Intrusion Detection and Prevention / Migrating from pfsense IDS to opnsense
« on: December 24, 2021, 02:24:32 am »
Hi all. I have recently moved from pfsense and appreciate all of the work done by the opnsense team!
I am running sensei, and also using suricata (services -> intrusion detection) as an IDS listening on LAN to look for problem machines and processes. I periodically review alerts looking for concerning patterns.
I am hoping you might share your preferred workflows for updating rules efficiently. Things I noticed:
1. Rule reloads and restarts are slow, and it's hard to know when things are finished without tail -f'ing the logs. This makes testing and tweaking slower.
2. I'm not sure on the ordering and interaction between policy, rule adjustments, admin -> rules and admin -> user adjustments. I have reviewed docs.opnsense.org/manual/ips.html and the two linked HOWTOs.
3. I often want to do quick allow/block-list updates. Where would you suggest doing that?
4. I have to go to /var/log for details on alerts. I know about the view option in the alerts tab (which shows up as an edit icon), but I'm not seeing priority, and it misses other information like the DNS query target (rrname) which is in eve.log.
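One way to get the priority and the DNS rrname out of the EVE log without paging through /var/log by hand. This is an added example, not code from the original post and not part of OPNsense or Suricata; it assumes the standard Suricata EVE JSON layout (alert records carry `alert.severity`, which Suricata derives from the rule's classification priority, and DNS records carry `dns.rrname`) and uses a constructed log sample. The default path `/var/log/suricata/eve.json` is an assumption and should be adjusted to wherever your install writes the file.

```python
import json
import sys
from collections import Counter, defaultdict

# Constructed sample EVE lines (not real traffic): two alerts of different
# severity, one DNS query, one DNS answer, and one truncated line such as you
# would see while Suricata is still writing the file.
SAMPLE_EVE = """
{"timestamp":"2021-12-24T02:10:01.000000+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":51000,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED medium priority alert","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-12-24T02:10:02.000000+0000","event_type":"dns","src_ip":"192.0.2.10","src_port":53011,"dest_ip":"192.0.2.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4321,"rrname":"example.test","rrtype":"A","tx_id":0}}
{"timestamp":"2021-12-24T02:10:02.100000+0000","event_type":"dns","src_ip":"192.0.2.1","src_port":53,"dest_ip":"192.0.2.10","dest_port":53011,"proto":"UDP","dns":{"type":"answer","id":4321,"rrname":"example.test","rrtype":"A","rcode":"NOERROR"}}
{"timestamp":"2021-12-24T02:10:03.000000+0000","event_type":"alert","src_ip":"192.0.2.20","src_port":40000,"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"CONSTRUCTED high priority alert","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2021-12-24T02:10:04.000000+0000","event_type":"alert","src_ip":"192.0.2.3
"""


def parse_eve(lines):
    """Parse one JSON object per line; skip blank and truncated lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial line at the end of a file being written
    return events


def alerts(events, max_severity=None):
    """Flatten alert records; keep only severity <= max_severity if given.

    Suricata severity 1 is the highest priority, so max_severity=1 means
    'only the most urgent alerts'."""
    out = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        sev = a.get("severity")
        if max_severity is not None and (sev is None or sev > max_severity):
            continue
        out.append({
            "timestamp": ev.get("timestamp"),
            "src_ip": ev.get("src_ip"),
            "dest_ip": ev.get("dest_ip"),
            "sid": a.get("signature_id"),
            "signature": a.get("signature"),
            "severity": sev,
            "action": a.get("action"),
        })
    return out


def severity_counts(events):
    """How many alerts at each priority level, for a quick triage overview."""
    return dict(Counter(a["severity"] for a in alerts(events)))


def dns_queries_by_host(events):
    """Map each querying host to the sorted list of names it looked up.

    Only 'query' records are counted so answers don't double the names."""
    names = defaultdict(set)
    for ev in events:
        if ev.get("event_type") != "dns":
            continue
        dns = ev.get("dns", {})
        if dns.get("type") == "query" and dns.get("rrname"):
            names[ev.get("src_ip")].add(dns["rrname"])
    return {host: sorted(n) for host, n in names.items()}


def report(events):
    """Human-readable summary: alerts by priority, then DNS names per host."""
    lines = ["Alerts by severity: %s" % severity_counts(events)]
    for a in alerts(events):
        lines.append("  sev=%s %s -> %s sid=%s %s" % (
            a["severity"], a["src_ip"], a["dest_ip"], a["sid"], a["signature"]))
    lines.append("DNS queries by host:")
    for host, names in dns_queries_by_host(events).items():
        lines.append("  %s: %s" % (host, ", ".join(names)))
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed default location; pass another path as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/suricata/eve.json"
    try:
        with open(path, encoding="utf-8") as fh:
            evs = parse_eve(fh)
    except FileNotFoundError:
        evs = parse_eve(SAMPLE_EVE.splitlines())
    print(report(evs))
```

Run it against the live file to get the priority column the alerts tab hides, or pipe `tail -n 1000 eve.json` into it through a temporary file when only recent activity matters. Filtering with `alerts(events, max_severity=1)` is the quickest way to pull out the high-priority entries when reviewing for concerning patterns.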