Messages

1

Zenarmor (Sensei) / Re: Zenarmor 1.10 MAC address for policy apply

« on: October 17, 2021, 01:02:55 pm »

@mb
Thanks for answering the topic.

With this understanding I restructured my zenarmor policies. In the end, I was able to implement what was important to me.

2

Zenarmor (Sensei) / Re: Zenarmor 1.10 MAC address for policy apply

« on: October 15, 2021, 05:21:49 pm »

I deleted all IP addresses for now. Reported it as a bug in 1.10.

3

Zenarmor (Sensei) / Re: Zenarmor 1.10 MAC address for policy apply

« on: October 15, 2021, 05:03:09 pm »

Its not the second interface (checked again). If I enable the WireGuard interface again, policy still matches.

It was the additional configured IP address for matching. Policy is matching only if I configure MAC addresses only.

4

Zenarmor (Sensei) / Zenarmor 1.10 MAC address for policy apply

« on: October 15, 2021, 04:49:22 pm »

Hi @mb,

thx for the possibility to match a policy by a client MAC address now.
But in my case it is not working. Defined a new policy with MAC addresses. But always the default policy would be assigned to the devices where the custom policy with the configured MAC address should match.

Update: It works now. I also had enabled the WireGuard interface before and one IP address configured. I removed  that IP address and the WireGuard interface. Now with only LAN and configured MAC addresses it works.

5

Zenarmor (Sensei) / Re: Additional platforms - how does that work?

« on: March 25, 2021, 08:51:20 am »

One short question about deployment. Is it also possible to use it in a bridged environment? This means I use a Sensei Linux/FreeBSD box inline (bridged between firewall and main switch)? I would like to use my existing firewall (right now not OPNsense) and switch. Or is it better to use the "routed mode"?

Stack:
Client --> Switch --> Sensei (bridge or routing mode) --> Firewall --> Internet

6

Intrusion Detection and Prevention / Re: Some ET rulesets emtpy

« on: February 12, 2020, 09:26:55 am »

From the level of protection in "etpro-telemetry" maybe the rules from botcc makes also sense.

They are updated regulary (changelog suggests that: https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.etpro.2020-02-12T00:21:07.txt ):
ET CNC Shadowserver Reported CnC Server Port 80 Group 1 (botcc.portgrouped.rules)

Thx

7

Intrusion Detection and Prevention / Re: Some ET rulesets emtpy

« on: February 11, 2020, 04:28:20 pm »

I asked me the same. Would be great if someone could explain why these rules are empty.

From the documentation, the categories exists:
https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf

Documentation old? ETPro Rulesets/Categories old? I'm a little bit confused about the ET telemetry option now.

8

Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering

« on: January 25, 2020, 08:29:48 am »

Have regularly messsages like this (1.3_1) (newest is top)

Code: [Select]

Jan 25 08:05:00 kernel: -> pid: 47971 ppid: 25978 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
Jan 25 08:05:00 kernel: [HBSD SEGVGUARD] [/usr/local/sensei//bin//eastpect (47971)] Suspension expired.
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 192.168.20.1) (interface: Guest[opt2]) (real interface: igb0_vlan20).
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'igb0_vlan20'
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for Guest(opt2) but ignoring since interface is configured with static IP (192.168.20.1 ::)
Jan 25 08:01:08 opnsense: plugins_configure hosts ()
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 192.168.8.1) (interface: LAN[lan]) (real interface: igb0).
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'igb0'
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for LAN(lan) but ignoring since interface is configured with static IP (192.168.8.1 ::)
Jan 25 08:01:08 kernel: igb0_vlan30: link state changed to UP
Jan 25 08:01:08 kernel: igb0_vlan40: link state changed to UP
Jan 25 08:01:08 kernel: igb0_vlan20: link state changed to UP
Jan 25 08:01:08 kernel: igb0: link state changed to UP
Jan 25 08:01:04 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for NoT(opt3) but ignoring since interface is configured with static IP (192.168.30.1 ::)
Jan 25 08:01:04 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for IoT(opt5) but ignoring since interface is configured with static IP (192.168.40.1 ::)
Jan 25 08:01:04 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for Guest(opt2) but ignoring since interface is configured with static IP (192.168.20.1 ::)
Jan 25 08:01:03 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for LAN(lan) but ignoring since interface is configured with static IP (192.168.8.1 ::)
Jan 25 08:01:03 sshlockout[69152]: sshlockout/webConfigurator v3.0 starting up
Jan 25 08:01:03 kernel: igb0_vlan30: link state changed to DOWN
Jan 25 08:01:03 kernel: igb0_vlan40: link state changed to DOWN
Jan 25 08:01:03 kernel: igb0_vlan20: link state changed to DOWN
Jan 25 08:01:03 kernel: igb0: link state changed to DOWN
Jan 25 08:01:03 kernel: pid 6147 (eastpect), uid 0: exited on signal 11

9

Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering

« on: December 02, 2019, 09:51:41 am »

Hello @mb,

some small findings:

1. Filter on Policy Id  (from pie-graph -> Sessions Detail) in Reports (created a new policy before) shows only a rotating circle.
Home Edition bug?

2. Block a URL via Action from Reports -> Connections -> Live Session Explorer results in the following message:

Code: [Select]

Error
Could not find: msmetrics.ws.sonos.com
In Version 1.1 a new Category "Auto Blacklist Hosts" are created. In version 1.2 (Home Editon) the category would not be created. And message above appears.
Home Edition bug?

3. Under Reports -> Security -> Live Blocked Sessions Explorer the coulmn "source ip" (my LAN IPs) shows also the different country flags of the "Dest Hostname" coulmn.
General bug?

Edit: I also did a reset of the config and started from scratch. Same results.

Thanks

10

Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering

« on: September 30, 2019, 10:34:18 pm »

Thx for the hint. Yes, if i mouse over a IP address in "Live Sesssions Explorer" they would be resolved now.

11

Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering

« on: September 26, 2019, 01:51:00 pm »

Thx for the new version 1.0.3

"Reverse DNS lookups for local IP addresses" translates some IPs into names in "Sensei -> Reports -> Connectios" e.g.
But not all IPs are translated into there names. Manual reverse lookup of IPs via dig or nslookup are fine.

Do Sensei need more time for reverse lookups?

12

Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering

« on: July 18, 2019, 01:58:09 pm »

After upgrade OPNsense to 19.7, Sensei shows this error on "Configuration" -> "Cloud Threat Intel"

Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php:125 - Trying to get property 'availables' of non-object (errno=8)

13

German - Deutsch / Re: IPSec zu VPN Provider... wo NAT?

« on: July 16, 2019, 02:04:29 pm »

Man müsste das mal im Lab nachstellen. Nichts was ich auf einem produktivem System testen würde.

Lässt sich denn das Interface manuell in der /conf/config.xml unter <interfaces> hinzufügen?

Code: [Select]

    <opt3>
      <if>tun0</if>
      <descr>NordVPN</descr>
      <enable>1</enable>
      <spoofmac/>
    </opt3>

14

General Discussion / Re: NordVPN and ipsec config

« on: June 13, 2019, 10:34:45 pm »

You could try to add your NordVPN IPSec conf in:
/usr/local/etc/ipsec.opnsense.d/nordvpn.conf

No waranty. Be careful with routing.

15

Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering

« on: May 15, 2019, 10:57:37 pm »

Cloud Node Status is always DOWN (see attachment). I can klick "Check Now" and after that, the status changes to "UP". But after a few seconds it goes back to "DOWN" and stays at is. Is this normal?