Messages - opnip

#1
@mb
Thanks for answering the topic.

With this understanding I restructured my zenarmor policies. In the end, I was able to implement what was important to me.
#2
I deleted all IP addresses for now. Reported it as a bug in 1.10.
#3
It's not the second interface (checked again). If I enable the WireGuard interface again, the policy still matches.

It was the additionally configured IP address used for matching. The policy matches only if I configure MAC addresses only.
#4
Hi @mb,

thx for the possibility to match a policy by a client MAC address now.
But in my case it is not working. I defined a new policy with MAC addresses, but the default policy is always assigned to the devices where the custom policy with the configured MAC address should match.

Update: It works now. I had also enabled the WireGuard interface before and had one IP address configured. I removed that IP address and the WireGuard interface. Now, with only LAN and configured MAC addresses, it works.
#5
One short question about deployment. Is it also possible to use it in a bridged environment? This means I use a Sensei Linux/FreeBSD box inline (bridged between firewall and main switch)? I would like to use my existing firewall (right now not OPNsense) and switch. Or is it better to use the "routed mode"?

Stack:
Client --> Switch --> Sensei (bridge or routing mode) --> Firewall --> Internet
#6
From the level of protection in "etpro-telemetry", maybe the rules from botcc also make sense.

They are updated regularly (the changelog suggests that: https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.etpro.2020-02-12T00:21:07.txt ):
ET CNC Shadowserver Reported CnC Server Port 80 Group 1 (botcc.portgrouped.rules)

Thx
#7
I asked myself the same. It would be great if someone could explain why these rules are empty.

From the documentation, the categories exist:
https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf

Documentation old? ETPro Rulesets/Categories old? I'm a little bit confused about the ET telemetry option now.
#8
I regularly get messages like this (1.3_1) (newest is on top):

Jan 25 08:05:00 kernel: -> pid: 47971 ppid: 25978 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
Jan 25 08:05:00 kernel: [HBSD SEGVGUARD] [/usr/local/sensei//bin//eastpect (47971)] Suspension expired.
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 192.168.20.1) (interface: Guest[opt2]) (real interface: igb0_vlan20).
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'igb0_vlan20'
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for Guest(opt2) but ignoring since interface is configured with static IP (192.168.20.1 ::)
Jan 25 08:01:08 opnsense: plugins_configure hosts ()
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 192.168.8.1) (interface: LAN[lan]) (real interface: igb0).
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'igb0'
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for LAN(lan) but ignoring since interface is configured with static IP (192.168.8.1 ::)
Jan 25 08:01:08 kernel: igb0_vlan30: link state changed to UP
Jan 25 08:01:08 kernel: igb0_vlan40: link state changed to UP
Jan 25 08:01:08 kernel: igb0_vlan20: link state changed to UP
Jan 25 08:01:08 kernel: igb0: link state changed to UP
Jan 25 08:01:04 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for NoT(opt3) but ignoring since interface is configured with static IP (192.168.30.1 ::)
Jan 25 08:01:04 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for IoT(opt5) but ignoring since interface is configured with static IP (192.168.40.1 ::)
Jan 25 08:01:04 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for Guest(opt2) but ignoring since interface is configured with static IP (192.168.20.1 ::)
Jan 25 08:01:03 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for LAN(lan) but ignoring since interface is configured with static IP (192.168.8.1 ::)
Jan 25 08:01:03 sshlockout[69152]: sshlockout/webConfigurator v3.0 starting up
Jan 25 08:01:03 kernel: igb0_vlan30: link state changed to DOWN
Jan 25 08:01:03 kernel: igb0_vlan40: link state changed to DOWN
Jan 25 08:01:03 kernel: igb0_vlan20: link state changed to DOWN
Jan 25 08:01:03 kernel: igb0: link state changed to DOWN
Jan 25 08:01:03 kernel: pid 6147 (eastpect), uid 0: exited on signal 11
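The log above mixes interface link-state noise with two events that matter for the Sensei engine: the kernel reporting eastpect exiting on signal 11 (SIGSEGV on FreeBSD) and HardenedBSD's SEGVGUARD, which temporarily suspends a binary after segfaults, reporting that the suspension expired. The following is an added example, not code from the post or from the Sensei/OPNsense projects: it parses lines in the format shown (the sample is copied from the post) and builds a per-process summary so a defender can count crashes and SEGVGUARD events per binary instead of reading the whole log. The log format assumptions (syslog timestamp prefix, the kernel message shapes shown above) are taken only from the lines in the post.

```python
import os
import re
from collections import defaultdict

# Sample lines copied from the post above (newest first, as posted).
LOG_LINES = """\
Jan 25 08:05:00 kernel: -> pid: 47971 ppid: 25978 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
Jan 25 08:05:00 kernel: [HBSD SEGVGUARD] [/usr/local/sensei//bin//eastpect (47971)] Suspension expired.
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'igb0'
Jan 25 08:01:08 kernel: igb0: link state changed to UP
Jan 25 08:01:03 kernel: igb0: link state changed to DOWN
Jan 25 08:01:03 kernel: pid 6147 (eastpect), uid 0: exited on signal 11
""".splitlines()

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"

# "pid 6147 (eastpect), uid 0: exited on signal 11"
CRASH_RE = re.compile(
    TS + r" kernel: pid (?P<pid>\d+) \((?P<proc>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)$"
)
# "[HBSD SEGVGUARD] [/usr/local/sensei//bin//eastpect (47971)] Suspension expired."
SEGVGUARD_RE = re.compile(
    TS + r" kernel: \[HBSD SEGVGUARD\] \[(?P<path>\S+) \((?P<pid>\d+)\)\] (?P<msg>.*)$"
)

SIGSEGV = 11  # FreeBSD signal number for a segmentation fault


def parse_events(lines):
    """Split log lines into crash events and SEGVGUARD events; ignore the rest."""
    crashes, guard = [], []
    for line in lines:
        m = CRASH_RE.match(line)
        if m:
            crashes.append({"ts": m["ts"], "pid": int(m["pid"]), "proc": m["proc"],
                            "uid": int(m["uid"]), "sig": int(m["sig"])})
            continue
        m = SEGVGUARD_RE.match(line)
        if m:
            guard.append({"ts": m["ts"], "path": m["path"], "pid": int(m["pid"]),
                          "msg": m["msg"]})
    return crashes, guard


def summarize(lines):
    """Per-binary counts: how often it exited on a signal, which signals, and
    how many SEGVGUARD messages referenced it."""
    crashes, guard = parse_events(lines)
    by_proc = defaultdict(lambda: {"crashes": 0, "signals": set(), "segvguard": 0})
    for c in crashes:
        by_proc[c["proc"]]["crashes"] += 1
        by_proc[c["proc"]]["signals"].add(c["sig"])
    for g in guard:
        # The path in the log has doubled slashes; normalise before taking the name.
        name = os.path.basename(os.path.normpath(g["path"]))
        by_proc[name]["segvguard"] += 1
    return dict(by_proc)


def segfaulting_processes(lines):
    """Names of binaries that exited on SIGSEGV at least once."""
    return sorted(p for p, s in summarize(lines).items() if SIGSEGV in s["signals"])


if __name__ == "__main__":
    for proc, stats in summarize(LOG_LINES).items():
        print(proc, stats)
```

Running it over the posted lines reports eastpect with one signal-11 exit and one SEGVGUARD message; a growing crash count across days is the signal worth attaching to a bug report, together with the version (1.3_1 here).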
#9
Hello @mb,

some small findings:

1. Filter on Policy Id (from pie-graph -> Sessions Detail) in Reports (created a new policy before) shows only a rotating circle.
Home Edition bug?

2. Block a URL via Action from Reports -> Connections -> Live Session Explorer results in the following message:
Error
Could not find: msmetrics.ws.sonos.com


In version 1.1 a new category "Auto Blacklist Hosts" is created. In version 1.2 (Home Edition) the category is not created, and the message above appears.
Home Edition bug?

3. Under Reports -> Security -> Live Blocked Sessions Explorer the column "source ip" (my LAN IPs) also shows the different country flags of the "Dest Hostname" column.
General bug?

Edit: I also did a reset of the config and started from scratch. Same results.

Thanks
#10
Thx for the hint. Yes, if I mouse over an IP address in "Live Sessions Explorer" they are resolved now.
#11
Thx for the new version 1.0.3

"Reverse DNS lookups for local IP addresses" translates some IPs into names in "Sensei -> Reports -> Connections", e.g.
But not all IPs are translated into their names. Manual reverse lookups of IPs via dig or nslookup are fine.

Does Sensei need more time for reverse lookups?
#12
After upgrading OPNsense to 19.7, Sensei shows this error under "Configuration" -> "Cloud Threat Intel":

Quote: Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php:125 - Trying to get property 'availables' of non-object (errno=8)
#13
One would have to reproduce that in a lab first. Not something I would test on a production system.

Can the interface be added manually in /conf/config.xml under <interfaces>?

    <opt3>
      <if>tun0</if>
      <descr>NordVPN</descr>
      <enable>1</enable>
      <spoofmac/>
    </opt3>
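Editing /conf/config.xml by hand, as suggested above, is easy to get wrong: the optN key must be unused, and the same device must not already be assigned to another interface. The following is an added example, not code from the post or from OPNsense: it uses Python's xml.etree to append an interface entry with exactly the fields shown in the snippet above (<if>, <descr>, <enable>, <spoofmac/>) and refuses to do so when the key or the device is already taken. The minimal config.xml skeleton is constructed for the example; a real config.xml carries many more elements per interface, which this code does not create.

```python
import xml.etree.ElementTree as ET

# Constructed minimal config.xml skeleton (real files are far larger).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><if>igb1</if><enable>1</enable></wan>
    <lan><if>igb0</if><enable>1</enable></lan>
    <opt1><if>igb0_vlan20</if><descr>Guest</descr><enable>1</enable></opt1>
  </interfaces>
</opnsense>
"""


def assigned_devices(xml_text):
    """Map interface key (wan, lan, opt1, ...) to the assigned device name."""
    root = ET.fromstring(xml_text)
    interfaces = root.find("interfaces")
    if interfaces is None:
        raise ValueError("no <interfaces> section in config")
    result = {}
    for node in interfaces:
        ifnode = node.find("if")
        if ifnode is not None and ifnode.text:
            result[node.tag] = ifnode.text.strip()
    return result


def next_free_opt(xml_text):
    """First optN key not yet present under <interfaces>."""
    root = ET.fromstring(xml_text)
    used = {child.tag for child in root.find("interfaces")}
    n = 1
    while f"opt{n}" in used:
        n += 1
    return f"opt{n}"


def add_interface(xml_text, device, descr, key=None, enable=True):
    """Return new XML text with an <optN> entry like the one in the post added.

    Refuses to assign a device that is already used by another interface and
    refuses to overwrite an existing key, so a typo cannot silently clobber
    a working assignment.
    """
    if device in assigned_devices(xml_text).values():
        raise ValueError(f"device {device!r} is already assigned to an interface")
    key = key or next_free_opt(xml_text)
    root = ET.fromstring(xml_text)
    interfaces = root.find("interfaces")
    if interfaces.find(key) is not None:
        raise ValueError(f"interface key {key!r} already exists")

    node = ET.SubElement(interfaces, key)
    ET.SubElement(node, "if").text = device
    ET.SubElement(node, "descr").text = descr
    if enable:
        ET.SubElement(node, "enable").text = "1"
    ET.SubElement(node, "spoofmac")  # empty element, as in the post's snippet
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    updated = add_interface(SAMPLE_CONFIG, "tun0", "NordVPN")
    print(updated)
    print(assigned_devices(updated))
```

The same check is useful in reverse: running assigned_devices() on a backup of config.xml before and after a manual edit shows exactly which assignment changed.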
#14
General Discussion / Re: NordVPN and ipsec config
June 13, 2019, 10:34:45 PM
You could try to add your NordVPN IPSec conf in:
/usr/local/etc/ipsec.opnsense.d/nordvpn.conf

No warranty. Be careful with routing.

#15
Cloud Node Status is always DOWN (see attachment). I can click "Check Now" and after that, the status changes to "UP". But after a few seconds it goes back to "DOWN" and stays as is. Is this normal?