OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: someone on October 15, 2024, 02:45:25 AM

Title: How I test IPS engine blocking
Post by: someone on October 15, 2024, 02:45:25 AM
How I test Suricata engine rule drop
Go to Services > Intrusion Detection > Administration > User Defined
Click the plus button to make a rule
Enter 8.8.8.8 in Destination IP
Set to drop, description Dest8.8.8.8, and save
Click make rule again
Enter 8.8.8.8 in Source IP
Set to drop, description source8.8.8.8, and save
Click apply and wait 5 minutes
Open a command terminal, enter ping 8.8.8.8 and press enter
Wait 5 seconds and press Ctrl-C to stop
Go to alerts and the log file with the box set to informational
You will see it blocked 8.8.8.8 as the destination
It never left the WAN
Delete the Dest8.8.8.8 rule, click apply, wait 5 minutes
Ping 8.8.8.8 again for 5 seconds and press Ctrl-C to stop
Check the alerts tab and the log file with the informational box set
You will see it blocked source 8.8.8.8
Delete the source8.8.8.8 rule, click apply, wait 5 minutes
You are back to normal
If you downloaded the opnsense.rules file
The rules would look like this
alert ip 8.8.8.8 any -> any any (msg:"8.8.8.8_source"; sid:4294967294; rev:1;)
alert ip any any -> 8.8.8.8 any (msg:"8.8.8.8_Dest"; sid:4294967293; rev:1;)
Notice it says any any and not $HOME_NET, not $EXTERNAL_NET
The first any is for IP, the second is for port
I have a policy running to set all alerts to drop
That's why it was blocked, and because IPS is enabled
If only IDS is enabled it would just give alerts
Thanks

Or you can enter the rules in opnsense.test.rules manually
I put all my rules here because they will not be rewritten on reboot
And I save a copy to use on the next installation
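The check in the post is done by eye in the Alerts tab. As an added example (not code from the post or from OPNsense), the script below renders the two user-defined rules in the form the post shows and then reads a Suricata eve.json excerpt to decide whether the engine actually dropped the ping or only alerted on it. The eve.json records are constructed for this example; their field names (event_type, src_ip, dest_ip, alert.action, alert.signature_id) follow Suricata's EVE alert output. The sids are the two shown in the post; the third record uses sid 2100366 from the follow-up post with placeholder signature text and an "allowed" action to stand in for what IDS-only mode would log.

```python
"""Added example: render the user-defined test rules from the post and read a
Suricata eve.json excerpt to tell a real drop apart from an alert-only hit.
Log records below are constructed, not captured from a live OPNsense box."""
import json

# The post shows OPNsense handing out these two sids from the top of the range.
SID_SOURCE = 4294967294
SID_DEST = 4294967293


def user_defined_rule(action: str, src: str, dst: str, msg: str, sid: int) -> str:
    """One IP rule in the shape the User Defined tab writes to opnsense.rules.
    Address and port are both 'any' here, not $HOME_NET / $EXTERNAL_NET."""
    return f'{action} ip {src} any -> {dst} any (msg:"{msg}"; sid:{sid}; rev:1;)'


def render_test_rules(ip: str = "8.8.8.8") -> list[str]:
    """The two rules from the post: ip as source, then ip as destination."""
    return [
        user_defined_rule("alert", ip, "any", f"{ip}_source", SID_SOURCE),
        user_defined_rule("alert", "any", ip, f"{ip}_Dest", SID_DEST),
    ]


# Constructed eve.json excerpt (one JSON object per line, as Suricata writes it).
# Record 1: dest rule active, echo request to 8.8.8.8 blocked (never left the WAN).
# Record 2: a non-alert event, which the parser must skip.
# Record 3: dest rule removed, the echo reply *from* 8.8.8.8 blocked by the source rule.
# Record 4: an alert-only hit ("allowed"), which is what IDS mode or no drop policy shows.
EVE_SAMPLE = "\n".join([
    json.dumps({"timestamp": "2024-10-15T02:47:01.000000+0000", "event_type": "alert",
                "src_ip": "192.168.1.10", "dest_ip": "8.8.8.8", "proto": "ICMP",
                "icmp_type": 8, "icmp_code": 0,
                "alert": {"action": "blocked", "gid": 1, "signature_id": SID_DEST,
                          "rev": 1, "signature": "8.8.8.8_Dest", "severity": 3}}),
    json.dumps({"timestamp": "2024-10-15T02:47:02.000000+0000", "event_type": "flow",
                "src_ip": "192.168.1.10", "dest_ip": "8.8.8.8", "proto": "ICMP"}),
    json.dumps({"timestamp": "2024-10-15T02:53:10.000000+0000", "event_type": "alert",
                "src_ip": "8.8.8.8", "dest_ip": "192.168.1.10", "proto": "ICMP",
                "icmp_type": 0, "icmp_code": 0,
                "alert": {"action": "blocked", "gid": 1, "signature_id": SID_SOURCE,
                          "rev": 1, "signature": "8.8.8.8_source", "severity": 3}}),
    json.dumps({"timestamp": "2024-10-15T02:53:10.500000+0000", "event_type": "alert",
                "src_ip": "192.168.1.10", "dest_ip": "8.8.8.8", "proto": "ICMP",
                "icmp_type": 8, "icmp_code": 0,
                "alert": {"action": "allowed", "gid": 1, "signature_id": 2100366,
                          "rev": 1, "signature": "icmp-info ping (placeholder text)",
                          "severity": 3}}),
])


def alert_events(eve_text: str) -> list[dict]:
    """Parse eve.json text and keep only the alert records."""
    events = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            events.append(rec)
    return events


def verdict_for_sid(events: list[dict], sid: int) -> str:
    """'drop' if the engine blocked at least one packet on this sid (IPS mode plus
    the drop policy), 'alert-only' if it only logged, 'no-hit' if it never fired."""
    actions = {e["alert"]["action"] for e in events if e["alert"]["signature_id"] == sid}
    if "blocked" in actions:
        return "drop"
    if actions:
        return "alert-only"
    return "no-hit"


def blocked_directions(events: list[dict], ip: str) -> dict[str, int]:
    """Count blocked packets with ip as destination (the request) versus as
    source (the reply), which is the difference between the two halves of the test."""
    counts = {"as_dest": 0, "as_source": 0}
    for e in events:
        if e["alert"]["action"] != "blocked":
            continue
        if e["dest_ip"] == ip:
            counts["as_dest"] += 1
        if e["src_ip"] == ip:
            counts["as_source"] += 1
    return counts


if __name__ == "__main__":
    for rule in render_test_rules():
        print(rule)
    evs = alert_events(EVE_SAMPLE)
    print("dest rule:", verdict_for_sid(evs, SID_DEST))
    print("source rule:", verdict_for_sid(evs, SID_SOURCE))
    print("sid 2100366:", verdict_for_sid(evs, 2100366))
    print(blocked_directions(evs, "8.8.8.8"))
```

On a real box, point alert_events at the contents of /var/log/suricata/eve.json (assumed path; check your installation) after each ping run. A "drop" verdict on the dest sid with as_dest > 0 is the first half of the post's test; a "drop" on the source sid with as_source > 0 after the dest rule is deleted is the second half. An "alert-only" verdict means the rule fired but nothing was dropped, which is what you get with IDS mode or without the alerts-to-drop policy.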
Title: Re: How I test IPS engine blocking
Post by: someone on October 15, 2024, 02:51:47 AM
Disregard this if you have not set $HOME_NET to any
in emerging.icmp-info.rules

Note: disable rule 2100366 first
It will alert on pings
It will block if you set it to drop
Title: Re: How I test IPS engine blocking
Post by: EleazarBauch on November 07, 2024, 08:37:36 AM
Quote from: someone on October 15, 2024, 02:51:47 AM
Disregard this if you have not set $HOME_NET to any
in emerging.icmp-info.rules

Note: disable rule 2100366 first
It will alert on pings
It will block if you set it to drop
Entering strings of characters continuously is a bit tricky; can you explain it in more detail?
Title: Re: How I test IPS engine blocking
Post by: someone on November 12, 2024, 12:46:31 AM
I was explaining how to test if your IPS engine in Suricata is working using the user-defined rules in the IPS GUI
That tests that the engine is running and working
It tests your new rule
It doesn't test the rulesets