Messages - Bogotrax

#1
German - Deutsch / Re: simple firewall tutorial
April 17, 2023, 10:27:30 PM
Many thanks for the detailed reply and the introduction to the basics. I have ordered the book and will read up on it. Have a pleasant evening!
#2
German - Deutsch / Re: simple firewall tutorial
April 17, 2023, 09:59:47 PM
Perfect, the problem is fixed. Thanks to the rule for port 53 and UDP it works now. Thanks!
I really don't want to step on anyone's toes, I just want to learn. Is the config otherwise OK, i.e. with inbound and outbound rules, or should I leave the inbound ones out completely?
Actually I want to let as little as possible out or in.
Do you know a good tutorial?
#3
German - Deutsch / simple firewall tutorial
April 17, 2023, 07:57:23 PM
Hi everyone,

I have now moved my OPNsense to hardware that is performant enough to handle OPNsense, and the web interface no longer needs 5 minutes to switch between the individual pages, but I still have problems with the basic setup of the firewall. I don't know whether it is a lack of basic knowledge and/or of understanding how OPNsense works; I suspect both. I would need a really good tutorial on setting up the firewall rules, or a Udemy course or something similar. The YouTube tutorials are all relatively bad, I get the impression, and with the documentation I give up after 5 minutes of reading.

The layout of my network is quite simple:
      |  Gateway  |  (or Router, CableModem, whatever)
      '-----+-----'
            |
        WAN | IP or Protocol
            |
      .-----+------.   
      |  OPNsense  192.168.1.1/24
      '-----+------'   
            |
        LAN | 192.168.1.0/24
            |
      .-----+------.
      | LAN-Switch |
      '-----+------'
            |
    ...-----+------... (Clients/Servers)


I have attached the rules.
Apart from my background knowledge being patchy, what irritates me most is that as soon as I remove UDP from the "pass" rules, no web server is reachable anymore, for example startpage.com.
I thought http and https run over the TCP protocol. So why is UDP necessary in that case?
So much for my concrete question.

I also ignored WAN completely because I thought the config on LAN is enough.

Many thanks for the replies!

Bogotrax
Btw.: Is there a Discord channel for OPNsense?



https://postimg.cc/bdxcfTbh
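An added example, not part of the post and not OPNsense code: a small first-match rule evaluator that shows why removing UDP from the pass rules makes startpage.com unreachable. A name lookup over UDP to port 53 precedes every HTTP(S) connection, so an egress policy of "TCP 80/443 only" blocks the DNS step before the browser ever opens a TCP connection. The rule lists, flows and step names are constructed; first-match ("quick") evaluation, an implicit block for unmatched traffic, and ignoring reply-state handling are assumptions of the model.

```python
"""Added example (not from the forum post): a first-match rule evaluator that
shows why an egress policy of 'pass TCP 80/443 only' breaks web browsing.
Assumptions: rules are evaluated first match wins (OPNsense's default 'quick'
behaviour) and unmatched traffic hits an implicit block; reply packets are not
modelled, only the initiating packet of each flow.
All rules, flows and step names below are constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "tcp", "udp" or "any"
    dst_port: Optional[int]     # None matches every destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_port: int
    step: str                   # what the client is doing at this point


def evaluate(rules: List[Rule], flow: Flow, default: str = "block") -> str:
    """Return the action of the first rule matching the flow, else the default."""
    for rule in rules:
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if rule.dst_port is not None and rule.dst_port != flow.dst_port:
            continue
        return rule.action
    return default


# What a browser needs before it can show https://startpage.com/: the stub
# resolver asks the DNS server over UDP/53 (TCP/53 is only the fallback for
# truncated answers), and only then does it open TLS on TCP/443.
WEB_VISIT = [
    Flow("udp", 53, "DNS lookup of startpage.com"),
    Flow("tcp", 53, "DNS retry over TCP (truncated answer)"),
    Flow("tcp", 443, "HTTPS to startpage.com"),
]

# The poster's situation: UDP removed from the pass rules.
TCP_ONLY = [Rule("pass", "tcp", 80), Rule("pass", "tcp", 443)]

# The fix from the thread (port 53 over UDP); TCP/53 is added here as the
# fallback transport, which the thread did not mention.
WITH_DNS = [Rule("pass", "udp", 53), Rule("pass", "tcp", 53)] + TCP_ONLY


def trace(rules: List[Rule], flows: List[Flow] = WEB_VISIT) -> Dict[str, str]:
    """Map each step of the visit to the verdict the rule set gives it."""
    return {f.step: evaluate(rules, f) for f in flows}


def first_blocked_step(rules: List[Rule]) -> Optional[str]:
    """The step a user would see failing (None when the whole visit passes).
    The browser never reaches the TCP step if no DNS answer can arrive."""
    for flow in WEB_VISIT:
        if evaluate(rules, flow) != "pass":
            return flow.step
    return None


if __name__ == "__main__":
    for name, rules in (("tcp-only", TCP_ONLY), ("with-dns", WITH_DNS)):
        print(name, trace(rules), "-> first blocked:", first_blocked_step(rules))
```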
#4
Thanks for the feedback. Could you find a solution to the problem? After I increased the RAM through swap the problem was seen less often. But in your case RAM definitely doesn't seem to be the problem.
#5
Quote from: alexcccp on December 20, 2021, 02:31:50 AM
Exactly the same error, but IDS works.

the error disappears after deletion
rm -rf /usr/local/etc/suricata/

BUT!  >:(
IDS stops working immediately after enabling ClamAV + ICAP.

Where do you apply rm? Is there a terminal through the web interface where you can do this?
#6
Activated IPS with Aho-Corasick. So far so OK, although I have a new problem now: "Error reconfiguring IDS: error installing ids rules ()" when I "apply" the new configuration to Suricata. Is there a reset option for Suricata, or a way to apply the original settings, or a way to reinstall Suricata to make sure I don't get the error, or a way to debug this?
#7
Thanks for your feedback. I need to run through my head what the options are for me. I'll take a look at Zenarmor. Seems like a fitting solution, and less RAM is something that sounds good to me. For more RAM, I'd need another APU or find an old PC to run OPNsense on.
#8
Thanks a lot for the input. I will run Malwarebytes over it.
Meanwhile I have another thing that is bugging me:
I get those alerts for connections to a .biz and a .cloud address that I would like to use the firewall on, if possible.
I already told Suricata to drop them, but they keep popping up, also having the flag "allowed" to pass through.
I am not the brightest bulb regarding firewall and Suricata settings. I also can't run IPS instead of IDS because of memory.
Any idea how to set up the firewall so that they don't pop up?

Update: Malwarebytes couldn't find anything :/ Still, thanks for your advice.
#9
Enough RAM? Mine just deactivated itself while eating itself up to 93% RAM usage. Enabling swap helped.
#10
Hello,

Suricata spotted the following potential threat on my newly set up Windows machine. I just connected it and installed some rather not so interesting things (Steam and Spotify) on it, and it apparently detected the following:
2022-01-03T20:19:39.244220+0100 2028769 allowed wan 192.168.0.2 59688 34.199.180.185 443 ET JA3 Hash - [Abuse.ch] Possible Tofsee
2022-01-03T20:19:21.464036+0100 2008038 allowed wan 192.168.0.2 52559 34.199.180.185 80 ET USER_AGENTS Suspicious User-Agent (Mozilla/4.0 (compatible ICS))
2022-01-03T20:18:20.113306+0100 2028769 allowed wan 192.168.0.2 20428 3.220.178.226 443 ET JA3 Hash - [Abuse.ch] Possible Tofsee


Can somebody brief me on what that potentially means, and which rules to apply on the OPNsense firewall? I am rather new to the whole thing and would like to go through some manuals, if somebody could point me towards the approximate passage.
Also, if there is a more suitable part of the board to address the issue in, I'd be more than glad to get the right direction.
I can't enable IPS since my OPNsense setup already chokes on IDS while Suricata is running, so much for that.
Does it look like I have to set up the machine anew and change all passwords, or is this a meh message? I totally rely on external help here.

Thanks in advance.

Best,

Bogotrax
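An added example, not from the thread and not OPNsense or Suricata code, serving both this post and the earlier one about .biz/.cloud alerts that "keep popping up" as allowed: a parser for alert lines in the layout the posts quote (timestamp, SID, action, interface, source IP, source port, destination IP, destination port, message), with a per-signature summary and a check for signatures that were only logged. The field layout is inferred from the quoted lines and is an assumption; the sample input is the three lines from this post.

```python
"""Added example (not from the thread): parse Suricata alert lines as quoted in
the posts and summarise them per signature id (SID). The field layout
(timestamp, SID, action, interface, src IP, src port, dst IP, dst port, message)
is inferred from the quoted lines and is an assumption of this example."""

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    action: str      # "allowed": the sensor only logged the flow (IDS mode)
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    msg: str


def parse_alert(line: str) -> Alert:
    """Split one alert line; the message is everything after the 8th space."""
    ts, sid, action, iface, src, sport, dst, dport, msg = line.split(" ", 8)
    return Alert(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"), int(sid),
                 action, iface, src, int(sport), dst, int(dport), msg)


def triage(text: str) -> Dict[int, dict]:
    """Group alerts by SID: hit count, actions seen, distinct destinations, time span."""
    summary: Dict[int, dict] = defaultdict(
        lambda: {"msg": "", "count": 0, "actions": set(), "dsts": set(),
                 "first": None, "last": None})
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        s = summary[a.sid]
        s["msg"] = a.msg
        s["count"] += 1
        s["actions"].add(a.action)
        s["dsts"].add(f"{a.dst}:{a.dport}")
        s["first"] = a.ts if s["first"] is None else min(s["first"], a.ts)
        s["last"] = a.ts if s["last"] is None else max(s["last"], a.ts)
    return dict(summary)


def only_logged(summary: Dict[int, dict]) -> List[int]:
    """SIDs whose every hit was merely 'allowed': Suricata saw the flow but did
    not stop it. With IDS (not IPS) enabled that is the only outcome possible,
    so a rule switched to 'drop' keeps reporting 'allowed' until inline mode is on."""
    return sorted(sid for sid, s in summary.items() if s["actions"] == {"allowed"})


# The three lines quoted in the post above (copied, not constructed).
SAMPLE_ALERTS = """\
2022-01-03T20:19:39.244220+0100 2028769 allowed wan 192.168.0.2 59688 34.199.180.185 443 ET JA3 Hash - [Abuse.ch] Possible Tofsee
2022-01-03T20:19:21.464036+0100 2008038 allowed wan 192.168.0.2 52559 34.199.180.185 80 ET USER_AGENTS Suspicious User-Agent (Mozilla/4.0 (compatible ICS))
2022-01-03T20:18:20.113306+0100 2028769 allowed wan 192.168.0.2 20428 3.220.178.226 443 ET JA3 Hash - [Abuse.ch] Possible Tofsee
"""

if __name__ == "__main__":
    for sid, s in triage(SAMPLE_ALERTS).items():
        print(sid, s["count"], sorted(s["dsts"]), s["msg"])
    print("logged only, not blocked:", only_logged(triage(SAMPLE_ALERTS)))
```

Two distinct signatures on the same source host within a minute is the kind of grouping worth looking at as one event rather than three separate lines.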
#11
Learned something new again.
#12
In which cases do you see a need for it?
I use WebRTC-based applications in an otherwise moderately secured environment and need more information about what goes through there, without shutting WebRTC down right away. Any help is welcome.
And I like getting to know the functions of the OPNsense environment better. On the software side I have not found anything so far that filters accordingly, or I don't know enough about it.
@ micneu Then I'll get on with the backup soon.
#13
That seems to me to be somewhat more involved than just ticking a box in the web GUI. Is there a guide for the offloading? I don't mind it running slower, the main thing is that Suricata doesn't deactivate itself. At most I stream music as a private user, and so far there have been few to no problems with that. I will surely have to go via the serial connection and the command line. I think I'll see whether I can somehow get the disk cloned. At the moment 4 GB seems to be enough anyway (3 GB RAM usage on average, about 60 % CPU load at 72.6 °C). Does anyone have experience with this matter?
#14
Thanks to franco, the swap did the trick under System -> Misc (/system_advanced_misc.php is the "path"). Reboot, and with the swap partition it runs stably! It's only 2 GB more, but it works!
#15
General Discussion / Re: Swap Partition on OPNsense
December 29, 2021, 03:17:23 PM
Oh my god, it works, I am so happy. I thought about buying a "bigger" system the last couple of days. You saved my small setup! Thanks a lot, franco!