OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Bogotrax on January 04, 2022, 04:08:15 pm

Title: Proper Ruleset for IDS and Firewall on following detection
Post by: Bogotrax on January 04, 2022, 04:08:15 pm
Hello,

Suricata spotted the following potential threat on my newly set up Windows machine. I just connected it and installed some rather uninteresting programs (Steam and Spotify) on it, and it apparently detected the following:
Code:
2022-01-03T20:19:39.244220+0100 2028769 allowed wan 192.168.0.2 59688 34.199.180.185 443 ET JA3 Hash - [Abuse.ch] Possible Tofsee
2022-01-03T20:19:21.464036+0100 2008038 allowed wan 192.168.0.2 52559 34.199.180.185 80 ET USER_AGENTS Suspicious User-Agent (Mozilla/4.0 (compatible ICS))
2022-01-03T20:18:20.113306+0100 2028769 allowed wan 192.168.0.2 20428 3.220.178.226 443 ET JA3 Hash - [Abuse.ch] Possible Tofsee

Can somebody brief me on what that potentially means, and which rules to apply on the OPNsense firewall? I am rather new to the whole thing and would like to go through some manuals, if somebody could point me towards the approximate passage.
Also, if there is a more suitable part of the board to address the issue in, I'd be more than glad to be pointed in the right direction.
I can't enable IPS since my OPNsense setup already chokes on IDS while Suricata is running, so much for that.
Does it look like I have to set up the machine again and change all passwords, or is this a meh message? I totally rely on external help here.

Thanks in advance.

Best,

Bogotrax
Title: Re: Proper Ruleset for IDS and Firewall on following detection
Post by: FullyBorked on January 10, 2022, 03:34:18 pm
The Mozilla user agent just means you are using Firefox.  That rule can probably just be disabled in IDS unless you want to know when it's happening. 

For the JA3 detections, you'll need to spend some time on that one.  I'd be slightly concerned that you downloaded some malware, but not 100% sure.  Might be worth running the free version of MalwareBytes and see if it comes up with anything.

https://sslbl.abuse.ch/ssl-certificates/signature/Tofsee/
https://sslbl.abuse.ch/ja3-fingerprints/0cc1e84568e471aa1d62ad4158ade6b5/
Title: Re: Proper Ruleset for IDS and Firewall on following detection
Post by: Bogotrax on January 13, 2022, 02:24:52 pm
Thanks a lot for the input. I will run Malwarebytes over it.
Meanwhile I have another thing that is bugging me:
I get those alerts for connections to .biz and .cloud addresses that I would like to use the firewall on, if possible.
I already told Suricata to drop them, but they keep popping up, also with the flag "allowed" to pass through.
I am not the brightest bulb regarding firewall and Suricata settings. I also can't run IPS instead of IDS because of memory.
Any idea how to set up the firewall so that they don't pop up?

Code:
2022-01-13T13:47:52.698167+0100 2027863 allowed wan 192.168.0.2 4429 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.673658+0100 2027863 allowed wan 192.168.0.2 54846 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.653052+0100 2027863 allowed wan 192.168.0.2 48538 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.643888+0100 2027863 allowed wan 192.168.0.2 37436 217.160.82.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.623157+0100 2027863 allowed wan 192.168.0.2 13648 217.160.80.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.622745+0100 2027863 allowed wan 192.168.0.2 36422 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.612215+0100 2027863 allowed wan 192.168.0.2 33396 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.603882+0100 2027863 allowed wan 192.168.0.2 45495 217.160.82.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.583251+0100 2027863 allowed wan 192.168.0.2 35145 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.581649+0100 2027863 allowed wan 192.168.0.2 24309 185.132.32.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.569699+0100 2027863 allowed wan 192.168.0.2 62882 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.558900+0100 2027863 allowed wan 192.168.0.2 12915 217.160.80.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.552599+0100 2027863 allowed wan 192.168.0.2 43095 185.132.32.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.541694+0100 2027863 allowed wan 192.168.0.2 59307 217.160.80.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.527505+0100 2027863 allowed wan 192.168.0.2 35049 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.526289+0100 2027863 allowed wan 192.168.0.2 18341 217.160.83.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.525678+0100 2027863 allowed wan 192.168.0.2 22338 217.160.82.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.524232+0100 2027863 allowed wan 192.168.0.2 58652 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.523396+0100 2027863 allowed wan 192.168.0.2 37851 156.154.125.65 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.518676+0100 2027863 allowed wan 192.168.0.2 59472 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.484347+0100 2027863 allowed wan 192.168.0.2 24890 217.160.83.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.483929+0100 2027863 allowed wan 192.168.0.2 61148 217.160.80.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.481112+0100 2027863 allowed wan 192.168.0.2 19132 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.476844+0100 2027863 allowed wan 192.168.0.2 54645 156.154.124.65 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.476337+0100 2027863 allowed wan 192.168.0.2 17989 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.450989+0100 2027863 allowed wan 192.168.0.2 29572 185.132.32.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.450782+0100 2027863 allowed wan 192.168.0.2 62568 217.160.80.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.421765+0100 2027863 allowed wan 192.168.0.2 36385 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.421539+0100 2027863 allowed wan 192.168.0.2 30058 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.418944+0100 2027863 allowed wan 192.168.0.2 23849 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.418357+0100 2027863 allowed wan 192.168.0.2 44626 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.417421+0100 2027863 allowed wan 192.168.0.2 41847 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.416169+0100 2027863 allowed wan 192.168.0.2 61354 37.209.192.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.413759+0100 2027863 allowed wan 192.168.0.2 24896 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.381671+0100 2027863 allowed wan 192.168.0.2 11827 156.154.124.65 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.381330+0100 2027863 allowed wan 192.168.0.2 27976 37.209.192.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.379455+0100 2027863 allowed wan 192.168.0.2 9047 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.374545+0100 2027863 allowed wan 192.168.0.2 51799 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.363598+0100 2027863 allowed wan 192.168.0.2 47803 156.154.124.65 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.363274+0100 2027863 allowed wan 192.168.0.2 58848 37.209.194.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.362959+0100 2027863 allowed wan 192.168.0.2 18401 37.209.192.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.353066+0100 2027863 allowed wan 192.168.0.2 61134 37.209.196.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.352807+0100 2027863 allowed wan 192.168.0.2 14789 37.209.194.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.352078+0100 2027863 allowed wan 192.168.0.2 20751 37.209.194.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.351162+0100 2027863 allowed wan 192.168.0.2 29378 37.209.196.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:44.374404+0100 2027865 allowed wan 192.168.0.2 50580 205.251.197.233 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:47:44.351494+0100 2027865 allowed wan 192.168.0.2 22185 205.251.198.14 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:47:44.340358+0100 2027865 allowed wan 192.168.0.2 33704 205.251.194.208 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:47:44.320512+0100 2027865 allowed wan 192.168.0.2 49131 205.251.197.233 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:47:44.311792+0100 2027865 allowed wan 192.168.0.2 34742 205.251.198.14 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:29:16.859926+0100 2027865 allowed wan 192.168.0.2 56364 205.251.196.155 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:29:16.843627+0100 2027863 allowed wan 192.168.0.2 7824 156.154.66.196 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:29:16.842432+0100 2027863 allowed wan 192.168.0.2 18212 156.154.66.196 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:29:16.837147+0100 2027865 allowed wan 192.168.0.2 36600 205.251.196.155 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:29:16.805659+0100 2027865 allowed wan 192.168.0.2 12782 205.251.195.133 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:29:16.792593+0100 2027863 allowed wan 192.168.0.2 33311 156.154.69.196 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:29:16.792070+0100 2027863 allowed wan 192.168.0.2 32832 156.154.67.196 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:29:16.729668+0100 2027865 allowed wan 192.168.0.2 51040 205.251.195.133 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:29:16.685873+0100 2027863 allowed wan 192.168.0.2 33583 156.154.67.196 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:29:16.683009+0100 2027863 allowed wan 192.168.0.2 40436 156.154.69.196 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:29:16.666397+0100 2027865 allowed wan 192.168.0.2 5694 205.251.199.196 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:29:16.616205+0100 2027865 allowed wan 192.168.0.2 28638 205.251.196.155 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:29:16.573029+0100 2027865 allowed wan 192.168.0.2 16737 205.251.196.155 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:28:55.489059+0100 2027865 allowed wan 192.168.0.2 12554 205.251.193.216 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:28:54.393541+0100 2027865 allowed wan 192.168.0.2 55728 205.251.199.235 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:28:54.302682+0100 2027865 allowed wan 192.168.0.2 28844 205.251.194.57 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:28:53.885024+0100 2027865 allowed wan 192.168.0.2 17822 205.251.197.240 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:28:53.805721+0100 2027863 allowed wan 192.168.0.2 16216 37.209.194.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.715443+0100 2027865 allowed wan 192.168.0.2 61597 37.209.196.10 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:28:53.600341+0100 2027863 allowed wan 192.168.0.2 33149 156.154.125.65 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.597788+0100 2027863 allowed wan 192.168.0.2 21605 8.20.241.106 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.510345+0100 2027863 allowed wan 192.168.0.2 29033 37.209.192.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.508700+0100 2027863 allowed wan 192.168.0.2 37459 8.20.241.106 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.498303+0100 2027863 allowed wan 192.168.0.2 53948 176.97.158.110 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.435377+0100 2027863 allowed wan 192.168.0.2 18914 37.209.194.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.434980+0100 2027863 allowed wan 192.168.0.2 48285 37.209.192.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.433694+0100 2027863 allowed wan 192.168.0.2 64816 156.154.124.65 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.431939+0100 2027863 allowed wan 192.168.0.2 56089 37.209.194.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:44.357773+0100 2027863 allowed wan 192.168.0.2 39556 156.154.65.196 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:44.356476+0100 2027863 allowed wan 192.168.0.2 10883 37.209.196.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:44.247825+0100 2027863 allowed wan 192.168.0.2 57419 37.209.196.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:44.244866+0100 2027863 allowed wan 192.168.0.2 23116 156.154.69.196 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:44.202758+0100 2027863 allowed wan 192.168.0.2 45043 156.154.124.65 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:44.201651+0100 2027863 allowed wan 192.168.0.2 64633 37.209.196.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T12:43:02.231632+0100 2028651 allowed wan 192.168.0.2 20204 104.107.217.217 80 ET USER_AGENTS Steam HTTP Client User-Agent
2022-01-13T08:12:20.039878+0100 2027865 allowed wan 192.168.0.2 45769 173.245.59.112 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:12:19.980355+0100 2027865 allowed wan 192.168.0.2 31034 37.209.196.10 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:09:01.059268+0100 2027865 allowed wan 192.168.0.2 12516 205.251.197.192 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:09:01.029399+0100 2027865 allowed wan 192.168.0.2 21075 205.251.198.94 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:09:00.997556+0100 2027865 allowed wan 192.168.0.2 48293 205.251.198.94 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:09:00.969271+0100 2027865 allowed wan 192.168.0.2 43307 205.251.197.192 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:09:00.943702+0100 2027865 allowed wan 192.168.0.2 13811 205.251.192.227 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:09:00.185653+0100 2027865 allowed wan 192.168.0.2 20990 205.251.195.133 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:07:41.536582+0100 2027865 allowed wan 192.168.0.2 31047 205.251.198.94 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:07:41.499046+0100 2027865 allowed wan 192.168.0.2 17004 205.251.192.227 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:07:41.468826+0100 2027865 allowed wan 192.168.0.2 6574 205.251.194.6 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:07:41.446155+0100 2027865 allowed wan 192.168.0.2 29722 205.251.192.227 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:06:40.758026+0100 2027865 allowed wan 192.168.0.2 56337 205.251.197.192 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:06:40.740972+0100 2027865 allowed wan 192.168.0.2 44401 205.251.194.6 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:06:40.718528+0100 2027865 allowed wan 192.168.0.2 18045 205.251.197.192 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:06:40.696855+0100 2027865 allowed wan 192.168.0.2 53492 205.251.197.192 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:06:40.666341+0100 2027865 allowed wan 192.168.0.2 58501 205.251.192.227 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:06:40.624650+0100 2027865 allowed wan 192.168.0.2 48127 205.251.197.192 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:06:40.593363+0100 2027865 allowed wan 192.168.0.2 41994 205.251.198.94 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:06:40.575082+0100 2027865 allowed wan 192.168.0.2 52802 205.251.194.6 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:13.216627+0100 2027865 allowed wan 192.168.0.2 18912 205.251.192.227 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:13.190978+0100 2027865 allowed wan 192.168.0.2 9983 205.251.198.94 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.944523+0100 2027865 allowed wan 192.168.0.2 52128 205.251.194.6 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.867541+0100 2027865 allowed wan 192.168.0.2 45429 205.251.192.227 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.814128+0100 2027865 allowed wan 192.168.0.2 24806 205.251.197.192 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.396212+0100 2027865 allowed wan 192.168.0.2 6751 205.251.196.155 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.376644+0100 2027865 allowed wan 192.168.0.2 45504 205.251.195.133 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.346661+0100 2027865 allowed wan 192.168.0.2 5751 205.251.193.237 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.326686+0100 2027865 allowed wan 192.168.0.2 46673 205.251.196.155 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.308596+0100 2027865 allowed wan 192.168.0.2 60876 205.251.193.237 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.287799+0100 2027865 allowed wan 192.168.0.2 61439 205.251.196.155 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:04.681704+0100 2027863 allowed wan 192.168.0.2 28986 156.154.124.65 53 ET INFO Observed DNS Query to .biz TLD

Update: Malwarebytes couldn't find anything :/ Still, thanks for your advice.
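The alert dumps above are hard to read by eye because one signature fires dozens of times. The following script is an added example (not from this thread or from OPNsense itself) that parses lines in the format the OPNsense IDS export uses here (timestamp, signature ID, action, interface, source, source port, destination, destination port, message), collapses them per signature, ranks them by the ET category prefix, and checks the action column. The severity ranking by category is this example's own assumption; the sample lines are copied from the posts above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: alert lines copied from the forum posts (OPNsense IDS alert export format).
SAMPLE_ALERTS = """\
2022-01-03T20:19:39.244220+0100 2028769 allowed wan 192.168.0.2 59688 34.199.180.185 443 ET JA3 Hash - [Abuse.ch] Possible Tofsee
2022-01-03T20:19:21.464036+0100 2008038 allowed wan 192.168.0.2 52559 34.199.180.185 80 ET USER_AGENTS Suspicious User-Agent (Mozilla/4.0 (compatible ICS))
2022-01-03T20:18:20.113306+0100 2028769 allowed wan 192.168.0.2 20428 3.220.178.226 443 ET JA3 Hash - [Abuse.ch] Possible Tofsee
2022-01-13T13:47:52.698167+0100 2027863 allowed wan 192.168.0.2 4429 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.673658+0100 2027863 allowed wan 192.168.0.2 54846 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:44.374404+0100 2027865 allowed wan 192.168.0.2 50580 205.251.197.233 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T12:43:02.231632+0100 2028651 allowed wan 192.168.0.2 20204 104.107.217.217 80 ET USER_AGENTS Steam HTTP Client User-Agent
"""

# One alert line: fixed columns separated by whitespace, free-text message at the end.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sid>\d+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<msg>.+)$"
)

# Ranking of ET rule categories: an assumption of this example, not an ET or OPNsense setting.
CATEGORY_SEVERITY = {"ET JA3": "high", "ET USER_AGENTS": "medium", "ET INFO": "low"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "unknown": 3}


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    action: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    msg: str


def parse_alerts(text):
    """Parse the export text into Alert records; reject lines that do not fit the format."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable alert line: {line!r}")
        d = m.groupdict()
        alerts.append(Alert(d["ts"], int(d["sid"]), d["action"], d["iface"], d["src"],
                            int(d["sport"]), d["dst"], int(d["dport"]), d["msg"]))
    return alerts


def severity(alert):
    """Severity from the category prefix of the rule message ('ET INFO ...', 'ET JA3 ...')."""
    for prefix, level in CATEGORY_SEVERITY.items():
        if alert.msg.startswith(prefix):
            return level
    return "unknown"


def summarize(alerts):
    """Collapse alerts per signature ID: count, distinct destinations, severity, actions seen."""
    by_sid = defaultdict(list)
    for a in alerts:
        by_sid[a.sid].append(a)
    rows = []
    for sid, group in by_sid.items():
        rows.append({
            "sid": sid,
            "msg": group[0].msg,
            "count": len(group),
            "severity": severity(group[0]),
            "destinations": sorted({f"{a.dst}:{a.dport}" for a in group}),
            "actions": sorted({a.action for a in group}),
        })
    # Highest severity first, then the noisiest signatures within a severity level.
    rows.sort(key=lambda r: (SEVERITY_ORDER[r["severity"]], -r["count"]))
    return rows


def drops_enforced(alerts):
    """True only if some line carries an action other than 'allowed'.

    In IDS (non-inline) mode Suricata only alerts, so every line reads 'allowed'
    even for rules whose action was changed to drop; the log then cannot confirm a block.
    """
    return any(a.action != "allowed" for a in alerts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for row in summarize(parsed):
        print(f"[{row['severity']:>6}] sid={row['sid']} x{row['count']} {row['msg']}")
        print(f"         -> {', '.join(row['destinations'])} (actions: {', '.join(row['actions'])})")
    print("engine is blocking:", drops_enforced(parsed))
```

Run over the sample, the JA3/Tofsee signature (two hits against two hosts on port 443) sorts to the top, the .biz and .cloud DNS info alerts sink to the bottom, and `drops_enforced` returns False, which matches the situation in the post: with IDS rather than IPS enabled, a rule set to drop still shows "allowed" because nothing is being dropped inline.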
Title: Re: Proper Ruleset for IDS and Firewall on following detection
Post by: FullyBorked on January 13, 2022, 03:30:29 pm
I think you might be going about this the wrong way. I would suggest updating your hardware to be able to use IPS. Since threats are constantly changing, you won't be able to just build firewall rules every time. You need an active system. If memory is all you need, I would suggest buying some RAM; it's usually pretty cheap.

Also, if you are only concerned with outbound internet browsing type traffic, Zenarmor might be a better fit for you. Again, you are going to have memory constraints. Usually Suricata is going to sit on your WAN connections for inbound traffic to, say, a website on your network. Zenarmor is more for outbound web traffic and requires a LOT less tuning and configuring to get it working properly.
Title: Re: Proper Ruleset for IDS and Firewall on following detection
Post by: Bogotrax on January 13, 2022, 07:03:32 pm
Thanks for your feedback. I need to run through my head what the options are for me. I'll take a look at Zenarmor. Seems like a fitting solution, and needing less RAM is something that sounds good to me. For more RAM, I'd need another APU or find an old PC to run OPNsense on.
Title: Re: Proper Ruleset for IDS and Firewall on following detection
Post by: FullyBorked on January 13, 2022, 07:05:55 pm
Ah, didn't know you were running on an APU, that'll be harder to add RAM to ;D.
Title: Re: Proper Ruleset for IDS and Firewall on following detection
Post by: Bogotrax on January 20, 2022, 01:40:07 pm
Activated IPS with Aho-Corasick. So far so OK, although I have a new problem now: "Error reconfiguring IDS: error installing ids rules ()" when I "apply" the new configuration to Suricata. Is there a reset option for Suricata, a way to apply the original settings, a way to reinstall Suricata to make sure I don't get the error, or a way to debug this?
Title: Re: Proper Ruleset for IDS and Firewall on following detection
Post by: vijvis on January 30, 2022, 11:39:42 am
I got that error too upon enabling IPS and updating the rules. A reboot of the system fixed it for me.