Messages - someone

#1
General Discussion / Re: NAXSI
December 27, 2025, 01:50:28 AM
You guys are great, and so is the forum.
So I want to mention something, if you don't mind: I am not always watching.
While you are on the forum sometimes, have a terminal open watching for connections as you go through the pages.
This checks the forum for some types of malware, should a bad guy do such a thing.
This is checking for embedded software in icons and photos and anything uploaded.
It is undetectable by programs; it takes me days with specialized hacking programs and AI to check a single small photo.
CyberChef and a couple of others and Google AI really speed it up.
So I wanted to mention that watching connections is a way faster method in one respect.
Files are another thing; thought I would mention it.
#2
General Discussion / Re: NAXSI
December 25, 2025, 09:13:45 PM
Plan is to use nginx to decrypt and send packets to Suricata, where I'll put in some keyword rules to grab the commands in the payload and log all of it, and I will find out what IP they are coming from. A lot of TLSv1.1 for me, so it shouldn't be too difficult.
#3
General Discussion / Re: NAXSI
December 25, 2025, 07:12:05 PM
Google quote:
Yes, AppArmor logs denied operations, showing what was blocked (like file opens, writes, or network access), which process (PID, command name), the specific profile, and the resource (file path) it tried to access, visible in kernel logs (dmesg, syslog, journalctl), especially when using aa-logprof for analysis. These logs help you understand and update AppArmor rules to allow legitimate actions while blocking malicious ones.

It can be put on OPNsense.

Connected to three social media servers and browser servers, about 50 attacks per hour via browser; default OPNsense stops the others.
Blocked commands on the operating system that got past OPNsense: chrome, chrun, crun, balena-etcher, tuxedo, busybox, cam, ping, buildah, brave, ch-checkns, etc., and many fragments.
Example of how:
Your browser inserts and deletes files at will, without permission.
There is a major media app that will take all your files on the copyright premise, without permission.
Again, how it happens is they have a connection established, some without coming through the front door; this is one new way of hacking.
Used by big business, data brokers, bad guys.
It can be a video, a PDF, something in the webpage that makes the connection.
Mine are coming through major servers; sometimes it switches to names that should not be there, and I can see them.
I mentioned before I got on a popular shopping site and was connected to 32 servers around the world. I think that's changed; I told them.
I mentioned the web has changed and we can't use old block lists because they are being used by the new server systems; they needed more IPs.
Some of these server systems are interlinked, for example the money system, photo storage, advertising, third-party systems that don't always show up.
These servers are not monitored. For their security, yes, not ours; it's a pass-through system. They can't, too much traffic.
There is more on this type of intrusion on the security sites.
As far as I know, that's my guess.
I am adding programs to OPNsense to stop these from getting past OPNsense; OPNsense does have the tools.
If anyone knows more, please let me know.

And thanks, I wouldn't be online if it were not for OPNsense.
#4
General Discussion / Re: Linux mint has apparmor built in
December 25, 2025, 06:33:28 PM
Google quote:
Purpose: AppArmor on OPNsense is for endpoint hardening, preventing compromised applications (like browsers) from damaging the firewall OS, not for network traffic filtering.
#5
Second try, I got hacked again; it killed my computer.
Thanks.
That's just the way I talk, like deprecated speech; I have to leave a lot out, and I have to talk fast
because I don't know how long I have before another hacking crash.
There is a reason for what I brought up, but if I explained it all, it could be ten times longer.

Thanks again.
#6
I am new to WAF. As I tried explaining, we need it and why; they deleted my posts. I get 50 attacks an hour through the browser and was unaware that could happen; it bypasses the OPNsense firewall and normal Suricata completely. A WAF and AppArmor stop them. Also OPNsense has the tools, which I have learned about, to mitigate these attacks, but I don't see much on it.

So the WAFs I have researched run off the proxy server. I saw some where the log location had to be written into the proxy server config file. Some WAFs need a connector program to the proxy if not already compiled in. OPNWAF may already have it. OPNWAF should, I think, run on its own; not sure what you're trying to do. CrowdSec is an IP-based WAF. OPNWAF uses OWASP ModSecurity rulesets and a few other things. I may have to look at OPNWAF. I was working on Coraza in HAProxy, open-appsec in nginx, and NAXSI in nginx, but it says I have to manually put in OWASP rules in NAXSI, and Squid and/or nginx decryption to Suricata using a transparent proxy or reverse proxy. There are others here who know.

Are you getting log errors? Check where they are sent. Is it working, getting errors or blocks or page blocks? There is a test command in the docs, and there are websites to test it with. Did you check the CrowdSec forums and docs? CrowdSec shows integrating open-appsec into the CrowdSec engine, which would give CrowdSec OWASP ModSecurity rules. Check for similar or others. If you are running OPNWAF, why integrate with CrowdSec?
#7
General Discussion / NAXSI
December 23, 2025, 09:47:02 PM
Can anyone tell me if the WAF NAXSI operating in the os-nginx plugin is working? It says it was archived.
#8
People, please don't leave OPNsense because there are some unhelpful people on the forum. Many forums are like that.
#9
What is the title of this forum section? I spent two years working to get this information, which no one on this forum has bothered to mention or been able to help with. I hope it helps others, and helps OPNsense. OPNsense is in competition, has obligations, and so does this forum. Security is the only thing keeping OPNsense and its competitors alive. Are we going to post security-related messages here, or will OPNsense create another topic field? I don't care to see OPNsense fall behind; security and the ongoing tasks and countermeasures are huge.
#10
There are two types of threats, one I have discovered recently on my own.
One: Say your computer is on and no browser open:
     That is new-connection based, in which a new connection is required. The OPNsense firewall and Suricata handle these very well.
     No one can just make a connection to your computer you didn't ask for. Attackers and bots can't get in.
Two: Browser-based connections, three types, which OPNsense cannot protect against:
     One: A connection made by something you clicked on or hovered over.
     Two: Automatic connection by a connected server, which connects you to other servers without permission, also from embedded scripts in webpages.
     Three: Stolen connections, such as cross-platform scripts inside websites.

If they have a connection, they can do what they want on your computer.
So how do you protect your operating system and OPNsense?
I use AppArmor and install its extra profiles. It protects your operating system endpoints so bad guys can't destroy or take over your computer or OPNsense. There are many different types of endpoint protection. They also differ in what they trigger off of. AppArmor is access control of endpoints. Endpoints are apps that operate your computer. It is working for me in the default configuration once you add the extra profiles with a software manager. If they have access to your computer, they have very easy access to the OPNsense LAN side. I would think everyone needs some type of endpoint protection, if you can.

Be careful which type of endpoint protection you use; they are not created equal. And I don't care to bash them. Pun.
Protection such as AppArmor monitors all commands on your computer, aka access control; others monitor IPs only, others just keywords, etc.
I install auditd also, so I can see which commands AppArmor blocked that are coming through the browser.

Suricata is working on decryption, where they can scan all incoming traffic, which will take a large burden off of endpoint protection.
If you are a business, there are services offering this.
At home, decryption can be done and traffic scanned.

I call it browser intrusion; it has many names and many attacks.
#11
General Discussion / Re: Linux mint has apparmor built in
December 23, 2025, 05:46:33 AM
If you are on Linux or similar, check if AppArmor is built in or available in your repository. After you do an update, install apparmor-utils, apparmor-profiles, apparmor-profiles-extra, apparmor-notify, and auditd to monitor everything. I have connections through the browser attacking my system, trying to break through AppArmor. It shows up in the auditd log file. It's a mile long. Using this as your endpoint protection, or a similar app, protects your operating system and the LAN-side backend of OPNsense, which is open and everything is allowed; that's how they were breaking my separate OPNsense router.

The app called AppArmor can be more or less restrictive to suit your needs. I am using it on default. When the other extensions are installed, then execute sudo systemctl restart apparmor, or just restart your computer. It updates the profiles. There are browser jails, but most research said they cause problems due to being too restrictive. Only use them in extreme cases of attack. The auditd log will show the actual commands they tried to execute on your computer. Hope this helps anyone experiencing intrusion through the browser or who just needs some more security.

These are the kind of attacks Suricata is working on, but it will be in the future, maybe Suricata 9. We have to start decrypting, which will take more processing power; OPNsense may be split due to the size of the unit needed to do this. I mean more security will mean a bigger unit to run it all, or have options on how much security is running with different-size router units, as they already do. Decrypting headers is one thing; decrypting the full payload and checking it is another.
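The AppArmor log fields that the Google quote in post #3 lists (operation, profile, PID, command name, resource) and the auditd log that post #11 reads for blocked commands can be pulled out with a short script. The following is an added example, not code from the forum post or from the AppArmor project. It assumes the standard AppArmor audit record format as written to /var/log/audit/audit.log by auditd (the same fields appear in dmesg and journalctl output); the sample log lines are constructed for the example, and the profile name "firefox" and the paths in them are illustrative.

```python
"""Parse AppArmor DENIED/ALLOWED events out of auditd (audit.log) or journal/dmesg
text and summarise which profile blocked which operation on which target.

Added example, not code from the forum post. It assumes the standard AppArmor
audit line format (apparmor="DENIED" operation="..." profile="..." ...) as
emitted by the kernel into /var/log/audit/audit.log or the journal. The
sample log below is constructed for the example.
"""
import re
from collections import Counter

# key=value tokens; values are either "quoted" (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit(<epoch seconds>.<millis>:<serial>) as written by both auditd and dmesg
_TS = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_line(line):
    """Return a dict for one AppArmor DENIED/ALLOWED event, or None for any other line."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = bare if bare else quoted
    mode = fields.get('apparmor')
    if mode not in ('DENIED', 'ALLOWED'):       # skip STATUS (profile load) and others
        return None
    # File operations carry name=; network operations carry family=/sock_type= instead.
    if fields.get('name'):
        target = fields['name']
    elif fields.get('class') == 'net':
        target = 'net:%s/%s' % (fields.get('family', '?'), fields.get('sock_type', '?'))
    else:
        target = fields.get('info', '?')
    ts = _TS.search(line)
    return {
        'ts': float(ts.group(1)) if ts else None,
        'mode': mode,
        'operation': fields.get('operation', '?'),
        'profile': fields.get('profile', '?'),
        'pid': int(fields['pid']) if fields.get('pid', '').isdigit() else None,
        'comm': fields.get('comm', '?'),
        'target': target,
        'denied_mask': fields.get('denied_mask', ''),
    }


def parse_log(text):
    """Parse every line of a log dump; non-AppArmor lines are ignored."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            events.append(ev)
    return events


def summarize_denials(events):
    """Count DENIED events by (profile, operation, target), which is what you would
    feed back into a profile decision (allow it, or leave it blocked)."""
    return Counter((e['profile'], e['operation'], e['target'])
                   for e in events if e['mode'] == 'DENIED')


def denied_execs(events):
    """Paths the confined programs tried to exec and were refused (e.g. a browser
    profile spawning busybox or ping), one entry per distinct path."""
    return sorted({e['target'] for e in events
                   if e['mode'] == 'DENIED' and e['operation'] == 'exec'})


# Constructed sample: a browser profile denied an exec, a file read and a raw socket,
# plus an ALLOWED (complain-mode) line, a STATUS line and an unrelated SYSCALL record.
SAMPLE_LOG = """\
type=AVC msg=audit(1735084800.101:2001): apparmor="DENIED" operation="exec" class="file" profile="firefox" name="/usr/bin/busybox" pid=4242 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1735084800.102:2002): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/etc/shadow" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1735084800.103:2003): apparmor="DENIED" operation="exec" class="file" profile="firefox" name="/usr/bin/busybox" pid=4243 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1735084800.104:2004): apparmor="DENIED" operation="create" class="net" profile="firefox" pid=4242 comm="firefox" family="inet" sock_type="raw" protocol=1 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1735084800.105:2005): apparmor="ALLOWED" operation="open" class="file" profile="firefox" name="/home/user/.cache/mozilla/x" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1735084800.106:2006): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="firefox" pid=1 comm="apparmor_parser"
type=SYSCALL msg=audit(1735084800.107:2007): arch=c000003e syscall=59 success=no exit=-13 comm="firefox" exe="/usr/lib/firefox/firefox"
"""

if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    for (profile, op, target), n in summarize_denials(evs).most_common():
        print('%4d  %-10s %-8s %s' % (n, profile, op, target))
    print('denied execs:', denied_execs(evs))
```

On a real system, pass the contents of /var/log/audit/audit.log (or the output of journalctl -k) to parse_log. aa-logprof (apparmor-utils) and aa-notify (apparmor-notify) read the same records; this script only adds a count per profile, operation and target, so a "mile long" log collapses to a few lines showing which binaries a confined browser was refused exec on and which files or sockets it was refused access to.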
#12
Suricata is asking for decoded pcaps in HTTP/3, which is based on QUIC.
They are running tests on the newer scanning of keywords.
The big companies just decode it all and don't separate out what they are looking for.
#13
General Discussion / Suricata will have a firewall
December 23, 2025, 05:12:19 AM
Suricata is working on implementing a firewall; it can be enabled or not.
It is adding detection of a further eight protocols, which is good, because the rules I wrote do nothing when the protocol can't be detected.
Suricata is moving toward being totally written in Rust vs C for FreeBSD.
There was a mention of maybe splitting IDS from IPS. Not sure how extensive they are talking, like two separate systems; I don't know.
Suricata runs in front of the firewall on OPNsense.
I don't mind two firewalls. I would actually have three, there being one on the operating system separate from the router, which actually blocks some things the OPNsense firewall and Suricata do not catch. It may be possible to block it in Suricata; I haven't looked for a rule to cover it.
#14
Under Policies there is a ruleset box for the policy being made.
Under the box you can click on Select All, or click on the box and individually select rulesets.
I don't think it will let you leave it blank; been a minute.
#15
Progress? Did you get it working? The things I mentioned affect DNS considerably.