OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: katamadone [CH] on November 23, 2018, 11:15:55 pm

Title: IDS not working - what did I miss?
Post by: katamadone [CH] on November 23, 2018, 11:15:55 pm
I'd like to enable Intrusion Detection.
So I looked under Administration, Intrusion Detection, Settings
enabled: on
IPS mode: on
Promiscuous mode: tried with on / off
Pattern Matcher: default
Interface WAN

under Download:
I marked all, enabled all
Download & Update Rules (Abuse.ch seems to have some problems, but URLhaus was updated)
for all Abuse.ch rules I set the filter to "Drop"
and so far I went to the list urlhaus.abuse.ch/ and decided to go for the https://urlhaus.abuse.ch/url/83455/ to test.

But the traffic was not dropped.

Thx in advance
Title: Re: IDS not working - what did I miss?
Post by: katamadone [CH] on November 23, 2018, 11:20:41 pm
(https://image.ibb.co/cPdAFV/grafik.png)
(https://image.ibb.co/h7a1NA/grafik.png)
Title: Re: IDS not working - what did I miss?
Post by: SecAficionado on November 25, 2018, 05:21:03 am
Hi chsu83,

You say you enabled everything, but your screenshot does not show any enabled rules. Is that the problem you are reporting?

If you want to double-check, you can go to the Rules tab and check the individual rules to make sure they are really enabled and set to drop.

Side note on IPS/IDS rules: It's a bad idea to enable all the rules indiscriminately. Even if you have a very powerful CPU, with lots of memory, it does not make sense to check your traffic for protocols you are not using. It's a waste of resources, and it will only slow down your traffic.

No two networks are alike, and the IDS rules need to reflect that. Consider how risk-averse you are. If you want to block only traffic that you are positive is bad, then you need to choose "low noise" rules. If, on the other hand, you want to block anything and everything that looks like bad traffic, then you can enable more rules, especially the new ones. New rules usually reflect the current trends in malware and attacks, but because they are new, they may need to be properly tuned to reduce false-positives.

Unfortunately, there are no good resources online for rule selection. You will need to start experimenting with your own network. Try to read the documentation provided by the rule creators. Also, in general, if you are not going to do anything about a certain alert, or type of alert, you should not turn it on. There are lots of rules that are only meant to alert their admins that there are certain types of traffic in their networks. Setting those rules to block will create your own DoS, which is undesirable.

Sorry for the detour. As a final note. If you want to troubleshoot the IPS capability. I would suggest enabling only one rule. One that you are sure you can trigger on command. If that works, keep enabling rules and test them, if possible. Look at the logs and make sure there aren't any rules that cause suricata to stop processing traffic, or that give errors. If you do find errors, fix them before proceeding, or disable the offending rules.

HTH
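The advice above boils down to two checks: read the engine log for rules that fail to load (those can keep Suricata from starting at all), and confirm in the alert log that your one test rule actually fires with action "blocked" rather than just "allowed". The following script is an added example, not code from this thread or from the OPNsense project. It parses constructed sample lines in the shape of Suricata's suricata.log and eve.json; the exact log format, the ERRCODE names and the rules-file path are assumptions based on Suricata 4.x and will differ slightly between versions.

```python
"""Triage helpers for an OPNsense/Suricata IPS test run (added example).

engine_errors()/engine_started() take the raw text of suricata.log,
alert_actions()/rule_is_blocking() take the raw text of eve.json.
All sample data below is constructed, not a real capture.
"""
import json
import re
from collections import Counter, defaultdict

# Suricata 4.x-style engine log line (format assumed; message text constructed).
ERROR_RE = re.compile(
    r"<Error> - \[ERRCODE: (?P<code>[A-Z0-9_]+)\(\d+\)\] - (?P<msg>.*)$")
# Rule-parse errors reference the rules file and line that failed.
FILE_RE = re.compile(r"from file (?P<file>\S+) at line (?P<line>\d+)")

SURICATA_LOG = """\
23/11/2018 -- 23:16:01 - <Notice> - This is Suricata version 4.0.5 RELEASE
23/11/2018 -- 23:16:02 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg:"URLhaus test"; content:|)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 7
23/11/2018 -- 23:16:02 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/local/etc/suricata/opnsense.rules/empty.rules
23/11/2018 -- 23:16:02 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"bad"; sid:)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 12
"""

# Constructed eve.json lines: two alerts that were only logged, one that was dropped.
EVE_JSON = """\
{"timestamp":"2018-11-23T23:20:00.000000+0100","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"203.0.113.5"}
{"timestamp":"2018-11-23T23:20:01.000000+0100","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"203.0.113.5","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2000001,"rev":1,"signature":"TEST alert-only rule","category":"Test","severity":3}}
{"timestamp":"2018-11-23T23:20:02.000000+0100","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"203.0.113.5","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2000001,"rev":1,"signature":"TEST alert-only rule","category":"Test","severity":3}}
{"timestamp":"2018-11-23T23:20:03.000000+0100","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"203.0.113.6","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2000002,"rev":1,"signature":"TEST drop rule","category":"Test","severity":1}}
"""


def engine_errors(log_text):
    """Group <Error> lines by the rules file they point at.

    Returns {file_path_or_None: [(line_no, errcode, message), ...]}.
    Errors that do not reference a rules file land under the key None.
    """
    errors = defaultdict(list)
    for raw in log_text.splitlines():
        m = ERROR_RE.search(raw)
        if not m:
            continue
        fm = FILE_RE.search(m.group("msg"))
        key = fm.group("file") if fm else None
        line_no = int(fm.group("line")) if fm else None
        errors[key].append((line_no, m.group("code"), m.group("msg")))
    return dict(errors)


def engine_started(log_text):
    """True once the engine logs that packet processing has begun."""
    return any("engine started" in line for line in log_text.splitlines())


def alert_actions(eve_text):
    """Count eve.json alert events by (signature_id, action).

    'blocked' only appears when Suricata runs inline (IPS mode) and the
    matching rule's action is drop; an alert-only rule logs 'allowed'.
    """
    counts = Counter()
    for raw in eve_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated/partial lines in a live log
        if event.get("event_type") != "alert":
            continue
        alert = event["alert"]
        counts[(alert["signature_id"], alert.get("action", "unknown"))] += 1
    return counts


def rule_is_blocking(eve_text, sid):
    """True if sid produced at least one blocked alert and never an allowed one."""
    counts = alert_actions(eve_text)
    return counts[(sid, "blocked")] > 0 and counts[(sid, "allowed")] == 0


if __name__ == "__main__":
    for path, errs in engine_errors(SURICATA_LOG).items():
        print(f"{path}: {len(errs)} rule error(s) at lines {[e[0] for e in errs]}")
    print("engine started:", engine_started(SURICATA_LOG))
    for (sid, action), n in sorted(alert_actions(EVE_JSON).items()):
        print(f"sid {sid}: {action} x{n}")
```

The practical reading: a rules file showing up in `engine_errors()` is the one to exclude before re-downloading, and a test rule whose alerts only ever show `allowed` means either IPS mode is not really inline on that interface or the rule's action is still alert rather than drop.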
Title: Re: IDS not working - what did I miss?
Post by: katamadone [CH] on November 27, 2018, 07:49:10 am
Hey secaficionado,

Sorry missed an important thing:
marked all & enabled - there I meant all abuse.ch - sorry for that.

That's also what I tried to test then with the entry https://urlhaus.abuse.ch/url/83455/ . Because so far I understand this should then be blocked.
But as you said, a more granular check: I looked in the "Rules" tab especially and selected the first abuse.ch/urlhaus rule where I verified that the action is also drop. And this first rule is:

(https://i.ibb.co/nmHn8jv/image.png)

and in abuse.ch on this https://urlhaus.abuse.ch/url/114/ the url http:**motifahsap.com*asjkbwn.exe is listed, so as far as I understand this url / download should then be blocked.
Title: Re: IDS not working - what did I miss?
Post by: The_Sage on December 16, 2018, 06:41:08 am
I had an issue with abuse.ch/URLhaus: there was an error in a rule and the IDS engine didn't start (see logs under Intrusion Detection). I found mentions of this behaviour for earlier versions of OPNsense.
I fixed it by reinstalling and NOT choosing abuse.ch (sorry for not knowing a better method).
The abuse.ch/Dyre SSL IPBL also doesn't seem to download, although there are no errors in the log and IDS seems to be working.
Title: Re: IDS not working - what did I miss?
Post by: p1n0ck10 on December 16, 2018, 01:46:44 pm
I had an issue with abuse.ch/URLhaus: there was an error in a rule and the IDS engine didn't start (see logs under Intrusion Detection). I found mentions of this behaviour for earlier versions of OPNsense.
I fixed it by reinstalling and NOT choosing abuse.ch (sorry for not knowing a better method).
The abuse.ch/Dyre SSL IPBL also doesn't seem to download, although there are no errors in the log and IDS seems to be working.

I had the same experience with the list abuse.ch/URLhaus. Can a developer delete the list?
Title: Re: IDS not working - what did I miss?
Post by: The_Sage on December 20, 2018, 06:12:54 am
I have also noticed other errors in the abuse.ch rules. I have excluded them and re-downloaded and updated.

Speedtest.net reports nearly full speed of my 100/40 Mbps link now; with the abuse.ch rules, I would get 19/5 if I was lucky.

Also, the block rules for GeoIP don't seem to be working, as I can attempt to browse to a country's IP address (from an external GeoIP database) and get NO blocks. I will do more testing and see if I can find anything else out.

P.S.
Using an IP from the DShield block.txt alerts as dropped. Works as expected.
GeoIP blocking does NOT seem to work any more.
Rule: GeoIP country Russia, action drop, direction both. ping tv.ru (hosted in Moscow, 62.105.38.7): NO alert.

Any Ideas anyone?