Messages - chropnsense

#1
Hi,

Case: Someone triggered an IDS rule on my Suricata list. Suricata blocks this connection.

=> Since we know the IP that got blocked, is there a (semi) easy way of adding this blocked IP to a custom block list that then can be used in firewall rules?

Thanks!
#2
Hi,

Thanks for your reply!

I have heard about zenarmor, perhaps I need to give it a spin.

Thanks!

EDIT: Zenarmor seems like an alternative to Unbound DNS or Adguard, not really what I was looking for.
#3
Alright, a bit of discussion with myself here but perhaps if someone else stumbles upon this same "issue".

It seems that this has nothing to do with OPNsense or Suricata in any way but more with how the loaded nmap rules are configured to react upon payload.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009582; classtype:attempted-recon; sid:2009582; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)


So - the keyword here is the object $EXTERNAL_NET and flow of the traffic to $HOME_NET. That is; this particular rule will only trigger if the flow is from WAN to LAN (or WAN if you have WAN defined as your Home Network).

Interesting though, that this rule was triggered when I had Home Network as 192.168.1.1/32 but not 192.168.1.1/24. Perhaps also a bit stupid that the traffic flow is "hard coded" into the rule but different discussion and can not complain since it is free. It would make more sense to have IDS/IPS based on firewall rules (i.e. apply this IPS profile to this rule).

There are probably a lot of rules working as the one above, which kind of defeats the purpose of IPS if one is already blocking everything incoming.

Has anyone tackled this somehow and if yes - how? Do you have manual rules somehow and replace $EXTERNAL_NET with $HOME_NET?
#4
Hi,

If anyone could point me in the right direction on how to set up IDS/IPS properly on OPNsense, it would make my day. I still cannot understand how I cannot get IDS/IPS detections to alert or block consistently.

Thanks!

EDIT:

Just to be clear, IPS is working on WAN if I enable it also on WAN interface and add my WAN IP to Home networks. Feels kind of pointless to run IPS on WAN since I already block everything with firewall rules. On the LAN though, I would be interested in if anyone is doing shady stuff.


2024-01-19T11:36:09.999708+0200 2009582 allowed WAN xxx.148.72.192 47613 91.155.xxx 3389 ET SCAN NMAP -sS window 1024
2024-01-19T11:36:02.220004+0200 2500010 allowed WAN xxx.19.24.23 53734 91.155.xxx 8080 ET COMPROMISED Known Compromised or Hostile Host Traffic group 6
2024-01-19T11:34:47.667573+0200 2009582 allowed WAN xxx.94.95.226 56852 91.155.xxx 8080 ET SCAN NMAP -sS window 1024
2024-01-19T11:33:40.068103+0200 2009582 allowed WAN xxx.94.95.226 56808 91.155.xxx 8443 ET SCAN NMAP -sS window 1024
2024-01-19T11:33:40.068103+0200 2400003 allowed WAN xxx.94.95.226 56808 91.155.xxx 8443 ET DROP Spamhaus DROP Listed Traffic Inbound group 4
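One way to answer the question in post #1 (turning blocked or alerted source addresses into a list a firewall alias can consume) is to parse the alert export shown above. The script below is an added example, not OPNsense or Suricata code. It reads the whitespace-separated layout of the lines in this post (timestamp, sid, action, interface, source IP, source port, destination IP, destination port, rule message), counts alerts per source, and emits one address per line. The sample lines are constructed with documentation address ranges; the `min_hits`, `sids` and `protected_nets` parameters are this example's own design, not OPNsense options.

```python
"""Turn Suricata alert lines into a block list for a firewall alias.

Added example (not OPNsense or Suricata code). Input is the whitespace-separated
layout shown in the thread: timestamp, sid, action, interface, source IP,
source port, destination IP, destination port, rule message.
"""
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample alerts using documentation ranges (203.0.113.0/24 and
# 198.51.100.0/24); not real traffic from the thread.
SAMPLE_ALERTS = """\
2024-01-19T11:36:09.999708+0200 2009582 allowed WAN 203.0.113.10 47613 198.51.100.7 3389 ET SCAN NMAP -sS window 1024
2024-01-19T11:36:02.220004+0200 2500010 allowed WAN 203.0.113.20 53734 198.51.100.7 8080 ET COMPROMISED Known Compromised or Hostile Host Traffic group 6
2024-01-19T11:34:47.667573+0200 2009582 allowed WAN 203.0.113.30 56852 198.51.100.7 8080 ET SCAN NMAP -sS window 1024
2024-01-19T11:33:40.068103+0200 2009582 allowed WAN 203.0.113.30 56808 198.51.100.7 8443 ET SCAN NMAP -sS window 1024
2024-01-19T11:33:40.068103+0200 2400003 allowed WAN 203.0.113.30 56808 198.51.100.7 8443 ET DROP Spamhaus DROP Listed Traffic Inbound group 4
2024-01-19T11:30:00.000000+0200 2010936 blocked LAN 192.168.1.156 49622 192.168.1.1 1521 ET SCAN Suspicious inbound to Oracle SQL port 1521
"""

# Address space that must never end up in the block list, regardless of alerts:
# RFC 1918, loopback and link-local. A scan from an internal host (see the LAN
# line above) must not lock out your own network.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_alert(line):
    """Split one alert line into fields; returns None for lines that do not fit."""
    parts = line.split(maxsplit=8)
    if len(parts) != 9:
        return None
    ts, sid, action, iface, src, sport, dst, dport, msg = parts
    try:
        return {
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "action": action, "iface": iface,
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "msg": msg,
        }
    except ValueError:
        return None


def build_blocklist(lines, min_hits=1, sids=None, protected_nets=()):
    """Return the sorted source addresses (as strings) that raised alerts.

    - sids: optional set of rule ids to consider (None = every rule)
    - min_hits: minimum number of alerts from one source before it is listed
    - protected_nets: your own public networks; never list addresses inside them
    """
    protected = NEVER_BLOCK + [ipaddress.ip_network(n, strict=False) for n in protected_nets]
    hits = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        if sids is not None and alert["sid"] not in sids:
            continue
        src = alert["src"]
        if any(src in net for net in protected):
            continue
        hits[src] += 1
    ordered = sorted(hits.items(), key=lambda kv: (kv[0].version, kv[0]))
    return [str(ip) for ip, n in ordered if n >= min_hits]


def render_alias(ips):
    """One address per line, the layout a URL Table (IPs) alias downloads."""
    return "\n".join(ips) + ("\n" if ips else "")


if __name__ == "__main__":
    # Only sources seen at least twice, and never our own /24 (constructed value).
    ips = build_blocklist(SAMPLE_ALERTS.splitlines(), min_hits=2,
                          protected_nets=["198.51.100.0/24"])
    print(render_alias(ips), end="")
```

Publishing the rendered file on a web server the firewall can reach and pointing a URL Table (IPs) alias at it lets a normal firewall rule reference the list; the alias refresh interval then decides how quickly a newly alerted source is blocked. The hit threshold and the protected networks are the checks worth keeping: a single noisy signature should not be enough to block a peer, and nothing from your own address space should ever land in the list.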
#5
Hi,

I have Suricata enabled on two LAN interfaces:
eth1: 192.168.1.0/24
eth2: 192.168.100.0/24

I'm only running IDS/IPS on LAN interfaces eth1 and eth2 (not monitoring WAN since I have everything incoming blocked).

I'm running all nmap scans below from 192.168.1.156 with gateway 192.168.1.1 mask /24

[CASE-1]
- Home networks = 192.168.1.0/16
- IPS mode = enabled
- Promiscuous mode = enabled
- Pattern matcher = Hyperscan
- Detect Profile = medium
- Interfaces eth1, eth2

Now if I run an nmap -v 192.168.100.15 or 192.168.1.1, I get no alerts/blocked logged in the "Alerts" tab.

[CASE-2]
- I have "Home networks" configured as 192.168.1.0/24
- IPS mode = enabled
- Promiscuous mode = enabled
- Pattern matcher = Hyperscan
- Detect Profile = medium
- Interfaces eth1, eth2

Now if I run an nmap -v 192.168.100.15 or 192.168.1.1, I get no alerts/blocked logged in the "Alerts" tab.

[CASE-3]
- I have "Home networks" configured as 10.0.0.0/24
- IPS mode = enabled
- Promiscuous mode = enabled
- Pattern matcher = Hyperscan
- Detect Profile = medium
- Interfaces eth1, eth2

Now if I run an nmap -v 192.168.100.15 or 192.168.1.1, I get no alerts/blocked logged in the "Alerts" tab.

In the log file when I do an IPS restart, I can see the following:

2024-01-16T11:07:53 Notice suricata [100103] <Notice> -- all 16 packet processing threads, 4 management threads initialized, engine started.
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'exe.no.referer' is checked but not set. Checked in 2020500 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2023313 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.RTF' is checked but not set. Checked in 2020700 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019823 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.BonitaDefaultCreds' is checked but not set. Checked in 2036817 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'dcerpc.rpcnetlogon' is checked but not set. Checked in 2030870 and 6 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.WebDAVURL' is checked but not set. Checked in 2049320 and 2 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.generictelegram' is checked but not set. Checked in 2045614 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.tcpraw.png' is checked but not set. Checked in 2035477 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017181 and 5 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 9 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024242 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2023741 and 4 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2022303 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2013036 and 0 other sigs
2024-01-16T11:07:10 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 4 other sigs
2024-01-16T11:06:52 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_DEPRECATED(203)] - Found deprecated eve-log.alert app-layer flag "tls", enabling metadata.app-layer
2024-01-16T11:06:52 Warning suricata [100103] <Warning> -- [ERRCODE: SC_WARN_DEPRECATED(203)] - Found deprecated eve-log.alert app-layer flag "http", enabling metadata.app-layer
2024-01-16T11:06:52 Warning suricata [143203] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2024-01-16T11:06:52 Warning suricata [143203] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2024-01-16T11:06:52 Warning suricata [143203] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2024-01-16T11:06:52 Warning suricata [143203] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2024-01-16T11:06:52 Warning suricata [143203] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2024-01-16T11:06:52 Warning suricata [143203] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2024-01-16T11:06:51 Notice suricata [143203] <Notice> -- This is Suricata version 6.0.15 RELEASE running in SYSTEM mode
2024-01-16T11:06:47 Notice suricata [100103] <Notice> -- Signal Received. Stopping engine.


The following rules are enabled (alert or block mode)


2029985 drop emerging-exploit.rules attempted-admin ET EXPLOIT IBM Data Risk Manager Remote Code Execution via NMAP Scan    
2000537 alert emerging-scan.rules attempted-recon ET SCAN NMAP -sS window 2048    
2000536 alert emerging-scan.rules attempted-recon ET SCAN NMAP -sO    
2000538 alert emerging-scan.rules attempted-recon ET SCAN NMAP -sA (1)    
2000540 alert emerging-scan.rules attempted-recon ET SCAN NMAP -sA (2)    
2000543 alert emerging-scan.rules attempted-recon ET SCAN NMAP -f -sF    
2000544 alert emerging-scan.rules attempted-recon ET SCAN NMAP -f -sN    
2000546 alert emerging-scan.rules attempted-recon ET SCAN NMAP -f -sX    
2100469 alert emerging-scan.rules attempted-recon GPL SCAN PING NMAP    
2100628 alert emerging-scan.rules attempted-recon GPL SCAN nmap TCP    
2101228 alert emerging-scan.rules attempted-recon GPL SCAN nmap XMAS    
2100629 alert emerging-scan.rules attempted-recon GPL SCAN nmap fingerprint attempt    
2009582 alert emerging-scan.rules attempted-recon ET SCAN NMAP -sS window 1024    
2009583 alert emerging-scan.rules attempted-recon ET SCAN NMAP -sS window 3072    
2009584 alert emerging-scan.rules attempted-recon ET SCAN NMAP -sS window 4096    
2018317 drop emerging-scan.rules attempted-recon ET SCAN NMAP SIP Version Detect OPTIONS Scan    
2018318 drop emerging-scan.rules attempted-recon ET SCAN NMAP SIP Version Detection Script Activity    
2000545 alert emerging-scan.rules attempted-recon ET SCAN NMAP -f -sV    
2018489 drop emerging-scan.rules attempted-recon ET SCAN NMAP OS Detection Probe    
2013778 drop emerging-scan.rules web-application-attack ET SCAN NMAP SQL Spider Scan    
2009358 drop emerging-scan.rules web-application-attack ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)    
2009359 drop emerging-scan.rules web-application-attack ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE)    
2024364 drop emerging-scan.rules web-application-attack ET SCAN Possible Nmap User-Agent Observed    
2021024 drop emerging-scan.rules attempted-recon ET SCAN Nmap NSE Heartbleed Response    
2021023 drop emerging-scan.rules attempted-recon ET SCAN Nmap NSE Heartbleed Request    
2036252 drop emerging-scan.rules network-scan ET SCAN RDP Connection Attempt from Nmap




Systeminfo

OPNsense 23.7.11-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w
CPU type: Intel(R) Celeron(R) CPU J3160 @ 1.60GHz (4 cores, 4 threads)
CPU usage: Load average 1.52, 1.25, 1.23


EDIT:

[CASE-4]
- I have "Home networks" configured as 192.168.1.1/32
- IPS mode = enabled
- Promiscuous mode = disabled/enabled (same result)
- Pattern matcher = Hyperscan
- Detect Profile = medium
- Interfaces eth1, eth2

Now if I run an nmap -v 192.168.100.1, I get alerts/blocked logged in the "Alerts" tab.

2024-01-16T11:26:10.613038+0200 2010936 blocked LAN 192.168.1.156 49622 192.168.1.1 1521 ET SCAN Suspicious inbound to Oracle SQL port 1521
2024-01-16T11:26:10.613038+0200 2010936 blocked LAN 192.168.1.156 49622 192.168.1.1 1521 ET SCAN Suspicious inbound to Oracle SQL port 1521
2024-01-16T11:26:10.275462+0200 2002910 blocked LAN 192.168.1.156 49622 192.168.1.1 5801 ET SCAN Potential VNC Scan 5800-5820
2024-01-16T11:26:10.178190+0200 2002911 blocked LAN 192.168.1.156 49622 192.168.1.1 5906 ET SCAN Potential VNC Scan 5900-5920
2024-01-16T11:26:10.163759+0200 2002910 blocked LAN 192.168.1.156 49621 192.168.1.1 5801 ET SCAN Potential VNC Scan 5800-5820
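Post #3 explains why sid 2009582 only fires for traffic from $EXTERNAL_NET to $HOME_NET, and the four cases in this post show the consequence: a scan from 192.168.1.156 to 192.168.1.1 matches the header only when the source is outside "Home networks". The script below is an added example, not Suricata or OPNsense code; it evaluates just the rule header (address and port expressions) for a flow, with EXTERNAL_NET taken as !$HOME_NET, which is Suricata's default. The helper names, the `FORUM_CASES` table and the ports used for the flow are this example's own; the rule options (flags, window, threshold) are not evaluated, so a header match here means "the rule could fire", not that it will.

```python
"""Check whether a Suricata rule header matches a flow for a given HOME_NET.

Added example, not Suricata or OPNsense code. Only the header
(action proto src sport -> dst dport) is evaluated; options such as
flags and window are ignored. EXTERNAL_NET defaults to !$HOME_NET.
"""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")

# Header of the rule quoted in the thread (sid 2009582); options trimmed.
NMAP_SS_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
                '(msg:"ET SCAN NMAP -sS window 1024"; sid:2009582; rev:3;)')

# The four "Home networks" settings tried in the thread. CASE-1 is written as
# 192.168.1.0/16 there; strict=False below normalises it to 192.168.0.0/16.
FORUM_CASES = {
    "CASE-1": "[192.168.1.0/16]",
    "CASE-2": "[192.168.1.0/24]",
    "CASE-3": "[10.0.0.0/24]",
    "CASE-4": "[192.168.1.1/32]",
}


def split_list(body):
    """Split the inside of a [...] group on commas, respecting nested groups."""
    items, depth, cur = [], 0, ""
    for ch in body:
        if ch == "," and depth == 0:
            items.append(cur.strip())
            cur = ""
            continue
        depth += (ch == "[") - (ch == "]")
        cur += ch
    if cur.strip():
        items.append(cur.strip())
    return items


def addr_matches(expr, ip, variables):
    """Evaluate a Suricata address expression: any, $VAR, !x, CIDR, [a,!b]."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not addr_matches(expr[1:], ip, variables)
    if expr.startswith("$"):
        return addr_matches(variables[expr[1:]], ip, variables)
    if expr.startswith("[") and expr.endswith("]"):
        items = split_list(expr[1:-1])
        positives = [i for i in items if not i.startswith("!")]
        negatives = [i[1:] for i in items if i.startswith("!")]
        in_pos = not positives or any(addr_matches(p, ip, variables) for p in positives)
        in_neg = any(addr_matches(n, ip, variables) for n in negatives)
        return in_pos and not in_neg
    return ip in ipaddress.ip_network(expr, strict=False)


def port_matches(expr, port):
    """Ports: any, a single port, a range lo:hi, or a negation of those."""
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not port_matches(expr[1:], port)
    if ":" in expr:
        lo, hi = expr.split(":", 1)
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(expr)


def rule_matches_flow(rule, src, sport, dst, dport, variables):
    """True if the rule header covers src:sport -> dst:dport under `variables`."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unrecognised rule header")
    _action, _proto, s_addr, s_port, direction, d_addr, d_port = m.groups()

    def one_way(a, ap, b, bp):
        return (addr_matches(s_addr, a, variables) and port_matches(s_port, ap)
                and addr_matches(d_addr, b, variables) and port_matches(d_port, bp))

    if direction == "<>":
        return one_way(src, sport, dst, dport) or one_way(dst, dport, src, sport)
    return one_way(src, sport, dst, dport)


def evaluate_cases(src="192.168.1.156", dst="192.168.1.1", external_net="!$HOME_NET"):
    """Run the thread's scan flow (LAN host -> gateway) through each HOME_NET setting."""
    results = {}
    for name, home_net in FORUM_CASES.items():
        variables = {"HOME_NET": home_net, "EXTERNAL_NET": external_net}
        results[name] = rule_matches_flow(NMAP_SS_RULE, src, 49622, dst, 1521, variables)
    return results


if __name__ == "__main__":
    for name, hit in evaluate_cases().items():
        print(f"{name}: {'header matches' if hit else 'no match'}")
    # Widening EXTERNAL_NET to any makes the header match even from inside HOME_NET.
    print("CASE-2 with EXTERNAL_NET=any:", evaluate_cases(external_net="any")["CASE-2"])
```

Only CASE-4 matches: with a /32 the scanning host is outside HOME_NET, so it counts as $EXTERNAL_NET, while in CASE-1 and CASE-2 the source sits inside HOME_NET and !$HOME_NET excludes it; in CASE-3 the destination is not in HOME_NET at all. Passing `external_net="any"` shows the trade-off behind the question in post #3: scans between internal hosts then match the header, at the cost of every $EXTERNAL_NET rule also evaluating internal-to-internal traffic, which raises load and false positives on the LAN interfaces.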
#6
General Discussion / Re: Rule Separators
January 31, 2022, 05:19:27 PM
Quote from: Fright on January 30, 2022, 02:59:07 PM
@marcquark

the full solution will require some additional work to make it work on the NAT rules pages as well (haven't looked at any other backend changes yet).

If it is much trouble, adding this to the NAT section is IMHO not necessary. Usually NAT rules are not that many, so a rules list straight up and down is OK.
#7
General Discussion / Re: Rule Separators
January 30, 2022, 12:31:37 PM
My 2c goes to copying how Fortigate or Forcepoint have tackled the "presentation layer issue":

Being able to hide/expand and group rules as above is extremely helpful when you have plenty of rules (for example when you have many VLANs and a "zero trust" approach between the VLANs and servers/services).

I usually "design the rules sections" per VLAN (e.g. a VLAN for OfficePCs, ProdPCs, Printers, MGMT, IoT, RnD, WiFi, Automation etc.) and then quite often an own rules section per server. And if the firewall allows it, also a different IPS per VLAN or server depending on its function.

HTH
#8
Hi,

Try to use Any instead of WAN.

edit: if you want to make it secure, allowing any DNS from LAN is perhaps not the best option. Define certain DNS that you trust (your ISP as an example).
#9
Quote from: mimugmail on January 28, 2022, 11:49:58 AM

Compared to commercial UTM's OPN misses:

- Wifi Controller
- User Portal to roll out client configs
- Spam Quarantine
- Commercial Blacklists
- TLS inspection

By design, I'd be so bold as to state that it is good that OPNsense is a firewall and a firewall only. There are plenty of other good products that control WiFi and email spamming. Can you please be more specific regarding the "User Portal to roll out client configs", thanks!

#10
Thanks for the replies so far!

How complex are the environments you have behind the OPNsense firewall (traffic throughput, how many IPsec tunnels, VLANs and firewall rules)?

We're mostly using Fortigate right now because they are quite cheap, have more than plenty of features and are easy to maintain for SMEs. For semi-complex environments I have so far found the following drawbacks when doing research:

- Not possible to do wildcard DNS rules (e.g. a FW rule only allowing Windows updates, *.office.com or blocking *.domain.com)
- Not possible to add "rules sections/separations" by interface or by "rule group", e.g. Fortigate:

or Forcepoint
- Different IPS per firewall rule (?)
#11
Sirs,

I've been given a task to evaluate the usage of OPNsense in small to mid-sized business environments. I've found a few features missing, some only nice to have and others that can be worked around to achieve the needed functionality.

Are there people on this forum using OPNsense in SME environments, and what are the pros and cons that you have run into? What features do you like and what features do you miss?

Currently we are mostly deploying Fortigates (my favorite in the cheaper end firewalls) and Checkpoints for SME. For small businesses and edge/small remote site offices I can totally see an opportunity for OPNSense to replace a proprietary firewall (and that would mean money in the bank for OPNSense => a donation per sold case to customer).

Thanks for any input!
#12
General Discussion / Re: Rule Separators
January 28, 2022, 07:21:04 AM
Quote from: marcquark on January 27, 2022, 11:14:07 PM
Referring to what bimbar wrote, what do you guys think of this:

This could work! It also seems that pfSense uses "an empty rule" to add the separators (then only hiding some of the rule elements if it uses a certain tag). So yes, absolutely better than nothing!
#13
General Discussion / Re: DNS wildcards in Alias (Hosts)
January 27, 2022, 06:43:26 PM
Hi,

I'm also wondering if this is possible or not (in pfSense it is not, it seems). I just got the task to evaluate OPNsense and this is more or less a show stopper if it is not possible to e.g. allow only MS Updates based on wildcard DNS:
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus#211-connection-from-the-wsus-server-to-the-internet

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
http://go.microsoft.com
http://dl.delivery.mp.microsoft.com
https://dl.delivery.mp.microsoft.com

Windows Update here only as an example (could use WSUS), but there are also other use cases where one needs to allow CDN-type *.domain.com

Edit: if it is not possible out of the box, would it be possible to use cron and dnsmasq to poll through a list, say once an hour (if that wildcard doesn't need to be resolved in real time), and then use that IP list in an alias or similar?
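The polling idea in the edit above can be sketched in a few lines. The script below is an added example, not OPNsense code: it takes a list of URL-style entries like the one in this post, resolves the concrete hostnames, and returns the unique addresses in the one-per-line shape an alias can fetch. The `resolve` callback is this example's own design so that the run is repeatable offline with constructed answers; on a firewall you would pass `system_resolver` and run the script from cron. The point the example makes explicit is the limit of the approach: a wildcard such as *.windowsupdate.microsoft.com cannot be enumerated through DNS, so such entries are reported as skipped instead of silently producing an empty or misleading list.

```python
"""Resolve a list of update hostnames into an IP list for a firewall alias.

Added example, not OPNsense code. The `resolve` callback is this example's
own; `system_resolver` uses the OS resolver and needs network access, while
`constructed_resolver` answers from made-up data so the example runs offline.
Wildcard entries cannot be enumerated through DNS and are reported as skipped.
"""
import ipaddress
import socket

# Constructed subset of the Windows Update list quoted in the post.
UPDATE_ENTRIES = [
    "http://windowsupdate.microsoft.com",
    "http://*.windowsupdate.microsoft.com",
    "https://download.microsoft.com",
    "http://download.windowsupdate.com",
    "https://dl.delivery.mp.microsoft.com",
]

# Constructed DNS answers (documentation range 203.0.113.0/24), not real records.
CONSTRUCTED_DNS = {
    "windowsupdate.microsoft.com": ["203.0.113.10"],
    "download.microsoft.com": ["203.0.113.20", "203.0.113.21"],
    "download.windowsupdate.com": ["203.0.113.20"],
}


def hostname_of(entry):
    """Strip scheme and path from a URL-style entry; plain hostnames pass through."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    if "://" in entry:
        entry = entry.split("://", 1)[1]
    return entry.split("/", 1)[0].lower() or None


def system_resolver(host):
    """IPv4 addresses of `host` from the OS resolver (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)})


def constructed_resolver(host):
    """Offline stand-in for system_resolver, answering from CONSTRUCTED_DNS."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed: no record for {host}")
    return list(CONSTRUCTED_DNS[host])


def build_alias(entries, resolve=system_resolver):
    """Return (sorted unique IPs, skipped hostnames).

    A hostname is skipped when it contains a wildcard (DNS cannot enumerate it)
    or when resolution fails; both cases are returned so the cron job can log them.
    """
    ips, skipped = set(), []
    for entry in entries:
        host = hostname_of(entry)
        if host is None:
            continue
        if "*" in host:
            skipped.append(host)
            continue
        try:
            ips.update(resolve(host))
        except OSError:
            skipped.append(host)
    ordered = sorted(ips, key=lambda s: (ipaddress.ip_address(s).version,
                                         ipaddress.ip_address(s)))
    return ordered, skipped


if __name__ == "__main__":
    addresses, skipped = build_alias(UPDATE_ENTRIES, resolve=constructed_resolver)
    print("\n".join(addresses))          # one address per line, for the alias file
    for host in skipped:
        print(f"# skipped (wildcard or unresolvable): {host}")
```

Two caveats follow from the code rather than from the post: the list is only as fresh as the poll interval, and a CDN name can resolve differently for the firewall than for the client that later connects, so an allow rule built this way should be monitored for blocked traffic to the same domains rather than assumed complete.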
#14
General Discussion / Re: Rule Separators
January 27, 2022, 04:39:01 PM
Quote from: chemlud on January 27, 2022, 04:24:58 PM

As "community" is not capable of coding (adequate quality, at least), there should be found a way to involve CE users more. Their wishes and some money to make them come true. But I guess there is no way to make the community pay alone for new features (at commercial pricing). The same way imho the pfSense CE went the way down to "mostly unmaintained" status...

Actually - this is not a bad idea! Perhaps some kind of a feature wish list where you could "donate $$$" to the feature you want and then bring in devs also from outside the current devs when needed?

I'll talk to my boss and see if we can start offering OPNsense when edge firewalls are needed and then donate some $$$ for each sale for starters..
#15
General Discussion / Re: Rule Separators
January 27, 2022, 04:03:43 PM
Quote from: pmhausen on January 27, 2022, 03:33:59 PM
I have routinely operated enterprise installations with hundreds of rules that would be completely unmanageable without the hierarchical folder structure for rules ...


Patrick

Yep - in the same boat here! And now especially when zero trust is no buzzword anymore but customers actually want to implement it and pay for it, you quickly get loads of rules and VLANs. Having them all straight up and down on a single page with no grouping/hiding of sections that are not being worked on is no fun, and the risk of errors gets high.

However, I completely understand the underlying issue here and when looking into that pfSense "separator hack", I understand why nobody wants to touch this :-D

I have though learned that with enough cash on the table, someone is sooner or later eager to take on the most shitty task. That is - can we get a cost estimate of doing the change; what would it cost in man hours, as a rough estimate, to make the needed changes if we outsource this to an "outside dev" (put it as a one-off project on Stackoverflow, LinkedIn or similar)?

The requirements should be quite straightforward, but if someone active on the project could give some technical design ideas/guidelines for the task, that would be great!