OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: privateer on February 05, 2018, 04:02:27 pm

Title: IDS/IPS Clarification needed
Post by: privateer on February 05, 2018, 04:02:27 pm
Hi,
On my network I was trying to block porn sites without using an HTTPS proxy server (if possible). I planned to do this by enabling the "ET open/emerging-inappropriate" and "ET open/emerging-p2p" rules in the IDS, but only the p2p traffic is dropped; everything that should be filtered by the inappropriate rules still works... Am I missing something?

Andrea
Title: Re: IDS/IPS Clarification needed
Post by: elektroinside on February 05, 2018, 11:52:46 pm
The easiest/fastest/no-maintenance way to get there is to use DNS servers and enforce the use of those DNS servers you configured (so nobody can get around them). IDS can help, but it's not maintenance-free.

One such provider is AdGuard and its "Family protection" DNS servers.

More details here:
https://blog.adguard.com/en/adguard-dns-family-protection/

And the servers here (mind you, there are two sets, only one of them blocks adult websites):
https://adguard.com/en/adguard-dns/overview.html

Do you need help with configuring them on OPNsense?

P.S. This method isn't bulletproof either, there are many ways to avoid different layers of protection, but does a decent job.
Title: Re: IDS/IPS Clarification needed
Post by: privateer on February 06, 2018, 03:06:12 pm
I don't like DNS filtering so much; I would consider it the last resort for this.
Title: Re: IDS/IPS Clarification needed
Post by: elektroinside on February 07, 2018, 02:01:23 am
Those rules cover extremely few cases.

Why isn't DNS filtering a good solution for you? I'm just curious if you don't mind.
DNS filtering is fast, consumes no local resources (if you use external servers), no maintenance...
Title: Re: IDS/IPS Clarification needed
Post by: privateer on February 15, 2018, 04:04:15 pm
Sorry if I'm late...
I would prefer to manage the blocked sites myself (OK, false positives on OpenDNS etc. are rare, but who knows...).
DNS configuration can also be bypassed by clients setting the DNS server in the adapter config.
Title: Re: IDS/IPS Clarification needed
Post by: 3kj2w on February 15, 2018, 05:13:48 pm
It is almost a lost battle...
At first I used to block domains and IPs from all the adult/porn/inappropriate lists I was able to find (>1,000,000 entries); still, a lot of sites escaped filtering.
Now I am using my own DNS server with lists only for ads, coin miners, malware and porn, with its resolver configured to forward to OpenDNS (Umbrella), and it just works.
All restricted LAN clients use this DNS server and are also redirected to this internal DNS server so they can't ignore it; the rest of them use the firewall's Unbound resolver with different blocking lists for ads, coin miners and malware.
Title: Re: IDS/IPS Clarification needed
Post by: Ciprian on February 16, 2018, 11:13:25 am
DNS configuration can also be bypassed by clients setting the DNS server in the adapter config.

There is a very simple way to stop internal clients circumventing your internal DNS resolving by setting a manual DNS server in the adapter config:

Create a NAT rule on the LAN interface(s), with no reflection, for TCP/UDP port(s) 53 and 5353 (you have to find out for yourself which alternate ports on public DNS servers can be used; AFAIK Google DNS 8.8.8.8 might be reachable on both ports 53 and 5353), where the destination is "!LAN network". Mind the exclamation mark (!) before "LAN Network": it means "NOT", and is set by ticking "Destination / Invert". The "Redirect target IP" is localhost (127.0.0.1).

This means that any time a DNS request reaches OPNsense on the LAN interface(s) and is not destined to an internal/LAN IP address (your OPNsense, or another internal DNS server/resolver if different), OPNsense will NAT it and redirect it to itself.
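
The rule above, modelled as an added example (not from the post or from OPNsense): it renders the pf `rdr` rule that the GUI rule corresponds to and evaluates a few constructed client packets against the same match logic (source on the LAN, destination NOT in the LAN network, TCP/UDP to port 53 or 5353, redirected to the local resolver). The interface name, LAN network and the resolver port (53) are assumed values. It also flags the gap a practitioner should know about: DNS over TLS (853) and DNS over HTTPS (443) are not on the port list, so a client that switches to those still bypasses the local resolver.

```python
"""Model of the DNS-redirect NAT rule described in the post above.

Added example, not from the forum post or OPNsense: renders the pf 'rdr'
rule the GUI rule corresponds to and evaluates constructed client packets
against the same match logic. Interface name, LAN network and resolver
port are assumed values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Assumptions for illustration (not from the thread).
LAN_IF = "em1"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
REDIRECT_TARGET = ("127.0.0.1", 53)     # resolver on the firewall, port 53 assumed
DNS_PORTS = (53, 5353)                  # ports named in the post


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # client address
    dst: str        # original destination address
    dport: int      # original destination port


def pf_rdr_rule(lan_if: str = LAN_IF, lan_net=LAN_NET, ports=DNS_PORTS) -> str:
    """pf.conf form of the rule (syntax per pf.conf(5); the text OPNsense
    generates may differ cosmetically, e.g. anchors and 'from any')."""
    port_list = ", ".join(str(p) for p in ports)
    return (f"rdr on {lan_if} inet proto {{ tcp, udp }} "
            f"from {lan_net} to ! {lan_net} port {{ {port_list} }} "
            f"-> {REDIRECT_TARGET[0]} port {REDIRECT_TARGET[1]}")


def effective_destination(pkt: Packet) -> Tuple[str, int]:
    """Where the packet really goes after the rule is applied."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    matches = (
        pkt.proto in ("tcp", "udp")
        and src in LAN_NET          # arrives on the LAN interface
        and dst not in LAN_NET      # "Destination / Invert": NOT the LAN network
        and pkt.dport in DNS_PORTS
    )
    return REDIRECT_TARGET if matches else (pkt.dst, pkt.dport)


def escapes_redirect(pkt: Packet) -> bool:
    """True for DNS-capable traffic the rule does not catch: DNS over TLS
    (853) and DNS over HTTPS (443) are not on the port list, so a client
    using them still reaches the outside resolver directly."""
    return pkt.dport in (443, 853) and effective_destination(pkt) != REDIRECT_TARGET


# Constructed sample traffic.
SAMPLES = [
    Packet("udp", "192.168.1.20", "8.8.8.8", 53),       # hand-set Google DNS -> redirected
    Packet("tcp", "192.168.1.20", "8.8.8.8", 5353),     # alternate port -> redirected
    Packet("udp", "192.168.1.20", "192.168.1.1", 53),   # already the firewall -> untouched
    Packet("tcp", "192.168.1.20", "1.1.1.1", 853),      # DNS over TLS -> not caught
]

if __name__ == "__main__":
    print(pf_rdr_rule())
    for p in SAMPLES:
        print(p.proto, p.dst, p.dport, "->", effective_destination(p),
              "(escapes)" if escapes_redirect(p) else "")
```

If you want the redirect to be complete rather than best-effort, block outbound 853 from the LAN as well and accept that DoH on 443 can only be handled by blocking known DoH resolver addresses.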
Title: Re: IDS/IPS Clarification needed
Post by: privateer on February 16, 2018, 03:00:11 pm
Cool! If my tests aren't successful, I'll give this a try.
Title: Re: IDS/IPS Clarification needed
Post by: privateer on February 16, 2018, 03:35:32 pm
But... at this point... maybe the "ET open/emerging-inappropriate" rules are almost useless?
Title: Re: IDS/IPS Clarification needed
Post by: Ciprian on February 19, 2018, 08:47:27 am
I don't use them ("inappropriate"), I use only p2p. Everything else I block by port or by DNS.
Title: Re: IDS/IPS Clarification needed
Post by: 3kj2w on February 19, 2018, 09:11:18 am
If we look at these rules we will see that they work by searching the HTTP stream for descriptive content words. This will not work for HTTPS (most sites use HTTPS now) or for media links, so yes, you can say they are almost useless, because they will block any site that has these words, including tutorials that describe how to block adult sites.

Code:
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
#  as follows:
#
#*************************************************************
#  Copyright (c) 2003-2017, Emerging Threats
#  All rights reserved.

#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:

#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.

#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#

# This Ruleset is EmergingThreats Open optimized for suricata-2.0-enhanced.

#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INAPPROPRIATE Google Image Search, Safe Mode Off"; flow:established,to_server; uricontent:"&safe=off"; content:"|0d 0a|Host|3a| images.google.com|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002925; classtype:policy-violation; sid:2002925; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn preteen"; flow: from_server,established; content:"preteen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001346; classtype:policy-violation; sid:2001346; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn pre-teen"; flow: from_server,established; content:"pre-teen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001347; classtype:policy-violation; sid:2001347; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn early teen"; flow: from_server,established; content:"early teen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001348; classtype:policy-violation; sid:2001348; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn pthc"; flow: from_server,established; content:" pthc "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001386; classtype:policy-violation; sid:2001386; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn zeps"; flow: from_server,established; content:" zeps "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001387; classtype:policy-violation; sid:2001387; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn r@ygold"; flow: from_server,established; content:" r@ygold "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001388; classtype:policy-violation; sid:2001388; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn childlover"; flow: from_server,established; content:" childlover "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001389; classtype:policy-violation; sid:2001389; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE free XXX"; flow: to_client,established; content:"FREE XXX"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001349; classtype:policy-violation; sid:2001349; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE hardcore anal"; flow: to_client,established; content:"hardcore anal"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001350; classtype:policy-violation; sid:2001350; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE masturbation"; flow: to_client,established; content:"masturbat"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001351; classtype:policy-violation; sid:2001351; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE ejaculation"; flow: to_client,established; content:"ejaculat"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001352; classtype:policy-violation; sid:2001352; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE BDSM"; flow: to_client,established; content:"BDSM"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001353; classtype:policy-violation; sid:2001353; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Sextracker Tracking Code Detected (1)"; flow: from_server,established; content:"BEGIN SEXLIST REFERRER-STATS CODE"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001392; classtype:policy-violation; sid:2001392; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Sextracker Tracking Code Detected (2)"; flow: from_server,established; content:"BEGIN SEXTRACKER CODE"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001393; classtype:policy-violation; sid:2001393; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Likely Porn"; flow: established,from_server; pcre:"/ (FREE XXX|dildo|masturbat|oral sex|ejaculat|up skirt|tits|bondage|lolita|clitoris|cock suck|hardcore (teen|anal|sex|porn)|raw sex|((fuck|sex|porn|xxx) (movies|dvd))|((naked|nude) (celeb|lesbian)))\b/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001608; classtype:policy-violation; sid:2001608; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE alt.binaries.pictures.tinygirls"; flow:to_client,established; content:"alt.binaries.pictures.tinygirls"; nocase; classtype:policy-violation; sid:2101837; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE anal sex"; flow:to_client,established; content:"anal sex"; nocase; classtype:policy-violation; sid:2101317; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE fuck fuck fuck"; flow:to_client,established; content:"fuck fuck fuck"; nocase; classtype:policy-violation; sid:2101316; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE fuck movies"; flow:to_client,established; content:"fuck movies"; nocase; classtype:policy-violation; sid:2101320; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE hardcore anal"; flow:to_client,established; content:"hardcore anal"; nocase; classtype:policy-violation; sid:2101311; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE hardcore rape"; flow:to_client,established; content:"hardcore rape"; nocase; classtype:policy-violation; sid:2101318; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE hot young sex"; flow:to_client,established; content:"hot young sex"; nocase; classtype:policy-violation; sid:2101315; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE naked lesbians"; flow:to_client,established; content:"naked lesbians"; nocase; classtype:policy-violation; sid:2101833; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE up skirt"; flow:to_client,established; content:"up skirt"; nocase; classtype:policy-violation; sid:2101313; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
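
An added example (not from the post or the ET ruleset) that replays the match logic of two of the rules listed above over constructed HTTP response bodies, to show concretely why they do little in practice: the pcre of sid 2001608 fires on any plaintext page that merely mentions one of its phrases (a tutorial about blocking adult sites included); sid 2001349 carries `threshold: type threshold, track by_dst, count 5, seconds 360`, which per Suricata's threshold semantics only fires on the 5th matching response to the same client within the window, so the first four responses are delivered untouched even in IPS mode; and a TLS record is opaque bytes, so neither rule has anything to match. The sample bodies are constructed, and the threshold tracker is a model of the keyword, not Suricata's code.

```python
"""Replay of the match logic behind two ET INAPPROPRIATE rules (added example)."""
import re
from collections import defaultdict
from typing import Dict, List

# pcre copied from sid 2001608 above; the trailing /i becomes re.IGNORECASE.
ET_2001608 = re.compile(
    r" (FREE XXX|dildo|masturbat|oral sex|ejaculat|up skirt|tits|bondage|lolita"
    r"|clitoris|cock suck|hardcore (teen|anal|sex|porn)|raw sex"
    r"|((fuck|sex|porn|xxx) (movies|dvd))|((naked|nude) (celeb|lesbian)))\b",
    re.IGNORECASE,
)


def matches_2001608(http_body: bytes) -> bool:
    """The pcre keyword inspects the reassembled response body as text."""
    return ET_2001608.search(http_body.decode("latin-1")) is not None


def content_2001349(http_body: bytes) -> bool:
    """content:"FREE XXX"; nocase;  from sid 2001349 above."""
    return b"FREE XXX" in http_body.upper()


class ThresholdTracker:
    """Model of 'threshold: type threshold, track by_dst, count N, seconds S':
    fires on every N-th content match for the same destination inside an
    S-second window; the counter restarts after it fires."""

    def __init__(self, count: int = 5, seconds: int = 360) -> None:
        self.count, self.seconds = count, seconds
        self.hits: Dict[str, List[float]] = defaultdict(list)

    def fires(self, dst_ip: str, ts: float, content_matched: bool) -> bool:
        if not content_matched:
            return False
        window = [t for t in self.hits[dst_ip] if ts - t <= self.seconds] + [ts]
        if len(window) >= self.count:
            self.hits[dst_ip] = []
            return True
        self.hits[dst_ip] = window
        return False


def fire_sequence(bodies: List[bytes], dst_ip: str = "192.168.1.20",
                  interval: float = 10.0) -> List[bool]:
    """For a series of responses (one every `interval` seconds) to one client,
    which of them would make sid 2001349 fire (and, in IPS mode, be dropped)."""
    tracker = ThresholdTracker()
    return [tracker.fires(dst_ip, i * interval, content_2001349(b))
            for i, b in enumerate(bodies)]


# Constructed sample bodies (not captured traffic).
TUTORIAL = b"<p>How to block hardcore porn sites on OPNsense with DNS lists</p>"
HARMLESS = b"<p>Release notes for OPNsense 18.1</p>"
PORN_AD = b"<a href='/join'>free xxx videos</a>"
# A TLS application-data record header followed by opaque ciphertext bytes.
TLS_RECORD = bytes([0x17, 0x03, 0x03, 0x00, 0x1F]) + bytes(range(0x80, 0x9F))

if __name__ == "__main__":
    for label, body in (("tutorial", TUTORIAL), ("harmless", HARMLESS), ("tls", TLS_RECORD)):
        print(f"sid 2001608 on {label}: {matches_2001608(body)}")
    print("sid 2001349 over six ad responses:", fire_sequence([PORN_AD] * 6))
```

The false positive on the tutorial and the four free passes before the threshold trips are exactly the two reasons these rules are better left disabled, even on plaintext HTTP.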

Title: Re: IDS/IPS Clarification needed
Post by: privateer on February 19, 2018, 04:03:33 pm
I don't use them ("inappropriate"), I use only p2p. Everything else I block by port or by DNS.

OK, I'm finally going this way too. But now I have a little OT question: how do you handle different blocking profiles by DNS? I mean: I have 2 subnets; I would like to have a very restrictive profile on subnet 1 (guests) and a more permissive one on subnet 2 (private LAN).
Title: Re: IDS/IPS Clarification needed
Post by: elektroinside on February 19, 2018, 04:29:27 pm
You can use a custom DNS server, like Pi-hole, for the restrictive LAN.
Or you can push the AdGuard DNS server sets to both: Family Protection for the restrictive LAN, the other set for the permissive one, and enforce the use of these on both LANs. Or any other filtering DNS servers out there. You can also block other external DNS servers (allow only the ones you configured). You have the details in the first reply of this thread.
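
An added example (not from the thread or from OPNsense) for the per-subnet question above and for the "own DNS server with blocklists, forwarding to OpenDNS" setup 3kj2w described: a single Unbound instance that serves two blocking profiles selected by source subnet. It converts blocklists in the two usual formats (hosts-file style `0.0.0.0 host` and plain domain lists) into Unbound `local-zone ... static` entries (NXDOMAIN for the name and everything below it), prunes subdomains that a blocked parent already covers, and renders a config fragment with one `view:` per subnet chosen by `access-control-view`, plus a catch-all `forward-zone`. The subnets, list contents and upstream addresses (OpenDNS public resolvers) are constructed/assumed; on OPNsense the fragment would go into Unbound's custom options, and the NAT redirect from earlier in the thread keeps clients from bypassing it.

```python
"""One Unbound instance with a different blocking profile per subnet (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}   # hosts-file sink prefixes


@dataclass
class Profile:
    name: str               # Unbound view name
    subnet: str             # clients that get this view
    blocklists: List[str]   # raw blocklist texts


def parse_blocklist(text: str) -> Set[str]:
    """Accept 'host' or '<sink-ip> host' lines; drop comments, localhost
    entries and anything that is not a syntactically valid hostname."""
    names: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        parts = line.split()
        host = parts[1] if len(parts) > 1 and parts[0] in SINK_ADDRS else parts[0]
        host = host.rstrip(".")
        if host.split(".")[0] == "localhost" or not HOSTNAME_RE.match(host):
            continue
        names.add(host)
    return names


def prune_covered(names: Iterable[str]) -> List[str]:
    """Remove names whose parent is already blocked: a static local-zone for
    'example.test' already answers NXDOMAIN for 'cdn.example.test'."""
    kept: Set[str] = set()
    for name in sorted(names, key=lambda n: n.count(".")):   # parents first
        labels = name.split(".")
        if any(".".join(labels[i:]) in kept for i in range(1, len(labels))):
            continue
        kept.add(name)
    return sorted(kept)


def render_unbound_views(profiles: List[Profile], upstreams: List[str]) -> str:
    """Unbound config fragment: access-control(-view) per subnet, one view per
    profile holding its pruned block zones, and a catch-all forward-zone."""
    out = ["server:"]
    for p in profiles:
        out.append(f"    access-control: {p.subnet} allow")
        out.append(f"    access-control-view: {p.subnet} {p.name}")
    for p in profiles:
        zones = prune_covered(set().union(*[parse_blocklist(b) for b in p.blocklists]))
        out += ["", "view:", f'    name: "{p.name}"', "    view-first: yes"]
        out += [f'    local-zone: "{z}." static' for z in zones]
    out += ["", "forward-zone:", '    name: "."']
    out += [f"    forward-addr: {u}" for u in upstreams]
    return "\n".join(out) + "\n"


# Constructed sample lists (not real blocklists).
ADULT_LIST = """# hosts-file style
0.0.0.0 adult-example.test
0.0.0.0 cdn.adult-example.test   # redundant: parent is blocked
0.0.0.0 localhost
127.0.0.1 another-adult.test.
"""
ADS_LIST = """# plain domain list
ads.example.test
Tracker.Example.Test
not a hostname!
"""

# Guests get adult + ads blocking, the private LAN only ads (assumed subnets).
PROFILES = [
    Profile("guests", "192.168.1.0/24", [ADULT_LIST, ADS_LIST]),
    Profile("lan", "192.168.2.0/24", [ADS_LIST]),
]
UPSTREAMS = ["208.67.222.222", "208.67.220.220"]   # assumed: OpenDNS resolvers

if __name__ == "__main__":
    print(render_unbound_views(PROFILES, UPSTREAMS))
```

`view-first: yes` lets a view fall back to the server-wide local zones, so lists every subnet should share can stay in the `server:` clause and only the per-subnet extras go into each view.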