Messages - raid3868

#1
Hi,

Does anyone know how to configure monit to send alerts after the IDS rules are updated? I have configured monit and am able to send alerts when a block is detected. It works without any issue, but I can't find any way to configure an alert for IDS rule updates and send an email. It is requested by our external auditors and our customer. Please help.

Tks
#2
Sorry for the late reply, I just revisited the forums.

What I do is, before upgrading I put a lock on the package suricata v5.0.7 so it will not upgrade to the latest version. Then I use the command opnsense-revert -r 21.7.3 opnsense to revert back to 21.7.3, so I can implement it into production use.

I am looking to purchase the business version, but I am not sure what version of suricata it has, because there is no way to test unless you purchase. The business edition is 2.10; I don't know the suricata CPU effect. Very hard to make decisions, because I have to take responsibility if I purchase on behalf of the company. Just sad that I am unable to get any confirmation.

I have been testing with opnsense for quite some time; if implemented for the company, it needs to be a stable system.

Tks
#3
21.7 Legacy Series / Re: Intrusion Detection
December 17, 2021, 05:14:20 AM
I found the issue. The fix is not the right way, but suricata WCPU at idle is 1.3%-1.5%.
#5
Anyone please help: will the business edition have this issue, or is it normal that suricata takes WCPU 14%-15% when idle?

Anyone please comment. Tks
#6
21.7 Legacy Series / Re: Intrusion Detection
December 16, 2021, 09:52:38 AM
Hi

I tried to revert to 21.7.3; the problem is still the same.
Using this command: opnsense-revert -r 21.7.3 opnsense

suricata WCPU = 13%-15%

No luck. Does someone know what is happening? Or is it like this when IDS/IPS is enabled?

Does anyone know if the business edition has the issue?

Does anyone know how to restore without restoring the IDS/IPS configuration? I would like to do a factory reset but do not want to restore the IDS/IPS configuration.


Tks
#7
21.7 Legacy Series / Re: Intrusion Detection
December 16, 2021, 07:03:54 AM
Hi

Today I did a clean install.
The install ISO was downloaded from the opnsense site, OPNsense-21.7.1-OpenSSL-dvd-amd64.iso.
After configuring everything necessary, I configured Intrusion Detection, downloaded all policies and configured as previously, started IDS, and checked at the console with the command top.

suricata WCPU = 0.13%-0.17% (something around this). Looks OK with this CPU usage.

Then I updated to the latest OPNsense 21.7.7-amd64 and rebooted.
Checked at the console with the command top:

suricata WCPU = 13%-15%. I think something is wrong with the latest update.


Anyone with this issue?

Please help, I am trying to put it into production to replace the current cyberoam.

tks


#8
21.7 Legacy Series / Intrusion Detection
December 15, 2021, 10:07:16 AM
Dear expert,

I have enabled the IDS/IPS. When I ssh to my opnsense and run top, it shows WCPU always consuming 14%-15%, without any traffic. Is this normal when IDS/IPS is enabled?

    PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
63648 root                7  20    0       672M   311M nanslp   2   1:48  14.21% suricata


HOST: DELL 740xd, 20 CPUs x Intel(R) Xeon(R) Silver 4210 CPU @ 2.20GHz, RAM 128 GB

Opnsense is a VM guest with 8 vcpu and 16GB ram
Network interfaces:
10GB - internal with 2 vlan
1GB - external (WAN)

OPNsense 21.7.6-amd64
FreeBSD 12.1-RELEASE-p21-HBSD
OpenSSL 1.1.1l 24 Aug 2021


ids/ips configuration
------------------------
IPS mode=enable
Promiscuous mode=enable
Pattern matcher=Hyperscan
Interfaces=LAN
Rulesets=ET telemetry
Policies= All ET telemetry rulesets = alert and drop

Log file shows:
2021-12-15T16:45:43   suricata[63648]   [100369] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.


Tks

#9
Dear all

I would like to ask whether opnsense Intrusion Detection can exclude an IP. For example, I have a mail gateway with an internal IP and I would like to exclude it from IPS/IDS so it will not scan traffic to the mail gateway, and so it will not break any traffic to the mail gateway.

Or can I use Service:Intrusion Detection:Administration:User Defined

Enabled
Source IP: any
Destination IP: <mail gateway IP>
SSL/Fingerprint : <blank>
Action: Pass

Can this work?

OPNsense 20.1.7-amd64

Tks
#10
Thanks guys,

I have made it work. ;D ;D

Thank you
#11
General Discussion / Opnsense VLAN + cisco switch
May 11, 2020, 08:24:27 AM
Dear all

I need help setting up opnsense + cisco switch.

                                 192.168.1.254
Internet wan <----> opnsense 20.1.6 <----> Lan Cisco switch
                                                    vlan 81
                                                    vlan 10

Setup at the cisco switch (8 ports):
vlan 81
vlan 10
vlan 1 (default )

vlan1
GE1(VLan81)               Trunk  Excluded
GE2(VLan10)               Trunk  Excluded
GE4                               Trunk   Untagged
GE5                                Trunk  Untagged
GE6                                Trunk  Untagged
GE7                                Trunk  Untagged
GE8                                Trunk  Untagged  ---> Link to opnsense Lan port

vlan81
GE1(VLan81)               Trunk  Tagged
GE2(VLan10)               Trunk  Excluded
GE4                                Trunk  Excluded
GE5                                Trunk  Excluded
GE6                                Trunk  Excluded
GE7                                Trunk  Excluded
GE8                                Trunk  Tagged  ---> Link to opnsense Lan port

vlan10
GE1(VLan81)               Trunk  Excluded
GE2(VLan10)               Trunk  Tagged
GE4                                Trunk  Excluded
GE5                                Trunk  Excluded
GE6                                Trunk  Excluded
GE7                                Trunk  Excluded
GE8                                Trunk  Tagged  ---> Link to opnsense Lan port


For Opnsense:

Interfaces --> Other Types --> VLAN, and create vlan 81 and vlan 10.
Then
Interfaces --> Assignments, and assign vlan 18 and vlan 10 to Lan.
Then
Interface vlan81: assign IP 192.168.3.254/24
Interface vlan10: assign IP 192.168.4.254/24
After saving all:

Firewall --> Rules
V81 add rules
Protocol   Source    Port   Destination   Port   Gateway
IPv4*      V81 net   *      *             *      *
Save and enable rule.
V10 add rules
Protocol   Source    Port   Destination   Port   Gateway
IPv4*      V10 net   *      *             *      *
Save and enable rule.

I do not use DHCP, so I put a fixed IP on my laptop and connected it to cisco switch GE1, IP 192.168.3.10/24.
I also put a fixed IP on my laptop and connected it to cisco switch GE2, IP 192.168.4.10/24.

But I still cannot connect to the internet. Is any step being done wrongly?
For vlan1 I can connect to the internet and ping the firewall.

What have I missed? Please help. Thank you very much.