OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: elektroinside on January 16, 2018, 11:09:39 pm

Title: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: elektroinside on January 16, 2018, 11:09:39 pm
I use these techniques for my home network and many of my clients. IDS/IPS needs occasional maintenance. Combine these with 'Security through obscurity' philosophies and techniques and you should be safe enough. Obviously, nobody but yourself is responsible for your deployment.

INTRO

IDS/IPS will not block viruses like an AV but rather they are complementary to each other. IDS/IPS will scan network traffic (packets) while the AV scans files. Both work with rules/signatures, and both are heavily dependent on these (except some newer technologies).

There's always a compromise to be made between speed and security. I prefer obviously both if possible, but this is difficult sometimes.

I prefer IDS/IPS in inline mode as it's lightning fast. The protection it offers is as good as your rules are. Combine this with a good DNS service and you will get nice and fast security.

Please be aware that IPS rulesets like ET open/emerging-current_events and ET open/emerging-dos - I don't know the exact rule(s) in the ruleset(s), though - can cause issues between internal interfaces, like RDP sessions, Windows Updates, Veeam backup speed/sustainability, etc. The most important thing: those issues weren't listed on the "Alerts" list, neither as blocked nor otherwise. The advice for everyone would be, especially if on a production/critically available network, to check rulesets and rules with a one-by-one activation/deactivation approach, especially if network services are crippled without any apparent reason.

Getting ready

1. BACKUP OPNSENSE FIRST (absolutely mandatory and first step): System: Configuration: Backups
In the case something goes wrong, you can always revert using the backup set.
2. Copy-paste this comment in a txt file on your test machine and save it
3. Run a few speedtest.net tests to verify performance and throughput before and after these techniques are deployed in your environment

Networking

1. Go to System: Settings: Networking
2. Disable all hardware offloading (they are disabled by default, but please verify)

DNS

Some particular public DNS servers will block queries pointing to malicious websites. I use OpenDNS or AdGuard DNS servers. OpenDNS will block no ads but more malware, AdGuard will block ad servers but less malware.

OpenDNS servers: there is a client integrated into OPNsense for this. Create an account on OpenDNS.com and just fill in the form in OPNsense: Services: OpenDNS; the GUI will fill in the DNS servers from step 1 below for you. Follow/verify the rest of the steps.
AdGuard: https://adguard.com/en/adguard-dns/overview.html

Let's go with AdGuard as it is easy to verify and this one you need to manually configure:

1. Go to System: Settings: General
2. In the DNS servers field, delete everything and add these (don't configure gateways, leave it on none):
176.103.130.130
176.103.130.131
2a00:5a60::ad1:0ff
2a00:5a60::ad2:0ff
3. Uncheck if not already: 'Allow DNS server list to be overridden by DHCP/PPP on WAN' and 'Do not use the DNS Forwarder/Resolver as a DNS server for the firewall'
SAVE
4. If you use Unbound DNS (OPNsense default), go to Services: Unbound DNS: General
5. Check if not already: 'Enable Forwarding Mode'
6. Uncheck 'Enable DNSSEC Support' (if you use OpenDNS or AdGuard, neither of these supports this feature)
SAVE
7. Just to be sure everything works, reboot and check your internet connection on that one machine

IDS/IPS

1. Go to Services: Intrusion Detection: Settings tab
2. Check these: Enabled, IPS mode (do not check promiscuous mode unless you have multiple interfaces or VLANs)
3. If you have a newer Intel CPU (so not an AMD) in the OPNsense box, most probably you can select 'Hyperscan' as the pattern matcher. You will have to run dmesg in the console to verify. If no SSE3 (so a newer Intel CPU), leave the default Aho-Corasick
4. Select WAN and LAN in interfaces. If you have a PPPoE link, WAN won't work.
5. Select all Home networks
6. Choose something for log rotation (whatever suits you best).
APPLY
7. Go to Download tab, select all, Enable then Download & Update rules
8. After everything is downloaded and enabled, edit each one, one by one, and select "Change all alerts to drop actions"
9. Select all again, download and update rules
10. Reboot just to be sure
11. Open this website https://www.wicar.org/test-malware.html and click on "EICAR TEST-VIRUS"
12. If nothing downloads, it works. If it doesn't work, a txt file will be downloaded (it will not harm your PC in any way, it is a test virus)
13. Go to Services: Intrusion Detection: Schedule tab and configure a cron job so that the rules are automatically refreshed once a day (for 12AM each day, enabled: check, minutes: 0, hours: 0, day month: *, months: *, days week: *, command: update and reload ids rules)

What to do when something is not working (can't open a website, torrents don't work, can't connect to something)

1. Go to Services: Intrusion Detection: Alerts tab
2. In the search box, type blocked
3. If you found a rule you wish to unblock, edit it (click on the pencil icon) and select 'Alert' for 'Configure action', instead of 'Drop'
4. Go back to Services: Intrusion Detection : Rules tab and click 'Apply'

Further debugging

1. Go to Services: Intrusion Detection and disable IPS mode.
Please verify things are fully working, browse some websites, and also check that you have alerts and all are reported as 'Allowed'.

2. Then, go back to Services: Intrusion Detection and enable IPS mode.
Then, go to 'Download', take each ruleset one by one, and set to 'Alert'.
Then, go to 'Rules' and hit 'Apply'.
Please verify things are fully working, browse some websites, and also check that you have alerts and all are reported as 'Allowed'.

3. Then, go to 'Download', take each ruleset one by one, and set to 'DROP'.
Then, go to 'Rules' and hit 'Apply'.
Please verify things are (at least partially) working, do some wicar tests (please try at least the eicar test file), browse some websites, and also check that you have alerts, some reported as 'Allowed' and some as 'Blocked'.

4. Go to 'Alerts', select a 'blocked' packet (do this with the eicar test file), edit it and set it to 'Alert'.
Go back to 'Rules' and hit 'Apply'.
Try to download the eicar file again; it should work this time. If it does, set it back to 'Drop' and hit 'Apply' again from the 'Rules' tab.
Please verify things are (at least partially) working, do some wicar tests (please try at least the eicar test file), browse some websites, and also check that you have alerts, some reported as 'Allowed' and some as 'Blocked'.

If still absolutely nothing works, verify each step here, concentrate, read every word, don't skip anything unless you know what you are doing. If still nothing is working, go to System: Configuration: Backups and restore your backup. Then stop reading :)

Verify results:

1. wicar tests should fail (most of them) -> the site with the eicar test virus; there are more tests there
2. if you choose AdGuard DNS servers, most of the ads in websites/games etc. will disappear and everything will load faster
3. if everything works, run a few speedtest.net again and compare

With these techniques, you should have a good protection and speed as well. If you wish to tweak these more, you can configure your OpenDNS account and filter out more categories to block. With another set of AdGuard servers, you can block Default + blocking adult websites + safe search (Family protection DNS servers).

Relying also on DNS, you may want to make sure all DNS queries from the clients go to the ones you configured, even if the clients override them locally. So if you wish, you can enforce this with a firewall rule:

Go to Firewall: NAT: Port Forward and click on the plus sign (create new rule)
1. Interface: LAN
2. TCP/IP Version: IPv4
3. Protocol: TCP/UDP
4. Source: any
5. Destination/Invert: checked
6. Destination: LAN address
7. Destination port range: from DNS to DNS
8. Redirect target port: DNS
9. Description: whatever you want
10. NAT reflection: Disabled
SAVE/APPLY

With these settings, I just got these results (from Romania, ISP is RDS with a Fiberlink 1000 line, 1Gbit/sec download, 500Mbit/sec upload theoretical link, both are up-to values, with an i3-8100 CPU):
-with Amsterdam: http://www.speedtest.net/result/6972207406
-with Romania: http://www.speedtest.net/result/6972210834

That's it :)


Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: elektroinside on January 17, 2018, 02:20:38 pm
Feel free to comment, ask questions, tell your success/fail stories...
Criticism is also welcomed :)
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: hutiucip on January 18, 2018, 12:54:03 pm
Not because you're from Romania (me too :) ), but bravo for your guide, excellent work.

Only one addition (and maybe you can add this to your post?!): Please be aware that IPS rulesets like ET open/emerging-current_events and ET open/emerging-dos - I don't know the exact rule(s) in the ruleset(s), though - caused issues for me with traffic between internal interfaces (e.g. CorpLan <-> Servers, Core <-> Management), like RDP sessions, Veeam backup speed/sustainability, etc. The most important thing: those issues weren't listed on the "Alerts" list, neither as blocked nor otherwise. This is the reason I didn't identify the exact problematic rules; I didn't have the time and/or patience to "ad labam" verify every rule in every ruleset.

I advise everyone, especially if on a production/critically available network, to check rulesets and rules with a one-by-one activation/deactivation approach, especially if network services are crippled without any apparent reason.

Cheers.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: elektroinside on January 18, 2018, 01:14:30 pm
Thank you :)

You're perfectly right, take a look at this post: https://forum.opnsense.org/index.php?topic=6840.0

That's why I specified the target audience (home and/or small office), under no circumstances should this guide be deployed in SME or higher, as it is.

Thank you for adding this missing description, I'll include it in the INTRO part, so that people may be aware as to why this is not good for SME as it is and what needs to be tweaked in case of issues.

Update: updated the description of the guide :)
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: elektroinside on January 19, 2018, 03:35:58 pm
New update: added some more debugging steps.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: richardmountain on January 25, 2018, 12:39:10 pm
I'm currently using Unbound DNS but when I check 'DNS Query Forwarding' it stops access to websites.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: franco on January 25, 2018, 12:47:19 pm
If you have no DNS servers it doesn't know where to forward to.


Cheers,
Franco
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: elektroinside on January 25, 2018, 01:00:27 pm
Yes, as Franco said, you have to make sure you have configured DNS servers here (like in the attached snapshot):
System: Settings: General

And if you are on 18.1.r2, you should also apply this patch from the console in order to see all the blocked rules in the GUI (so you can unblock them if needed):
https://github.com/opnsense/core/commit/573612d48


Code:
opnsense-patch 573612d48
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: richardmountain on January 25, 2018, 01:03:05 pm
I have DNS server IP addresses entered in there. I have the IP addresses that OpenDNS suggest.

I'm currently on 17.7.12 should I look at updating?
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: elektroinside on January 25, 2018, 01:09:39 pm
Quote
I have DNS server IP addresses entered in there. I have the IP addresses that OpenDNS suggest.

Strange...
You should not enable DNSSEC (no support from AdGuard or OpenDNS) (Services: Unbound DNS: General)
You should verify your access list and make sure all your internal networks are added in the ACL (Services: Unbound DNS: Access Lists)

Maybe a restart of OPNsense helps?
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: richardmountain on January 25, 2018, 01:18:10 pm
Good shout about DNSSEC, I'd got that enabled.

I've disabled it and it's working.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: elektroinside on January 25, 2018, 01:32:24 pm
Great!
Now, you can begin the hunt for rules to disable :)
17.7.x, unfortunately, will not display in the GUI all of the blocked packets (and corresponding rules). You might have issues and you might not realize why (what is being blocked).

I don't think the above-mentioned patch breaks IDS on 17.7.x, you could try it (I hope I'm not wrong):

Run this from the console (from PuTTY):
Code:
opnsense-patch 573612d48
If, for some reason, something breaks, run the patch again (it will revert the changes).
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: richardmountain on January 25, 2018, 01:58:47 pm
Okay, thanks for that.  I'll take a look.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: elektroinside on January 25, 2018, 02:12:22 pm
Sure thing, you're welcome.

I've also updated the guide to make users aware of the DNSSEC option.

Thank you.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: richardmountain on January 25, 2018, 02:27:51 pm
Great,

Another issue I've got with OpenDNS, which might be related somehow.

It seems to be working to a degree because it's blocking sites that I've blocked, however, it doesn't seem to be logging the sites I've visited or even my requests?
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: elektroinside on January 25, 2018, 03:22:39 pm
Modify the log verbosity level for Unbound in Services: Unbound DNS: Advanced (from 1 to higher), then 'Apply'. Find the level which is best for you. It will log queries beginning with level 2.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: you on February 05, 2018, 10:29:25 pm
Hi elektroinside,

Thanks for this initiative. This is all mega helpful for a beginner like me! Especially the AdGuard howto is something I highly appreciate ;)


Thanks also to all contributors in this thread.

Cheers
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: elektroinside on February 05, 2018, 11:37:39 pm
You're welcome, happy to help :)
Hope this guide will help you protect your network. In order to achieve this, don't forget that IDS requires patience at the beginning, especially the first hours/days. Don't get frustrated if stuff is blocked, you just have to discover which rules you need and which you do not. You'll never know if you don't try them all, right? :)
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: jenmonk on March 23, 2018, 01:40:19 pm
I do see a lot of menu changes in OPNsense 18.1.5. I'd appreciate it if you could update for the 18 version.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: elektroinside on March 23, 2018, 02:28:56 pm
Indeed, I will update the post soon :)
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: jenmonk on March 26, 2018, 05:30:20 pm
@elektroinside
I was able to figure out the menus. I had my Qotom mini PC collecting dust for over 6 months. I was able to install OPNsense but had trouble configuring IDS/IPS (me to blame). I followed your tutorial and am very happy with the result. A ton of thanks.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: elektroinside on March 26, 2018, 05:45:29 pm
Very happy to hear it helped.
You're welcome!
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: jenmonk on March 27, 2018, 06:19:21 pm
I'd appreciate it if you could add config steps for
transparent Caching Proxy
clamav
rspamd
of course, if it is not too much work
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: elektroinside on March 27, 2018, 06:33:30 pm
I would, but I try to avoid the use of proxies. My reasons are maintenance & performance related. I have managed to do so for many years now, and I'm kinda outdated with regards to OPNsense & its proxy implementation. I tried it so as not to die stupid; it works, but I'm no expert, hence I cannot write a more helpful tutorial than the one already existing in the manual :)
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: jenmonk on March 28, 2018, 05:27:53 pm
No worries. I am happy with the current setup.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: jenmonk on March 28, 2018, 09:49:24 pm
I have an AT&T router acting as just a modem --> WAN on OPNsense --> LAN of OPNsense to an Asus wifi router. When I put my AT&T modem and OPNsense in bridge mode, I can't connect to the internet. Any help?
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: jenmonk on March 29, 2018, 02:21:28 pm
Never mind. Restarting in sequence resolved the issue: shut down all, restart modem, OPNsense and wifi router.
Thanks
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: elektroinside on March 30, 2018, 07:00:02 am
Better not hijack this thread with unrelated issues, and open a new topic if this is still an ongoing issue. If not, I'm glad you worked it out :)
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: jenmonk on March 30, 2018, 03:26:59 pm
I understand, and sorry about it.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: elektroinside on March 30, 2018, 05:03:05 pm
Don't worry :)
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: jenmonk on April 01, 2018, 10:55:26 pm
Quote
Networking

1. Go to System: Settings: Networking
2. Disable all hardware offloading (they are by default, but please verify)

Should be

Networking

1. Go to Interfaces: Settings
2. Disable all hardware offloading (they are by default, but please verify)
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: Julien on April 25, 2018, 12:27:56 am
On the port forward NAT firewall rule, we cannot create it as it requests the redirect IP (see attached).

My question is about these steps:

Code:
Go to Firewall: NAT: Port Forward and click on the plus sign (create new rule)
1. Interface: LAN
2. TCP/IP Version: IPv4
3. Protocol: TCP/UDP
4. Source: any
5. Destination/Invert: checked
6. Destination: LAN address
7. Destination port range: from DNS to DNS
8. Redirect target port: DNS
9. Description: whatever you want
10. NAT reflection: Disabled
SAVE/APPLY
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: jenmonk on April 25, 2018, 02:33:57 am
I know. I gave my LAN IP 192.168.5.1/24
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: Julien on April 25, 2018, 07:25:48 pm
Quote
I know. I gave my LAN IP 192.168.5.1/24
Is your answer related to my question?
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: jenmonk on April 25, 2018, 10:51:34 pm
Yes, for the redirect IP I gave my LAN IP 192.168.5.1/24
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: hutiucip on April 26, 2018, 10:54:24 am
Or 127.0.0.1, for cases when you use multiple interfaces with multiple subnets and you create an "interface group" in the firewall, and create a single rule for this group containing all LAN subnets. :)
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: Julien on April 28, 2018, 12:42:02 am
Quote
Or 127.0.0.1, for cases when you use multiple interfaces with multiple subnets and you create an "interface group" in the firewall, and create a single rule for this group containing all LAN subnets. :)
If we are using an internal Active Directory, do we have to add this rule and use the Active Directory IP 10.10.10.101?

The DNS is working now, or would creating these rules speed things up?
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: hutiucip on May 16, 2018, 11:02:24 am
Quote
If we are using an internal Active Directory, do we have to add this rule and use the Active Directory IP 10.10.10.101?

Definitely! :)
You use the IP of the DNS server you want to use. Pay close attention at the moment when & if you start to use different DNS servers for different VLANs: you would have to break the "single floating rule" model, and clone & adapt every rule for every VLAN with each corresponding DNS server on every subnet's/VLAN's interface.

Quote
The DNS is working now, or would creating these rules speed things up?

I don't quite get that, what do you mean?
Anyway, related to DNS traffic and speeding things up, it is a "best practice" to place rules implying DNS queries as far down as possible: as all FW rules are evaluated from top to bottom, every time a particular traffic session is about to be established it first causes a FW rules evaluation for that session; when anything but pure IP addresses (CIDR) is used in a particular FW rule which is placed on top, you will have generated the DNS query traffic necessary for that particular rule evaluation. Even if the rule doesn't match the traffic, still, the rule is evaluated, and is evaluated after the DNS FQDN <-> IP record has been obtained from the DNS server. You will get .

Pay close attention to rule order; it's important since OPNsense is NOT your DNS server in your domain. If you google it a bit, you will find the exact recommended order for FW rules based on their type and purpose (general use, no brand addiction).
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: mitchadmin on August 17, 2018, 04:32:43 am
Hi,

I have followed your guide for basic configuration and found it an excellent point of reference.
Is there possibly a guide for configuration that will allow RDP to run properly through an OPNsense router?

Many thanks
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: marjohn56 on August 17, 2018, 08:04:35 am
You could use a port forward for RDP to a specific machine, however I would only ever use that if the machine on the WAN side is on a static address and you can limit that port forward to that address, otherwise you are exposing the internal machine to the WAN, not a good idea. If you want to use RDP from the WAN, then use a VPN and go into the LAN that way, then connect using RDP to the local address of the machine you want.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: mitchadmin on August 20, 2018, 01:50:50 am
I want to RDP from the LAN side of the router out to client servers (which I depend on to do my job).

Currently, I must have IDS/IPS turned off in order to use RDP. And yes, I have looked over and disabled every RDP related rule I can find.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: thewolf56 on August 20, 2018, 07:18:05 am
Quote
3. If you have newer Intel CPU (so not an AMD) in the OPNsense box, most probably you can select as pattern matcher 'Hyperscan'. You will have to dmesg in the console to verify. If no SSE3 (so a newer Intel CPU), leave the default Aho-Corasick
4. Select WAN and LAN in interfaces. If you have a PPPoE link, WAN won't work.

Hello @elektroinside

I followed your guide to the end and after downloading the rules (and after changing the ones you pointed out that caused issues with windows update to alert), I was able to get IDS/IPS to run, but only for less than a minute before it would stop itself.  I would watch the cpu graph and memory usage on the dashboard steadily climb and then I would see the cpu graph drop dramatically and watch my memory usage (4 GB RAM) drop from about 52% to 14%.  I would then refresh the dashboard to see that IDS had stopped.

I did some googling and it seems that my issue is that I had set the pattern matcher to "Hyperscan" (it's been staying on ever since I changed it back to default). My i5-5250U has Intel SSE 4.1 and SSE 4.2, which are backwards compatible with SSE 3, so I rechecked your instructions to use dmesg to verify SSE3. I did use dmesg to verify the SSE3 set is there, but the only change I made was switching from hyperscan to default to make it work. So, I am at a loss on that front. My WAN is PPPoE, so I made sure that was not included and I double-checked all hardware acceleration was disabled.

I see a small point where a little clarification could help those of us that need to follow this wonderful guide step by step. The first part of step 3 says (to me) that if I have a newer Intel CPU, then I should have SSE3, but then the last part indicates that no SSE3 is indicative of a newer Intel CPU. I re-read that part a few times, but was not sure whether a newer Intel CPU should have SSE3 or not.

Thanks again for this great guide and other guidance you have shared.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: mimugmail on August 20, 2018, 07:30:59 am
Do you use the URLHaus list? ATM it's too big and unusable.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: thewolf56 on August 20, 2018, 08:05:19 am
Quote
Do you use the URLHaus list? ATM it's too big and unusable.

Thanks mimugmail. I do have that list enabled at the moment. Would it be better to disable the URLhaus list and re-enable hyperscan? Or leave the rule list enabled with the default pattern matcher?

I tried disabling that list and switched back to hyperscan.  Suricata still stalled out and stopped running with hyperscan enabled.  I have not re-checked my speed on my 1 Gbps up/down since switching to default pattern matcher, but plan to do so once I am back on ethernet instead of wifi, but I imagine it is not going to be a great speed.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: Marcel_75 on September 17, 2018, 06:39:23 pm
@elektroinside: Thank you for this nice guide. Followed it step by step.

Unfortunately, I still can download the Eicar Test Virus from https://www.wicar.org/test-malware.html without any problem.

So my IDS/IPS isn't working as it should, right?

Any idea how to check what's going wrong here?

PS: My client computer has a manual IP and the DNS server is the same as the Gateway. Also your Firewall rule is added to avoid DNS overrides from client side. And all rulesets are activated as recommended, so the download speed is not over 100 MBit now (without Suricata I have nearly 400 MBit normally). It seems to be "on" but I still can download the Eicar Test Virus? Why? That's strange …
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: FirstSoul on September 27, 2018, 01:20:44 pm
Test it here:
http://www.eicar.org/85-0-Download.html

HTTP blocks it HTTPS not... interesting.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: mimugmail on September 27, 2018, 01:53:02 pm
It's encrypted ... that's all.
You have to do SSL inspection via a proxy to do this.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: jds on October 11, 2018, 05:58:33 am
Marcel_75: I have the same issue. There were some errors in the log about one of the lists, which I disabled. But still fails the eicar test. Followed everything exactly, tried multiple times. No other complaints that I can find in the logs.

Here is the log entry
suricata: [100090] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SSL Fingerprint Blacklist: Malicious SSL certificate detected (Quakbot C&C)"; tls_fingerprint:"ff:ff:89:55:e7:62:ca:a2:7b:97:a2:2e:2c:6f:e6:d0:53:a8:f1:9a"; sid:902332065; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.sslblacklist.rules at line 2822

UPDATE: after a few hours, suricata stopped running, and threw no errors in its logs. I noticed that the opnsense howto is different (older) than this post. Importantly, it just suggests adding the WAN interface, and not LAN. So, I removed LAN, but could still download the eicar test files. Does it matter that I am using openvpn client on the firewall?

Second update: I think that it is working now. But this required setting my WAN, LAN and openvpn interfaces for IPS, setting promiscuous mode, and setting the pattern matcher to Aho-Corasick (despite having a quad core Intel CPU), and then rebooting. This gave a new message in the log file that I had not seen before:

suricata: [100098] <Notice> -- all 6 packet processing threads, 4 management threads initialized, engine started.

Which looked encouraging. The test at eicar then appears to work.  Yeah!
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: xames on January 18, 2019, 09:23:36 pm
How to use IPS with multi-WAN settings and internal DNS?

thanks.
Title: Re: Fast and easy way to protect your home and/or small office network with OPNsense
Post by: marcri on June 05, 2019, 08:14:09 pm
Hi,

Is it possible to change the action of multiple rules? I want to change ~1000 actions from alert to drop ;)
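A small script for the bulk action change asked about here and for the guide's workflow of searching the Alerts tab for "blocked" and setting the offending rule back to Alert. It is an added example, not code from the thread or from OPNsense; it assumes Suricata's EVE JSON log format and plain one-rule-per-line rule files, and every log line, sid and rule in it is constructed.

```python
"""Triage Suricata IPS blocks and change rule actions in bulk.

Added example, not code from the forum post or from OPNsense. It assumes
Suricata's EVE JSON log (alert.action is "blocked" when a drop rule fired
in IPS mode) and the usual one-rule-per-line rules format. Every sample
log line, sid and rule below is constructed for illustration.
"""
import json
import re
from collections import Counter

# Leading action keyword of a rule line; everything after it is kept as-is.
ACTION_RE = re.compile(r"^(?P<indent>\s*)(?P<action>alert|drop|pass|reject)\b(?P<rest>.*)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def blocked_sids(eve_lines):
    """Return {sid: (hit_count, signature)} for alerts Suricata blocked.

    Command-line equivalent of the guide's 'Alerts tab, search for blocked'
    step. Non-alert events, allowed alerts and malformed lines are skipped.
    """
    hits = Counter()
    names = {}
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad log line must not abort the triage
        alert = event.get("alert") or {}
        if event.get("event_type") != "alert" or alert.get("action") != "blocked":
            continue
        sid = int(alert["signature_id"])
        hits[sid] += 1
        names[sid] = alert.get("signature", "")
    return {sid: (count, names[sid]) for sid, count in hits.items()}


def set_actions(rules_text, new_action="drop", keep_alert=frozenset()):
    """Rewrite the action keyword of every active rule in rules_text.

    Sids in keep_alert become 'alert' (the guide's per-rule unblock); every
    other active rule becomes new_action (the guide's 'all alerts to drop').
    """
    out = []
    for line in rules_text.splitlines():
        match = ACTION_RE.match(line)
        sid_match = SID_RE.search(line)
        if line.lstrip().startswith("#") or not match or not sid_match:
            out.append(line)  # comment, blank, or not a parseable rule
            continue
        sid = int(sid_match.group(1))
        action = "alert" if sid in keep_alert else new_action
        out.append(f"{match.group('indent')}{action}{match.group('rest')}")
    return "\n".join(out) + "\n"


# Constructed EVE lines: two blocks on sid 9000001, one on 9000002, one
# allowed alert, one non-alert event and one junk line. Sids in the
# 9000000 range are local-rule placeholders, not real ET signatures.
SAMPLE_EVE = """\
{"timestamp":"2018-01-16T23:10:01+0200","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.10","alert":{"action":"blocked","signature_id":9000001,"rev":1,"signature":"CONSTRUCTED rule A"}}
{"timestamp":"2018-01-16T23:10:02+0200","event_type":"alert","src_ip":"192.168.1.21","dest_ip":"203.0.113.10","alert":{"action":"blocked","signature_id":9000001,"rev":1,"signature":"CONSTRUCTED rule A"}}
{"timestamp":"2018-01-16T23:10:03+0200","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.1.20","alert":{"action":"blocked","signature_id":9000002,"rev":1,"signature":"CONSTRUCTED rule B"}}
{"timestamp":"2018-01-16T23:10:04+0200","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.1.20","alert":{"action":"allowed","signature_id":9000005,"rev":1,"signature":"CONSTRUCTED alert-only rule"}}
{"timestamp":"2018-01-16T23:10:05+0200","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"203.0.113.10"}
not json at all
"""

# Constructed rules file: two alert rules, one disabled rule, one drop rule.
SAMPLE_RULES = """\
# constructed rules file
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED rule A"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED rule B"; sid:9000002; rev:1;)
# alert udp any any -> any 53 (msg:"CONSTRUCTED disabled rule C"; sid:9000003; rev:1;)
drop tcp any any -> any any (msg:"CONSTRUCTED already drop"; sid:9000004; rev:1;)
"""


def triage(eve_text=SAMPLE_EVE, rules_text=SAMPLE_RULES, unblock=frozenset({9000001})):
    """List what was blocked, then emit rules where the chosen sids stay on alert."""
    summary = blocked_sids(eve_text.splitlines())
    return summary, set_actions(rules_text, "drop", keep_alert=unblock)


if __name__ == "__main__":
    summary, rewritten = triage()
    for sid, (count, name) in sorted(summary.items(), key=lambda kv: -kv[1][0]):
        print(f"sid {sid}: blocked {count}x  {name}")
    print(rewritten, end="")
```

Point it at a real eve.json and rules file to review what was actually blocked before deciding which sids to keep on alert, and check the rewritten output before installing it.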