OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: nghappiness on June 29, 2023, 05:48:31 pm

Title: Order of operation
Post by: nghappiness on June 29, 2023, 05:48:31 pm
Hello,

I set up Suricata to monitor my WAN interface. I got these alerts:

2023-06-29T07:17:41.257635-0700 2011716 allowed 162.240.78.231 5060 my.wan.ip.addr 5060 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
2023-06-29T07:14:59.087306-0700 2011716 allowed 45.134.144.57 5119 my.wan.ip.addr 5060 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
2023-06-29T07:14:59.087306-0700 2008578 allowed 45.134.144.57 5119 my.wan.ip.addr 5060 ET SCAN Sipvicious Scan
2023-06-29T07:13:39.864465-0700 2011716 allowed 45.93.16.217 5128 my.wan.ip.addr 5060 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
2023-06-29T07:13:39.864465-0700 2008578 allowed 45.93.16.217 5128 my.wan.ip.addr 5060 ET SCAN Sipvicious Scan

I don't have any inbound rule which allows TCP or UDP port 5060 at all. What is the order of operation in OPNsense? Does the packet get inspected by IPS before the firewall rules?

If the traffic is going to get denied by the firewall rule, there is no reason to get it inspected by IPS at all.

Thanks in advance.
Title: Re: Order of operation
Post by: Patrick M. Hausen on June 29, 2023, 06:59:08 pm
1. Yes. IDS/IPS before firewall rules.
2. Then you don't need an IPS, apparently. I have always wondered what the hype was about. A closed port is closed; if some Russians like to throw packets at it, why should I care?
3. Therefore I run Suricata on my internal interface that serves my publicly reachable services and not on WAN.
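Added example, not code from the thread or from OPNsense: a small Python triage script that parses alert lines in the layout shown above and separates those whose destination port no inbound firewall rule opens, which is the traffic the firewall would have dropped had the IDS not seen it first. The allowed-port set, the third sample line and its SID are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the thread's column layout:
# timestamp, SID, action, src ip, src port, dst ip, dst port, message.
# The third line and its SID (local-rule range) are hypothetical.
SAMPLE_ALERTS = """\
2023-06-29T07:17:41.257635-0700 2011716 allowed 162.240.78.231 5060 my.wan.ip.addr 5060 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
2023-06-29T07:14:59.087306-0700 2008578 allowed 45.134.144.57 5119 my.wan.ip.addr 5060 ET SCAN Sipvicious Scan
2023-06-29T07:10:02.000000-0700 9000001 allowed 203.0.113.9 40000 my.wan.ip.addr 443 HYPOTHETICAL web probe
"""

# Assumed: the only inbound port a WAN firewall rule opens is 443.
ALLOWED_INBOUND_PORTS = {443}

ALERT_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d+) (\S+) (\d+) (.*)$")


def parse_alert(line):
    """Parse one alert line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts, sid, action, src, sport, dst, dport, msg = m.groups()
    return {"ts": ts, "sid": int(sid), "action": action, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport), "msg": msg}


def triage(text, allowed_inbound_ports):
    """Split alerts into those hitting a port a firewall rule opens
    (worth a look) and those the firewall would drop anyway (noise
    caused by IDS/IPS running before the firewall rules on WAN)."""
    actionable, noise = [], []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        bucket = actionable if alert["dport"] in allowed_inbound_ports else noise
        bucket.append(alert)
    return actionable, noise


def summarize(alerts):
    """Count alerts per (SID, message) for a compact report."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


if __name__ == "__main__":
    actionable, noise = triage(SAMPLE_ALERTS, ALLOWED_INBOUND_PORTS)
    print(f"{len(noise)} alert(s) on ports no inbound rule opens (firewall would drop):")
    for (sid, msg), n in summarize(noise).items():
        print(f"  sid {sid}: {msg} x{n}")
    print(f"{len(actionable)} alert(s) on ports a rule opens (review these):")
    for a in actionable:
        print(f"  sid {a['sid']} from {a['src']} -> port {a['dport']}: {a['msg']}")
```

Point the script at the exported alert log instead of SAMPLE_ALERTS and load the allowed-port set from your own WAN rules to get the same split for real data.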
Title: Re: Order of operation
Post by: nghappiness on June 29, 2023, 07:15:44 pm
Hello pmhausen,

Thanks for confirming it, and I agree with your points #2 and #3. I am testing Zenarmor on the internal interfaces at this point.

I hope I can use Suricata to monitor both inbound and outbound traffic as well.