Messages - Noctur

#46
17.7 Legacy Series / Re: No updates
August 15, 2017, 03:33:53 AM
Start here: https://forum.opnsense.org/index.php?topic=5595.msg22785#msg22785

"Call for Testing Suricata 4"

FWIW, I had a bit of trouble getting Transparent Firewall to work too, although I eventually did get it to work with help from people here in the forum. Try searching on it.

Ultimately, I resolved the problem by abandoning my Asus AC-68U as my primary router and setting up OpnSense as primary. It took additional effort getting the various parental controls set up in Opn that were just a tick box on my Asus, but it's worth it for the IDS with VPN to work together and get full throughput. Asus just bogged down with VPN, let alone have advanced pf FW and IDS.
#47
17.7 Legacy Series / Re: No updates
August 14, 2017, 03:31:51 AM
Mine showing updates 2017/08/13 1:00

Ran manually just now and showing 2017/08/13 19:28

Running 17.7 as Main Router, Suricata 4.0.0.
#48
17.7 Legacy Series / Re: Suricata error, DNS crashes
August 09, 2017, 05:05:50 PM
I had been having to reboot about 1-2x per day to recover connection - all bars green but no connection. I thought that was simply what must be done.

Following this thread, I tried Suri 3.2.2 - same reboot requirement, then reloaded 3.2.3 - same. Saw post above and realized my WAN is on an internal NIC and LAN on a PCIe NIC. Switched WAN to another PCIe NIC yesterday and haven't had to reboot since. This all with IPS and about half of the rules on. Now trying with VPN on - which has been a past issue.
#49
Running for a day now.. Seems to be working similarly to 3.x. Smooth transition.
#50
17.7 Legacy Series / Re: OPNSense for RPI3
July 15, 2017, 04:45:02 PM
Just curious why someone would want to use an RPi3 for a serious application like what I think OPNsense is intended for. E.g. a single 100mb Ethernet port onboard, with wifi. The I/O will kill you for a small home LAN. Granted, with the 4 USB you can pop on 2 USB/GB eth adapters to gain throughput and use the 10/100 for management, but the cost would jump up.

For a similar cost, there are several purpose-built dev boards that would have far better specs: http://espressobin.net/tech-spec/ $49 on Amazon, with 3 gb E (WAN & 2 LAN).

Not saying you're wrong, I have a RPi3 I tinker with, just curious on end goal.
#51
"You should not rely on Suricata alone for malware protection. Patch your internet connected systems." - Amen!

Done with those I have access to, but the BYOD crowd....
#52
Thank you for the reply...

Yes, provided you have access to the machine or the user has applied the patch or the user can follow instructions to disable SMBv1.

I should have also stated before I posted I looked into simply disabling SMB on the WAN in a FW rule, but SMB isn't listed as a protocol option in the new rule dropdown. Any suggestions on this? TIA
#53
With Petya raging, do we need to add in new FW rules to block it or does the current abuse.ch and emerging threats rulesets include it? Reviewing the abuse.ch ransomware rules site does not comment on Petya.

For example, there is a suggestion on the Microsoft Security Blog that blocking ports 139 and 445, as well as disabling SMBv1 and/or installing security update MS17-010 on individual windows machines will prevent an infection. https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

But I wanted to see if either current rulesets or a custom rule would block it further upstream. I've located a SNORT ruleset that addresses Petya specifically from PTSecurity.com (https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759) reproduced below. But going through the motions is moot if current rules suffice.

Choices are 1) new FW rule blocking SMB ports and 2) custom Suricata rules based on the SNORT rules below, 3) do nothing because it's already managed.

Anyone have a better handle on this? TIA

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001254; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented.Code0E; threshold: type limit, track by_src, seconds 60, count 1; reference: cve, 2017-0144; classtype: attempted-admin; sid: 10001255; rev: 3;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001256; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; distance:0; classtype:suspicious-filename-detect; sid: 10001443; rev: 1;)

alert tcp any any -> $HOME_NET 445 (msg:"[PT Open] SMB2 Create PSEXESVC.EXE"; flow:to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content:"|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance:0; classtype:suspicious-filename-detect; sid: 10001444; rev:1;)
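A check worth running before loading those rules into Suricata, added here as an example (it is not from the post or from PT Security): the three EternalBlue rules are chained with flowbits, and the alerting rule 10001255 only fires if 10001256 has already set SMB.Trans2.SubCommand.Unimplemented.Code0E on the same flow, so loading 10001255 on its own can never match. The script below pulls the flowbits options out of the quoted rules (constructed copy with the original sids and flowbits, long pcre/byte_jump options trimmed) and reports bits that are checked but never set, or set but never checked.

```python
import re

# Constructed input: the PT Security rules quoted above, with the
# same sids and flowbits but some long options trimmed for readability.
RULES = r'''
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Unimplemented Trans2 Sub-Command code"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; classtype: attempted-admin; sid: 10001254; rev: 2;)
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] ETERNALBLUE SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: cve, 2017-0144; classtype: attempted-admin; sid: 10001255; rev: 3;)
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Trans2 Sub-Command 0x0E"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; classtype: attempted-admin; sid: 10001256; rev: 2;)
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; classtype: suspicious-filename-detect; sid: 10001443; rev: 1;)
'''

FLOWBITS_RE = re.compile(r'flowbits\s*:\s*(set|unset|toggle|isset|isnotset)\s*,\s*([^;\s]+)')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')


def parse_rule(line):
    """Return (sid, [(action, bitname), ...]) for one Suricata rule line."""
    m = SID_RE.search(line)
    sid = int(m.group(1)) if m else None
    return sid, FLOWBITS_RE.findall(line)


def check_flowbits(rules_text):
    """Cross-reference flowbits across a ruleset: returns (writers, readers,
    orphans); writers/readers map a bit name to the sids that set or test it,
    orphans lists bits tested but never set (the rule can never match) and
    bits set but never tested (usually a missing companion rule)."""
    writers, readers = {}, {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid, bits = parse_rule(line)
        for action, name in bits:
            table = readers if action in ('isset', 'isnotset') else writers
            table.setdefault(name, []).append(sid)
    orphans = []
    for name in readers:
        if name not in writers:
            orphans.append(('checked-never-set', name, readers[name]))
    for name in writers:
        if name not in readers:
            orphans.append(('set-never-checked', name, writers[name]))
    return writers, readers, orphans


if __name__ == '__main__':
    _, _, problems = check_flowbits(RULES)
    for kind, name, sids in problems:
        print(f'{kind}: {name} (sids {sids})')
```

On the quoted set it reports that 10001254 sets SMB.Trans2.SubCommand.Unimplemented but nothing tests it, so that rule only ever alerts on its own; the 10001256 -> 10001255 chain is intact.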
#54
Thank you Jos, for updating the Wiki!
#55
Enable RAM disk? System - Settings - Miscellaneous - /var RAM Disk, /tmp RAM Disk

Running a quad i5 getting >100mb/s throughput with a huge number of Suricata rules and Geo-IP. 8gb Ram, 120gb SSD.

I also have firewall rules with Geo-IP alias defined and blocked, preventing them from ever getting to Suricata, reducing the stream volume to be scanned. Also have Hyperscan selected as recommended earlier.
#56
Two thoughts... Are you sure you've changed the IPS rule from Allow to Block? Sorry if this is a basic question for you.

And, you could set up a China GEOIP blocking rule with a FW Alias and block there without needing IPS.
#57
Try taking it a step at a time and build on success.

Take the Netgear offline. Turn OpenVPN off. Get OpnSense working for internet access, with your firewall, security measures in place.

Then get OpenVPN working to your provider.

Then add the Netgear in as an access point/switch. It should not be providing any DHCP, but getting its IP from the OpnSense box. Ideally you have a switch that you can plug the LAN from OpnSense into, then other PCs and Netgear into the switch. Remember to use a LAN port on the Netgear and not the WAN port. If you can, assign the WAN port to the LAN on the Netgear to get 1 more port on the Netgear LAN switch.

The suggestion above is a good one - shut the complexity down and let the OPNsense box serve DHCP for your network.
#58
Hi M4DM4NZ,

Yep, for most gurus here this is probably a simple matter. Maybe some will take pity and point us in the right direction.

I took a good look at your post. The first reference (wretmo.se) has another reference for a pfSense setup at the bottom of their how-to, http://swimminginthought.com/pfsense-routing-traffic-strongvpn-openvpn/. That how-to is doing exactly what I (and maybe you) want to do - address a VoIP issue. I'll be looking at that one in depth one evening when I have time to experiment.

Thank you for your post! If I have any success I'll follow-up.
#59
17.1 Legacy Series / Re: Suricata - Working or not.
April 04, 2017, 06:18:45 AM
Patch coming or wait for 17.1.5? TIA
#60
I need to set up a system with a portion of the service routed through a VPN (OpenVPN) and another set of IPs routed to bypass the VPN. Both routes should still be inspected by the pf firewall and Suricata. The How-To section of the Wiki doesn't expressly show an example of this. Is there another example of how this is performed that someone could point me to? TIA