Hi,
first of all I want to thank you for developing OPNSense. You are doing a super job!
We migrated from pfSense and operate several OPNSense instances today.
This post is about false positives caused by C2 domains in a HOST ALIAS,
which is used by a floating rule to block traffic and log it.
Let me explain.
1. We observed (a few weeks ago) a stealer alert by Suricata.
2. To minimize risk, we gathered C2 domain names (of Lumma Stealer, in our case) to check for suspicious outbound traffic.
3. I created a host alias and added the C2 domains.
4. Added a floating block rule using this alias.
5. As a result, we continuously saw blocked C2 traffic in firewall and unbound logs.
6. We interpreted those as a sign of either compromised hosts or even the OPNSense being compromised.
I nearly got crazy.
We had shut down development and production networks for weeks.
Despite full-on scanning and manual investigation, we still had no proof of actually compromised hosts.
Then, I found the reason:
OPNSense checks domains in a host alias every 300 seconds. 💡
Source: https://docs.opnsense.org/manual/aliases.html
I could reproduce this behaviour.
I have the following questions:
1. Would it be possible to add a hint in the UI to inform users of this behaviour?
2. How to block and log C2 domains without leaking (at least this seems to happen) the domains and getting confusing behaviour?
3. Is it possible to disable polling every 300 seconds?
I hope I have not overlooked an existing forum entry.
If so, please excuse :-)
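The triage that would have saved the weeks described in this post, as an added example that is not part of the original post and not OPNsense's own code: with Unbound query logging enabled, separate lookups of the alias domains that originate from the firewall itself (the periodic alias refresh) from lookups made by LAN clients (the ones that actually warrant an investigation), and check whether the self-lookups recur on the 300-second cadence the alias documentation describes. Assumptions, all labelled in the code: the log lines are in the classic Unbound "log-queries" syslog format, the firewall's own resolver lookups reach Unbound from localhost (127.0.0.1/::1), the domain names are hypothetical placeholders, and the sample log is constructed, not a real capture.

```python
import re
from collections import defaultdict
from datetime import datetime

# Domains placed in the host alias (hypothetical placeholders, not real C2 names).
ALIAS_DOMAINS = {"evil-c2.example", "panel-c2.example"}

# Source addresses of the firewall's own resolver lookups as seen by Unbound.
# Assumption: Unbound listens on localhost and the system resolver points there.
FIREWALL_SELF = {"127.0.0.1", "::1"}

# Constructed sample in classic Unbound "log-queries" syslog format; not a real capture.
SAMPLE_LOG = """\
Mar  3 10:00:00 fw1 unbound[2211:0] info: 127.0.0.1 evil-c2.example. A IN
Mar  3 10:00:00 fw1 unbound[2211:0] info: 127.0.0.1 panel-c2.example. A IN
Mar  3 10:05:00 fw1 unbound[2211:0] info: 127.0.0.1 evil-c2.example. A IN
Mar  3 10:05:00 fw1 unbound[2211:0] info: 127.0.0.1 panel-c2.example. A IN
Mar  3 10:07:13 fw1 unbound[2211:0] info: 192.168.10.42 evil-c2.example. A IN
Mar  3 10:10:00 fw1 unbound[2211:0] info: 127.0.0.1 evil-c2.example. A IN
Mar  3 10:10:00 fw1 unbound[2211:0] info: 127.0.0.1 panel-c2.example. A IN
Mar  3 10:12:00 fw1 unbound[2211:0] info: 192.168.10.42 update.example. A IN
"""

# "<syslog timestamp> <host> unbound[pid:tid] info: <client> <qname>. <qtype> IN"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ unbound\[[^\]]*\] "
    r"info: (?P<src>\S+) (?P<qname>\S+?)\.? (?P<qtype>\S+) IN$"
)


def parse_line(line, year=2024):
    """Parse one query-log line; syslog timestamps carry no year, so one is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse the padded day ("Mar  3" -> "Mar 3")
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "qname": m["qname"].lower(), "qtype": m["qtype"]}


def triage(log_text, alias_domains, year=2024):
    """Split queries for alias domains into firewall self-lookups and client lookups."""
    result = {"alias_refresh": [], "client_hits": [], "other": []}
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        if ev["qname"] not in alias_domains:
            result["other"].append(ev)
        elif ev["src"] in FIREWALL_SELF:
            result["alias_refresh"].append(ev)   # expected noise from alias resolution
        else:
            result["client_hits"].append(ev)     # a LAN host asked for a C2 name
    return result


def refresh_intervals(events):
    """Seconds between consecutive lookups of the same name, per name."""
    by_name = defaultdict(list)
    for ev in events:
        by_name[ev["qname"]].append(ev["ts"])
    return {
        name: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
        for name, ts in by_name.items()
    }


def looks_like_alias_refresh(intervals, period=300, tolerance=30):
    """True when every gap sits near the 300 s alias refresh period."""
    return bool(intervals) and all(abs(i - period) <= tolerance for i in intervals)


if __name__ == "__main__":
    r = triage(SAMPLE_LOG, ALIAS_DOMAINS)
    for name, iv in refresh_intervals(r["alias_refresh"]).items():
        verdict = "alias refresh" if looks_like_alias_refresh(iv) else "irregular, investigate"
        print(f"{name}: firewall self-lookups at intervals {iv} s -> {verdict}")
    for ev in r["client_hits"]:
        print(f"INVESTIGATE: {ev['src']} queried {ev['qname']} at {ev['ts']:%H:%M:%S}")
```

The point of the split is that a blocked query or connection attributed to the firewall's own address, recurring every 300 seconds, is the alias refresh and not evidence of compromise; only the client-sourced lookup (192.168.10.42 in the constructed sample) is the kind of event that justifies isolating a host.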