Messages

1

Intrusion Detection and Prevention / Re: IDS detection unreliability, not sure why - new user.

« on: April 26, 2020, 05:40:13 am »

Here is example of the opnsense failing to detect packets for enabled rules.

the connection is ONT <> opsense in transparent bridge <> UDMP in NAT router.

both are doing IDS not IPS.

https://imgur.com/PzChBHk
https://imgur.com/DhWyA17

2

Intrusion Detection and Prevention / Re: Suricata logs and what they mean??

« on: April 21, 2020, 09:31:17 pm »

As someone who used to be the product manager for RDP please never expose RDP ports (be it 3389 or random port) directly to the internet and NEVER turn off NLA option.

There are whole classes of DoS attacks possible with NLA turned off that cannot be mitigated.
And multiple theoretical attack surfaces. With NLA turned on things are several orders of magnitude more safe, that said i would recommend the use of either use RD Gateway to terminate RDP and offer outside as HTTPs.
Or a VPN or some other proxy solution like azure proxied apps where there is additional layer of MFA auth.

(and i am talking as someone who happily exposes HTTPS web UI's externally that one shouldn't (Unifi, Synology). so that should give you an idea of just how risky RDP is)

3

Intrusion Detection and Prevention / Seach not working properly in IPS rules view

« on: April 21, 2020, 07:00:16 pm »

I want to search of term "ET WEB_SERVER"

ET WEB_ works (and i see WEB_SERVER entries), but as soon as i add the S it says no results.

Is this a known issue?

4

Intrusion Detection and Prevention / Re: IDS stopped working, not sure why - new user.

« on: April 21, 2020, 06:58:10 pm »

Ok, i think there are several things going on here that are contributing to breaks / unreliability

1. i have yet to verify but I think sensi modified the bridge and stopped IPS working - i tore down sensi, reset and reinstalled suricata and deleted and re-created the bridge - that helped.
2. I had poorly formed 'ANY' firewall rules on BR0, LAN and WAN.  Removed WAN and LAN rules and created inbound and outbound rule on BR0 correctly.

This has increased detection, but it is still unreliable, for example if I use the "for i in {1..10}; do curl testmyids.com; done" command it generates maybe one or two alerts in inline opnsense (between CM and router). 

Whereas my routers IPS detects all 10.

Not sure where to start to troubleshoot? 

5

Intrusion Detection and Prevention / Re: IDS stopped working, not sure why - new user.

« on: April 21, 2020, 06:18:49 am »

Today I noticed that suricata was detecting threats directed to the WAN interface (rather than the bridge which is made up of LAN / WAN) QED suricata is still working

Maybe i don't understand how the allow logging works - does it log only once per signature per host - no matter how many times that signature it is hit?

6

Hardware and Performance / Re: Slow Transparent Bridge?

« on: April 20, 2020, 07:45:07 pm »

I agree with what you said.

I had to get frontier FTTH installed last week due to the packet loss i was seeing comcast for the last month.  Though they would only sell me 100mbps.

Embarrassedly i have to admit the speed issue looks like it was my fault :-(

My testing PC 1gb mobo card suddenly started only doing 250mbs - i cant figure out why.  I switched to my 10g card with dac and got full 900mbps+

I have a crappy excuse, i had waay too many moving pieces yesterday (changed cable mode, setup untangle, realized it couldn't do transparent bridging, discovered opnsense, installed it for first time, locked my self out of an msata drive, etc).

When i get some time i will figure out the speed issue on the mobo nic.  it was working ok 48 hours ago.... i wonder if windows did an update....

7

Intrusion Detection and Prevention / IDS detection unreliability, not sure why - new user.

« on: April 20, 2020, 06:43:50 pm »

Hi I am new, so bear with me if i seem extra stupid.

I installed opnsense yesterday for first time, configured for transparent bridging.
I installed the intrusion detection service and tested with www.testmyids.com and got an alert, yay!

I then installed: ET Pro Telemetry ruleset, Snort VRT registered rule set, PT rule set and Sensi (in experimental bridge mode).

I turned off sensi when I saw it was giving me a 50% throughput hit on my 1gig connection.

Now when i go to www.testmyids.com it isn't generating any alert events and I am unsure why.
Any suggestions?

8

20.1 Legacy Series / Re: Management on Second Interface

« on: April 20, 2020, 09:26:24 am »

I set up opnsense for the first time ever today, in transparent bridge mode (where LAN and WAN are bridged).

Took me ages to work out that I had to set an IPv4 inbound firewall rule on OPT2 where source was OPT2 Network and rest was ANY.

9

Intrusion Detection and Prevention / Re: Snort Rules - not installed

« on: April 20, 2020, 09:09:28 am »

Changing to snortrules-snapshot-29160.tar.gz fixed this for me.

10

Hardware and Performance / Re: Slow Transparent Bridge?

« on: April 20, 2020, 03:45:49 am »

Ignore me, I just pulled the device back onto my LAN so it is between my PC and the rest of the network - getting 980mbps to an internal HTML speed test docker container on my NAS.

Seems comcast/xfinity let me down again :-(

11

Hardware and Performance / Slow Transparent Bridge?

« on: April 20, 2020, 02:37:50 am »

Hi,

New here, new to opnsense, so please bear with me if I ask stupid questions.

I was seeing if I could use opnsense as a transparent bridge between my cable modem and  NAT/router. and have suricata running to do intrusion detection (not prevention).

I have it working based on these instructions https://docs.opnsense.org/manual/how-tos/transparent_bridge.html

I have not yet enabled the IPS service, and my gig connection has been slowed to ~250mbps.
The CPU has not gone above 40%, I have memory headroom.

My CPU is my rather old box is Intel(R) Celeron(R) CPU J1900 @ 1.99GHz (4 cores) and running OPNsense 20.1.4-amd64

Could you help me understand why it is this slow (is it expected) and if it isn't expected what i can do to troubleshoot or improve?