OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: romans6 on April 06, 2019, 06:29:22 pm

Title: IPS not showing alerts and Mass IPS DROP/Rule Enable? - Coming from PFSense
Post by: romans6 on April 06, 2019, 06:29:22 pm
Kinda scratching my head at OPNSense's IPS. I am coming from 4+ years of PFSense. Thought the free ET rulesets from ProofPoint sounded great. Would love to use them.

Context -
Using PPPoE - Broadband
Using VLAN tagging to talk to the ONT on the side of my house
Tokens and OinkCodes are all working and valid
Enabled: Intrusion Detection
Enabled: IPS Mode
Enabled: Promiscuous Mode - Due to VLAN and IPS, like the help says
Enabled: Syslog Alerts - So I can see if the rules work and tune if needed
Pattern Matcher: Hyperscan - Faster, but also tried Aho
Interfaces: WAN - For now

1. Not seeing anything under alerts. In PFSense I would see rules as they are hit.
2. Download tab - "Super Easy" to select and enable all and download.
3. Rules tab - Great I see all my rules and can choose to enable.

Q 1: Why Don't I see anything under alerts?
Q 2: Is there an easy way to set DROP to all on the download tab?
Q 3: Is there an easy way to set DROP to all on the rules tab? Not all in the view by clicking next to SID by 10 - 1000 but "ALL" as in all 49000+. This is where PFSense shines.
Q 4: Is there an easy way to "Enable" all in the rules tab, akin to the DROP all question? By all I mean all 49000+. Again this is where PFSense shines.
Title: Re: IPS not showing alerts and Mass IPS DROP/Rule Enable? - Coming from PFSense
Post by: chemlud on April 06, 2019, 06:38:50 pm
PPPoE - suricata - IPS might be the problem

https://forum.opnsense.org/index.php?topic=3630.0

?
Title: Re: IPS not showing alerts and Mass IPS DROP/Rule Enable? - Coming from PFSense
Post by: romans6 on April 06, 2019, 07:06:48 pm
That example talks about an old version. I am on v19. No chatter since Jan 2018. Wonder if they are still having problems.

I was using PPPoE with Suricata on PFSense just fine, dunno why OPNSense doesn't like it.

Well back to PFSense until OPNSense fixes it. I really love the UI. Bummer I can't use it with PPPoE.

Still wondering about Bulk enable/block. Anyone have any insight on that?
Title: Re: IPS not showing alerts and Mass IPS DROP/Rule Enable? - Coming from PFSense
Post by: chemlud on April 06, 2019, 08:21:55 pm
IMHO there is no suricata with IPS in pfsense. IDS is doing fine on both senses...
Title: Re: IPS not showing alerts and Mass IPS DROP/Rule Enable? - Coming from PFSense
Post by: hbc on April 06, 2019, 10:07:37 pm
Q 2: Is there an easy way to set DROP to all on the download tab?

Just edit the ruleset on download tab and set policy to drop all alerts. Then all rules have drop action. Pretty easy.

(https://forum.opnsense.org/index.php?action=dlattach;topic=3708.0;attach=1125)
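The same bulk change asked about in Q 2 to Q 4 (every rule enabled, every alert turned into a drop) can also be expressed against the rule files themselves. The script below is an added example, not OPNsense's or pfSense's own code: it runs over a constructed ET-style sample, flips `alert` to `drop`, optionally uncomments disabled rules, and deliberately leaves `pass` rules alone so a whitelist is not turned into a block.

```python
import re

# Constructed sample rules (not real ET rules): an enabled alert rule,
# a commented-out (disabled) alert rule, a pass rule and a comment line.
SAMPLE_RULES = """\
# ET-style sample ruleset (constructed for this example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; sid:9000001; rev:1;)
#alert http any any -> $HOME_NET any (msg:"EXAMPLE disabled"; sid:9000002; rev:1;)
pass ip $HOME_NET any -> any any (msg:"EXAMPLE whitelist"; sid:9000003; rev:1;)
"""

ACTIONS = ("alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth")
# A rule line: optional leading '#' (disabled rule), an action keyword,
# then the header plus an option block that carries a sid.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>" + "|".join(ACTIONS)
    + r")\s+(?P<rest>.*\(.*\bsid\s*:\s*\d+.*\))\s*$"
)


def apply_bulk_policy(rules_text, new_action="drop", enable_disabled=True):
    """Rewrite every 'alert' rule to new_action and optionally re-enable
    commented-out rules. Non-rule lines are copied verbatim. Returns the
    rewritten text and counters of what was changed."""
    out = []
    stats = {"rewritten": 0, "enabled": 0, "kept": 0}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            out.append(line)  # comments, blanks and unknown lines stay as-is
            continue
        disabled = m.group("disabled") is not None
        action = m.group("action")
        if disabled and not enable_disabled:
            out.append(line)  # leave disabled rules disabled
            stats["kept"] += 1
            continue
        changed = False
        if disabled:
            stats["enabled"] += 1
            changed = True
        if action == "alert" and new_action != "alert":
            action = new_action  # only alert rules are promoted to the new action
            stats["rewritten"] += 1
            changed = True
        if not changed:
            stats["kept"] += 1
        out.append(f"{action} {m.group('rest')}")
    return "\n".join(out) + "\n", stats


if __name__ == "__main__":
    text, stats = apply_bulk_policy(SAMPLE_RULES)
    print(text)
    print(stats)
```

Run it against a real rules file only after reviewing the diff; a ruleset with 49000+ rules all set to drop will block on every false positive.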
Title: Re: IPS not showing alerts and Mass IPS DROP/Rule Enable? - Coming from PFSense
Post by: romans6 on April 07, 2019, 12:21:07 am
IMHO there is no suricata with IPS in pfsense. IDS is doing fine on both senses...

@chemlud Let me know if you want to know how to actually enforce IPS on PFSense using VLAN/PPPoE until they get it working on OPNSense. Would love to help. Was hoping to switch over to OPNSense.

Screenshots Here:
(https://i.ibb.co/W6HpLHy/PPPoE.jpg)
(https://i.ibb.co/PzQ0jqy/Suricata-Block.jpg)
(https://i.ibb.co/X5gk6RF/Suricata-Enabled.jpg)
Title: Re: IPS not showing alerts and Mass IPS DROP/Rule Enable? - Coming from PFSense
Post by: franco on April 07, 2019, 12:13:00 pm
pfSense with Netmap has the same issue on PPPoE as far as I know. Your view of "it should be the same" is not rooted in a technical comparison of the settings deployed against Suricata and FreeBSD even though your expectation is the same. To me it even points to an issue with how "IPS" is being advertised in both products so that you think the one is what the other does but technically simply isn't.


Cheers,
Franco
Title: Re: IPS not showing alerts and Mass IPS DROP/Rule Enable? - Coming from PFSense
Post by: romans6 on April 08, 2019, 02:08:40 am
OPNSense looks solid. Let me know if anything changes. Can't wait to use it with my setup.
Title: Re: IPS not showing alerts and Mass IPS DROP/Rule Enable? - Coming from PFSense
Post by: neoso on July 09, 2019, 06:57:23 pm
My version of OPNSENSE is:

 OPNsense 19.1.10-amd64

WAN: PPPoE

Settings:
Enable X
IPS Mode X
Promiscuous mode  X
Pattern matcher:  Hyperscan
Interfaces : WAN ( PPPoE)

The problem is that the alerts and logs are empty.

Is the problem the same as in older versions of Suricata, which did not inspect when the WAN interface is PPPoE???

Any idea how to solve this?


Thx