Intrusion Detection and Prevention / Re: pfsense equivalent to SourceIP/SID whitelisting
« on: January 14, 2024, 09:11:10 pm »
Hello Monvieh
Your solution 1 is OK.
###
Though it seems like it would be better to have the rule itself fixed so the false positive isn't triggered anymore. It's probably a scope kind of issue:
- Is it in scope of OPNsense to allow the user to fix the logic of faulty rules?
No
- Is it in scope of the rule provider to fix their provided rule to not trigger false positives?
Yes
###
But!
In fact, here in my case, the rule is not faulty, it is plain OK; just with this change you can deactivate a rule for a specific IP.
For example, one of my users raises ET INFO Clearbit Logo Query in DNS Lookup, but it is normal behavior for this IP.
So adding "suppress gen_id 1, sig_id 2044300, track by_src, ip 192.168.0.4" is a good point in my case.
Also for example, it is ok to get ET POLICY Vulnerable Java Version 17.0.x Detected, but adding:
threshold gen_id 1, sig_id 2034817, type threshold, track by_src, count 1, seconds 86400
Will pop the info once per day, so you are not spammed until you take time to correct it.
The final idea behind these settings is just lowering the amount of useless info, so the important ones pop up more clearly.
Also it reminds me that on pfSense, there is an important column on the alert tab, the rule priority. That is, alerts with level 1 are high priority and very suspicious, while level 3 are just network traffic info (like ET INFO).
Could be interesting to be able to filter on these priorities.
--> Once you modify a .volt file, do you know how to reload the view to get the update?
I wanted to reduce the time column in the alert tab as a first patch, so we could view the full rule name.
Intrusion Detection and Prevention / Re: pfsense equivalent to SourceIP/SID whitelisting
« on: January 14, 2024, 10:22:23 am »
So far I think I found a kind of workaround:
I manually modify the file /usr/local/etc/suricata/threshold.config
#######################################################################
#suppress ET INFO File Hosting Service Domain Domain in DNS Lookup (files .pythonhosted .org)
suppress gen_id 1, sig_id 2049201
#suppress ET INFO Clearbit Logo Query in DNS Lookup (used by Odoo)
suppress gen_id 1, sig_id 2044300
#suppress ET POLICY External IP Lookup (avast .com)
suppress gen_id 1, sig_id 2029575
#http.user_agent CCleaner Update Agent
#suppress ET DNS Query for .to TLD
suppress gen_id 1, sig_id 2027757
#threshold ET POLICY Vulnerable Java Version 1.8.x Detected (1/day)
threshold gen_id 1, sig_id 2019401, type threshold, track by_src, count 1, seconds 86400
#threshold ET POLICY Vulnerable Java Version 17.0.x Detected
threshold gen_id 1, sig_id 2034817, type threshold, track by_src, count 1, seconds 86400
It could be interesting to add a "+" mark that pops up a wizard asking to whitelist the SID, with:
- comment
- a tick for threshold
- if threshold: an int for count
- a choice for track_by: src/dst/none
- if threshold: seconds before next event
So the user could later review the rules that he has whitelisted.
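The suppress/threshold lines in this post and the previous one are in Suricata's threshold.config format. As an added example (not from the thread, OPNsense or Suricata), here is a small Python parser for that format, a check that tells whether a given alert would be silenced by a suppress entry, and a reviewer helper listing sids that are suppressed for every host rather than for one address. The sample config text and the addresses are constructed; the sids are the ones quoted in the post.

```python
import ipaddress
from dataclasses import dataclass, field
# Constructed sample in the same format as the post (sids taken from it).
SAMPLE_CONFIG = """\
#suppress ET INFO Clearbit Logo Query in DNS Lookup (normal for this host only)
suppress gen_id 1, sig_id 2044300, track by_src, ip 192.168.0.4
#suppress ET INFO File Hosting Service Domain in DNS Lookup (for every host)
suppress gen_id 1, sig_id 2049201
#threshold ET POLICY Vulnerable Java Version 17.0.x Detected
threshold gen_id 1, sig_id 2034817, type threshold, track by_src, count 1, seconds 86400
"""

@dataclass
class Entry:
    action: str      # "suppress" or "threshold"
    gen_id: int
    sig_id: int
    opts: dict = field(default_factory=dict)  # track, ip, type, count, seconds (as strings)

def parse_threshold_config(text: str) -> list:
    """Parse suppress/threshold lines; '#' starts a comment and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, _, rest = line.partition(" ")
        if action not in ("suppress", "threshold"):
            raise ValueError(f"unsupported keyword: {raw!r}")
        pairs = (p.strip().partition(" ") for p in rest.split(","))
        opts = {k: v.strip() for k, _, v in pairs}
        entries.append(Entry(action, int(opts.pop("gen_id")), int(opts.pop("sig_id")), opts))
    return entries

def is_suppressed(entries, sig_id, src_ip, dst_ip, gen_id=1) -> bool:
    """True if a suppress entry silences an alert for sig_id between src_ip and dst_ip."""
    for e in entries:
        if e.action != "suppress" or (e.gen_id, e.sig_id) != (gen_id, sig_id):
            continue
        if "ip" not in e.opts:
            return True  # no ip option: the sid is silenced for every host
        # Only the tracked side is compared; a single address or one CIDR is supported here.
        side = dst_ip if e.opts.get("track") == "by_dst" else src_ip
        if ipaddress.ip_address(side) in ipaddress.ip_network(e.opts["ip"], strict=False):
            return True
    return False

def global_suppressions(entries) -> list:
    """Sids silenced for all hosts: the ones worth a second look when reviewing the file."""
    return sorted({e.sig_id for e in entries if e.action == "suppress" and "ip" not in e.opts})
```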
Intrusion Detection and Prevention / pfsense equivalent to SourceIP/SID whitelisting
« on: January 13, 2024, 03:52:31 pm »
Hello,
I recently switched to opnsense and activated the suricata IPS.
One thing I am missing is the DHCP lookup and IP whitelisting I had on the pfSense snort/suricata interface.
On the attached screenshot, in purple you'll see 2 icons:
- 1 magnifying glass: clicking on it, the interface tries to resolve, for example, the local IP thanks to the DHCP server's registered data. So it is quicker to understand who is doing bad stuff.
- 1 "+" mark that allows adding the IP/rule SID pair to a passlist, for example to disable an alert for a specific IP/SID.
Is there any equivalent of the "+" mark behaviour on opnsense (the one that I miss the most), that is, defining a pass list with src_ip/SID?
Any plan to add these 2 options?
Intrusion Detection and Prevention / Re: Disabled rules are still popping up into alert tab
« on: January 10, 2024, 09:52:35 pm »
Ok, looks like the alerts do not pop up anymore (I've restarted the service in the meantime).
Perhaps related.
Intrusion Detection and Prevention / [SOLVED] Disabled rules are still popping up into alert tab
« on: January 09, 2024, 11:14:59 am »
Hello,
I've just set up my IDS as pictured in opensense_config.jpg.
I've started to disable some rules as pictured in opnsense_disabled_rules.jpg.
Sadly the disabled rules keep popping up in the alert viewer. And even clicking on the "pen" icon, it is shown as disabled but still detected :/
(see opnsense_disable_rules_visibles.jpg)
Do I miss something?
Virtual private networks / [OpenVPN] Is there a way to define firewall rules based on AD group or user
« on: June 10, 2023, 11:31:49 am »
I'm using openvpn with ldap authentication connected to our windows Active Directory.
When the openvpn client connects it uses the user and password from AD (so opnsense has the ability to know if a user is in a specific AD group).
I want to define some specific rules like: if user in "Developer Group" allow ssh to xxx.xxx.xxx.xxx internal IP.
Is there a way to do this on openvpn?
Thx!
(ps: I'm migrating from Stormshield, and it has this functionality)