OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: gctwnl on November 25, 2022, 06:43:34 PM

Title: Newbie question: 'in' on WAN versus 'out' on LAN for IDS?
Post by: gctwnl on November 25, 2022, 06:43:34 PM
I am trying to understand the IDS/IPS concept in more detail (I only have a basic idea, not specific, but I'm now going to turn this on at some point). I am using NAT.

As far as I understand it, in / out is defined per interface. So, traffic from the internet to an internal machine is 'in' on the WAN interface and 'out' on the LAN interface. Am I correct?

So, if I want to detect for instance compromised internal systems on the LAN, I would need 'in' rules on the LAN interface. Correct? I could also use 'out' on the WAN interface, but then I lose whatever I know about which internal system is compromised because of NAT. Correct?

And if I want to detect incoming bad stuff, I need to detect it in the 'in' traffic on the WAN interface. Or I can detect it on the 'out' traffic on the LAN. Is there a difference (it seems to me that NAT is not a real problem, but I might be missing something here)?

Is there some tutorial what to do to get a basic IDS running? Like, a standard recipe of which ruleset to apply on which interface?
Title: Re: Newbie question: 'in' on WAN versus 'out' on LAN for IDS?
Post by: phoenix on November 25, 2022, 08:19:23 PM
How about a search on the internet for some of the many articles on this subject? Try the following search and you'll get everything you need: "how to" IDS/IPS opnsense
Title: Re: Newbie question: 'in' on WAN versus 'out' on LAN for IDS?
Post by: Demusman on November 25, 2022, 08:40:44 PM
Quote from: gctwnl on November 25, 2022, 06:43:34 PM
As far as I understand it, in / out is defined per interface. So, traffic from the internet to an internal machine is 'in' on the WAN interface and 'out' on the LAN interface. Am I correct?

Yes, each interface has an in and an out, and each has nothing to do with any other interface.
LAN IN, traffic generated from the network attached to the LAN interface.
LAN OUT, traffic from the LAN interface to the network attached to the LAN interface.

So you are correct that traffic from the internet is IN on the WAN, and OUT on the LAN.
Just don't confuse the WAN OUT as being traffic to the LAN IN as most people do.
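As an added illustration of the in/out-per-interface point above (my own example, not code from the thread or from OPNsense): a toy model of a NAT firewall with one LAN and one WAN interface, listing what an IDS bound to each interface and direction would see for the same packet. All addresses are constructed, ports are ignored, and the firewall is assumed to do source NAT to a single public address.

```python
from dataclasses import dataclass, replace

# Constructed values for the illustration (hypothetical, not from the thread).
LAN_PREFIX = "192.168.1."
WAN_ADDR = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class NatFirewall:
    """Toy two-interface NAT box. traverse() returns, for one packet, the
    (interface, direction, packet-as-seen) tuples that an IDS attached to
    that interface/direction would inspect."""

    def __init__(self):
        self.state = {}  # remote address -> internal host that opened the flow

    def traverse(self, pkt: Packet):
        if pkt.src.startswith(LAN_PREFIX):
            # Outbound: LAN IN sees the real internal source, WAN OUT sees
            # only the public address after source NAT.
            self.state[pkt.dst] = pkt.src
            return [("LAN", "in", pkt), ("WAN", "out", replace(pkt, src=WAN_ADDR))]
        # Inbound: WAN IN sees the public destination, LAN OUT sees the
        # internal host once the translation has been reversed.
        inside = self.state.get(pkt.src)
        if inside is None:
            return [("WAN", "in", pkt)]  # no NAT state: stateful firewall drops it
        return [("WAN", "in", pkt), ("LAN", "out", replace(pkt, dst=inside))]


def internal_host_visible(observations, interface, direction):
    """Internal address an IDS on this interface/direction can attribute the
    packet to, or None when NAT has hidden it (or nothing was seen there)."""
    for iface, direc, seen in observations:
        if iface == interface and direc == direction:
            return next((a for a in (seen.src, seen.dst) if a.startswith(LAN_PREFIX)), None)
    return None


if __name__ == "__main__":
    fw = NatFirewall()
    for obs in fw.traverse(Packet("192.168.1.20", "198.51.100.7")):
        print(obs)  # LAN in keeps 192.168.1.20; WAN out shows 203.0.113.10
    for obs in fw.traverse(Packet("198.51.100.7", WAN_ADDR)):
        print(obs)  # WAN in shows 203.0.113.10; LAN out restores 192.168.1.20
```

The outbound case is the one the question is about: inspecting WAN OUT still catches the traffic, but only LAN IN tells you which internal host generated it.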
Title: Re: Newbie question: 'in' on WAN versus 'out' on LAN for IDS?
Post by: gctwnl on November 26, 2022, 11:55:40 AM
Quote from: phoenix on November 25, 2022, 08:19:23 PM
How about a search on the internet for some of the many articles on this subject? Try the following search and you'll get everything you need: "how to" IDS/IPS opnsense
Of course I spent quite a bit of time searching and reading before asking, but from my perspective what I read required me to understand it already (this is true for most documentation as it is generally written by engineers who understand it very well already and who may have a hard time understanding non-understanding :-)). That goes for OPNsense documentation, which was the first I read (and the first hit) as well.

Still, your reply did actually help because I looked again and somehow I had missed the how-to in OPNsense documentation itself (https://docs.opnsense.org/manual/how-tos/ips-feodo.html#ips-sslblacklists-feodo-tracker). Which brings me back to what I don't quite understand yet: that how-to attaches the ruleset to the WAN interface. But I'm looking for an example that attaches to the LAN interface and inspects mostly outgoing stuff.