OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: shred on October 31, 2017, 01:39:48 am

Title: Intrusion Detection - Enabling/Disabling Rules
Post by: shred on October 31, 2017, 01:39:48 am
Good afternoon,

I'm in the market to purchase some hardware to install a firewall such as OPNsense. I've spent several hours over the past few days messing with pfSense, OPNsense and SophosXG on VirtualBox to see which one I'd like to go with. So far I'm leaning towards OPNsense based on a number of different reasons but one thing I'm trying to understand is the Intrusion Detection. I've set it up the Intrusion Detection and downloaded/enabled the 'OPNsense/test rules' to make sure it works when I access http://www.eicar.org/download/eicar.com.txt and sure enough, I see it in the Alerts (this test method is great by the way and is probably worth adding into the User Guide... only discovered it by searching/reading the forums). After that, I started downloading/enabling several other ET open rules as well but when I view the 'Rules' tab, I'm a bit confused as to how each rule becomes enabled/disabled. I assumed that if I enabled the entire rule set from the 'Download' tab (i.e. ET open/malware), that it would enable all of the corresponding rules associated with it in the 'Rules' tab. However, I've noticed when I disable certain rule sets, the corresponding rules are still enabled. The opposite is true as well where I enable a rule set but the specific rules are not enabled. Hopefully that makes sense but I'm just wondering what I'm missing here...

Edit: As an example, I selected all of the rule sets under 'Download' and click 'Disable selected'. All of them are showing as being disabled (X under every rule set in the Enabled column). However, under the 'Rules' tab, I'm still seeing specific rules enabled (box is checked in the Info/Enabled column) and I'm seeing new alerts show up. Pictures attached.

Second question while I'm on this topic - One thing I liked about pfSense was the ability to suppress or disable the rule from the Alerts view. Is there any way to do this in OPNsense? When I click the info button, the only option I see that is close to what I'm trying to do is the 'Alert action/sid' drop down box that only lets me switch between Alert and Drop.

Anyways, thanks for everyone that is a part of this OPNsense platform and the work you've put in. It's definitely looking like the platform I'm going to end up going with.
Title: Re: Intrusion Detection - Enabling/Disabling Rules
Post by: shred on October 31, 2017, 01:57:55 am
Another issue I'm having is under the 'Rules' tab, if I select a bunch of rules and click the 'Disable selected' icon on the bottom left of the table, everything just becomes unselected and nothing happens (rules are still enabled as indicated by the checkbox on the right side of the table). I also get a spinning wheel that doesn't go away where that 'Disable selected' icon was. This is on the latest Google Chrome browser in Ubuntu.
Title: Re: Intrusion Detection - Enabling/Disabling Rules
Post by: dcol on November 18, 2017, 11:22:02 pm
The enable and disable buttons work for me. You have to check the rules you want, or all, next to sid then apply.

Someday, I hope, there is a better Rules Manager implemented. Would be nice to auto change selected rules to alert/drop/suppress or edit the rule itself. The real power of an IDS system is rules management. Just sayin'.
Title: Re: Intrusion Detection - Enabling/Disabling Rules
Post by: franco on November 19, 2017, 10:05:49 am
I reworked the download page with regard to enable / disable, but haven't reworked the rules page yet. The rules page has the older, slightly more confusing layout.

As for download disabled vs. enabled rules, Ad will have a better grasp on this. I'll try to redirect him here.

Some more changes coming to IDS alerts soon, you can also enable / disable rules from the alerts tab then.

Title: Re: Intrusion Detection - Enabling/Disabling Rules
Post by: comet on November 19, 2017, 12:27:27 pm
If I might make a suggestion, what's really needed for intrusion detection is some kind of wizard that would pre-configure settings and rules for you.  I have looked at intrusion detection several times and still don't understand it well enough to actually use it.

My suggestion would be that you have three basic settings (where you would choose one of the three) and one option:

Basic - a minimal form of intrusion detection and blocking that stops the worst of the worst threats, with a near-zero chance of false positives.  A setting for people who know absolutely nothing about intrusion detection.

Better - Includes detection and blocking all of the threats in the basic selection, plus some that have a small chance of generating false positives.  The balance here would be to cover the worst of the threats, at the expense of blocking something that shouldn't be blocked in a few cases.

Best - Pretty much detects and blocks everything that's not absolutely guaranteed to generate a high number of false positives.  If you use this setting, you will almost certainly get false positives.

The one option would be to include minimal intrusion detection on the LAN side and local interface.  If I understand correctly, intrusion detection primarily works on threats coming in from the WAN side, but there may be reasons to run it on the LAN side as well.  Using this option would give you a good basic LAN side detection and blocking configuration.

