Messages

1

Intrusion Detection and Prevention / ETPro Telemetry Token Re-use

« on: August 11, 2023, 04:45:27 am »

Hi All,

I have ETPro Telemetry installed on a single firewall and looking to install the rules on another firewall at a different location. Can I use the same token on both firewalls for activation or do I need to order another one?

Thanks!

2

Web Proxy Filtering and Caching / Re: Web Proxy - Pinger on by default?

« on: November 25, 2020, 03:01:28 am »

PR done, toggle is in the 20.7.5 patch 

3

Web Proxy Filtering and Caching / Web Proxy - Pinger on by default?

« on: September 25, 2020, 04:13:46 am »

Hi all,

I'll preface this by saying I'm not a Squid/pf expert, so happy to be corrected and educated.

• Is pinger in the squid package is on by default?
• Isn't pinger only really useful to configurations where the proxy is acting as a parent/peer?
• Is there a way to disable pinger?

I ask because I was trolling through my firewall logs and could not figure out why the firewall was sending echo requests only on WAN side from the "let out anything from firewall host itself" rule. These were going to most sites being visited, and I was surprised to see the domain names of the sites that were being visited in the ping packet data.

A bit of searching led me to pinger being responsible. I could not find a way to disable this in GUI so experimented by editing the squid.conf (adding 'pinger_enable off'). This did as expected and stopped the pings, but is obviously not a solution.

Am I missing something here in the configuration, or the way pinger works? I'm not using a parent proxy so in my (admittedly basic) understanding, this fits my firewall policy of 'if it's not required, turn it off'.

4

Intrusion Detection and Prevention / Re: snort rules useless?

« on: September 21, 2020, 12:07:13 pm »

Update - I put both snort and ET pro (telemetry) rules on then prodded it with nmap / nikto. Both snort and ET fired at different times, so they are working I was just impatient.

Hushcoden, I don't know the answer to that sorry, I would have thought just the WAN interface. Turn on the ET scan rules and you should pick up plenty of sip scans. The snort set doesn't generate as many alerts, at least for me.

5

Intrusion Detection and Prevention / Re: snort rules useless?

« on: September 15, 2020, 11:02:37 am »

After enabling all the snort rules; no alerts. I did a nmap scan which triggered both ET Open scan and PT research, but no snort. I have applied for the pro telemetry rules to compare. I'm wondering, does anyone know if there are any tweaks needed to suricata to get the snort rules working, or is it not worth it?

6

Intrusion Detection and Prevention / Re: snort rules useless?

« on: September 14, 2020, 01:54:33 pm »

Sorry to bring back a post from long ago. I'm new to Opnsense and found this from google so thought I'd add a comment. I had the same experience (no snort rules triggered with the VRT ruleset, even when many are installed and enabled). There are around 100 rule loading errors, and the ET Open rules fire on mostly IP based rules so the install is ok. There are Snort VRT / Suricata 5 compatibility issues but to what extent I have not yet investigated. I have now enabled nearly every snort rule (except appID and deleted) to see the if it triggers alerts. Also intending to take a look at the ET Pro telemetry edition to see if there is any difference.

In general, if you are not going to be doing SSL decryption (but assuming you are using the web proxy and SNI) are any of the IDS rulesets worth having? I'm mostly interested in seeing IoC on any of the IoT devices, as well as keeping the bots to a minimum.