally wouldn't want email alerts for this unless you want to watch a flood of emails choke your inbox

zaggynl · « **Reply #2 on:** October 07, 2018, 08:05:30 pm »

Thanks for the reply, I tried below settings but a ping to for example rutube.ru does not get blocked by IDS, whereas it does with Firewall rules:

zaggynl · « **Reply #3 on:** October 12, 2018, 03:02:20 pm »

nospam · « **Reply #4 on:** October 12, 2018, 03:55:35 pm »

Under Interfaces I have LAN only and ENABLE SYSLOG ALERTS
Under GeoIP/Direction I have SOURCE

PING rutube.ru (185.165.123.77): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

PING 185.165.123.1 (185.165.123.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

Is your Intrusion Detection service running? Check under dashboard

zaggynl · « **Reply #5 on:** October 13, 2018, 12:17:45 pm »

Changed IDS settings to below, enabled syslog alerts, changed interfaces to LAN only

Dashboard shows Suricata running:

Ping stats look weird:
Rutube.ru

Code: [Select]

64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=1 ttl=57 time=851 ms
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=2 ttl=57 time=9.70 ms
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=1 ttl=57 time=1853 ms (DUP!)
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=3 ttl=57 time=9.53 ms
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=3 ttl=57 time=70.9 ms (DUP!)
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=3 ttl=57 time=941 ms (DUP!)
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=4 ttl=57 time=9.74 ms
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=3 ttl=57 time=1161 ms (DUP!)
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=4 ttl=57 time=953 ms (DUP!)
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=3 ttl=57 time=2319 ms (DUP!)

Google DNS:

Code: [Select]

64 bytes from 8.8.8.8: icmp_seq=13 ttl=122 time=2.76 ms
64 bytes from 8.8.8.8: icmp_seq=12 ttl=122 time=1344 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=11 ttl=122 time=2679 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=13 ttl=122 time=903 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=14 ttl=122 time=2.76 ms
64 bytes from 8.8.8.8: icmp_seq=12 ttl=122 time=2156 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=13 ttl=122 time=1160 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=12 ttl=122 time=2394 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=11 ttl=122 time=3779 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=13 ttl=122 time=1802 ms (DUP!)

Edit:
Ping results returned to normal after disabling IDS:

Code: [Select]

64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=38 ttl=57 time=10.1 ms
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=39 ttl=57 time=9.57 ms
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=40 ttl=57 time=9.62 ms
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=41 ttl=57 time=9.66 ms
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=42 ttl=57 time=9.74 ms

nospam · « **Reply #6 on:** October 17, 2018, 02:30:43 pm »

Try either a reset to defaults or re-install everything from scratch. Something isn't right on your system.

zaggynl · « **Reply #7 on:** October 18, 2018, 10:20:24 pm »

-Backed up config
-Reset to defaults
-Restored config
-no more duplicate pings but still no IDS warnings or blocking

Author Topic: Challenge: Alert on Firewall block - is this possible currently? (Read 2088 times)

zaggynl

Challenge: Alert on Firewall block - is this possible currently?

nospam

Re: Challenge: Alert on Firewall block - is this possible currently?

zaggynl

Re: Challenge: Alert on Firewall block - is this possible currently?

zaggynl

Re: Challenge: Alert on Firewall block - is this possible currently?

nospam

Re: Challenge: Alert on Firewall block - is this possible currently?

zaggynl

Re: Challenge: Alert on Firewall block - is this possible currently?

nospam

Re: Challenge: Alert on Firewall block - is this possible currently?

zaggynl

Re: Challenge: Alert on Firewall block - is this possible currently?