The reason for this is that the wizard would get you set up with an initial configuration that works and gives you some level of protection.  It's specifically for people who have absolutely no idea what they are doing when it comes to setting up intrusion detection. The wizard would go through and actually check all the proper boxes for you, depending on your selection of protection level.  Then after that, you could go through and look to see what it has checked, and if you don't like any of the selections made by the wizard you could change them.
Title: Re: Intrusion Detection - Enabling/Disabling Rules
Post by: xinnan on November 19, 2017, 12:38:18 pm
IDS (suricata) is a pro level tool.  Actually, it often stumps pros.  It would be nice if there was a way to make it simple. 
Title: Re: Intrusion Detection - Enabling/Disabling Rules
Post by: dcol on November 19, 2017, 09:54:16 pm
Comet has a point because all the rules are, by default, set to alert so there is no real protection upon setting up for the first time. And then to drop rules, you have to do it either manually per rule or per rule category and choose what to drop. I know that it is speculative as to assign which rules should be dropped by default. Maybe the best answer here is to add to the Wiki a list of recommended lists/sites to view and put a link to that Wiki page in the IDS section somewhere stating 'all rules are set to alert by default, please visit the Wiki page(link here) for suggestions'. Or something to that nature.
Title: Re: Intrusion Detection - Enabling/Disabling Rules
Post by: xinnan on November 19, 2017, 10:00:12 pm
I created an easy brute force and ignorance solution to turn all the ACTIVE rules to "drop".  Haven't tested it on opnsense.  I've been busy.  Basically, I apply a wildcard to all the alphanumerics A-Z, a-z, 0-9 in a drop file.  Its much easier than it sounds. 

For me it is a perfect fix, but for many it might not be.  I will see how it works with opnsense in the next few days. 
Title: Re: Intrusion Detection - Enabling/Disabling Rules
Post by: comet on November 19, 2017, 11:19:11 pm
If nothing else, what I wish someone would at least do is this:  Pretend you have set up a router for your grandparents and that you want to keep them reasonably secure from the bad guys, but you don't want to be getting phone calls from then because they can't get to the web sites the commonly use, or because those sites no longer work properly (we'll assume they aren't going to porn or piracy sites, if that makes any difference).

Now set up intrusion detection the way you would set it up for them.  Not for you, because you may know how to figure out which rule is causing a problem without too much difficulty, but for them.  Then take a full-page screenshot of EVERY configuration page, including the main settings page (if you use Firefox the "Screengrab!" extension (https://addons.mozilla.org/en-US/firefox/addon/screengrab-fix-version/) will let you easily capture an entire page screenshot) and post it in here or on the Wiki or somewhere.  Or if it's easier, make a screen capture video of the process.

All I need is to see someone else who knows what they are doing set it up once, and then maybe I can grasp it.  I would hope SOMEONE knows how to do this.

I actually think a "wizard" would be a better idea and more helpful, because it would at least let you tailor the protection to how involved you want to be in rooting out false positives (or if you don't know how to do that, then you could select a level that would hardly ever give false positives).  But I realize that creating a wizard requires coding, and that making a set of screenshots or a video would probably be much easier.

(One tip if anyone does make a video - please don't be like so many YouTube video creators who ramble on about things that no one cares about, like the history of intrusion detection or how Suricata came to be or some such thing.  I have come to dislike instructional YouTube videos rather deeply because many of the people who create them can never seem to just get to the point; they ramble on like a teacher that has a 55 minute class to fill but only has enough prepared material for 15 minutes, so they have to stretch it out.  At least in my case, all I would really want to know is how to set this up, and under which circumstances you may or may not want to use a particular option.  If you can show all that in only five or ten minutes that's fantastic; if it really takes a half hour or longer to properly explain how to set it up, that's fine too. I just wish video creators would stick to the subject of their video and not wander off on tangents).
Title: Re: Intrusion Detection - Enabling/Disabling Rules
Post by: dcol on November 19, 2017, 11:39:55 pm
https://docs.opnsense.org/manual/how-tos/ips.html is a good starting point. That gets IDS/IPS working. The Wiki does need to add some links with some recommendations on rules and categories to drop and how to apply them.

Many users here, I believe, come from the pfsense world and already have seen many of the common issues. But OPNsense is more of a firewall for the layman approach and I think has done a pretty outstanding job so far, but like with anything, with time comes improvement. Which is why the OPNsense folks need to hear from the average user who is not a network guru. Over in the pfsense forum, novices get eaten alive.
Title: Re: Intrusion Detection - Enabling/Disabling Rules
Post by: franco on November 20, 2017, 07:39:14 am
The guys from NL have been to Suricon last week and talked to Surciata authors and (pro) users. There is potential for providing a "basic secure coverage" setting, but even this takes a few experts to sort out what is best enabled and what is not for the average scenario. :)