OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: hoseinTB on March 05, 2016, 11:06:17 am

Title: IDS on Bridge Mode do not detect private IP attack
Post by: hoseinTB on March 05, 2016, 11:06:17 am
Hi,

I am using OPNsense in bridge mode.
I want to run the IDS/IPS service to protect my trusted network from attacks coming from both private and public IP addresses.
But as I tested, I need to edit the Suricata config file (suricata.yaml) and change HOME_NET to reach my goal.

After some research I found out that HOME_NET is an important Suricata variable.

So
Why are you not adding a HOME_NET setting to the Intrusion Detection web interface of OPNsense?


Thanks
Hosein
Title: Re: IDS on Bridge Mode do not detect private IP attack
Post by: franco on March 07, 2016, 08:48:55 am
Hi Hosein,

Bridge mode isn't one of the main use cases of a router-based firewall, so naturally we try to work on routing-based features and that works ok without HOME_NET.

However, I think we can add this to an upcoming version as an option, but it'll likely have to be configured manually.


Cheers,
Franco
Title: Re: IDS on Bridge Mode do not detect private IP attack
Post by: hoseinTB on March 07, 2016, 01:02:12 pm
Hi Franco

Thanks for the reply.

Quote
so naturally we try to work on routing-based features and that works ok without HOME_NET.

As I tested in routing mode, if my red network has a private IP address range (192.168.0.0/16), I have to change the HOME_NET config to detect attacks from the red local network.

So
Am I doing anything wrong?


Quote
However, I think we can add this to an upcoming version as an option, but it'll likely have to be configured manually.

Looking forward to seeing this option in the web interface :)

Regards,
Hosein
Title: Re: IDS on Bridge Mode do not detect private IP attack
Post by: franco on March 07, 2016, 01:45:01 pm
HOME_NET, generally, is not directly used to designate our home network. It is used to filter out all noise that does not apply to HOME_NET, be it speed optimisation on noisy links or other reasons for filtering out messages that do not apply to your security requirements.

You're still fine without having set HOME_NET, unless you specifically need to exclude traffic from matching.

If you're not seeing alerts when they should come up, it's likely that IDS is misconfigured. Adjusting HOME_NET won't help in these cases. Are you sure IDS is running on the right link, seeing the right traffic?
Title: Re: IDS on Bridge Mode do not detect private IP attack
Post by: hoseinTB on March 07, 2016, 02:53:50 pm
This is my test scenario:
(http://sm.uploads.im/E8OeG.png)

I run IDS on the firewall and enable all scan rules.

After scanning LAN1 (192.168.1.100) with Nmap, no alert is shown in the firewall.

But after editing HOME_NET like below (suricata.yaml is YAML, so comments use #):
Code:
#--Original
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

#--Replace with the line below:
HOME_NET: "[192.168.1.0/24,10.0.0.0/8,172.16.0.0/12]"


IDS gives me the expected alert for the scan.

so

I think that Suricata only detects attacks with a HOME_NET destination.

Is this true?


Regards,
Hosein


Title: Re: IDS on Bridge Mode do not detect private IP attack
Post by: franco on March 07, 2016, 05:10:07 pm
Er, thanks for the explanation. HOME_NET is set to 192.168.0.0/16, so EXTERNAL_NET is everything out of that scope. Since both networks are HOME_NET by default, the rules never match. You are right.

You can manually adjust the OPNsense file /usr/local/opnsense/service/templates/OPNsense/IDS/suricata.yaml to reflect your setup and make the settings permanent until the next firmware upgrade is executed.

We'll discuss providing an override to HOME_NET, but in this case I must say it's a setup issue that can be worked around either with the above fix or adjusting one network to fall outside the HOME_NET range.
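The effect Hosein observed and Franco confirmed above (a scan from one RFC 1918 network to another never fires a rule written as $EXTERNAL_NET -> $HOME_NET, because $EXTERNAL_NET defaults to !$HOME_NET and both hosts sit inside the 192.168.0.0/16 entry) can be reproduced without a Suricata install. The following is an added example written for this page; it is not code from the thread, from OPNsense or from Suricata, and it models only the address part of a rule header (HOME_NET, EXTERNAL_NET as the negation of HOME_NET, and `any`), not protocols, ports, content matches or thresholds. The scanner address 192.168.2.50, the public address 203.0.113.5 and the "moved" network 198.51.100.0/24 are constructed; the target 192.168.1.100 and both HOME_NET values are taken from the posts.

```python
import ipaddress

# Taken from the thread: the shipped HOME_NET and the narrowed one Hosein used.
HOME_NET_ORIGINAL = ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")
HOME_NET_NARROWED = ("192.168.1.0/24", "10.0.0.0/8", "172.16.0.0/12")

# A typical scan-detection rule header shape (constructed, not a specific ruleset signature).
SCAN_RULE_HEADER = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"


def in_home_net(addr, home_net):
    """True if addr falls inside any of the HOME_NET prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in home_net)


def address_var_matches(var, addr, home_net):
    """Resolve one Suricata address variable against a single IP.

    Only $HOME_NET, $EXTERNAL_NET (modelled as the default '!$HOME_NET') and 'any'
    are handled; anything else raises so a typo is not silently treated as a match.
    """
    if var == "any":
        return True
    if var == "$HOME_NET":
        return in_home_net(addr, home_net)
    if var == "$EXTERNAL_NET":
        return not in_home_net(addr, home_net)
    raise ValueError(f"address variable not modelled: {var}")


def rule_header_matches(header, src, dst, home_net):
    """Evaluate the source/destination address fields of a rule header for one packet.

    Header layout: action proto src_addr src_port direction dst_addr dst_port.
    '->' is unidirectional; '<>' matches if either direction fits.
    """
    fields = header.split()
    if len(fields) < 7:
        raise ValueError(f"malformed rule header: {header!r}")
    _action, _proto, src_var, _src_port, direction, dst_var, _dst_port = fields[:7]
    forward = (address_var_matches(src_var, src, home_net)
               and address_var_matches(dst_var, dst, home_net))
    if direction == "->":
        return forward
    if direction == "<>":
        reverse = (address_var_matches(src_var, dst, home_net)
                   and address_var_matches(dst_var, src, home_net))
        return forward or reverse
    raise ValueError(f"unknown direction operator: {direction}")


def scan_would_alert(scanner, target, home_net, header=SCAN_RULE_HEADER):
    """Would a scan from `scanner` to `target` reach the rule body at all?"""
    return rule_header_matches(header, scanner, target, home_net)


def explain(scanner, target, home_net):
    """One-line verdict showing why the header did or did not match."""
    verdict = "ALERT" if scan_would_alert(scanner, target, home_net) else "silent"
    return (f"scanner {scanner} -> target {target} with HOME_NET={list(home_net)}: "
            f"src in HOME_NET={in_home_net(scanner, home_net)}, "
            f"dst in HOME_NET={in_home_net(target, home_net)} => {verdict}")


if __name__ == "__main__":
    # Assumed scanner on the 'red' side at 192.168.2.50; target is LAN1 from the thread.
    for home in (HOME_NET_ORIGINAL, HOME_NET_NARROWED):
        print(explain("192.168.2.50", "192.168.1.100", home))
    # Franco's other workaround: put the red network outside HOME_NET instead of shrinking it.
    print(explain("198.51.100.7", "192.168.1.100", HOME_NET_ORIGINAL))
```

With the shipped HOME_NET the scanner resolves as HOME_NET, so $EXTERNAL_NET is false and the rule is skipped before any port or content check runs; narrowing HOME_NET to 192.168.1.0/24, or renumbering the red side out of the range, makes the same header match. The practical check for a real deployment is the same question the code asks: for each pair of networks you expect to see attacks between, is at least one of them outside every HOME_NET prefix?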