Messages

1

Intrusion Detection and Prevention / Re: How can Suricata function prior to scrub?

« on: February 17, 2024, 01:22:05 am »

The placement of Suricata before pf scrubbing in the packet flow diagram may seem counterintuitive at first, especially considering potential fragmentation issues. However, Suricata's ability to process traffic before pf scrubbing is based on its integration with libpcap and its packet processing capabilities.

2

Intrusion Detection and Prevention / Re: Poor Reputation Groups

« on: February 17, 2024, 01:20:31 am »

Suricata provides the flexibility to handle alerts, including those related to poor reputation groups, in various ways. Dropping alerts en masse can be a quick solution, but it's essential to consider potential downsides and implications. Suricata rules can be configured to take specific actions upon triggering an alert, such as dropping packets associated with the alert. You can configure Suricata to drop packets for all alerts matching a particular rule or category. This approach involves modifying the Suricata configuration file to adjust the action taken for alerts from poor reputation groups. You would modify the "drop" action for the relevant rule or category. Dropping alerts en masse can be effective in blocking potentially malicious traffic associated with poor reputation groups, thereby reducing the risk of security incidents.

3

Intrusion Detection and Prevention / Re: Change of IP in case of event X

« on: February 17, 2024, 01:18:39 am »

One option is mitigating PortScans implement a firewall or intrusion detection/prevention system (IDS/IPS) to detect and block port scan attempts. These systems can monitor network traffic and automatically block IP addresses that are scanning multiple ports. Configure rate limiting rules on your firewall to limit the number of port scan attempts from a single IP address within a certain time frame. Use port knocking techniques to dynamically open ports only when specific sequences of connection attempts are made, effectively hiding the ports from casual scans. I still think that it's too much and such a scenario is not gonna happen anywhere in the future.

4

24.1 Legacy Series / Re: Sessions appear to be being terminated randomly post upgrade.

« on: February 16, 2024, 02:53:23 am »

The error message you provided indicates an issue with SSL decryption or authentication during the package download process. This error could be related to several factors, including network connectivity issues, SSL/TLS configuration problems, or even potential issues with the package repository server. Try to check out and provide more detail later, maybe I will be able to help.

5

24.1 Legacy Series / Re: KEA DHCP DNS search suffix

« on: February 16, 2024, 02:51:14 am »

Since you're encountering an issue where Unifi access points are not receiving the correct internal search domain via DHCP, leading to difficulties in finding the inform URL one option will be to check DHCP options, ensure that the DHCP options provided by KEA DHCP server include the correct search domain information (option 119 for domain search list). Verify the DHCP configuration to confirm that the internal .local domain is correctly configured and being sent to clients. Another solution may be to verify the configuration of your UniFi access points to ensure that they are configured to obtain network settings via DHCP and that they support receiving and using domain search information provided by the DHCP server.

6

24.1 Legacy Series / Re: Kernel panic

« on: February 16, 2024, 02:47:18 am »

It seems like you're experiencing a kernel panic on an instance running OPNsense in a VMware guest environment. Kernel panics can occur due to various reasons such as hardware issues, driver problems, or software bugs. You can firstly check hardware health by verify the health of your underlying hardware, including the server and storage devices. Ensure that there are no hardware faults or failures that could be causing the kernel panic. Also it would be good to review system logs on the OPNsense instance to gather more information about the kernel panic. Look for any error messages or warnings leading up to the crash.