Messages - MakesSense

1
Intrusion Detection and Prevention / Re: Manualy import rulesets
« on: March 15, 2019, 01:03:59 pm »
I'm using OPNsense 18.7.10 (haven't upgraded yet due to the kernel panic issue).

There the Suricata rules are stored in these two folders:

/usr/local/etc/suricata/rules/
/usr/local/etc/suricata/opnsense.rules/

Not sure if both are needed...

I also add my custom rule file names to /usr/local/etc/suricata/installed_files.yaml

2
18.7 Legacy Series / Re: 18.7.10 and Suricata
« on: January 22, 2019, 12:28:38 pm »
For me it was the same, almost all alerts disappeared when I upgraded to Suricata 4.1.2. I found that the OISF/suricata rules disappeared when I upgraded. That rule set makes a lot of noise, especially if you have the STREAM rules enabled, but many of them I find very useful.

Some rules didn't load properly with 4.1.2 when I downloaded them manually, so I added my own STREAM rules based on the rules in that rule set.

The OISF/suricata rules can be found here:
https://github.com/OISF/suricata/tree/master/rules

3
18.7 Legacy Series / Re: 18.7.10 Suricata 4.1.2 GeoIP
« on: January 14, 2019, 10:41:54 am »
Quote from: franco on January 14, 2019, 10:18:44 am
We checked the firewall aliases GeoIP and it uses the version 2 database so we're good on this front. Best to migrate now... :)


Cheers,
Franco

Super, thanks franco! Migration done! :)

4
18.7 Legacy Series / Re: 18.7.10 Suricata remove rules
« on: January 14, 2019, 10:08:08 am »
Hi,

I found that to remove the rules you have to delete them manually in:

/usr/local/etc/suricata/opnsense.rules/

When I remove them through the web GUI it only removes the copy of the rules inside /usr/local/etc/suricata/rules/.

Then restart Suricata and the deleted rules should be gone from the list in the web GUI.

5
18.7 Legacy Series / Re: 18.7.10 Suricata 4.1.2 GeoIP
« on: January 14, 2019, 09:21:20 am »
Thanks for the info! I will use the firewall for geoblock then :-)


6
18.7 Legacy Series / Re: 18.7.10 IP blocklist
« on: January 14, 2019, 09:18:29 am »
Thanks for the tip! I will try that.

7
18.7 Legacy Series / Re: 18.7.10 IP blocklist
« on: January 14, 2019, 07:16:08 am »
Thanks, I have done that for the most intrusive ones earlier, but I have a list with over 9000 IP addresses.

I tried to add them directly in the config.xml file, but then I can't open that alias in the web GUI.

8
18.7 Legacy Series / 18.7.10 Suricata 4.1.2 GeoIP
« on: January 13, 2019, 10:25:03 pm »
Hi

Anyone else having problems with geoip rules in Suricata 4.2.1? Every time I try to load a rule with geoip Suricata throws an error...

9
18.7 Legacy Series / 18.7.10 IP blocklist
« on: January 13, 2019, 10:23:31 pm »
Hi

I'm wondering if there is any way to add a list of IP addresses to the firewall blocklist?

10
18.1 Legacy Series / 18.1.4 IDS Alerts
« on: March 13, 2018, 10:47:10 am »
Don't know if this is the right section to drop this...

When I look at Alerts in the IDS section it always says:

'Showing 1 to 7'

no matter how many I've chosen to view. In the example attached there are 49 alerts being shown.

11
Intrusion Detection and Prevention / Re: Snort rules v3
« on: February 20, 2018, 11:38:21 am »
Yes, I got these errors (and a bunch more...):

<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-other.rules at line 44

<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content

<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 4199

<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content

All of them had the [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
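The errors quoted above are Suricata's rule parser refusing a Snort-syntax signature in which a distance/within keyword ends up resolved against the wrong content. The Python pre-flight check below is an added example, not code from this post, from OPNsense or from the Suricata project; it models the Suricata 4.x behaviour as this example understands it (assumptions: a content sits in the raw payload until an http_* modifier placed after it moves it to that buffer, file_data is sticky for the contents that follow, and distance/within are resolved against the previous content in the same buffer). It uses the two signatures from the error output as input, reports which relative keyword would be rejected because its reference content carries fast_pattern:only, and rewrites the option order so that the buffer modifier precedes the relative keywords, which lets the same rule load.

```python
import re

# Keyword classes in Suricata 4.x / Snort 2.9 rule syntax.
BUFFER_MODIFIERS = {
    "http_uri", "http_raw_uri", "http_header", "http_raw_header", "http_cookie",
    "http_method", "http_client_body", "http_stat_code", "http_stat_msg",
    "http_user_agent", "http_host", "http_raw_host",
}
RELATIVE_MODIFIERS = {"distance", "within"}
# keyword, optionally ':' plus a quoted string (backslash escapes allowed) or a bare value, then ';'
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;]*))?;')

# The two signatures quoted in the error output, copied verbatim from the post.
RULE_1 = 'drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)'
RULE_2 = 'drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)'


def split_rule(rule):
    """Return (header, options_text) for one rule line."""
    m = re.match(r"\s*(.*?)\s*\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("rule has no options section")
    return m.group(1), m.group(2)


def parse_options(options):
    """Split the text between the parentheses into (keyword, value) pairs."""
    out, pos = [], 0
    while options[pos:].strip():
        m = OPTION_RE.match(options, pos)
        if not m:
            raise ValueError("cannot parse options near %r" % options[pos:pos + 40])
        value = m.group(2)
        out.append((m.group(1), value.strip() if value is not None else None))
        pos = m.end()
    return out


def render_rule(header, opts):
    """Serialize (keyword, value) pairs back into a rule line."""
    return header + " (" + " ".join(n + ";" if v is None else n + ":" + v + ";" for n, v in opts) + ")"


def check_options(opts):
    """Approximate the Suricata 4.x check (assumption of this example): a content starts in the
    raw payload until an http_* modifier moves it, and distance/within are resolved against the
    previous content in the same buffer. A fast_pattern:only reference content is the parse error."""
    contents, sticky, findings = [], "payload", []
    for name, value in opts:
        if name == "content":
            contents.append({"value": value, "buffer": sticky, "fast_only": False})
        elif name == "file_data":
            sticky = "file_data"                      # sticky buffer for the contents that follow
        elif not contents:
            continue                                  # keywords before any content: not our concern
        elif name == "fast_pattern" and value == "only":
            contents[-1]["fast_only"] = True
        elif name in BUFFER_MODIFIERS:
            contents[-1]["buffer"] = name             # modifier moves the preceding content
        elif name in RELATIVE_MODIFIERS:
            cur = contents[-1]
            prev = next((c for c in reversed(contents[:-1]) if c["buffer"] == cur["buffer"]), None)
            if prev is not None and prev["fast_only"]:
                findings.append("%s:%s on content %s is relative to fast_pattern:only content %s (buffer %s)"
                                % (name, value, cur["value"], prev["value"], cur["buffer"]))
    return findings


def reorder_buffer_modifiers(opts):
    """Move each content's http_* modifier in front of that content's other keywords, so the
    content is already in its HTTP buffer when distance/within are resolved. Assumption of this
    example: the reordered rule keeps the matching the rule author intended."""
    out, group = [], []

    def flush():
        if group:
            head, mods = group[0], group[1:]
            out.append(head)
            out.extend(m for m in mods if m[0] in BUFFER_MODIFIERS)
            out.extend(m for m in mods if m[0] not in BUFFER_MODIFIERS)
            group.clear()

    for opt in opts:
        if opt[0] == "content":
            flush()
        if group or opt[0] == "content":
            group.append(opt)
        else:
            out.append(opt)
    flush()
    return out


def check_rule(rule):
    """Findings for one rule line; an empty list means the relative keywords are fine."""
    return check_options(parse_options(split_rule(rule)[1]))


def fix_rule(rule):
    """The same rule with buffer modifiers placed before the relative keywords."""
    header, options = split_rule(rule)
    return render_rule(header, reorder_buffer_modifiers(parse_options(options)))


if __name__ == "__main__":
    for rule in (RULE_1, RULE_2):
        for finding in check_rule(rule):
            print("REJECT:", finding)
        print("after reorder:", check_rule(fix_rule(rule)) or "clean")
```

Run over a whole downloaded rule file line by line before copying it into the Suricata rules directory, and diff the rewritten output against the original so only the option order changes; anything the parser cannot split (a ValueError) is worth inspecting by hand rather than loading.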


12
Intrusion Detection and Prevention / Snort rules v3
« on: February 20, 2018, 11:20:13 am »
Hi,

I'm using OPNsense 18.2_2. I've been using the snort rule set snortrules-snapshot-29111.tar.gz for a while now and all has been fine.

When downloading the new snort rule set snortrules-snapshot-3000.tar.gz no snort rules load. If I look at the download page they seem to be downloaded fine, but looking at the rules tab no snort rules appear. So my question is: Are the new rules not compatible with Suricata, anyone know?

13
18.1 Legacy Series / Re: 18.1 IDS rules not updating
« on: January 31, 2018, 04:03:20 pm »
Quote from: ChrisW on January 31, 2018, 04:00:50 pm
I can confirm, that it's not possible to manually download the rules. I had to install a fresh opnsense 18.1 after trying to update via GUI from 17.7.
Then I tried to download the IPS rules, but nothing happens.

Did you try the quick fix:

Code:
pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/17.7/latest/All/py27-openssl-17.3.0.txz
Worked for me :-)

14
18.1 Legacy Series / IDS rules
« on: January 31, 2018, 03:51:14 pm »
Hi,

I would like to come with a suggestion for the IDS rules page:

To add another filter, enabled/disabled rules

That would make it so much easier to find the disabled rules within a huge rules class type (like trojan-activity).

15
18.1 Legacy Series / Re: 18.1 IDS rules not updating
« on: January 30, 2018, 10:52:21 am »
I finally got all the rule sets down after a few more goes.

Thanks for the help!

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved