OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Marinoz on May 08, 2024, 10:08:16 PM

Title: Which IDS IPS rules do you prefer
Post by: Marinoz on May 08, 2024, 10:08:16 PM
Which IPS/IDS rules do you all prefer? I'm a newbie btw
Title: Re: Which IDS IPS rules do you prefer
Post by: Patrick M. Hausen on May 08, 2024, 10:53:31 PM
None. IDS/IPS is snake oil.
Title: Re: Which IDS IPS rules do you prefer
Post by: Marinoz on May 08, 2024, 11:47:21 PM
First, why do you look like tecak lol, and secondly, why do you say that?
Title: Re: Which IDS IPS rules do you prefer
Post by: Patrick M. Hausen on May 08, 2024, 11:58:02 PM
https://forum-opnsense-org.translate.goog/index.php?topic=39446.msg193260&_x_tr_sl=de&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp#msg193260
Title: Re: Which IDS IPS rules do you prefer
Post by: meyergru on May 09, 2024, 12:42:02 AM
Patrick is right on the money with this opinion.

Think of it this way: Just out of caution, you would have to activate all IDS rules first, just in case any trojan or virus exhibits a behaviour that the IDS might detect. Of course, there may be many attack patterns which are not even considered by existing rules - how should we know?

Then, you will notice that some rules fire and cause warnings (be sure not to activate IPS yet, or else you will be offline!). Then, you will have to evaluate if a threat really exists or if it was a false alarm. In the latter case, you would have to disable that rule, because if you leave it active and switch on IPS later on, it will potentially block legitimate traffic.

This is a cat-and-mouse game which you will never win, because with auto-updating rules, you may still find yourself in an uncomfortable position later. On the other hand, nobody guarantees that every threat will even be caught by this.
Title: Re: Which IDS IPS rules do you prefer
Post by: Marinoz on May 09, 2024, 12:45:35 PM
Well I'm sorry but I'm a newbie, I can't be like "oh this traffic looks bad let's MANUALLY BLOCK IT", I want someone to do this automatically
Title: Re: Which IDS IPS rules do you prefer
Post by: Patrick M. Hausen on May 09, 2024, 01:01:24 PM
But your firewall already blocks everything from outside in.

Don't you trust your internal devices? I do.

Then as I wrote in that other German thread - there's blocklists and Crowdsec.
Title: Re: Which IDS IPS rules do you prefer
Post by: meyergru on May 09, 2024, 01:04:02 PM
What I tried to explain and what you obviously did not get is that the provided IDS/IPS rules from which you can choose have errors of first and second degree.

That means: 1) there may be things they do not catch and 2) there will be false alarms that may cripple your experience because these rules would block legitimate traffic if IPS is enabled.

The first order problems are not of your concern, since if you did not enable IPS at all, these unmitigated attacks would get unnoticed as well. However: do not expect perfect protection from an IPS.

Second order problems will be your problem when you enable IPS and then return here and ask "why does this not work"?

In order to avoid this, you will have to see which false alarms occur in your specific situation, i.e. with the services you actually use. We do not know, so either you invest the time or pay someone to do it for you. There is no "one size fits all" or "automagical" approach here. You will see that if you search the forum for questions about how suricata blocks legitimate traffic. And every single update may bring new rules along that then block something new - sometimes correctly, sometimes not.

If you neither want to invest the time yourself nor pay someone to do it, you are facing the question: "Do I want to risk crippling my internet connection for a mechanism I do not fully understand and which cannot reach 100% efficiency anyway?"

With Crowdsec, you may be getting the most of what you obviously want: You relay your decisions to the crowd, hoping that they have a similar use pattern as you and that the same rules are applicable for you, too. Whether that is true depends largely on what you or others have in common w/r to the vulnerable devices in question.

I just limit those devices to a separate VLAN, because then, I do not have to trust them.

Title: Re: Which IDS IPS rules do you prefer
Post by: Marinoz on May 09, 2024, 01:05:38 PM
Quote from: Patrick M. Hausen on May 09, 2024, 01:01:24 PM
But your firewall already blocks everything from outside in.

Don't you trust your internal devices? I do.

Then as I wrote in that other German thread - there's blocklists and Crowdsec.

No, not quite, I don't trust my internal devices as they are infected
Title: Re: Which IDS IPS rules do you prefer
Post by: Marinoz on May 09, 2024, 01:06:43 PM
Quote from: meyergru on May 09, 2024, 01:04:02 PM
What I tried to explain and what you obviously did not get is that the provided IDS/IPS rules from which you can choose have errors of first and second degree.

That means: 1) there may be things they do not catch and 2) there will be false alarms that may cripple your experience because these rules would block legitimate traffic if IPS is enabled.

The first order problems are not of your concern, since if you did not enable IPS at all, these unmitigated attacks would get unnoticed as well. However: do not expect perfect protection from an IPS.

Second order problems will be your problem when you enable IPS and then return here and ask "why does this not work"?

In order to avoid this, you will have to see which false alarms occur in your specific situation, i.e. with the services you actually use. We do not know, so either you invest the time or pay someone to do it for you. There is no "one size fits all" or "automagical" approach here. You will see that if you search the forum for questions about how suricata blocks legitimate traffic. And every single update may bring new rules along that then block something new - sometimes correctly, sometimes not.

If you neither want to invest the time yourself nor pay someone to do it, you are facing the question: "Do I want to risk crippling my internet connection for a mechanism I do not fully understand and which cannot reach 100% efficiency anyway?"

With Crowdsec, you may be getting the most of what you obviously want: You relay your decisions to the crowd, hoping that they have a similar use pattern as you and that the same rules are applicable for you, too.
Well I know there is no perfect protection but doesn't IDS/IPS add a layer?
Title: Re: Which IDS IPS rules do you prefer
Post by: meyergru on May 09, 2024, 01:10:14 PM
Yes, this adds a layer. I quote myself:

Quote from: meyergru on May 09, 2024, 01:04:02 PM
Second order problems will be your problem when you enable IPS and then return here and ask "why does this not work"?

...

You will see that if you search the forum for questions about how suricata blocks legitimate traffic. And every single update may bring new rules along that then block something new - sometimes correctly, sometimes not.

Just try.
Title: Re: Which IDS IPS rules do you prefer
Post by: Marinoz on May 09, 2024, 01:11:42 PM
Nah I don't have to try because after five minutes with IPS and all IDS rules on my connection gets cut and I have to reboot all services lol
Title: Re: Which IDS IPS rules do you prefer
Post by: Marinoz on May 09, 2024, 01:15:29 PM
I have two more questions though that have nothing to do with this post but as you are online I will shoot my shot. So I run OPNsense on Proxmox and at the Proxmox installation it asks me for a gateway. But my gateway is OPNsense that runs in Proxmox. Also my mini PC (server) has four ethernet ports and one of them is for accessing Proxmox and the two others are LAN and WAN of OPNsense. Does it matter if the Proxmox gateway IP matches the LAN IP of OPNsense as they are at different ports, or does it matter because they are on the same switch? Also second question. Can I use a port like OPNsense LAN for another VM to advertise it through the same port? Like TrueNAS?
Title: Re: Which IDS IPS rules do you prefer
Post by: bogardon on May 23, 2025, 11:55:52 PM
My experience with suricata has been that whenever I get an alert, it is impossible for me to tell if it's a real issue because most of time the data is encrypted. So then I simply disable the alert as a false positive, and rinse and repeat for all new alerts.

Even if it's not encrypted, it's still a massive chore to figure out what it is...

Going to turn it off and look into crowdsec instead.

Title: Re: Which IDS IPS rules do you prefer
Post by: someone on May 27, 2025, 12:27:50 AM
Start with the defaults until you learn more. No such thing as a false positive. All my alerts are set to block. You don't need to see the data to determine the packet's motive. Hope that helps.
Title: Re: Which IDS IPS rules do you prefer
Post by: bimbar on May 27, 2025, 12:04:30 PM
I basically agree with Patrick, but if you want to do it, there are rules I would activate without too much problems - for example the abuse.ch rules. You should definitely not activate all the rules.
Title: Re: Which IDS IPS rules do you prefer
Post by: jonny5 on June 13, 2025, 09:26:24 PM
One - IDS > IPS - mainly because detection is inherently fault prone, blocking needed traffic means issues

Two - Enabling IDS rules via Policies in OPNSense's Policy management is okay

Three - Suricata has its own rule management tool that is already installed and can be switched to
Switching to Suricata-Update from OPNSense's Policy Based IDS/IPS Rule Management - Using Suricata-Update on OPNSense (https://www.nova-labs.net/using-suricata-update-on-opnsense/)
Also created a Github repo for Suricata-Update Config Files (https://github.com/j0nny55555/noiseless-suricata-update/) to give some actual SIDs/Regex that I use in my suricata-update runs - note - this repo has an update that I'm still finalizing, ah the to-do lists. The update isn't too major, just more disable, possibly one or two enable items and some modify rules that fix rule text issues I've found.

Four - There are likely bots/script-kiddies and zero if any VERY Unlikely APTs that are interacting with your IP. Blocking the script kiddies/inventory-the-internet traffic 'could' lighten the network load.

Five - Doing this without some level of data lake is not for the faint of heart, and data lakes aren't necessarily easy either but can work for focused searches / pattern checking. Graylog/Elastic/etc. can all be great places to send your syslogs (firewall/system/suricata) so you know about what's going on and if a rule modification is going to focus your IDS/environment more.

Six - This is really useful if you are actually hosting services; if there isn't anything being port forwarded into your network, then your IDS events will be few if any and mostly generated by your users. Most of the local user traffic based rules are extremely fault prone and honestly of little use. Enabling any Nginx/Apache/PHP/Wordpress/MySQL/Mariadb rules if you have a web host is easily a good idea.

Seven - The completeness number, neat. Encryption is a thing, and SSL/TLS/Encrypted traffic is of little use for IDS inspection, it won't be able to 'read' any otherwise visible protocol/app level text/packet detail. If you are terminating the TLS for your hosted services using your Reverse Proxy in some DMZ zone and one or more Web Hosts in some Core zone, and have the proper setup (Reverse Proxy/Web Host/IDS) with XFF and as mentioned the back end services which must be set apart in a different interface/subnet/zone of your OPNSense, now you can read attacks inbound to your otherwise secure hosted Web Site(s) as the IDS can actually see it in the 'decrypted' traffic between the Reverse Proxy and the Web Host and inspect it. Your users' outbound/browsing activity is the hardest one to access, and requires you to set up an internal CA PKI, install the certs on your devices and set it up on Suricata... and it will eat your CPU alive I bet. Haven't done it, yet, might not ever lol.

If you are filtering/securing DNS, having IDS notice what is actually unwanted, have a Reverse Proxy in the mix, and using another OPNSense plug-in called CrowdSec, you can inspect your firewall logs and the Suricata logs to detect threats, and it will block them if they reach a threshold and then you can actually provide some level of 'corporate level network protection' for your network (Lite-NG-Firewall/Responsive-IDS/WAF/DNS-Filtering). It can turn a Reverse Proxy into a reactive WAF of sorts, impressive stuff. The CrowdSec block can work for all of your integrated Multi-Server setup (Agents - Parsers/Blockers/Appsec) and everyone else that uses CrowdSec depending on how you set it up (stay an island / share w/community).

CrowdSec can be a task to install, especially if you start growing it to be a Multi-Server setup but to say it is easily a catalyst to change the otherwise 'only logged' activity from your IDS into responsive action would be an understatement. Similar to Fail2ban or AbuseIPDB, but quite a bit more.

If you are sending data to them, you get larger access to their Community blocklist, mine is sitting at about 40k known threat IPs (HTTP/SSH/bots/etc.).
About that setup: CrowdSec Multi-Server with OPNSense Router (https://www.nova-labs.net/homelab-opnsense-crowdsec-multi-server/)

Lastly, I did write up how to enable mostly useful rules in OPNSense's Policy Management UI (https://www.nova-labs.net/opnsense-and-enabling-suricata-rules/) - but would earnestly recommend learning about suricata-update and familiarizing yourself enough with FreeBSD and where the folders are to 'switch over' to doing it with Suricata's native tool.
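The tuning loop described earlier in the thread (run IDS only, see which rules fire on traffic you know is legitimate, disable those before switching on IPS) and the suricata-update disable list mentioned in the post above can be turned into a small review script. The following is an added example written for this thread; it is not OPNsense, Suricata or nova-labs code, and the eve.json lines, the SIDs, the internal networks and the vetted hosts are all constructed sample values. It tallies alerts per SID, flags rules that keep firing only between internal or vetted peers as false-positive candidates, and renders them as a `disable.conf` fragment in the one-SID-per-line form suricata-update reads:

```python
"""Review Suricata EVE alerts by SID and draft a suricata-update disable.conf.
Added example for this thread, not Suricata/OPNsense code; all sample data
below is constructed."""
import ipaddress
import json

# Assumed local address space and hosts the admin has already vetted as
# legitimate peers (constructed values; adjust to your own network).
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/8")]
VETTED_HOSTS = {"198.51.100.9"}  # e.g. an off-site backup target you trust


def _eve_alert(ts, sid, signature, src, dst, proto="tls"):
    """Build one constructed eve.json 'alert' record in Suricata's EVE shape."""
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": dst,
        "proto": "TCP", "app_proto": proto,
        "alert": {"action": "allowed", "signature_id": sid, "rev": 1,
                  "signature": signature, "category": "Potentially Bad Traffic"},
    })


# Constructed sample log (not captured from a real firewall): four SIDs with
# different peer patterns, one non-alert event and one truncated line.
SAMPLE_EVE = "\n".join(
    [_eve_alert(f"2024-05-09T12:00:0{i}.000000+0200", 2100001,
                "CONSTRUCTED TLS between internal hosts", "192.168.1.20", "10.0.0.5")
     for i in range(4)]
    + [_eve_alert("2024-05-09T12:01:00.000000+0200", 2100002,
                  "CONSTRUCTED inbound scan", "203.0.113.7", "192.168.1.20", "http")]
    + [_eve_alert(f"2024-05-09T12:02:0{i}.000000+0200", 2100003,
                  "CONSTRUCTED backup upload pattern", "192.168.1.30", "198.51.100.9")
       for i in range(3)]
    + [_eve_alert(f"2024-05-09T12:03:0{i}.000000+0200", 2100004,
                  "CONSTRUCTED outbound to unvetted host", "192.168.1.30", "203.0.113.50")
       for i in range(3)]
    + ['{"timestamp":"2024-05-09T12:04:00.000000+0200","event_type":"flow",'
       '"src_ip":"192.168.1.20","dest_ip":"10.0.0.5"}',
       '{"timestamp":"2024-05-09T12:05:00.000000+0200","event_type":"alert","src_ip":"19']
)


def parse_eve_alerts(text):
    """Return only 'alert' records; skip other event types and unparsable lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated line (e.g. around a log rotation): skip, do not abort
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def tally_by_sid(alerts):
    """Count hits per SID and collect every src/dest address it fired on."""
    tally = {}
    for rec in alerts:
        a = rec["alert"]
        entry = tally.setdefault(a["signature_id"],
                                 {"signature": a.get("signature", ""), "count": 0, "peers": set()})
        entry["count"] += 1
        entry["peers"].update((rec["src_ip"], rec["dest_ip"]))
    return tally


def _trusted(ip, vetted_hosts):
    addr = ipaddress.ip_address(ip)
    return ip in vetted_hosts or any(addr in net for net in INTERNAL_NETS)


def candidate_false_positives(tally, vetted_hosts, min_hits=3):
    """SIDs that fired at least min_hits times and only ever involved internal
    or vetted peers; anything touching an unvetted external host stays enabled."""
    return sorted(sid for sid, e in tally.items()
                  if e["count"] >= min_hits and all(_trusted(p, vetted_hosts) for p in e["peers"]))


def render_disable_conf(tally, sids):
    """suricata-update disable.conf syntax: '#' comments, one SID per line."""
    lines = ["# disable.conf fragment generated from eve.json review",
             "# re-run this review after every rule update; new revisions change behaviour"]
    for sid in sids:
        e = tally[sid]
        lines.append(f"# {e['count']} hits, all peers internal or vetted: {e['signature']}")
        lines.append(str(sid))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    tally = tally_by_sid(parse_eve_alerts(SAMPLE_EVE))
    print(render_disable_conf(tally, candidate_false_positives(tally, VETTED_HOSTS)))
```

On a real box you would feed it the current eve.json instead of `SAMPLE_EVE` and treat the output as a review list, not an automatic disable: the script only surfaces rules whose hits are confined to peers you already trust, and each one still deserves a look at the signature text before it goes into disable.conf, which is exactly the manual step the thread says cannot be skipped.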
Title: Re: Which IDS IPS rules do you prefer
Post by: someone on June 25, 2025, 03:24:46 AM
Yes use default rules until your skill level increases
There are no wrong blocks, that's a maintenance issue on the user
Yes I would run IPS rules
You need them to block attacks toward you and from them attacking others through your computer
Not counting data breaches, spreading malicious forms of attack, etc
Most people will never reach those skill levels, I'm just a newb
I deal with them most every day