Messages - robvanhooren

#1
Zenarmor (Sensei) / Re: Home Users - 100 Device Limit
January 29, 2021, 08:04:46 PM
 ... do you really need direct coverage for them all?

vs pushing e.g. the IoT junk thru a proxy.

limit used to be 25, which truly *is* unworkable -- at the time, I nagged mb to get it to 50.

imo 100 for free is a big ask, they're a business after all ... with 50 at least there's marketplace parity with e.g. Sophos' free thing, so they had a competitive reason to match that.

maybe I'll be surprised and SV will bump it up higher, but I wouldn't hold my breath.

cheers,

R.
#2
fyi @Farmserver ... @franco recently suggested that the LibreSSL build of OPNs is cranky with the Sensei repo rn; no ETA unfortunately.




#3
Zenarmor (Sensei) / Re: Opnsense 21.1
January 29, 2021, 07:45:14 PM
yeah this is broken again  >:(

Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:12:amd64/21.1/LibreSSL/latest/meta.txz: Not Found
repository SunnyValley has no meta file, using default settings
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:12:amd64/21.1/LibreSSL/latest/packagesite.txz: Not Found
Unable to update repository SunnyValley
Error updating repositories!


% cat /usr/local/etc/pkg/repos/SunnyValley.conf
SunnyValley: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/SunnyValley",
  url: "https://updates.sunnyvalley.io/opnsense/${ABI}/21.1/LibreSSL/latest",
  signature_type: "fingerprints",
  priority: 7,
  enabled: yes
}
#4
rPi's are super ridiculously cheap.

c'mon why make the fw jump thru blazing hoops just to avoid spending twenty bucks?

spin up a 2nd pihole instance on a 2nd pi, advertise both rPis as DNS in the client scopes, and never ever take down both for maint at the same time.

your edge fw should rewrite any outbound dns reqs that aren't *from* your pi stack to transparently hit your pi stack, or just block the reqs entirely so you have an easy canary for hunting down any clients that go rogue.

if you don't trust your ISP's resolvers (and in this day and age, who would?), nor trust any of the centrally-aggregating others not to sell you out (quad, goog, csco, open, comodo, etc), then make sure your pi uses only the roots, and be sure to set your fw to use only the pis too.

ps ... fwiw, handling any app-embedded direct DoH or DoT resolver horseshit is a whole other ugly conversation.

good luck

R.
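
Added example, not part of the original post: a Python sketch of the "canary" idea above, listing LAN clients whose DNS or DoT traffic went anywhere other than the Pi-hole pair. The resolver addresses, LAN range and the simplified log layout are constructed assumptions, not the firewall's native log format.

```python
import ipaddress
from collections import Counter

# Assumed addresses of the two Pi-hole resolvers (documentation-range placeholders).
PI_STACK = {ipaddress.ip_address("192.0.2.53"), ipaddress.ip_address("192.0.2.54")}
LAN = ipaddress.ip_network("192.0.2.0/24")   # assumed client network
DNS_PORTS = {53, 853}                        # plain DNS and DoT; DoH on 443 is not visible here

# Constructed sample lines in a simplified "action proto src:sport dst:dport" layout.
# Adapt the parsing to whatever your firewall actually exports.
SAMPLE_LOG = """\
block udp 192.0.2.120:51514 8.8.8.8:53
pass udp 192.0.2.121:40000 192.0.2.53:53
block tcp 192.0.2.120:51515 1.1.1.1:853
pass udp 192.0.2.53:33333 198.41.0.4:53
block udp 192.0.2.130:5353 9.9.9.9:53
block udp garbage 8.8.8.8:53
block tcp 192.0.2.140:44444 203.0.113.9:443
"""

def split_endpoint(text):
    """Split 'ip:port' into (ip_address, int port); IPv4 only in this sketch."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def rogue_dns_clients(log_text):
    """Count DNS/DoT attempts per LAN client that bypassed the Pi-hole stack."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                      # line does not match the assumed layout
        try:
            src, _ = split_endpoint(fields[2])
            dst, dport = split_endpoint(fields[3])
        except ValueError:
            continue                      # unparsable address or port
        if dport not in DNS_PORTS or src in PI_STACK or dst in PI_STACK:
            continue                      # not DNS, or legitimate Pi-hole traffic
        if src in LAN:
            hits[(str(src), str(dst), dport)] += 1
    return hits

if __name__ == "__main__":
    for (src, dst, port), n in sorted(rogue_dns_clients(SAMPLE_LOG).items()):
        print(f"{src} tried {dst}:{port} directly ({n}x)")
```
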
#5
Zenarmor (Sensei) / chelsio? Re: Sensei on OPNsense
August 13, 2020, 07:07:36 AM
anyone running 20.7 and sensei with chelsio 10gig (cxgbe) nics? good? bad?
thanks,
R.


#6
thanks @mb

@admins, has Sensei grown enough to graduate to its own (sub)forum here? perhaps under the IDS category. :)
#7
@chemlud, not to distract from your rhetoric ..... I can't tell whether it was aimed @mb for Sensei, at Sophos for XG, at Deciso for opnsense itself, at Google because Evil(™), or just at everything and everyone in general :)

that said, the free = product is exactly what we have with the etPro-telemetry IPS option plugin here already (for example).

it's a consensual, opt-in model, and the quid pro quo is user data, in exchange for a better sigset from the vendor. the (hopefully GDPR-compliant?) data being exfiltrated to ProofPoint serves as substitute for an exchange of fiat currency in the transaction.

getting back on-topic to the thread ...

for the case of Sensei for home users, while the proposed price point is viable for that market segment, the SOHO paid version in the present circumstance is worse than the free version, due to a device cap that's way too low. so low as to be unusable in practice for anything other than non-serious demonstration purposes.

home users inclined to pay at all won't have issues paying $99/yr for a device count that's realistic for the current era.

15 was alright for 2004.
50 is reasonable for 2019.
#8
Tutorials and FAQs / Re: Install htop process monitor
November 24, 2019, 12:03:22 AM
lft is also nice to have (/usr/ports/net/lft)
looks like mtr's available by default, lft's not.
hrrrrumph.  :(

ps @brad -- suggest doing make install clean instead, to keep things tidy  :)
#9
@mb (again) .....

just saw the SOHO pricing, $99/yr is very competitive.

the issue I see here is that with the explosion of IoT and other things in a household, 15 devices is just much too low for a home environment in 2019.

for example, my device count ('Unique Local Hosts' in the last 24hrs, according to the Sensei Dashboard) is 41.

per the current structure, that would cost ~$1200/yr, which is completely unreasonable.

no one in their right mind is going to spend two mortgage payments every year just to keep the Chinese out of their lightbulbs, the Russians out of their Alexas, the local stalkers and thieves out of their home security systems, and successfully divert accidental Japanese donkey porn away from their kids' surfing sessions, too; they shouldn't have to choose which subset of these goals can be achieved due to an arbitrarily-low device cap.

security is only as good as its weakest link, and if a home user has to pick which devices to cover with Sensei's gaze, and which ones to leave exposed to armageddon, then invariably they will be outfoxed.

while ad-hoc device coverage makes for good eye-candy, it's not particularly better than no coverage at all, because human beings are fallible and will inevitably pick combinations that leave attack vectors available.

would you consider raising the paid SOHO plan limit to 50?

-- this would put you at parity with e.g. the device cap of SophosXG Home (which is free, fwiw).

LOL maybe even one-up the Sophos folks & make it 51 -- just because you can. ;)

thanks!

(likely a big thanks from everyone!!  :) )
#10
@mb, yes I had to wipe the database.

question: now that there is data to review, I see some sites are miscategorized.

how would you like to deal with reporting that, so it can be corrected? e.g., centos mirrors being declared malware/virus; opensubtitles.org being declared warez; etc....


#11
Zenarmor (Sensei) / index not found exception?
November 22, 2019, 06:52:47 AM
hi, fresh install, and I'm getting a ton of 'index not found exception' errors, with a lot of sensei panels displaying a red error box.

"An error occurred while report is being loaded!"

details and log excerpt below.

thoughts?

thanks.


{
  "error": {
    "root_cause": [
      {
        "type": "index_not_found_exception",
        "reason": "no such index",
        "resource.type": "index_or_alias",
        "resource.id": "alert_all",
        "index_uuid": "_na_",
        "index": "alert_all"
      }
    ],
    "type": "index_not_found_exception",
    "reason": "no such index",
    "resource.type": "index_or_alias",
    "resource.id": "alert_all",
    "index_uuid": "_na_",
    "index": "alert_all"
  },
  "status": 404
}



-----8<-----{snip}-----8<-----
/usr/local/sensei/log/active

ipdr_streamer.log:2019-11-22T00:43:47.637231 response: {"took":0,"errors":true,"items":[{"index":{"_index":"http_write","_type":"http","_id":null,"status":404,"error":{"type":"index_not_found_exception","reason":"no such index","resource.type":"index_expression","resource.id":"http_write","index_uuid":"_na_","index":"http_write"}}},{"index":{"_index":"http_write","_type":"http","_id":null,"status":404,"error":{"type":"index_not_found_exception","reason":"no such index","resource.type":"index_expression","resource.id":"http_write","index_uuid":"_na_","index":"http_write"}}},{"index":{"_index":"http_write","_type":"http","_id":null,"status":404,"error":{"type":"index_not_found_exception","reason":"no such index","resource.type":"index_expression","resource.id":"http_write","index_uuid":"_na_","index":"http_write"}}}]}


#12
General Discussion / Re: ZFS
November 20, 2019, 04:03:28 PM
thanks!
#13
General Discussion / Re: ZFS
November 20, 2019, 03:46:38 PM
Quote from: franco on June 03, 2019, 03:55:47 PM
Plan is 19.7.


Cheers,
Franco

hi Franco, this doesn't seem to be in 19.7, do you have a different plan for it?