Messages - someone

#1
General Discussion / Re: I'm at my wits end
June 26, 2025, 11:09:53 PM
If you're in IPS mode, did you set it to Hyperscan (should be)? Just a thought.
#2
In OPNsense you can make a blocklist under user-defined rules.
You can subscribe to blocklists, and can get them in txt format to read.
You can enter them manually in opnsense.test.rules as I do, using SFTP.
There they survive a reboot.
#3
You can easily monitor your connections:
Open a terminal.
SSH into your router:
sudo ssh (router LAN IP)
Fingerprint: yes.
Select option 9, pf.
This will show a live version of your connections,
and those denied will show SYN sent and no connection.
To close, use Ctrl-C.
#4
Got it,
thanks everyone.
Select protocol and then select from and to port ranges.
#5
Thanks everyone.
OK,
My WAN rules are default.
I understand how they block a "new" incoming connection.
I have OPNsense on one box and my operating system on another.
There is a firewall, ufw defaults on the OS, and blocked SSH and FTP.
The bad guys enter the OS through the browser.
     Side note: they steal my logs, read them, find the LAN IP, enter OPNsense, steal those logs.
So I'm trying to block connections from servers who have a connection, opening ports that should not be open.
     So, for example, I can block servers "with a connection" only by manually denying a port and direction.
The defaults are for incoming new ports, not established communications, if that helps.
So my question is:
Is there syntax to deny more than one port at a time?
I don't want to enter them one at a time; like 1:52,54:442,442:546, etc., does that work?
I do know a bit about iptables and ufw, both front ends.
And I want to block them from carrying out some attacks through my system.

Thanks
#6
Question: how to enter port ranges in WAN rules?
I need to block port ranges to stop hackers coming through the browser.
IPP/631 virus, for instance,
22/SSH,
etc.
You have to make a rule to stop hackers who have a connection.
So I need broad port ranges, 1:4000.
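A small helper for the port-range question in #5 and #6, added here and not part of the thread: it parses the shorthand the poster typed (1:52,54:442,442:546), validates each range, merges ranges that overlap or touch, and prints the from/to pairs to enter one rule at a time plus the same list in pf's port syntax (pf, which OPNsense runs underneath, writes a range as lo:hi). The interface name `wan` in the printed rule is an assumption.

```python
"""Normalize a comma-separated port range list such as "1:52,54:442,442:546".
Constructed example, not from the forum thread: parses the poster's shorthand,
validates it, merges overlapping or touching ranges, and prints one from/to
pair per firewall rule plus the equivalent pf port syntax.
"""
from typing import List, Tuple

Range = Tuple[int, int]


def parse_port_spec(spec: str) -> List[Range]:
    """Parse "a:b,c,d:e" into validated (lo, hi) tuples."""
    ranges: List[Range] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo_s, _, hi_s = item.partition(":")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo          # bare "22" means 22:22
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range: {item!r}")
        ranges.append((lo, hi))
    return ranges


def merge_ranges(ranges: List[Range]) -> List[Range]:
    """Merge overlapping or adjacent ranges (54:442 + 442:546 -> 54:546)."""
    merged: List[Range] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def pf_port_list(ranges: List[Range]) -> str:
    """Render in pf's port syntax: a single port, or lo:hi for a range."""
    parts = [f"{lo}:{hi}" if lo != hi else str(lo) for lo, hi in ranges]
    return parts[0] if len(parts) == 1 else "{ " + ", ".join(parts) + " }"


if __name__ == "__main__":
    merged = merge_ranges(parse_port_spec("1:52,54:442,442:546"))
    for lo, hi in merged:
        print(f"rule: destination port from {lo} to {hi}")
    print(f"pf: block in quick on wan proto tcp from any to any port {pf_port_list(merged)}")
```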
#7
Most hacking is through your browser, no password required.
Malicious websites, loading files on your computer, planting backdoors on your computer, sending beacons to the bad guys.
Sometimes the beacon doesn't activate till a certain bot, spider or scraper hits it; then it creates a connection.
Malicious downloads: pdf, img, jpg, png, txt; even the page itself can be malicious when it opens in your browser.
The web page sends you to twenty other servers; we have no idea what they are doing.
They infect your apps, your communications, steal your logs, steal your data.
Take snapshots of the screen if possible instead of a download, much safer.

Don't keep your data on your internet computer.
Wipe your computer often.
Keep a backup of important data.
If you're using Windows, yes, a protection suite is needed.
Linux we reload.
If you're using Linux or a form of it and you've spent a lot of time setting it up,
copy it, your whole setup.
You can shrink the partitions or partition
and copy the whole thing as is.
Then you can reinstall it in less than 30 seconds
and then adjust the partitions again if needed.
Linux Mint's Disks program does this,
and GParted for the partitions.
There are others.

#8
Yes, use default rules until your skill level increases.
There are no wrong blocks; that's a maintenance issue on the user.
Yes, I would run IPS rules.
You need them to block attacks toward you and from them attacking others through your computer,
not counting data breaches, spreading malicious forms of attack, etc.
Most people will never reach those skill levels; I'm just a newb.
I deal with them most every day.
#9
Is your IPS using a filter, to stop some bad guys?
Also, you may not see any till there are some.
Most of my blocks are from blocklists, IP range blocks, and others:
Snort community blocklist, honeypot blocklist, range blocks.
#10
OPNsense rules change at times; they are refreshed from those sites.
The rules update if you do a manual rule update and install,
or you can set up automatic rule updates.
Note: OPNsense runs Suricata rules and not Snort.
They are not compatible; they don't have the same engine.
Your own rules can be entered manually.
If it's a simple rule or temporary, you can use user-defined rules.
#11
Yes, detections work in Hyperscan.
1. Did you enter your IP in Intrusion Detection > Administration, click Advanced in the upper right, and put your IP in the Home Network box,
   and remove the others?
2. Did you enable the rules, and did you click Apply in Enable Intrusion Detection and rules categories?
3. You may not see any alerts till you actually get some; some ISPs run filters.
4. Are you running blocklists? That is most of my blocks: Snort community blocklists, my own IP range blocks, and others.
   You can either enter them in OPNsense blocklists (don't know if it's subscriptions),
   or can enter them by cut and paste in user-defined rules,
   or enter them manually.
#12
Did you put your IP address in the Home Network box in Advanced settings on the Administration page?
#13
Here is what I did; don't know if it will help you. I've gotten the Wazuh SIEM server working on Linux Mint 22 on a box and OPNsense as an agent on another box.
On the server, which is LM22, I did an update and installed the JDK via Synaptic, which was 4 or 5 files.
Then I used the Wazuh quickstart for Ubuntu and followed the directions on their documentation page,
which was cut and paste one line; it's a curl command and runs a script.
Then the Wazuh server page appears.
Then open a terminal on the server and go to /var/ossec/bin.
Command line: ./manage_agents (this will create a new agent).
Type A for add and enter the hostname of the OPNsense router and its IP; then quit.
Then run the command again and type L for List.
Then type I to get a key for that agent, copy and save it, then exit.

Next on the OPNsense box I install the Wazuh agent from plugins,
reboot and enable wazuh-agent, set manager hostname... IP of the Wazuh server on the LAN, which is the LAN address.
The authentication password is your hostname on OPNsense, which is opnsense.somethingdomain or whatever you changed it to.
It is your hostname in the OPNsense dashboard, and at the top right on the Wazuh agent GUI page.
It is also what you set as the name of the wazuh-agent on the Wazuh server on the other box.
Then SSH into OPNsense and go to /var/ossec/bin.
On the command line enter ./manage_agents.
Your agent will show up and it will ask if you want to enter a key; paste the key from the server here. Exit, reboot.

Remember to open TCP ports 1515 and 1514 on both the server box and the OPNsense box.
Reboot the operating system or use systemctl to shut down the server first, then power down.
Don't think this part below is needed any more:
sudo systemctl stop wazuh-indexer
sudo systemctl stop wazuh-dashboard
sudo systemctl stop wazuh-server
Lately on new installs something has changed and I don't have to do manual starts or stops.
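A check for the key step of the procedure in #13, added here and not part of the thread: before pasting the key into manage_agents on the OPNsense side, decode it and confirm the agent name inside it is the hostname the poster says must match. Assumption: the key manage_agents exports on the server is the Base64 encoding of the agent's client.keys line (`<id> <name> <address> <secret>`); the hostname `opnsense.localdomain` and the all-zero secret are constructed placeholders.

```python
"""Inspect a Wazuh agent key before pasting it into manage_agents on the agent.
Added example, not from the thread. Assumption: the key manage_agents exports
on the server is the Base64 encoding of the agent's client.keys line,
"<id> <name> <address> <secret>"; check this against your own key.
"""
import base64
import re
from typing import Dict


def decode_agent_key(key_b64: str) -> Dict[str, str]:
    """Decode the exported key into its four fields, validating the layout."""
    raw = base64.b64decode(key_b64.strip(), validate=True).decode("ascii")
    fields = raw.split(" ")
    if len(fields) != 4:
        raise ValueError(f"expected 4 space-separated fields, got {len(fields)}")
    agent_id, name, address, secret = fields
    if not re.fullmatch(r"\d{3,}", agent_id):
        raise ValueError(f"agent id {agent_id!r} is not numeric")
    if not re.fullmatch(r"[0-9a-f]{32,}", secret):
        raise ValueError("secret does not look like a hex string")
    return {"id": agent_id, "name": name, "address": address, "secret": secret}


def key_matches_host(key_b64: str, opnsense_hostname: str) -> bool:
    """True when the name inside the key equals the hostname set on OPNsense."""
    return decode_agent_key(key_b64)["name"] == opnsense_hostname


def make_demo_key(agent_id: str, name: str, address: str, secret: str) -> str:
    """Build a key in the same layout; used only to construct sample input."""
    line = f"{agent_id} {name} {address} {secret}"
    return base64.b64encode(line.encode("ascii")).decode("ascii")


# Constructed sample: placeholder hostname and secret, not a real key.
DEMO_SECRET = "0" * 64
DEMO_KEY = make_demo_key("001", "opnsense.localdomain", "any", DEMO_SECRET)

if __name__ == "__main__":
    info = decode_agent_key(DEMO_KEY)
    print(f"agent {info['id']}: name={info['name']} address={info['address']}")
    print("name matches OPNsense hostname:",
          key_matches_host(DEMO_KEY, "opnsense.localdomain"))
```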
#14
Check and see if the key from the agent is in the server. If not, manually put it in.
#15
Start with the defaults until you learn more. No such thing as a false positive. All my alerts are set to block. You don't need to see the data to determine the packet's motive. Hope that helps.