OPNsense Forum
Archive => 16.1 Legacy Series => Topic started by: hoseinTB on March 05, 2016, 11:06:17 am
-
Hi,
I am using OPNsense in bridge mode.
I want to run the IDS/IPS service to protect my trusted network from private and public IP address attacks.
But as I tested, I need to edit the Suricata config file (suricata.yaml) and edit HOME_NET to reach my goal.
After some research I found out that HOME_NET is an important Suricata variable.
So,
why are you not adding the HOME_NET config to the web interface of Intrusion Detection on OPNsense?
Thanks
Hosein
-
Hi Hosein,
Bridge mode isn't one of the main use cases of a router-based firewall, so naturally we try to work on routing-based features and that works ok without HOME_NET.
However, I think we can add this to an upcoming version as an option, but it'll likely have to be configured manually.
Cheers,
Franco
-
Hi Franco,
Thanks for the reply.
so naturally we try to work on routing-based features and that works ok without HOME_NET.
As I tested in routing mode, if my red network has a private IP address range (192.168.0.0/16), I should change the HOME_NET config to detect attacks from the red local network.
So,
am I doing anything wrong?
However, I think we can add this to an upcoming version as an option, but it'll likely have to be configured manually.
Looking forward to seeing this option in the web interface :)
Regards,
Hosein
-
HOME_NET, generally, is not directly used to designate our home network. It is used to filter out all noise that does not apply to HOME_NET, be it speed optimisation on noisy links or other reasons for filtering out messages that do not apply to your security requirements.
You're still fine without having set HOME_NET, unless you specifically need to exclude traffic from matching.
If you're not seeing alerts when they should come up, it's likely that IDS is misconfigured. Adjusting HOME_NET won't help in these cases. Are you sure IDS is running on the right link, seeing the right traffic?
-
This is my test scenario:
http://sm.uploads.im/E8OeG.png
I run the IDS in the firewall and enable all scan rules.
After scanning LAN1 (192.168.1.100) with NMAP, no alert is shown in the firewall,
but after editing HOME_NET like below:
# Original
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
# Replaced with the line below:
HOME_NET: "[192.168.1.0/24,10.0.0.0/8,172.16.0.0/12]"
the IDS gives me the expected alert for the scan.
So
I think that Suricata only detects attacks with a HOME_NET destination.
Is this true?
Regards,
Hosein
-
Er, thanks for the explanation. HOME_NET is set to 192.168.0.0/16, so EXTERNAL_NET is everything out of that scope. Since both networks are HOME_NET by default, the rules never match. You are right.
You can manually adjust the OPNsense file /usr/local/opnsense/service/templates/OPNsense/IDS/suricata.yaml to reflect your setup and make the settings permanent until the next firmware upgrade is executed.
We'll discuss providing an override to HOME_NET, but in this case I must say it's a setup issue that can be worked around either with the above fix or adjusting one network to fall outside the HOME_NET range.
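The exchange above boils down to one point: most scan and attack rules carry the header `$EXTERNAL_NET any -> $HOME_NET any`, and Suricata defines EXTERNAL_NET as `!$HOME_NET`. When both the scanning host and the scanned host sit inside HOME_NET, the source side of that header can never match, so no alert fires. The script below is an added illustration of that evaluation, not code from the thread or from OPNsense or Suricata; it models only the address-group part of a rule header and uses a constructed scanner address (192.168.2.50 on the "red" network, chosen as an assumption) against the LAN1 host 192.168.1.100 from the thread, with both HOME_NET values the poster tried.

```python
import ipaddress

def parse_net_list(spec):
    """Parse a Suricata-style address group such as "[192.168.0.0/16,10.0.0.0/8]"
    into a list of ip_network objects. Negations and nested groups are out of scope."""
    body = spec.strip().strip('"').strip("[]")
    return [ipaddress.ip_network(n.strip()) for n in body.split(",") if n.strip()]

def in_home_net(ip, home_nets):
    """True when the address falls inside any HOME_NET prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in home_nets)

def external_to_home_matches(src, dst, home_nets):
    """Model of the header 'alert ... $EXTERNAL_NET any -> $HOME_NET any'.
    EXTERNAL_NET is !$HOME_NET, so the source must be outside HOME_NET and
    the destination inside it for the header to match."""
    return (not in_home_net(src, home_nets)) and in_home_net(dst, home_nets)

# The two HOME_NET values from the thread.
ORIGINAL_HOME_NET = '"[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"'
ADJUSTED_HOME_NET = '"[192.168.1.0/24,10.0.0.0/8,172.16.0.0/12]"'

# Constructed flow: a host on the red network scanning the LAN1 host.
SCAN_SRC = "192.168.2.50"   # assumption: scanner address on the red network
SCAN_DST = "192.168.1.100"  # LAN1 host named in the thread

def coverage_report(home_spec, src=SCAN_SRC, dst=SCAN_DST):
    """Explain, for a given HOME_NET, why the external-to-home header does or
    does not match the flow."""
    nets = parse_net_list(home_spec)
    return {
        "src_in_home": in_home_net(src, nets),
        "dst_in_home": in_home_net(dst, nets),
        "header_matches": external_to_home_matches(src, dst, nets),
    }

if __name__ == "__main__":
    for label, spec in (("original", ORIGINAL_HOME_NET), ("adjusted", ADJUSTED_HOME_NET)):
        print(label, coverage_report(spec))
```

With the original value both addresses are in HOME_NET, so `src_in_home` is true and the header cannot match; with the adjusted value the scanner falls into EXTERNAL_NET and the header matches. This also shows Franco's other workaround: moving one of the two networks outside the HOME_NET range has the same effect as narrowing HOME_NET. Rules written as `any -> $HOME_NET` or `$HOME_NET -> $EXTERNAL_NET` evaluate differently, and the template file named above is replaced on firmware upgrade, so the change must be reapplied afterwards.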