Messages - someone

#1
General Discussion / Re: NAXSI
January 09, 2026, 02:00:48 AM
A few things
My first OPNsense instance was protected by AppArmor because it was a VM, shared systems

OK, I found out more on what my attacks are
One, the blocked commands I was picking up in logs are in line with crypto malware

Two, how it gets there through the browser
I didn't have a name for it but IBM and global security do. It's called zero-click attacks
It's been in CVEs since the year 2000, no one can fix it yet.

IBM has a video on zero-click attacks and the first two seconds of it say, boom, you're hacked, just that fast
It's software of different types downloaded through the browser, two names: Pegasus, Stagefright, that's just two,
not counting all the others and the variations of it, the amount of code varies.
They affect phones and computers. All they have to do to hack your phone is call you
You don't have to answer or even touch your phone and you're hacked
There is more information on these types of attacks, just some of millions of attacks
This software is sold to people, the one shown was subscription-based, strange, around 700 a year
Reason it's hard to see, it's not just encrypted, it can be double encrypted, it can be obfuscated before encryption,
So decrypting packets doesn't pick it up, they usually skip it
Remember I was talking about the hands-on tools to see and break down this embedded malware code
Anyway, these attacks, different types, come through the browser, and affect your phone
Yes, I hunt them in my spare time sometimes, and bug bounty
Have found a few, I didn't save them, they are dangerous around your system, I'll have to save them from now on
And the corporations didn't offer to pay me, they did ask me to help.
#2
General Discussion / Re: NAXSI
December 27, 2025, 01:50:28 AM
You guys are great, and the forum too
So I want to mention something if you don't mind, I am not always watching
While you are on the forum sometimes, have a terminal open watching for connections as you go through the pages
This checks the forum for some types of malware should a bad guy do such
This is checking for embedded software in icons and photos and anything uploaded
It is undetectable by programs, takes me days with specialized hacking programs and AI to check a single small photo
CyberChef and a couple of others and Google AI really speed it up
So I wanted to mention watching connections is a way faster method in one respect
Files are another thing, thought I would mention it
#3
General Discussion / Re: NAXSI
December 25, 2025, 09:13:45 PM
Plan is to use Nginx to decrypt and send packets to Suricata where I'll put in some keyword rules to grab the commands in the payload and log all of it, and will find out what IP they are coming from. A lot of TLSv1.1 for me so it shouldn't be too difficult.
#4
General Discussion / Re: NAXSI
December 25, 2025, 07:12:05 PM
And thanks, I wouldn't be online if it were not for OPNsense
#5
General Discussion / Re: Linux mint has apparmor built in
December 25, 2025, 06:33:28 PM
Google quote:
Purpose: AppArmor on OPNsense is for endpoint hardening, preventing compromised applications (like browsers) from damaging the firewall OS, not for network traffic filtering.
#6
Thanks

Thanks again
#7
I am new to WAF
#8
General Discussion / NAXSI
December 23, 2025, 09:47:02 PM
Can anyone tell me if the WAF NAXSI operating in the os-nginx plugin is working? It says it was archived.
#9
People, please don't leave OPNsense because there are some non-helpful people on the forum. Many forums are like that.
#10
What is the title of this forum section? I spent two years working to get this information, which no one on this forum has bothered to mention or been able to help with. I hope it helps others, and helps OPNsense. OPNsense is in competition and has obligations, and so does this forum. Security is the only thing keeping OPNsense and its competitors alive. Are we going to post security-related messages here, or will OPNsense create another topic field? I don't care to see OPNsense fall behind; security and the ongoing tasks and countermeasures are huge.
#11
There are two types of threats, one I have discovered recently on my own
One: Say your computer is on and no browser open:
     That is new-connection based, in which a new connection is required. The OPNsense firewall and Suricata handle these very well.
     No one can just make a connection to your computer you didn't ask for. Attackers and bots can't get in
Two: Browser-based connections, three types, which OPNsense cannot protect against
     One: A connection made by something you clicked on or hovered over
     Two: Automatic connection by a connected server, which connects you to other servers without permission, also from embedded scripts in webpages
     Three: Stolen connections such as cross-platform scripts inside websites

If they have a connection they can do what they want on your computer
So how do you protect your operating system and OPNsense?
I use AppArmor and install its extra profiles. It protects your operating system endpoints so bad guys can't destroy or take over your computer or OPNsense. There are many different types of endpoint protection. They also differ in what they trigger off of. AppArmor is access control of endpoints. Endpoints are apps that operate your computer. It is working for me in default configuration once you add the extra profiles with a software manager. If they have access to your computer they have very easy access to the OPNsense LAN side. I would think everyone needs some type of endpoint protection if you can.

Careful which type of endpoint protection you use, they are not created equal. And I don't care to bash them. Pun.
Protection such as AppArmor monitors all commands on your computer, aka access control; others monitor IPs only, others just keywords, etc.
I install auditd also so I can see which commands AppArmor blocked that are coming through the browser

Suricata is working on decryption, where they can scan all incoming traffic. Which will take a large burden off of endpoint protection.
If you are a business there are services offering this.
At home, decryption can be done and traffic scanned.

I call it browser intrusion; it has many names and many attacks
#12
General Discussion / Re: Linux mint has apparmor built in
December 23, 2025, 05:46:33 AM
If you are on Linux or similar, check if AppArmor is built in or available in your repository. After you do an update, install apparmor-utils, apparmor-profiles, apparmor-profiles-extra, apparmor-notify, and auditd to monitor everything. I have connections through the browser attacking my system trying to break through AppArmor. It shows up in the auditd log file. It's a mile long. Using this as your endpoint protection, or a similar app, protects your operating system and the LAN-side backend of OPNsense, which is open and everything is allowed; that's how they were breaking my separate OPNsense router. The app called AppArmor can be more or less restrictive to suit your needs. I am using it on default. When the other extensions are installed, execute sudo systemctl restart apparmor, or just restart your computer. It updates the profiles. There are browser jails but most research said they cause problems due to being too restrictive. Only use in extreme cases of attack. The auditd log will show the actual commands they tried to execute on your computer. Hope this helps anyone experiencing intrusion through the browser or who just needs some more security. These are the kind of attacks Suricata is working on, but it will be in the future, maybe Suricata 9. We have to start decrypting, which will take more processing power. OPNsense may be split due to the size of the unit needed to do this; I mean more security will mean a bigger unit to run it all, or have options on how much security is running with different-size router units as they already do. Decrypting headers is one thing, decrypting the full payload and checking it is another.
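The post above says the auditd log shows what AppArmor blocked; reading a log that is "a mile long" by eye is slow, so here is an added example (not the poster's own code) that parses the AVC records AppArmor writes to audit.log and counts denials per profile, operation and target path. The log lines are constructed for illustration, not real captures; the profile name "firefox" and the paths in them are assumed.

```python
import re
from collections import Counter

# Constructed sample audit.log lines in the AVC format AppArmor emits (not real captures).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1735000000.101:201): apparmor="DENIED" operation="exec" profile="firefox" name="/usr/bin/curl" pid=2345 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1735000000.102:202): apparmor="DENIED" operation="open" profile="firefox" name="/etc/shadow" pid=2345 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1735000000.103:203): apparmor="ALLOWED" operation="open" profile="firefox" name="/home/user/Downloads/x.png" pid=2345 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1735000000.104:204): apparmor="DENIED" operation="exec" profile="firefox" name="/usr/bin/curl" pid=2399 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1735000000.104:204): arch=c000003e syscall=59 success=no exit=-13 comm="firefox"
"""

# AppArmor AVC records are a flat run of key="value" pairs; this picks them all up.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_apparmor_events(lines):
    """Return one dict of fields per AppArmor AVC record; other audit record types are skipped."""
    events = []
    for line in lines:
        if 'apparmor="' not in line:
            continue  # SYSCALL/PROCTITLE records carry no AppArmor verdict
        events.append(dict(FIELD_RE.findall(line)))
    return events


def summarize_denials(events):
    """Count DENIED verdicts by (profile, operation, target name), ignoring ALLOWED/AUDIT records."""
    counts = Counter()
    for ev in events:
        if ev.get("apparmor") != "DENIED":
            continue
        counts[(ev.get("profile"), ev.get("operation"), ev.get("name"))] += 1
    return counts


if __name__ == "__main__":
    # In practice: sudo ausearch -m AVC | python3 thisscript.py, or read /var/log/audit/audit.log
    denials = summarize_denials(parse_apparmor_events(SAMPLE_AUDIT_LOG.splitlines()))
    for (profile, op, name), n in denials.most_common():
        print(f"{n:4d}  {profile:<12} {op:<8} {name}")
```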
#13
Suricata is asking for decoded pcaps in HTTP3, which is based on QUIC
They are running tests on the newer scanning of keywords.
The big companies just decode it all, and don't separate out what they are looking for.
#14
General Discussion / Suricata will have a firewall
December 23, 2025, 05:12:19 AM
Suricata is working on implementing a firewall; it can be enabled or not.
It is adding detection of a further eight protocols. Which is good, because the rules I wrote do nothing when the protocol can't be detected.
Suricata is moving toward being totally written in Rust vs C for FreeBSD.
There was a mention of maybe splitting IDS from IPS. Not sure how extensive they are talking, like two separate systems, I don't know.
Suricata runs in front of the firewall on OPNsense.
I don't mind two firewalls. I would actually have three, being there is one on the operating system separate from the router. Which actually blocks some things the OPNsense firewall and Suricata do not catch. It might be blocked in Suricata, I haven't looked for a rule to cover it.
#15
Under policies there is a ruleset box for the policy being made.
Under the box you can click on select all, or click on the box and individually select rulesets.
I don't think it will let you leave it blank, been a minute