Messages - michmoor

#1
Quote from: michmoor on March 26, 2025, 06:32:56 PM
Quote from: Patrick M. Hausen on March 26, 2025, 04:40:06 AM
"Enumerating badness" does not scale.

I love the way you put that :)
Unfortunately, creating block lists and adding signatures is a security-in-depth "thing" that is good to do—perhaps best practice is to do this additionally.

Breaking TLS is a bad idea, but it's done. It's one way (not the best way) to stop exfiltration and detect bad payloads that are encrypted.
#2
Quote from: Patrick M. Hausen on March 26, 2025, 04:40:06 AM
"Enumerating badness" does not scale.

I love the way you put that :)
Unfortunately, creating block lists and adding signatures is a security-in-depth "thing" that is good to do—perhaps best practice is to do this additionally.

TLS is a bad idea, but it's done. It's one way (not the best way) to stop exfiltration and detect bad payloads that are encrypted.
#3
Quote from: Patrick M. Hausen on March 15, 2025, 12:36:50 AM
Not a fan of IDS/IPS in general, because I think it's a fundamentally flawed concept.

What about an IDPS system would make it fundamentally flawed in concept?
It's less useful today due to TLS, but if you can break the encryption (MITM) and pass that through to an IPS system, that's the way to go.
#4
23.1 Legacy Series / Re: FRR - Severity Error
June 30, 2023, 03:17:40 PM
That's fair. It is summer holiday. Enjoy.
Talk to you later!
#5
Can you provide the site?
#6
23.1 Legacy Series / Re: FRR - Severity Error
June 30, 2023, 04:32:47 AM
Hey
So I ended up finding the issue. On pfSense there is a checkbox to configure logging for each routing protocol (log neighbor changes).
That checkbox is missing from the OPNsense plugin.
The workaround is to go into the vtysh CLI and configure it there, but of course any reload of the plugin wipes it out.
Long-term solution is to update the plugin.
I've opened a GitHub request, but it has stalled.
#7
Let me start by saying all my IPsec Debug options are set to highest.

Problem: I noticed I do not receive any good logging as to why an IPsec tunnel is failing. I would expect to see PROPOSAL MISMATCH or NONE CHOSEN or its equivalent.
I have even purposely changed the IKE P1 details of one of my tunnels just to see if I'm getting that notification of why the tunnel is failing, and I am not.

My IPsec > Log File is set to Notice.

I am on OPNsense 23.1.10_1-amd64
#8
23.1 Legacy Series / FRR - Severity Error
June 24, 2023, 10:25:12 PM
I have an existing GitHub ticket tracking this, but I wanted to bring it to the forum as it may be a more appropriate place to troubleshoot.

Background: Moving from a pfSense to an OPNsense deployment. Currently in POC stage. Routing is done over an IPsec VTY with eBGP. Routing neighborships do come up and I am able to route across.

Problem: I am not getting any protocol adjacency messages in the log. So for example, if a neighbor bounces I should get the following message in the logs:

bgpd[73781]: %ADJCHANGE: neighbor 10.6.106.2(790-OPNsensePOC.xxyy) in vrf default Down Peer closed the session

This is useful for me as this is how I build my alerting system off of syslog.

I even switched to OSPF just to see if maybe there was something wrong in my BGP config, but even there all ospfd messages are with severity Error.

Not only do those messages not appear, I noticed today that all bgpd/ospfd messages are set at severity level Error. Just really strange stuff. All notifications related to routing are at the default, and this isn't a logging issue per se.
This was never seen in pfSense. Comparing the .conf files between both OSes shows they are the same.


Don't mind sharing the config here.

Building configuration...

Current configuration:
!
frr version 7.5.1
frr defaults traditional
hostname OPNsense
log syslog notifications
!
router bgp 65001
bgp router-id 192.168.50.254
no bgp ebgp-requires-policy
no bgp default ipv4-unicast
bgp graceful-restart
no bgp network import-check
neighbor 172.28.0.5 remote-as 65002
!
address-family ipv4 unicast
  redistribute connected
  neighbor 172.28.0.5 activate
exit-address-family
!
address-family ipv6 unicast
  redistribute connected
exit-address-family
!
line vty
!
end
#9
Because it's so infrequent and unreliable, there is no way to tell if Suricata is really working or not.
Are there other things it's missing and refusing to alert on?
In my case, alerts aren't being generated when I create traffic that should trigger, especially when it triggers on other firewalls running Suricata.
#10
I've seen in past forum posts that people have had success changing the pattern matcher.
Right now changing pattern matching still doesn't produce alerts.
There is something not right with the Suricata package. ET SCAN rules always generate an alert on the WAN side. Yet... blank logs?
#11
Changing the pattern matcher doesn't work.
I've used so far:
Aho-Corasick
Aho-Corasick, "Ken Steele"
HyperScan

There is absolutely no way the ET SCAN rule is not triggering on the WAN. Impossible.
I am even triggering LAN side alerts using the following from bash: curl -A "BlackSun" www.google.com
This always triggers on pfSense or when I span a port to my Security Onion instance.

As has been mentioned in past posts, there is something wrong with the Suricata package here. The fact it's not picking up on any flow on known rules that trigger alerts indicates an issue with the implementation.
#12
I see some past forum posts where people changed from HyperScan to something else. Will change and update the forum with the results.
#13
Coming from a pfSense box running Suricata, I know which rules would generate alerts on my network and which won't. Very consistent behavior.

Moving to OPNsense, I enabled the ruleset for UserAgents. The expectation is that when I run the following command within my Linux terminal it will generate an alert: curl -A "BlackSun" google.com
This is not occurring.
What I have done so far:
Enabled IPS mode
Enabled Suricata on my WAN interface
Using advanced mode, I placed my WAN address as part of the home network
Created a Policy which included my UserAgent rules, which is enabled and set for Alert, Drop.

Additionally, because this is running on my WAN, I enabled the SCAN rule set as I know I am being harassed on the interface. This is all for testing purposes to make sure Suricata is functioning and will be turned off in the future.
Why are alerts not generating? That's the mystery.
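A minimal local self-test rule for the procedure in the post above, added here as an example; it is not from the thread and not one of the ET ruleset rules. It matches the same User-Agent the curl test sends but uses `any any -> any any` so that it does not depend on the HOME_NET setting or on which policy the ET rules fall under: if this rule never fires on the curl request, the Suricata deployment itself (interface, IPS/netmap mode, rule loading) is the problem rather than the policy. The file name local.rules and the SID 1000001 are assumptions.

```text
# local.rules (file name and SID are assumptions; put it wherever OPNsense loads user rules from)
alert http any any -> any any (msg:"LOCAL TEST curl User-Agent BlackSun"; flow:established,to_server; http.user_agent; content:"BlackSun"; nocase; classtype:policy-violation; sid:1000001; rev:1;)
```

Trigger it with `curl -A "BlackSun" http://example.com/` from a host whose traffic crosses the monitored interface. The request has to be plaintext HTTP: curl without a scheme defaults to http://, which is why the `google.com` form in the post works, but over https the User-Agent header is inside TLS and neither this rule nor the ET rule can see it.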
#14
I was changing log levels as part of testing to see if the logs produced in pfSense would be/should be the same in OPNsense.
So for example, as a BGP neighbor bounces I should see the following in the logs:

<30>Jun 19 22:12:41 bgpd[73781]: %ADJCHANGE: neighbor 10.6.106.2(790-OPNsenseFW.moore.home) in vrf default Down Peer closed the session

No matter what log level I use, I can't seem to find that log. Comparing frr.conf files between OPNsense and my working pfSense box, the configurations for logging are similar.
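The syslog-driven alerting described in this post and in the "FRR - Severity Error" post above, as an added example that is not part of the thread or of OPNsense/FRR: it parses RFC 3164 style lines (`<PRI>timestamp [host] program[pid]: message`), decodes the PRI value into facility and severity, and raises an alert for every BGP `%ADJCHANGE ... Down` event with the reason FRR logged. A second function tabulates (program, severity) pairs, which is the quick way to confirm the symptom that every bgpd/ospfd line arrives at severity err. The sample log is constructed: its first line is the ADJCHANGE line quoted in the post, the other two are made up.

```python
"""Turn FRR routing-daemon syslog lines into alerts (added example, not project code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 3164: PRI = facility * 8 + severity
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?:(?P<host>\S+) )?"                      # hostname is absent on a local log
    r"(?P<prog>[A-Za-z_][\w-]*)\[(?P<pid>\d+)\]: "
    r"(?P<msg>.*)$")
# FRR: "%ADJCHANGE: neighbor <peer>(<description>) in vrf <vrf> Up|Down [reason]"
ADJCHANGE_RE = re.compile(
    r"%ADJCHANGE: neighbor (?P<peer>[^\s(]+)(?:\((?P<desc>[^)]*)\))?"
    r" in vrf (?P<vrf>\S+) (?P<state>Up|Down)(?: (?P<reason>.+))?$")


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: Optional[str]
    program: str
    pid: int
    message: str


def parse_pri(line: str) -> Tuple[str, str]:
    """Decode the <PRI> prefix into (facility, severity) names."""
    m = PRI_RE.match(line)
    if not m:
        return ("unknown", "unknown")
    facility, severity = divmod(int(m.group("pri")), 8)
    return (FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity])


def parse_line(line: str) -> Optional[SyslogEvent]:
    """Split one syslog line into its header fields; None if it is not syslog-shaped."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    facility, severity = parse_pri(line)
    return SyslogEvent(facility, severity, m.group("ts"), m.group("host"),
                       m.group("prog"), int(m.group("pid")), m.group("msg"))


def adjacency_alerts(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """One alert per bgpd ADJCHANGE line whose new state is Down."""
    alerts: List[Dict[str, Optional[str]]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.program != "bgpd":
            continue
        m = ADJCHANGE_RE.search(ev.message)
        if m is None or m.group("state") != "Down":
            continue
        alerts.append({"timestamp": ev.timestamp, "peer": m.group("peer"),
                       "description": m.group("desc"), "vrf": m.group("vrf"),
                       "reason": m.group("reason"), "severity": ev.severity})
    return alerts


def severity_histogram(lines: List[str]) -> Counter:
    """Count (program, severity) pairs; if everything from bgpd/ospfd lands on
    'err' regardless of content, the daemon's log mapping is the problem."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            counts[(ev.program, ev.severity)] += 1
    return counts


# Constructed sample: line 1 is the ADJCHANGE line quoted in the thread,
# lines 2 and 3 are made up (an Up event, and an ospfd line tagged daemon.err).
SAMPLE_LOG = """\
<30>Jun 19 22:12:41 bgpd[73781]: %ADJCHANGE: neighbor 10.6.106.2(790-OPNsenseFW.moore.home) in vrf default Down Peer closed the session
<30>Jun 19 22:12:58 bgpd[73781]: %ADJCHANGE: neighbor 10.6.106.2(790-OPNsenseFW.moore.home) in vrf default Up
<27>Jun 19 22:13:02 fw01 ospfd[73790]: constructed sample ospfd message that arrived at severity err
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for a in adjacency_alerts(lines):
        print(f"ALERT {a['timestamp']} BGP peer {a['peer']} ({a['description']}) "
              f"vrf {a['vrf']} DOWN: {a['reason']}")
    for (prog, sev), n in sorted(severity_histogram(lines).items()):
        print(f"{prog:6s} {sev:8s} {n}")
```

Feed it the output of the firewall's syslog export (or a remote syslog receiver) rather than the sample; the PRI decoding is what shows whether the ADJCHANGE lines are missing entirely or merely arriving at a severity the configured `log syslog notifications` level filters out.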
#15
Thanks Sy. Much appreciated.
Will be reaching out to the Zen team for those IPs now.