OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: jds on March 07, 2020, 03:46:56 pm

Title: Praise for intrusion detection plus ETPro implementation
Post by: jds on March 07, 2020, 03:46:56 pm
I implemented intrusion detection a couple of weeks ago using the free rules from abuse.ch, from OPNsense and the open ones available from ETpro, if you let them gather some anonymized data from your machine. OPNsense scrubs your personally identifying information from the data that they receive, apparently. This seems a total win-win to me. My machine benefits from the protection against emerging threats, and contributes back to help identifying growing ones. It was straightforward to set up from the tutorial, and gives you lots of information, once running. I recommend it. The only ambiguous part is how many rules to implement. They can become resource heavy, if you use too many.

Of course, there could be a few improvements here. First, you do not get information about attacks from outside your network on your WAN until you add your WAN IP address to the home network. Once this number is changed by your ISP, it needs to be updated by hand again. Is that really necessary? Could that not be automated?

Is there a more rational way to choose the rules? It seems that part of the decision should be based on what is most useful for ET to know. Or really, that would be mutually beneficial.

The log files fill with lots of information. But you either scroll through and read, or download and process yourself. Graphs that are integrated with OPNsense seem ideal. It would be useful to have pie graphs that show which ports are being most attacked, or which geolocations are the most frequent, or if there are a few IP addresses that are persistent, or which categories of attacks are common. This would also help in deciding which rules to use.

Finally, there are logs of harmless events like

suricata[3877]: [100255] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs

which would be nice to remove.

Yeah, I know, it is always easy to request these endless streams of new features, but thought that the feedback might be useful anyway. Thanks for this great feature!
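The per-port, per-source and per-category breakdown the post asks for can be produced today from Suricata's eve.json, without waiting for a GUI feature. The script below is an added example written for this page; it is not code from the original poster, from OPNsense or from Suricata. It assumes the standard EVE layout (one JSON object per line, alert records carrying event_type "alert" with src_ip, dest_port and an "alert" object holding signature and category); the path /var/log/suricata/eve.json is where OPNsense normally writes it. The sample records embedded below are constructed for the example (RFC 5737 documentation addresses, made-up signature ids and names), and non-alert records and malformed lines are skipped rather than aborting the run, which matters on a log that is being rotated while you read it. Geolocation is left out because it needs a GeoIP database.

```python
"""Summarise Suricata EVE JSON alerts: top attacked ports, persistent
sources, alert categories and the signatures that actually fire, so rule
selection can be driven by data rather than guesswork.

Added example, not OPNsense or Suricata code. Assumes Suricata's standard
eve.json layout (one JSON object per line; alerts have event_type "alert",
src_ip, dest_port and an "alert" object with category/signature).
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample records for this example (not real traffic): IPs are
# RFC 5737 documentation ranges, signature ids/names are made up.
SAMPLE_EVE = """\
{"timestamp":"2020-03-07T10:01:02.000000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":51234,"dest_ip":"192.0.2.1","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"EXAMPLE SCAN ssh probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2020-03-07T10:01:05.000000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":51235,"dest_ip":"192.0.2.1","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"EXAMPLE SCAN ssh probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2020-03-07T10:02:00.000000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":51236,"dest_ip":"192.0.2.1","dest_port":23,"proto":"TCP","alert":{"action":"allowed","signature_id":9000002,"signature":"EXAMPLE SCAN telnet probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2020-03-07T10:03:10.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":40001,"dest_ip":"192.0.2.1","dest_port":445,"proto":"TCP","alert":{"action":"blocked","signature_id":9000003,"signature":"EXAMPLE EXPLOIT smb attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2020-03-07T10:03:11.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":40002,"dest_ip":"192.0.2.1","dest_port":445,"proto":"TCP","alert":{"action":"blocked","signature_id":9000003,"signature":"EXAMPLE EXPLOIT smb attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2020-03-07T10:04:00.000000+0000","event_type":"alert","src_ip":"192.0.2.55","src_port":33000,"dest_ip":"192.0.2.1","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":9000004,"signature":"EXAMPLE WEB path traversal","category":"Web Application Attack","severity":1}}
{"timestamp":"2020-03-07T10:04:01.000000+0000","event_type":"flow","src_ip":"192.0.2.55","dest_ip":"192.0.2.1","dest_port":80,"proto":"TCP"}
this line is not JSON and must be skipped
"""


def parse_alerts(lines: Iterable[str]) -> List[dict]:
    """Return only the alert records; skip other event types and bad lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or rotated line: ignore, don't abort
        if rec.get("event_type") == "alert" and isinstance(rec.get("alert"), dict):
            alerts.append(rec)
    return alerts


def summarize(alerts: List[dict]) -> Dict[str, Counter]:
    """Counters for the four views the thread asks for (minus geolocation)."""
    return {
        "dest_port": Counter(str(a.get("dest_port", "?")) for a in alerts),
        "src_ip": Counter(a.get("src_ip", "?") for a in alerts),
        "category": Counter(a["alert"].get("category", "?") for a in alerts),
        "signature": Counter(a["alert"].get("signature", "?") for a in alerts),
    }


def persistent_sources(alerts: List[dict], min_hits: int = 2) -> List[Tuple[str, int]]:
    """Source addresses that triggered at least min_hits alerts, busiest first."""
    hits = Counter(a.get("src_ip", "?") for a in alerts)
    return [(ip, n) for ip, n in hits.most_common() if n >= min_hits]


def render_bars(counter: Counter, title: str, width: int = 30) -> str:
    """Plain-text bar chart (top 10) usable from a terminal or a cron mail."""
    if not counter:
        return f"{title}: (no data)\n"
    top = counter.most_common(10)
    biggest = top[0][1]
    out = [title]
    for key, n in top:
        bar = "#" * max(1, round(width * n / biggest))
        out.append(f"  {key:<40.40} {bar} {n}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys

    # Usage: python eve_summary.py /var/log/suricata/eve.json
    # Without an argument the constructed sample above is summarised.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            found = parse_alerts(fh)
    else:
        found = parse_alerts(SAMPLE_EVE.splitlines())
    views = summarize(found)
    for key, title in (("dest_port", "Most attacked destination ports"),
                       ("src_ip", "Most active sources"),
                       ("category", "Alert categories"),
                       ("signature", "Signatures that fired")):
        print(render_bars(views[key], title))
    print("Persistent sources:", persistent_sources(found))
```

The "Signatures that fired" view is the one to look at when trimming rule sets: a category whose rules never fire on your traffic costs CPU for no alerts, while a handful of persistent sources usually explains most of the volume and is better handled by a firewall alias than by more IDS rules.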
Title: Re: Praise for intrusion detection plus ETPro implementation
Post by: siga75 on March 07, 2020, 05:53:13 pm
Quote from: jds on March 07, 2020, 03:46:56 pm
First, you do not get information about attacks from outside your network on your WAN until you add your WAN IP address to the home network. Once this number is changed by your ISP, it needs to be updated by hand again. Is that really necessary? Could that not be automated?

Not sure what you mean...

But I agree there should be some preconfigured "templates" or something easier to select the rules
Title: Re: Praise for intrusion detection plus ETPro implementation
Post by: jds on March 07, 2020, 08:23:58 pm
For clarification about WAN alerts, see his update at the bottom of https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/
Title: Re: Praise for intrusion detection plus ETPro implementation
Post by: siga75 on March 08, 2020, 07:46:41 am
oh, I didn't know that... my WAN address is a private IP, I have another modem/router for ISP connection