Messages - badkuk

#1

Hi, sorry for the late reply... yes, I've enabled all ET Pro telemetry rules.

It managed to block the executable upload, but it seems the initial exploit is still getting through undetected.

All ET Telemetry rulesets have been enabled and downloaded in the Download tab.

As for the policy, all etpro.* rulesets have been selected. I've also selected all rules with Action = Drop, Alert, and Disabled.

Any ideas why the initial exploit is still getting through?


#2
Hi All,


So I've been testing the IDS/IPS feature by lobbing a few Metasploit exploits. It seems that the Eternal Romance (exploit/windows/smb/ms17_010_psexec) attack is getting through, and I was able to get a Meterpreter session (screenshot attached). It's not showing up on the Alerts as well. I'm sure IPS is enabled as it managed to block the other exploits I tried.

Any suggestions on how to tweak the rules/rulesets? tia

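Added example, not part of the thread and not code from OPNsense or the Suricata project: when a specific attack gets through without an alert, the first thing to check is whether the signatures you expect are actually present in the loaded rule files, whether they are enabled (Suricata treats a rule line starting with `#` as disabled), and whether they carry `drop` or only `alert`. The script below scans Suricata `.rules` text for rules whose `msg` contains a keyword and reports those three states. The sample rules, their `msg` strings and their sids (9000001..9000004) are constructed for illustration and are not real ET Pro signatures; point `scan_files()` at the real rule files instead.

```python
"""Inventory Suricata rules matching a keyword and report state and action.

Constructed example: the SAMPLE_RULES text and its sids are made up for
illustration. Run with real .rules paths as arguments to inspect a live set:
    python check_rules.py MS17-010 /path/to/*.rules
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional

# A Suricata rule line, optionally commented out with a leading '#'.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<options>.*)\)\s*$'
)
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


@dataclass
class Rule:
    sid: int
    msg: str
    action: str
    enabled: bool
    proto: str
    dport: str


def parse_rule_line(line: str) -> Optional[Rule]:
    """Parse one rule line; return None for comments, blanks or non-rules."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = m.group("options")
    msg, sid = MSG_RE.search(opts), SID_RE.search(opts)
    if not (msg and sid):
        return None
    return Rule(
        sid=int(sid.group(1)),
        msg=msg.group(1),
        action=m.group("action"),
        enabled=m.group("disabled") is None,
        proto=m.group("proto"),
        dport=m.group("dport"),
    )


def scan_rules(lines: Iterable[str], keyword: str) -> List[Rule]:
    """Return rules whose msg contains keyword (case-insensitive)."""
    kw = keyword.lower()
    found = []
    for line in lines:
        r = parse_rule_line(line)
        if r and kw in r.msg.lower():
            found.append(r)
    return found


def scan_files(paths: Iterable[str], keyword: str) -> List[Rule]:
    found = []
    for p in paths:
        text = Path(p).read_text(errors="replace")
        found.extend(scan_rules(text.splitlines(), keyword))
    return found


def summarize(rules: List[Rule]) -> dict:
    """Counts that answer: present? enabled? actually dropping?"""
    return {
        "total": len(rules),
        "enabled": sum(r.enabled for r in rules),
        "dropping": sum(r.enabled and r.action == "drop" for r in rules),
    }


# Constructed sample rule text (not real ET Pro content, sids are made up).
SAMPLE_RULES = """\
# Constructed sample; not real ET Pro content.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE SMB MS17-010 Trans2 request probe"; flow:established,to_server; content:"|ff|SMB|32|"; sid:9000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE SMB MS17-010 exploit attempt"; flow:established,to_server; sid:9000002; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE SMB ETERNALROMANCE named pipe write"; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"SAMPLE unrelated HTTP rule"; sid:9000004; rev:1;)
"""

if __name__ == "__main__":
    keyword = sys.argv[1] if len(sys.argv) > 1 else "MS17-010"
    if len(sys.argv) > 2:
        rules = scan_files(sys.argv[2:], keyword)
    else:
        rules = scan_rules(SAMPLE_RULES.splitlines(), keyword)
    for r in rules:
        state = "enabled " if r.enabled else "DISABLED"
        print(f"{state} {r.action:<6} sid:{r.sid} {r.proto}/{r.dport} {r.msg}")
    print(summarize(rules))
```

Matching on the `msg` text is only a heuristic for finding related signatures; a rule being enabled and set to `drop` still says nothing about whether the traffic actually traverses the interface Suricata is bound to, so confirm that separately.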

#3
First off, I apologize in advance if I'm posting this on the wrong forum.

I have a few clarifications about aliases:

1. When importing, is it safe to just leave the sid field (cca89844-518c-4a23-b6f9-695814fe9937": {... ) blank?
I've actually tried it and it seems to work fine, I'm just concerned that it may mess something up internally.

2. What does the "Loaded#" field mean?

3. How is this data stored internally? Database or plain text file?

tia


#4
Just an update:

- I've managed to set up OPNsense on a workstation-grade PC and some spare NICs we have at work. Works like a charm. Just trying to tweak the IDS/IPS and playing around with Zenarmor at this point.

- I've also ordered a SATA-ODD drive bay adapter online. Just curious if it will work on the x3650.

#5
Hi All,

I've literally just installed Zenarmor just now; it seems that only IDS/IPS or Zenarmor can be enabled for any particular interface. And Zenarmor doesn't seem to have any configuration options that deal with IPS signatures, rules and such.

I'm getting the impression that Zenarmor is best suited for the user segment, where you protect your users from accessing malicious sites and such... or is there more to it? Can it protect servers? How exactly?

Should I enable IDS/IPS on the server and WAN segment, then enable Zenarmor on the user segment?

tia


#6
Quote from: cookiemonster on March 10, 2022, 11:14:23 AM
For verification it should be easy to plug an SSD into that standalone SATA port, i.e. not connected to the HBA. Saves you having to replace the whole server just for experimenting.
Brings me to the question. That is a lot of server for OPN. Are you planning on using OPN bare metal or virtual on it? The point being, the problem seems to be the FreeBSD driver for the HBA. So you will still have trouble with it for the storage element.

Bare metal. Just so happens it was the only spare "server grade" machine here in the office.
I'll try to install it on one of our higher end workstations.

Pardon me for veering off-topic: what kind of CPU and RAM do I need for a 1Gbps link, with IPS enabled? tia

#7
Quote from: pmhausen on March 10, 2022, 07:57:55 AM
I have seen a USB Ethernet in that screen photo. That won't go well, either. So probably a better suited system.

That's odd, I don't have a USB ethernet attached. Apart from the onboard NICs, the only things installed are

1 x 4-port copper NIC
1 x 2-port fiber NIC




#8
Bummer.

The way I see it, there are two alternatives:

1. Attach an SSD via the Optical drive bay
 
   Not familiar with SATA-ODD. Can I buy this, slap a 2.5in SSD into it, and swap it in for the optical drive?

https://www.amazon.com/Highfine-Universal-SSD-HDD-Enclosures/dp/B01MRI8YFN/ref=sr_1_3?crid=WHTC0UK60C42&keywords=sata-odd+ssd+bay&qid=1646880739&sprefix=sata-odd+ssd+b%2Caps%2C404&sr=8-3

   Are these all standard sizes?


2. Get a completely new server

    Any suggestions on server brands/models that play well with OPNsense? Old/new is fine.

Thanks for the replies btw ^_^



#9
I'm starting to think this is an issue with 22.1, not the image or flash drive.

I was able to install 21.7 on the same machine, and was able to upgrade it to 21.7.8 via the Web UI.
Upgrade to 22.1 went smoothly, but after the reboot, I got this:

Any suggestions on how to proceed?

#10


So I tried it again with a new flash drive, I used dd this time... same result.

#11
Hi, checksum came out OK.

I failed to mention that I made a USB bootable using Rufus, same way I did with the older version. Hmm, let me try it with a new flash drive...

#12
continued...

#13
Here are some screenshots of the errors. This is right after confirming to proceed with the format. Same error whether I choose UFS or ZFS:

#14
Good day,

So I tried to install OPNsense on a spare IBM x3650 M4... didn't get very far :p

During installation, I encountered errors during the formatting of the target drive -- single 300GB SAS drive (JBOD) -- something about missing directories. I tried both UFS and ZFS, same result. Funny thing is, I was able to install version 21.7 with no issues at all.

Right this moment I am reinitializing the disk and will try to install again. In the meantime, any suggestions? Thanks