OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: jonf on February 10, 2021, 03:13:00 pm

Title: Intrusion Detection rulesets - good/bad choices?
Post by: jonf on February 10, 2021, 03:13:00 pm
I'd like to try out the Intrusion Detection feature in OPNsense but I see that there are...rather a lot of choices of different rulesets to choose from.  I won't select all of them as I'd assume this would use more resources and possibly block things I don't want blocked.

Does anyone recommend any particular ruleset(s)?  If it makes any difference I'm playing online games quite a lot at the moment and I have a file server which also runs torrents behind my VPN.
Title: Re: Intrusion Detection rulesets - good/bad choices?
Post by: FullyBorked on February 10, 2021, 05:23:23 pm
Picking and choosing is going to be tough. The best method is to enable an entire ruleset; for me I use the Proofpoint Telemetry list. Instructions here: https://docs.opnsense.org/manual/etpro_telemetry.html

Enable all these rules in IDS "Alert Mode". Monitor it for a week or so and, as alerts pop up, determine if they are real threats or false positives and disable those rules as needed or resolve threats if found. Once you've gone through this process, set the active rules to IPS "Block Mode". You'll still need to monitor it for a bit.

To make life easier I recommend setting up monit. Instructions here: https://docs.opnsense.org/manual/monit.html (see Example 3 to get Suricata alerts). Saves you having to log in constantly to monitor it.

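The "alert mode first, then tune" process described in the reply above is easier when the week of alerts is summarised per rule. The script below is an added example, not from the poster or from OPNsense: it reads Suricata EVE JSON alert records (on OPNsense this is normally /var/log/suricata/eve.json, assumed here), counts hits per signature ID and flags low-severity rules that fire repeatedly as the first false-positive candidates to review. The log lines and signature IDs are constructed for the demo.

```python
import json
import sys

# Constructed EVE JSON records for the demo (not real alerts; SIDs 9000001/9000002 are made up).
SAMPLE_EVE = """\
{"timestamp":"2021-02-11T09:00:01+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.10","proto":"UDP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED POLICY P2P tracker announce","category":"Potential Corporate Privacy Violation","severity":3}}
{"timestamp":"2021-02-11T09:00:05+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.11","proto":"UDP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED POLICY P2P tracker announce","category":"Potential Corporate Privacy Violation","severity":3}}
{"timestamp":"2021-02-11T09:01:00+0000","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"203.0.113.11","proto":"UDP"}
{"timestamp":"2021-02-11T09:02:00+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.12","proto":"UDP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED POLICY P2P tracker announce","category":"Potential Corporate Privacy Violation","severity":3}}
{"timestamp":"2021-02-11T09:03:00+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.1.5","proto":"TCP","alert":{"signature_id":9000002,"signature":"CONSTRUCTED EXPLOIT inbound shell attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
this line is truncated garbage that must be skipped
{"timestamp":"2021-02-11T09:04:00+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.13","proto":"UDP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED POLICY P2P tracker announce","category":"Potential Corporate Privacy Violation","severity":3}}
"""


def parse_alerts(text):
    """Return only event_type=alert records; other event types and malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or corrupted line, common at log rotation
        if event.get("event_type") == "alert" and "alert" in event:
            alerts.append(event)
    return alerts


def summarize(alerts):
    """Group alerts by signature id: hit count, severity, distinct sources and destinations."""
    by_sid = {}
    for event in alerts:
        a = event["alert"]
        s = by_sid.setdefault(a["signature_id"], {"signature": a["signature"], "severity": a["severity"],
                                                  "count": 0, "src_ips": set(), "dest_ips": set()})
        s["count"] += 1
        s["src_ips"].add(event["src_ip"])
        s["dest_ips"].add(event["dest_ip"])
    return by_sid


def tuning_candidates(by_sid, min_hits=3, low_severity=3):
    """SIDs that fire repeatedly at low severity (Suricata: 1 = high, 3 = low) from a handful of
    hosts are the ones to review first before switching to block mode."""
    return sorted(sid for sid, s in by_sid.items()
                  if s["count"] >= min_hits and s["severity"] >= low_severity and len(s["src_ips"]) <= 2)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    summary = summarize(parse_alerts(text))
    for sid in sorted(summary, key=lambda k: -summary[k]["count"]):
        s = summary[sid]
        print(f"{sid} sev={s['severity']} hits={s['count']} srcs={len(s['src_ips'])} {s['signature']}")
    print("review first:", tuning_candidates(summary))
```

Run it with the path to eve.json as the first argument; with no argument it uses the constructed sample.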
Title: Re: Intrusion Detection rulesets - good/bad choices?
Post by: jonf on February 10, 2021, 06:11:13 pm
OK I just picked and set up a ruleset with monit running as outlined in your post, and put it in alert mode.  I'll see how it goes from here.

Thanks for the input.