OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: zaggynl on October 05, 2018, 09:10:52 pm

Title: Challenge: Alert on Firewall block - is this possible currently?
Post by: zaggynl on October 05, 2018, 09:10:52 pm
So first I tried setting up IDS with a GeoIP block of traffic to China and Russia; no blocking or alerts happened with Intrusion Detection and IDS enabled.

Made a firewall LAN rule that blocks outgoing traffic to the GeoIP ranges of China and Russia.
That blocks, yay!

As for alerts:
I've set up a Monit Service Test with:

content = " 84,,, "

which is the number of the rule used, as found out by:

ping rutube.ru, resolves to: 185.165.123.77

grep 185.165.123.77 /var/log/filter.log
or
grep " 84,,," /var/log/filter.log

Oct  5 20:26:56 router filterlog: 84,,,0,igb0,match,block,in,4,0x0,,64,24176,0,DF,1,icmp,84,192.168.1.228,185.165.123.77,datalength=64

I've set up a Service like so:

Type: File
Path: /var/log/filter.log
Test: <name of Monit Service Test>

No alerts appear in my mailbox; I do see the message that Monit restarted.
The Monit status page also shows no content matches.
What am I missing?

Sources I looked at:

https://mmonit.com/monit/documentation/monit.html#FILE-CONTENT-TEST
https://forum.opnsense.org/index.php?topic=5303.0
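As an added illustration (not code from the original post, from Monit or from OPNsense), here is a small Python parser for the pf filterlog format quoted above, together with the match logic a log watcher such as the Monit content test applies. Field positions follow the pf filterlog CSV layout (rule number, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the per-IP-version header fields, then protocol-specific fields such as ports); the sample lines other than the quoted one are constructed. Two points a practitioner would want to know: the rule number is the ordinal of the rule in the loaded pf ruleset and shifts whenever the ruleset is regenerated, so a pattern like `" 84,,,"` silently stops matching after an unrelated rule edit, which is why the example can also match on the destination network; and Monit's content test only inspects content appended since its previous check cycle, so a match requires a new line written after the test was loaded.

```python
"""Parse OPNsense/pf filterlog lines and flag blocked traffic by rule or destination."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample log. The first line is the one quoted in the post; the
# remaining entries are made up in the same filterlog layout for illustration.
SAMPLE_LOG = """\
Oct  5 20:26:56 router filterlog: 84,,,0,igb0,match,block,in,4,0x0,,64,24176,0,DF,1,icmp,84,192.168.1.228,185.165.123.77,datalength=64
Oct  5 20:27:01 router filterlog: 5,,,0,igb0,match,pass,in,4,0x0,,64,11223,0,DF,6,tcp,60,192.168.1.228,93.184.216.34,51234,443,0,S,1000,,64240,,mss
Oct  5 20:27:03 router filterlog: 84,,,0,igb0,match,block,in,4,0x0,,64,24177,0,DF,6,tcp,60,192.168.1.228,185.165.123.77,51235,80,0,S,1001,,64240,,mss
Oct  5 20:27:09 router filterlog: 12,,,0,igb1,match,block,in,4,0x0,,57,3,0,none,17,udp,78,203.0.113.9,198.51.100.2,1900,1900,58
Oct  5 20:27:10 router sshd[123]: not a filterlog line
"""

# syslog prefix ("Oct  5 20:26:56 router filterlog: ") followed by the CSV payload
FILTERLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\sfilterlog(?:\[\d+\])?:\s(?P<csv>.*)$"
)


@dataclass
class FilterEvent:
    timestamp: str
    rule: int          # ordinal of the rule in the loaded pf ruleset (not stable)
    interface: str
    action: str        # "pass" or "block"
    direction: str     # "in" or "out"
    ipver: int
    proto: str
    src: str
    dst: str
    src_port: Optional[int]
    dst_port: Optional[int]


def parse_filterlog(line: str) -> Optional[FilterEvent]:
    """Return a FilterEvent for a pf filterlog line, or None for anything else."""
    m = FILTERLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    f = m.group("csv").split(",")
    try:
        ipver = int(f[8])
        if ipver == 4:
            # tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst, ...
            proto, src, dst, rest = f[16], f[18], f[19], f[20:]
        elif ipver == 6:
            # class, flow-label, hop-limit, proto-text, proto-id, length, src, dst, ...
            proto, src, dst, rest = f[12], f[15], f[16], f[17:]
        else:
            return None
        sport = dport = None
        if proto in ("tcp", "udp") and len(rest) >= 2:
            sport, dport = int(rest[0]), int(rest[1])
        return FilterEvent(m.group("ts"), int(f[0]), f[4], f[6], f[7],
                           ipver, proto, src, dst, sport, dport)
    except (IndexError, ValueError):
        return None  # truncated or unexpected layout; do not guess


def blocked_events(log_text: str,
                   rule_ids: Optional[Iterable[int]] = None,
                   dst_networks: Optional[Iterable[str]] = None) -> List[FilterEvent]:
    """Return block events that hit any of rule_ids or any destination in dst_networks.

    With no filters given, every block event is returned.
    """
    rules = set(rule_ids or ())
    nets = [ipaddress.ip_network(n, strict=False) for n in (dst_networks or ())]
    hits = []
    for line in log_text.splitlines():
        ev = parse_filterlog(line)
        if ev is None or ev.action != "block":
            continue
        if not rules and not nets:
            hits.append(ev)
        elif ev.rule in rules or any(ipaddress.ip_address(ev.dst) in n for n in nets):
            hits.append(ev)
    return hits


def format_alert(ev: FilterEvent) -> str:
    """One-line alert text, the kind of thing a watcher would put in a mail subject."""
    sport = f":{ev.src_port}" if ev.src_port is not None else ""
    dport = f":{ev.dst_port}" if ev.dst_port is not None else ""
    return (f"{ev.timestamp} rule {ev.rule} {ev.action} {ev.direction} on {ev.interface} "
            f"{ev.proto} {ev.src}{sport} -> {ev.dst}{dport}")


if __name__ == "__main__":
    for event in blocked_events(SAMPLE_LOG, rule_ids={84},
                                dst_networks=["185.165.123.0/24"]):
        print(format_alert(event))
```

Matching on the destination network (or, in later OPNsense releases, on the rule label carried in the tracker field) survives ruleset regeneration; matching on the bare rule number does not, so the rule number is best treated as a debugging aid rather than as the key for an alert.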
Title: Re: Challenge: Alert on Firewall block - is this possible currently?
Post by: nospam on October 06, 2018, 04:35:50 pm
IDS -> User Defined -> Add Rule

GeoIP/Country: your blacklist here
GeoIP/Direction: Source
Action: Drop

Then Apply

Works for me, and events get logged under IDS -> Alerts.

I personally wouldn't want email alerts for this unless you want to watch a flood of emails choke your inbox.
Title: Re: Challenge: Alert on Firewall block - is this possible currently?
Post by: zaggynl on October 07, 2018, 08:05:30 pm
Thanks for the reply. I tried the settings below, but a ping to, for example, rutube.ru does not get blocked by IDS, whereas it does with firewall rules:

(http://i.imgur.com/HIoB1dQ.png)

(http://i.imgur.com/TNxCcIe.png)

(http://i.imgur.com/C0nc01v.png)
Title: Re: Challenge: Alert on Firewall block - is this possible currently?
Post by: zaggynl on October 12, 2018, 03:02:20 pm
bump
Title: Re: Challenge: Alert on Firewall block - is this possible currently?
Post by: nospam on October 12, 2018, 03:55:35 pm
Under Interfaces I have LAN only and ENABLE SYSLOG ALERTS
Under GeoIP/Direction I have SOURCE

PING rutube.ru (185.165.123.77): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

PING 185.165.123.1 (185.165.123.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

Is your Intrusion Detection service running? Check under dashboard
Title: Re: Challenge: Alert on Firewall block - is this possible currently?
Post by: zaggynl on October 13, 2018, 12:17:45 pm
Changed IDS settings to the below, enabled syslog alerts, changed interfaces to LAN only:
(http://i.imgur.com/Y85rJcB.png)

Dashboard shows Suricata running:
(http://i.imgur.com/Wns8p8f.png)



Ping stats look weird:
Rutube.ru
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=1 ttl=57 time=851 ms
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=2 ttl=57 time=9.70 ms
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=1 ttl=57 time=1853 ms (DUP!)
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=3 ttl=57 time=9.53 ms
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=3 ttl=57 time=70.9 ms (DUP!)
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=3 ttl=57 time=941 ms (DUP!)
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=4 ttl=57 time=9.74 ms
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=3 ttl=57 time=1161 ms (DUP!)
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=4 ttl=57 time=953 ms (DUP!)
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=3 ttl=57 time=2319 ms (DUP!)

Google DNS:
64 bytes from 8.8.8.8: icmp_seq=13 ttl=122 time=2.76 ms
64 bytes from 8.8.8.8: icmp_seq=12 ttl=122 time=1344 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=11 ttl=122 time=2679 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=13 ttl=122 time=903 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=14 ttl=122 time=2.76 ms
64 bytes from 8.8.8.8: icmp_seq=12 ttl=122 time=2156 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=13 ttl=122 time=1160 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=12 ttl=122 time=2394 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=11 ttl=122 time=3779 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=13 ttl=122 time=1802 ms (DUP!)

Edit: 
Ping results returned to normal after disabling IDS:
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=38 ttl=57 time=10.1 ms
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=39 ttl=57 time=9.57 ms
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=40 ttl=57 time=9.62 ms
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=41 ttl=57 time=9.66 ms
64 bytes from 185.165.123.77 (185.165.123.77): icmp_seq=42 ttl=57 time=9.74 ms
Title: Re: Challenge: Alert on Firewall block - is this possible currently?
Post by: nospam on October 17, 2018, 02:30:43 pm
Try either a reset to defaults or re-install everything from scratch. Something isn't right on your system.
Title: Re: Challenge: Alert on Firewall block - is this possible currently?
Post by: zaggynl on October 18, 2018, 10:20:24 pm
- Backed up config
- Reset to defaults
- Restored config
- No more duplicate pings, but still no IDS warnings or blocking.