OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: dcol on November 16, 2017, 12:45:45 am

Title: IDS Alerts
Post by: dcol on November 16, 2017, 12:45:45 am
Hello all,
I never see any ET-Open alerts unless I add the WAN IP in the Home networks (HOME_NET).
I read that this is just the 'noise' that you see. Like in other firewalls.
Do I actually need to keep the WAN IP in the Suricata HOME_NET or are these triggers not making it through the WAN anyway, which is why I do not see them in alerts when the WAN IP is not included in HOME_NET.

Just think I need some clarification on this. Thanks
Title: Re: IDS Alerts
Post by: csmall on November 16, 2017, 02:21:12 am
Use LAN interface instead of WAN.
Title: Re: IDS Alerts
Post by: franco on November 16, 2017, 03:54:08 am
Colin's adventure with that particular topic was unraveled here: https://forum.opnsense.org/index.php?topic=4711.msg21004#msg21004

Title: Re: IDS Alerts
Post by: dcol on November 16, 2017, 04:46:30 pm
Read that topic earlier. That's where the confusion set in. Ad made the suggestion to try putting the WAN on HOME_NET. My main question is - If the WAN is NOT in HOME_NET and I do not see any alerts, does that mean that all those alerts I see when I do have WAN on the HOME_NET are actually blocked when WAN is not in HOME_NET?

When I put WAN on the HOME_NET, overnight I had 600+ ET Open alerts. The previous 12 hours, when I did not have WAN in HOME_NET I saw absolutely no errors at all. This is what concerns me and I think this needs to be clarified. Maybe this is clatter, as AD suggests. But it is traffic hitting the WAN for sure.

Now as to the LAN being the IDS interface, why LAN? There are lots of debates on that. I actually don't care about the LAN having IDS as many of my systems have web and email servers on other interfaces which is what I really need to protect. I assume that if I use the WAN for IDS, I could protect all my internal interfaces.
So is the suggestion to only use IDS on all my interfaces except WAN? Please explain why this is better.

Title: Re: IDS Alerts
Post by: xinnan on November 16, 2017, 04:58:47 pm
Many people are of the opinion that you only need to worry about what has made it past the WAN's firewall and might have access to the LAN or other resources behind opnsense that you are trying to protect. So, just checking the LAN and other interfaces is more meaningful and generates less noise.

For instance, are you worried that someone sent a packet to a closed port, or are you worried about services running where your open ports are forwarded? I suppose it depends on how much log reading you like to do.
Title: Re: IDS Alerts
Post by: dcol on November 16, 2017, 05:07:06 pm
Good point, but I figured that with IPS now you are better off stopping the traffic at the source. Makes more sense without IPS enabled. Guess it's a judgement call and whether you want to plow through logs or not.

So then from all this I assume that when the WAN is NOT in HOME_NET, the firewall has predisposed of all the 'chatter' because at that point there are very few, if any, triggered alerts in IDS. If that is what is happening, then this makes total sense to me now.
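To make the HOME_NET behaviour discussed in this thread concrete, here is an added illustration (not code from the thread or from OPNsense/Suricata): a small Python model of a rule of the shape `alert ip $EXTERNAL_NET any -> $HOME_NET any`, using Suricata's default `EXTERNAL_NET: "!$HOME_NET"`. The addresses, ports and packets are constructed, and the two-interface view (WAN sees everything pre-NAT, LAN sees only what the firewall forwarded) is an assumption of the model. It shows why an ET rule that fires hundreds of times with the WAN IP in HOME_NET goes quiet when it is removed, and why inspecting the LAN side still catches probes against forwarded services.

```python
import ipaddress

# Constructed addresses from documentation ranges (not real hosts).
WAN_IP = ipaddress.ip_address("203.0.113.10")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed packets as each interface would see them.
# Fields: interface, src, dst, dst_port, note
SAMPLE_PACKETS = [
    ("wan", "198.51.100.7", "203.0.113.10", 22,  "scan of a closed port; firewall drops it, never reaches LAN"),
    ("wan", "198.51.100.7", "203.0.113.10", 443, "probe of a forwarded HTTPS port, pre-NAT"),
    ("lan", "198.51.100.7", "192.168.1.20", 443, "same probe after the port-forward, post-NAT"),
    ("lan", "192.168.1.5",  "198.51.100.9", 80,  "outbound browsing from a LAN host"),
    ("wan", "203.0.113.10", "198.51.100.9", 80,  "the same outbound flow after source NAT"),
]

# Two HOME_NET definitions: LAN only, and LAN plus the WAN address (as in the thread).
HOME_NET_LAN_ONLY = [LAN_NET]
HOME_NET_WITH_WAN = [LAN_NET, ipaddress.ip_network(f"{WAN_IP}/32")]


def in_home_net(addr, home_net):
    """True if addr falls inside any network listed in HOME_NET."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in home_net)


def matches_inbound_rule(src, dst, home_net):
    """Model of 'alert ip $EXTERNAL_NET any -> $HOME_NET any'.

    With the default EXTERNAL_NET = !$HOME_NET, the rule fires only when the
    source is outside HOME_NET and the destination is inside it.
    """
    return (not in_home_net(src, home_net)) and in_home_net(dst, home_net)


def count_alerts(packets, interface, home_net):
    """Number of sample packets on `interface` that would trigger the rule."""
    return sum(
        1
        for iface, src, dst, _port, _note in packets
        if iface == interface and matches_inbound_rule(src, dst, home_net)
    )


def alert_matrix(packets=SAMPLE_PACKETS):
    """Alert counts for each interface under each HOME_NET definition."""
    return {
        ("wan", "lan_only"): count_alerts(packets, "wan", HOME_NET_LAN_ONLY),
        ("wan", "with_wan"): count_alerts(packets, "wan", HOME_NET_WITH_WAN),
        ("lan", "lan_only"): count_alerts(packets, "lan", HOME_NET_LAN_ONLY),
        ("lan", "with_wan"): count_alerts(packets, "lan", HOME_NET_WITH_WAN),
    }


if __name__ == "__main__":
    for (iface, home), n in alert_matrix().items():
        print(f"IDS on {iface:3s}, HOME_NET={home:8s}: {n} alert(s)")
```

Reading the matrix: on the WAN with only the LAN in HOME_NET, inbound probes are addressed to the WAN IP, which is not "home", so nothing fires; add the WAN address and every probe, including the closed-port noise the firewall would have dropped anyway, becomes an alert. On the LAN side the closed-port scan never appears because it was dropped before forwarding, but the probe against the forwarded service still matches, whether or not the WAN IP is in HOME_NET.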
Title: Re: IDS Alerts
Post by: xinnan on November 16, 2017, 05:14:15 pm
One would think.  You are definitely going to get a ton more alerts inspecting the WAN.

I do inspect the wan on my personal servers where the firewall and all clients are virtual and sit behind another SPI firewall.  As expected I get very few alerts, all real threats and only on ports I opened.  Otherwise, it is silent. 
Title: Re: IDS Alerts
Post by: xinnan on November 16, 2017, 05:40:31 pm
The firewall with no open ports and no pass rules will silently drop unsolicited incoming packets. In my opinion, that is usually best. Now, if I had SSH running on the WAN or another service installed in OPNsense that listened on the WAN, then there would be a great need to have IDS checking the WAN. Again, just an opinion. I'm definitely not the IDS expert.

(duplicate - sorry)
Title: Re: IDS Alerts
Post by: dcol on November 16, 2017, 06:36:45 pm
I do have plenty of open ports for web and email servers and a VNC type remote access as well, all accessible via any external IP. Probably 10 or so ports.

By the way, I just checked on one of my PFS boxes and the WAN is NOT in the HOME_NET in suricata.yaml. So not sure why I see 10-50 ET Open alerts an hour there and none on the OPNsense box. Raises my question again. But maybe the PFS box is just not properly handling the triggers. Glad I have until March to get this OPNsense box in a production environment. Sorry for all the inquiries, but I want to make sure I fully understand all the features before I start deploying.