OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: rc222 on March 30, 2020, 09:27:36 pm

Title: Got it working- here is how.
Post by: rc222 on March 30, 2020, 09:27:36 pm
The interface and GUI, I have realized, is horrible. This is why, after reading tons of articles on Suricata, the manual, all this stuff, none of it worked for me.

What I did is enable the rules in

<-- assumes you DL'ed the rules you wanted, and paid for or applied for any that required licensing. -->

Services: Intrusion Detection: Administration> rules

What I had to do is enable all the rules kind of manually.

Change the "number of rules" view drop-down to 1000, then check the "sid" checkbox, selecting all 1000 rules. Then scroll to the bottom, click "enable selected" and "drop", wait forever, and after it's done click apply.

For me this fixed it for the 22k rules I have, and now in the logs I have all sorts of info.

bonus, go to

Services: Intrusion Detection: Administration> rules

and do a search filter for:

DELETED

These are old, unused rules, but if they are enabled I don't know whether it has any effect on system resources or not; maybe someone can chime in....

Anyway, I just pick 1000 again and check sid, then scroll to the bottom and click disable; after that's done, hit apply, then go through the next page, if any, to see if it applied the disable to those as well.
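Added example (not from the original post, and not OPNsense project code): the same bulk enable/disable the post does by hand, 1000 rows at a time, driven through the OPNsense API so it covers all pages in one go and skips rules that are already in the requested state. It assumes the documented `ids` API endpoints (`searchInstalledRules` with `current`/`rowCount`/`searchPhrase`, `toggleRule/{sid}/{0|1}`, and `service/reloadRules` for the "apply" step), the row field names `sid`, `msg`, `enabled`, and an API key/secret pair sent as HTTP Basic auth; verify all of these against the API reference for your OPNsense version before running it against a firewall. The `SAMPLE_ROWS` data is constructed so the planning logic runs offline; the client only talks to the network when `OPN_URL`, `OPN_KEY` and `OPN_SECRET` are set.

```python
"""Bulk enable/disable Suricata rules on OPNsense via the API instead of paging through the GUI."""
import base64
import json
import os
import ssl
import urllib.request
from typing import Iterable, Iterator, List, Optional, Tuple

# Constructed sample rows, in the shape I assume searchInstalledRules returns
# (sid, msg, enabled as "0"/"1", action). Field names are an assumption.
SAMPLE_ROWS = [
    {"sid": "2000001", "msg": "ET POLICY test alert", "enabled": "1", "action": "alert"},
    {"sid": "2000002", "msg": "DELETED old rule", "enabled": "1", "action": "alert"},
    {"sid": "2000003", "msg": "DELETED another old rule", "enabled": "0", "action": "drop"},
    {"sid": "2000004", "msg": "ET MALWARE something", "enabled": "0", "action": "alert"},
]


def plan_toggles(rows: Iterable[dict], enable: bool,
                 phrase: Optional[str] = None) -> List[Tuple[str, int]]:
    """Return (sid, 0|1) pairs for rules whose msg contains `phrase` (case-insensitive)
    and that are not already in the requested state, so no-op API calls are skipped."""
    want = "1" if enable else "0"
    plan: List[Tuple[str, int]] = []
    for row in rows:
        msg = str(row.get("msg", ""))
        if phrase and phrase.lower() not in msg.lower():
            continue
        if str(row.get("enabled", "0")) == want:
            continue  # already enabled/disabled, nothing to do
        plan.append((str(row["sid"]), int(enable)))
    return plan


class OpnsenseIdsClient:
    """Minimal stdlib client. Endpoint paths are assumptions from the OPNsense API docs."""

    def __init__(self, base_url: str, key: str, secret: str,
                 ssl_context: Optional[ssl.SSLContext] = None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{key}:{secret}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}
        self.ssl_context = ssl_context  # leave None to verify the firewall's certificate

    def _post(self, path: str, payload: Optional[dict] = None) -> dict:
        body = json.dumps(payload or {}).encode()
        req = urllib.request.Request(self.base_url + path, data=body,
                                     headers=self.headers, method="POST")
        with urllib.request.urlopen(req, context=self.ssl_context, timeout=60) as resp:
            return json.load(resp)

    def iter_installed_rules(self, phrase: str = "", row_count: int = 1000) -> Iterator[dict]:
        """Walk every page of the installed-rules search, not just the first 1000 rows."""
        page = 1
        while True:
            data = self._post("/api/ids/settings/searchInstalledRules",
                              {"current": page, "rowCount": row_count, "searchPhrase": phrase})
            rows = data.get("rows", [])
            yield from rows
            if len(rows) < row_count:
                return
            page += 1

    def toggle_rule(self, sid: str, enabled: int) -> dict:
        return self._post(f"/api/ids/settings/toggleRule/{sid}/{enabled}")

    def reload_rules(self) -> dict:
        return self._post("/api/ids/service/reloadRules")


def apply_plan(client, plan: List[Tuple[str, int]]) -> int:
    """Toggle each sid, then reload once (the equivalent of the GUI's "apply"). Returns the count."""
    for sid, enabled in plan:
        client.toggle_rule(sid, enabled)
    if plan:
        client.reload_rules()
    return len(plan)


if __name__ == "__main__":
    url, key, secret = (os.environ.get(k) for k in ("OPN_URL", "OPN_KEY", "OPN_SECRET"))
    if not (url and key and secret):
        # Offline: show what would be disabled for the post's "DELETED" search on the sample data.
        print("dry run:", plan_toggles(SAMPLE_ROWS, enable=False, phrase="DELETED"))
    else:
        client = OpnsenseIdsClient(url, key, secret)
        rows = list(client.iter_installed_rules(phrase="DELETED"))
        plan = plan_toggles(rows, enable=False, phrase="DELETED")
        print("disabled", apply_plan(client, plan), "rules")
```

Run it without the environment variables first to see the plan on the sample rows; with them set it searches for "DELETED" across all pages and disables only the rules still enabled. To reproduce the "enable everything" step instead, call `iter_installed_rules()` with an empty phrase and `plan_toggles(rows, enable=True)`. Generate the key/secret for a dedicated API user with only the IDS privileges rather than reusing an admin account.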

Title: Re: Got it working- here is how.
Post by: franco on March 31, 2020, 08:22:23 am
One thing can not be "horrible" by itself, so we need to know your point of reference to see what "horrible" actually means in terms of improvement. For good measure I'm adding the docs here to avoid the situation where "something horrible" actually is just "something" that is documented in a certain way. ;)

https://docs.opnsense.org/manual/ips.html


Cheers,
Franco
Title: Re: Got it working- here is how.
Post by: rc222 on March 31, 2020, 08:16:56 pm
Horrible= badly designed.

a hair away from going to PFsense, badly designed. More descriptive?
Title: Re: Got it working- here is how.
Post by: franco on March 31, 2020, 09:02:53 pm
Ah yes, now it's all clear.  8)
Title: Re: Got it working- here is how.
Post by: l0rdraiden on April 25, 2020, 01:39:52 pm
Ah yes, now it's all clear.  8)

Well, you have to admit that to facilitate flexibility and troubleshooting it doesn't help to have only a few Suricata options exposed in the interface, and quite poor log management.

So Suricata (or Snort) in pfSense has hundreds of settings and possibilities exposed in the interface, while in OPNsense it is basically the basic stuff: on and off and a few more settings.

Just take a look at all the documentation related to Snort and all the settings and possibilities available.
https://docs.netgate.com/pfsense/en/latest/ids-ips/index.html#snort

Then you have this forum full of people complaining that they cannot do this or that, or cannot troubleshoot a problem, or cannot customize a setting, or something is not working...
Title: Re: Got it working- here is how.
Post by: AdSchellevis on April 25, 2020, 03:39:22 pm
Let's agree to disagree. Our implementation is different for what we believe are very good reasons. People who are able to configure an ids from scratch might value hundreds of options, a lot of other people really like a machine properly configured by default. (yes, we do receive quite some feedback about the simplicity)

If functionality is missing, we're always open for discussions, as long as one can describe what it should do and why one would want it. Quite some new functions (also in our IDPS) originate from these ideas.

Our documentation has the same philosophy in mind https://docs.opnsense.org/manual/ips.html

Obviously there's always room for improvements, just open a PR to discuss changes in our docs repo (https://github.com/opnsense/docs/pulls), ask for features or contribute code (https://github.com/opnsense/core).

Best regards,

Ad
Title: Re: Got it working- here is how.
Post by: l0rdraiden on April 25, 2020, 06:49:18 pm
I'm not criticizing the project; in fact I thank you all for what you are doing. I was just giving my opinion after following this project and forum for years.

For example, if you want an idea, I would love to have something like this in OPNsense, and I think a lot of people would appreciate it, and it would provide much more added value and "customer" value perception to the current IPS implementation.
https://github.com/StamusNetworks/scirius
I don't know how hard or easy it would be to merge this into OPNsense, since it's open source.

Another example would be to know what you plan to do with Suricata's JA3/JA3S support, TLS/SSL and newest protocol anomaly detection capabilities... are these enabled? Are these available in the interface? Considering that most people don't offload the SSL traffic, this must be a priority.
Title: Re: Got it working- here is how.
Post by: AdSchellevis on April 25, 2020, 07:00:45 pm
Our reporting is limited indeed; we generally advise using other solutions for statistics. Most of these solutions utilise the ELK stack, which is quite heavy (in load and dependencies) and can easily be dispatched to a separate box (either using syslog or filebeat).

A lot of companies split their SIEM system (ELK or other) to another node anyway, since it often reports over multiple sources to get a better understanding how threats react. Security Onion does very interesting things in that area for example.

One can always develop a plugin for additional reporting in OPNsense, it's unlikely we'll integrate some database in core at the moment due to the various use-cases of OPNsense.
Title: Re: Got it working- here is how.
Post by: l0rdraiden on April 25, 2020, 07:06:04 pm
Well probably sensei will take care about this, but rule and policy management has a lot of space for improvement.
Title: Re: Got it working- here is how.
Post by: franco on April 25, 2020, 08:07:27 pm
I know this is mostly opinion and preference, but may I ask why -- with a working solution at hand -- there is a need to make OPNsense into something it is not?

In my view there is a lot of grey area in the requirement to have utterly advanced fine grained GUI access to something you can set up by hand just as well or better.


Cheers,
Franco
Title: Re: Got it working- here is how.
Post by: l0rdraiden on April 26, 2020, 08:27:04 pm
I know this is mostly opinion and preference, but may I ask why -- with a working solution at hand -- there is a need to make OPNsense into something it is not?

In my view there is a lot of grey area in the requirement to have utterly advanced fine grained GUI access to something you can set up by hand just as well or better.


Cheers,
Franco

Because not everyone knows how to do it "by hand", so if you add more useful functionality to the interface it is easier.
Title: Re: Got it working- here is how.
Post by: comet on April 27, 2020, 01:28:37 am
I've been sort of watching this discussion and honestly I'm not sure what the positions of the various parties are, but as a general statement I will just say that I have found the intrusion detection far too difficult to understand or use.  Maybe I am just dense, but my entire background with routers prior to OPNsense was of the home variety that you can buy off the shelf at someplace like Staples or Walmart, so the whole concept of intrusion detection is pretty foreign to me, and so far I have not found anything that really makes it easy to understand, let alone use.  In fact I am not entirely certain I understand exactly what intrusion detection is designed to do, above and beyond the functioning of an ordinary firewall.  So basically I'd be for simplicity.  If I could just flip a switch or check a box to enable or disable it, and not have to do anything else at all, that would be great.  If I have to do anything at all beyond that I'd be pretty lost, because I don't understand any of the options.  For every person that wants advanced options to be exposed, there are probably users who wish the whole thing was dumbed down enough that they could actually make use of this feature.
Title: Re: Got it working- here is how.
Post by: franco on April 27, 2020, 10:06:29 am
My point is: advanced software is not easier by adding advanced GUI. Nobody will take the opportunity off your shoulders to learn whatever you are trying to do.

We simply will not spend time building something that others already have for resources we would rather like to spend elsewhere. ;)


Cheers,
Franco
Title: Re: Got it working- here is how.
Post by: comet on April 27, 2020, 02:57:32 pm
And that type of response is why I will never recommend OPNsense to anyone else, and will jump ship the minute something more user-friendly comes along.  What good are a bunch of advanced features if nobody can use them except for those willing and able to go through an insufferable learning curve, without even knowing where to start in this learning process?

It would be like building the world's greatest automobile but making the controls so hard to learn and use that no one could drive it except for the people who designed it and a few select others that somehow managed to decipher the controls.  Maybe there would be a niche market for them, but it's certainly not something you could in good conscience recommend to your friends or relatives that just want a nice car they can take out for an easy drive.
Title: Re: Got it working- here is how.
Post by: franco on April 27, 2020, 03:16:46 pm
I'm merely trying to be honest without judging others. Personally I don't care for the "you don't do what I want so I will not like you as much" attitude. Please take it elsewhere. :)


Cheers,
Franco
Title: Re: Got it working- here is how.
Post by: aesth on May 01, 2020, 12:50:45 am
If a machine that is properly configured by default is the idea here, I'm all for it. It does seem to need some clarity somewhere in the GUI around why some rules are pre-selected to be enabled or disabled, some are drop actions, some alert. It takes a lot of time to know every rule so most users have to resort to trust in developers anyway. Macros that enable/disable pre-selected advisable rules would be useful and this does fit into the simplicity philosophy.
Title: Re: Got it working- here is how.
Post by: l0rdraiden on May 02, 2020, 08:26:57 pm
I'm merely trying to be honest without judging others. Personally I don't care for the "you don't do what I want so I will not like you as much" attitude. Please take it elsewhere. :)


Cheers,
Franco

That looks like gonzopancho speaking... taking things to the extreme
Who is not liking you? We were having normal conversation

I haven't seen a single suggestion that is not available in any commercial firewall.
Title: Re: Got it working- here is how.
Post by: franco on May 03, 2020, 08:46:02 am
That looks like gonzopancho speaking... taking things to the extreme
Who is not liking you? We were having normal conversation

Ah, yes, knee jerk off topic ad hominem attack. Unfortunately, I am not impressed when you talk about the guy who compared me to Hitler in his "parody" opnsense.com page because that's what people do to kill competition before it gets popular because open source is the best am I right. ;)


Cheers,
Franco
Title: Re: Got it working- here is how.
Post by: l0rdraiden on May 03, 2020, 11:23:27 am
That looks like gonzopancho speaking... taking things to the extreme
Who is not liking you? We were having normal conversation

Ah, yes, knee jerk off topic ad hominem attack. Unfortunately, I am not impressed when you talk about the guy who compared me to Hitler in his "parody" opnsense.com page because that's what people do to kill competition before it gets popular because open source is the best am I right. ;)


Cheers,
Franco

You see, you repeat the behaviour: you are on the defensive, you pick one topic of the post, ignore the rest and take it to the extreme.

If you cannot argue with what people are saying in this post, at least be more respectful. People are giving feedback about features in OPNsense and you act like a kid because you don't agree...

If your priority with OPNsense is not to make it commercially viable via support, say it, make a blog post about it, so we will understand many things and I guess people will stop requesting things that would represent a significant step forward in terms of features. I guess some minor projects like Sensei will end up being more successful in economic terms.

And honestly I don't really care about your stupid war with gonzopancho, but I guess everyone knows that it was not your fault, and we should thank you all for what you did.
Title: Re: Got it working- here is how.
Post by: franco on May 03, 2020, 12:12:56 pm
You see, you repeat the behaviour, you are on defensive, you pic one topic of the post, ignore the rest and you take it to the extreme.

For someone trying to make a case you dash out a lot of personal insults and mischaracterisations. I still can't provide what you want and you keep giving me a hard time for it. You see, judging others reveals more about yourself than the people you try to judge. In particular, you are beating a dead horse with your continued persistence. A horse you killed yourself with taking this thread down the personal attack memory lane.

If you can not argument what the people is saying in this post at least be more respectful. People is giving feedback about features in opnsense and you act like a kid because you don't agree...

Look, you're clearly not listening and/or missing the point fundamentally.

1. You insist on rewriting the open source IDS functionality.

2. The core team response is that it sees no immediate need to put hours into it, especially when these valuable hours can be spent on more pressing topics in the meantime.

3. Based on not providing rewritten code you are incapable or unwilling to provide the code yourself.

4. You (and others) act out because we don't agree with your requirements and needs.

Look at the long-lasting firewall API controversy. It was requested by a lot of people over the years, even companies who make money with OPNsense but have no obligation to contribute. Nobody saw the work or was willing to sponsor it (and we don't consider cheap outsourced programmers as a way forward for that particular matter for simple quality reasons).

In the end, someone was willing to sponsor a firewall API this year and behold, it was added to the project for everyone to use in a matter of weeks, not years.

Little life lesson: somebody telling you they won't do it means they won't do it based on the things that you offered. You get what you negotiate for. And dashing out insults because others do not agree is not negotiating. ;)

If your priority with opnsense is not make it comercially viable via support, say it, make a blog about it, so we will understand many things and I guess people will stop request things that will represent a significant step fordward in terms of features. I guess some minor proyects like sensei will end up being more succesfull in economic terms.

I don't see the point for this bleak comment. It speaks from a bitter place. We built all of what you see. We can make it better together still. Unless of course you don't see a way forward for you personally, but you can't use your reasoning to substitute your situation with everyone else's.

And honestly I don't really care your stupid war with gonzopancho but I guess everyone knows that it was not your fault, and we should thank you all for what you did.

Honestly, you brought this topic up. Acts have consequences. This should really not surprise you. Read twice before hitting "Post" is a good guideline. ;)

I expect your attitude will be more reasonable after I addressed all of your points like you wished.


Cheers,
Franco
Title: Re: Got it working- here is how.
Post by: l0rdraiden on May 03, 2020, 10:13:05 pm

Look, you're clearly not listening and/or missing the point fundamentally.

1. You insist on rewriting the open source IDS functionality.

2. The core team response is that it sees no immediate need to put hours into it, especially when these valuable hours can be spent on more pressing topics in the meantime.

3. Based on not providing rewritten code you are incapable or unwilling to provide the code yourself.

4. You (and others) act out because we don't agree with your requirements and needs.

Again you take things to the extreme

1. Rewriting the IDS? Are you mad? Who said that?
Exposing a few more settings in the interface, that is a rewrite? lol
It is bringing to a web interface functionality that already exists in the backend... then I said "look, this is nice" (Scirius), someone replied and I didn't insist.

2. You could have said that the first time instead of being disrespectful to other forum members.

3. Rewriting the IDS functionality? Again?

4. The only one acting out is you, sir. Again, if you don't plan to do it you can honestly say so instead of being disrespectful. "Hey guys, we are not doing this because we have other stuff more critical on the roadmap, bla bla bla..."


Look at the long-lasting firewall API controversy. It was requested by a lot of people over the years, even companies who make money with OPNsense but have no obligation to contribute. Nobody saw the work or was willing to sponsor it (and we don't consider cheap outsourced programmers as a way forward for that particular matter for simple quality reasons).

In the end, someone was willing to sponsor a firewall API this year and behold, it was added to the project for everyone to use in a matter of weeks, not years.

Little life lesson: somebody telling you they won't do it means they won't do it based on the things that you offered. You get what you negotiate for. And dashing out insults because others do not agree is not negotiating. ;)
I hope you apply this life lesson as well in the future, because as far as I can tell in your post... you started being rude, and no one is pointing a gun at you to do something, just suggesting stuff.


I don't see the point for this bleak comment. It speaks from a bitter place. We built all of what you see. We can make it better together still. Unless of course you don't see a way forward for you personally, but you can't use your reasoning to substitute your situation with everyone else's.

Don't take it wrong, don't take it to the extreme as always, because it is the truth: offering a plain firewall that does the same or less than most of the commercial (or not) competitors will make it harder commercially, and even I (despite what you may think) would like to see this product grow; it will be good for the community.
Usually if someone makes a feature request, 99% of the time it is not an original idea; it is something that he has seen in another product and has been using, and if another product has added it, it is probably because it is useful or many other customers have asked for it.

For example, Sensei adds value because it contains a set of features that not all the competitors have.
Most things on the roadmap we have seen in the last year add things that are available in any FW, or if they aren't, the added value is small.

Why do a lot of people not leave pfSense to go to OPNsense? Because pfBlockerNG is not in OPNsense, and although it can do something similar, it misses a lot of features and customization available in pfBlockerNG. With Sensei something similar may be happening already, because it is a key differentiator.

Look at the roadmap
https://opnsense.org/about/road-map/
Do you see something that could be a differentiator from other firewalls in this tier (pfSense, Sophos XG, SonicWall, MikroTik...)? Sorry, I don't, and maybe the roadmap is fine because there are a lot of things to fix yet, but you know that better than me.

Regards
Title: Re: Got it working- here is how.
Post by: hushcoden on May 03, 2020, 11:26:45 pm
and do a search filter for:

DELETED

These are old, unused rules, but if they are enabled I don't know whether it has any effect on system resources or not; maybe someone can chime in....

Anyway, I just pick 1000 again and check sid, then scroll to the bottom and click disable; after that's done, hit apply, then go through the next page, if any, to see if it applied the disable to those as well.
Is there a way to delete those rules rather than just disable them?
Title: Re: Got it working- here is how.
Post by: franco on May 04, 2020, 07:28:23 am
l0rdraiden: you think I'm taking things to the extreme, but you keep using the word "extreme" and imply that I'm extreme. I really don't think that's anywhere near where we are at with the way you keep pushing your interest, even by walking back your intentions. If you weren't going for extreme, your words prior speak otherwise.

If you need certain things to be said a certain way I think you will have to ask the right questions and -again- cut out the insults. At this point, I think you will keep going anyway and you left a lasting impression one way or another. Good day sir!
Title: Re: Got it working- here is how.
Post by: l0rdraiden on May 04, 2020, 08:11:05 am
l0rdraiden: you think I'm taking things to the extreme, but you keep using the word "extreme" and imply that I'm extreme. I really don't think that's anywhere near where we are at with the way you keep pushing your interest, even by walking back your intentions. If you weren't going for extreme, your words prior speak otherwise.

If you need certain things to be said a certain way I think you will have to ask the right questions and -again- cut out the insults. At this point, I think you will keep going anyway and you left a lasting impression one way or another. Good day sir!


Again, and again and again.... taking things to the extreme => taking things out of context to a limit position.
I have never said that you are an extremist like you imply in your post; don't play the victim now.

At least next time treat others' opinions better and don't get on the defensive like someone is attacking you, since no one besides you has had any disrespectful attitude before that post.

Best regards

I'm merely trying to be honest without judging others. Personally I don't care for the "you don't do what I want so I will not like you as much" attitude. Please take it elsewhere. :)
Title: Re: Got it working- here is how.
Post by: AdSchellevis on May 04, 2020, 10:59:22 am
@l0rdraiden can you please stop with this behaviour, it looks like we don't agree on a lot of things (competitive edge compared to other products, which features add value, etc, etc).

Just try to keep things civil and to the point. As mentioned earlier, we can always discuss the addition of (advanced) features, as long as the use-case is clear and doesn't break how others use the product. In some cases we might even be willing to do the work.

This thread in general has a high potential to separate two groups of people, where in reality our product is somewhere in the middle. We can't fix "make it simpler, Apple like" and "I want all the toggles from the underlying system".

Since time is valuable, I'm not intending to put a lot more effort into this discussion, so please do not try to start a new one with me, chances are 99% I'm not going to respond.

Best regards,

Ad
Title: Re: Got it working- here is how.
Post by: l0rdraiden on May 04, 2020, 11:37:28 am
@l0rdraiden can you please stop with this behaviour, it looks like we don't agree on a lot of things (competitive edge compared to other products, which features add value, etc, etc).

Just try to keep things civil and to the point. As mentioned earlier, we can always discuss the addition of (advanced) features, as long as the use-case is clear and doesn't break how others use the product. In some cases we might even be willing to do the work.

This thread in general has a high potential to separate two groups of people, where in reality our product is somewhere in the middle. We can't fix "make it simpler, Apple like" and "I want all the toggles from the underlying system".

Since time is valuable, I'm not intending to put a lot more effort into this discussion, so please do not try to start a new one with me, chances are 99% I'm not going to respond.

Best regards,

Ad


I'm behaving fine, thanks; being in disagreement doesn't mean bad behaviour, but you already know that.

If you think the feature set of OPNsense in 2020 is fine and don't want to give any explanation, then fantastic, I wasn't expecting one. I just gave my opinion, based on the experience of having tested many commercial products available on the market.

I was only asking some people responding in this thread not to be disrespectful or poke fun at other forum members when they are expressing their opinions.
Title: Re: Got it working- here is how.
Post by: franco on May 04, 2020, 12:00:43 pm
After internal discussion we will no longer engage in topics starting with "horrible" wording or suggesting that other projects are superior or that someone will move to something else for reason "x".

This thread will be locked as everything has been said. We might consider locking such topics earlier in the future.

For reference:

Horrible= badly designed.

a hair away from going to PFsense, badly designed. More descriptive?

Use the solution that works. Think twice before posting unproductive negativity. Thanks!