OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Tarts5 on March 12, 2021, 03:14:49 pm

Title: Help setting up Intrusion Detection Policy
Post by: Tarts5 on March 12, 2021, 03:14:49 pm
Hi, can someone please point me in the right direction with setting up an Intrusion Detection Policy for home use?
I'm looking at the New Policy creation screen but it has just tons of options and I wasn't able to find any examples of best practices or baselines via Google for this. I don't have any specific needs, just generally want to keep my network safe. Keep away anything unnecessary. Currently I have downloaded and enabled (alert only) a bunch of rulesets that I monitor and selectively drop things "I don't like" but I feel this is not the correct, secure (and optimal) way to do things. Need help with things like which rulesets should I and which should I definitely not enable. How should I use the "Rules" filtering/category option?
Hardware-wise I'm running a 4-core Intel J3160 with 4GB of RAM, could upgrade to 8GB if needed.
Title: Re: Help setting up Intrusion Detection Policy
Post by: sorano on March 14, 2021, 08:02:08 pm
Well, in all honesty, no one knows your network better than you do.

The thing that I did is that I took a look at what each specific category is for and then made a decision if that is something that I want to drop, alert or have no need for at all, based on what I use on my network. Then edited policies accordingly.

This pdf explains each Emerging Threat ruleset very well:
https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf

Best of luck and stay safe!
Title: Re: Help setting up Intrusion Detection Policy
Post by: ArminF on March 16, 2021, 02:00:12 pm
Hello,

you can set up the rules with priority and monitor the hardware/link usage while tightening down the rules.
Remember that the policy applies only to the enabled and downloaded rules.

Policy based / all rules enabled.
Priority 0 would be highest while 100 would be low.
Example 1 (block to alert)
Prio 10 Alert - selected rules based on your needs
Prio 100 Block - all rules, all actions

Example 2 (Alert to block)
Prio 10 block - selected rules based on your needs
Prio 100 Alert - all rules, all actions

Example 3 (default Alert or block) See screenshot
Prio 10 - sort and block for Severity Rules (critical and major)
Prio 20 - sort and alert for Severity Rules (informational and minor)
Prio 30 - sort and alert for Performance (significant) if your hardware is too low
Prio 40 - sort and block for Performance (moderate and low)
Prio 100 - Sort all block or alert all depending on whether you want to allow or deny in the first place.


Rule based:
Just enable and download the rules you need.
For me, I have chosen all attack rules and then set a single policy to drop them all.
Here is my selection:
ET telemetry/emerging-activex 2021/03/10 9:37
ET telemetry/emerging-attack_response 2021/03/10 9:37
ET telemetry/emerging-current_events 2021/03/10 9:37
ET telemetry/emerging-dns 2021/03/10 9:37
ET telemetry/emerging-dos 2021/03/10 9:37
ET telemetry/emerging-exploit 2021/03/10 9:37
ET telemetry/emerging-malware 2021/03/10 9:37
ET telemetry/emerging-misc 2021/03/10 9:37
ET telemetry/emerging-mobile_malware 2021/03/10 9:37
ET telemetry/emerging-netbios 2021/03/10 9:37
ET telemetry/emerging-rpc 2021/03/10 9:37
ET telemetry/emerging-scada 2021/03/10 9:37
ET telemetry/emerging-scan 2021/03/10 9:37
ET telemetry/emerging-shellcode 2021/03/10 9:37
ET telemetry/emerging-trojan 2021/03/10 9:37
ET telemetry/emerging-user_agents 2021/03/10 9:37
ET telemetry/emerging-web_client 2021/03/10 9:38
ET telemetry/emerging-web_server 2021/03/10 9:38
ET telemetry/emerging-web_specific_apps 2021/03/10 9:38
ET telemetry/emerging-worm 2021/03/10 9:38
ET telemetry/tor 2021/03/10 9:38

Single policy to block them all. Policy will overwrite the defaults for all the rules.

I would propose to set the priorities beginning with 10 and each following one plus 10, so you have space in between and would not need to shift around rules.

Hope this helps.
Ah btw. You can move the IP list rules like SSL blacklist, CC botnet, dshield etc. to your firewall and import the lists with URL tables. Here you can use floating rules. This will reduce the performance needed by your IDS/IPS.
This is how I handled the performance-heavy stuff from the IP lists.

The IDS/IPS packet filter does come before the firewall filter in the traffic flow, as a note. But if you block IPs there would be no need to scan them for behavior. So IPs moved to the firewall and attacks enabled on the IDS/IPS.

hope this makes sense :)
cheers A

armin
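To make the priority ordering in Example 3 and the "single policy to drop them all" approach concrete, here is a small Python model of how a priority-ordered policy list resolves to one effective action per rule. This is an added example for this thread, not OPNsense's own policy code and not ArminF's configuration. It assumes first-match semantics (policies tried in ascending priority number, the first match wins), which is how the examples above read, and it assumes the Severity and Performance filters correspond to the Emerging Threats rule metadata keys `signature_severity` and `performance_impact`. The rule sids, rulesets and metadata values are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    sid: int
    ruleset: str            # ruleset name, e.g. "emerging-exploit"
    default_action: str     # action as shipped in the ruleset: "alert" or "drop"
    metadata: dict = field(default_factory=dict)  # e.g. {"signature_severity": "Major"}


@dataclass
class Policy:
    priority: int           # 0 = highest, 100 = lowest (as in the thread)
    new_action: str         # "alert", "drop" or "disable"
    rulesets: frozenset = frozenset()   # empty = match any ruleset
    actions: frozenset = frozenset()    # match on the shipped action; empty = any
    metadata: dict = field(default_factory=dict)  # key -> accepted values; empty = any

    def matches(self, rule: Rule) -> bool:
        if self.rulesets and rule.ruleset not in self.rulesets:
            return False
        if self.actions and rule.default_action not in self.actions:
            return False
        for key, accepted in self.metadata.items():
            # A rule without the key (e.g. no severity tag) does not match.
            if rule.metadata.get(key) not in accepted:
                return False
        return True


def effective_actions(rules, policies, enabled_rulesets):
    """Return {sid: action}. Policies are tried in ascending priority and the
    first match wins (assumed semantics). Rules from a ruleset that is not
    enabled and downloaded are never loaded, so no policy can act on them."""
    ordered = sorted(policies, key=lambda p: p.priority)
    result = {}
    for rule in rules:
        if rule.ruleset not in enabled_rulesets:
            result[rule.sid] = "not loaded"
            continue
        result[rule.sid] = next(
            (p.new_action for p in ordered if p.matches(rule)), rule.default_action)
    return result


SEV = "signature_severity"
PERF = "performance_impact"

# Constructed sample rules; sids and metadata are made up for this example.
SAMPLE_RULES = [
    Rule(2000001, "emerging-exploit", "alert", {SEV: "Critical", PERF: "Low"}),
    Rule(2000002, "emerging-scan", "alert", {SEV: "Informational", PERF: "Moderate"}),
    Rule(2000003, "emerging-malware", "alert", {SEV: "Major", PERF: "Significant"}),
    Rule(2000004, "emerging-dns", "alert", {PERF: "Moderate"}),
    Rule(2000005, "emerging-misc", "alert"),                      # no metadata at all
    Rule(2000006, "emerging-policy", "alert", {SEV: "Critical"}),  # ruleset not enabled
]
ENABLED_RULESETS = {"emerging-exploit", "emerging-scan", "emerging-malware",
                    "emerging-dns", "emerging-misc"}

# Example 3 from the post, with the catch-all at 100 set to "drop" (deny by default).
EXAMPLE3_POLICIES = [
    Policy(100, "drop"),
    Policy(40, "drop", metadata={PERF: {"Moderate", "Low"}}),
    Policy(30, "alert", metadata={PERF: {"Significant"}}),
    Policy(20, "alert", metadata={SEV: {"Informational", "Minor"}}),
    Policy(10, "drop", metadata={SEV: {"Critical", "Major"}}),
]


def resolve_example3():
    return effective_actions(SAMPLE_RULES, EXAMPLE3_POLICIES, ENABLED_RULESETS)


def resolve_single_drop_policy():
    """The rule-based approach: enable only attack rulesets, one policy drops everything."""
    return effective_actions(SAMPLE_RULES, [Policy(10, "drop")], ENABLED_RULESETS)


if __name__ == "__main__":
    for sid, action in resolve_example3().items():
        print(sid, action)
```

Two things the model makes visible: sid 2000003 is tagged both Major severity and Significant performance impact, and because the priority-10 severity policy matches first it is dropped, even though the priority-30 policy was meant to downgrade expensive rules to alert on weak hardware; if performance is the concern, the performance policy needs the lower number. And sid 2000006 stays "not loaded" under every policy set, which is ArminF's point that a policy only ever touches rulesets that are enabled and downloaded.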

Title: Re: Help setting up Intrusion Detection Policy
Post by: carrot on April 08, 2021, 02:45:00 pm
I think you're right about the IPS matching before FW in traffic flow, but that's where putting the IPS on the internal interfaces makes more sense. Then you are only IPSing traffic that is NATed from WAN to LAN. Otherwise you're IPSing stuff that would be blocked by the implicit block at your WAN anyway.