Messages - Deathmage85

#1
Eventually it loaded after about 20 minutes, and then I could set it back to 1000.
#2
So these are the rulesets and alerts I've typically been blocking. Curious if others have found some unique ones that should be changed from alert to drop and can share.

ET INFO Observed DNS over HTTPS Domain
ETPRO MALWARE
ETPRO PHISHING
ETPRO INFO Dynamic DNS Domain
ETPRO INFO Observed DNS Query for DDNS domain
ETPRO INFO DYNAMIC_DNS Query
ETPRO INFO DYNAMIC_DNS
ET CINS Active Threat Intelligence Poor Reputation IP group
ET SCAN Sipvicious User-Agent Detected
ET Scan
NMAP
MITRE Recon
MITRE Discovery
MITRE Lateral Movement
MITRE Initial Access
MITRE Persistence
MITRE Collection
MITRE Command and Control
MITRE Defense Evasion
MITRE Exfiltration
MITRE Impact
MITRE Resource Development
Exploit Kit
Windows
Kerberos
Powershell
Remote Code Execution
Security Feature Bypass
Windows Firewall
Print Spooler
DLL Hijack Command
Metasploit
Ransomware
Active Directory
Netgear
Cisco
Nexus
QNAP
VMware
OSSIM
Proofpoint
Defender
ET Policy
ET EXPLOIT
ET INFO
ET MALWARE
ET USER_AGENTS
ET WEB_SPECIFIC_APPS
INDICATOR-COMPROMISE
OS-WINDOWS
NETBIOS
SERVER-WEBAPP
SERVER-OTHER
SERVER-IIS
BROWSER-CHROME
BROWSER-IE
BROWSER-EDGE
BROWSER-TOR
EXPLOIT-KIT
ET ATTACK_RESPONSE
ET WEB_CLIENT
ET HUNTING
OS-Windows
OS-Linux
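The list above is a set of rule-message prefixes the poster converts from alert to drop. As an added example (not the poster's code, and not part of OPNsense or Suricata), the script below applies that kind of policy to a plain Suricata rules file: it reads each active `alert` rule, extracts its `msg`, and rewrites the action to `drop` when the message matches one of the chosen keywords, leaving disabled (`#`) rules, already-dropping rules and non-matching rules untouched. The rule lines and sids embedded in it are constructed samples, not real ET/ETPRO signatures.

```python
"""Convert selected Suricata rules from 'alert' to 'drop' by msg keyword.

Added example, not code from the forum thread or from the OPNsense/Suricata
projects. SAMPLE_RULES below are constructed rules with placeholder sids.
"""
import re

# A subset of the prefixes listed in the post; matched case-insensitively
# against each rule's msg string.
DROP_KEYWORDS = [
    "ET INFO Observed DNS over HTTPS Domain",
    "ETPRO MALWARE",
    "ET SCAN Sipvicious User-Agent Detected",
    "MITRE Lateral Movement",
    "Exploit Kit",
]

# Suricata rule actions; the rule line begins with the action keyword.
ACTION_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s",
    re.IGNORECASE,
)
# msg:"..." with escaped quotes tolerated inside the string.
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')

# Constructed sample rules (placeholder sids in the 9000000 range).
SAMPLE_RULES = """\
# Constructed sample rules; not real ET/ETPRO signatures.
alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS over HTTPS Domain (example.invalid in TLS SNI)"; dns.query; content:"example.invalid"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected"; content:"friendly-scanner"; sid:9000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Example Client Checkin"; content:"example"; sid:9000003; rev:1;)
# alert tcp any any -> any any (msg:"ETPRO MALWARE disabled rule stays as-is"; sid:9000004; rev:1;)
drop tcp any any -> any any (msg:"ETPRO MALWARE already a drop rule"; sid:9000005; rev:1;)
"""


def rule_msg(line):
    """Return the msg string of a rule line, or None if it has none."""
    m = MSG_RE.search(line)
    return m.group(1) if m else None


def should_drop(msg, keywords=DROP_KEYWORDS):
    """True when the msg contains any keyword (case-insensitive substring)."""
    if msg is None:
        return False
    low = msg.lower()
    return any(k.lower() in low for k in keywords)


def convert_rules(text, keywords=DROP_KEYWORDS):
    """Rewrite matching 'alert' rules to 'drop'.

    Returns (converted_text, number_of_rules_changed). Comment lines,
    disabled rules and rules with other actions are passed through unchanged.
    """
    out = []
    changed = 0
    for line in text.splitlines():
        stripped = line.lstrip()
        m = ACTION_RE.match(stripped)
        # Only active 'alert' rules are candidates; '#'-prefixed lines never
        # match because the regex is anchored at the start of the line.
        if m and m.group("action").lower() == "alert" and should_drop(
            rule_msg(stripped), keywords
        ):
            indent = line[: len(line) - len(stripped)]
            line = indent + "drop" + stripped[len(m.group("action")):]
            changed += 1
        out.append(line)
    converted = "\n".join(out)
    if text.endswith("\n"):
        converted += "\n"
    return converted, changed


if __name__ == "__main__":
    converted, n = convert_rules(SAMPLE_RULES)
    print(f"{n} rule(s) switched to drop")
    print(converted)
```

Converting an action to drop only has an effect when Suricata runs inline (IPS mode) rather than in IDS mode; in OPNsense the GUI's rule and policy editor manages these actions, so a script like this is for rule files you maintain outside the GUI.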
#3
Hello,

Does anyone know how to reset the Suricata alerts page? I curiously changed the view to 5000, but now it's been hung on "processing request". I can't seem to do it in the interface by setting it back to the default 7 results or even 1000 (it seems stable at 1000), and I'm not finding a setting on Google on how to reset it via command line.

Have others run into this issue in the past and gotten around it?
#4
As a word of caution, please make sure you have a backup of your firewall and a management interface defined before messing around with Suricata in CLI.

A few weeks ago, my own Suricata stopped pulling down rulesets. Thankfully, I was paranoid and took backups daily. When I went to fix it via CLI, it nuked the Suricata IPS config file, and then the firewall locked me out. Ultimately, I had to reinstall and recover. It only took me about 25 minutes, but still.

Err on the side of caution if you mess around in the CLI with Suricata's rulesets.
#5
I sent back the Protectli V1210 and got a V1410, and with pfSense it seems to work a lot better than the V1210. I think because I was trying to force (and it worked-ish) the USB NIC for management, it caused problems with routing and filtering.
#6
I strongly advise if your firewall has the memory to enable all MITRE rulesets at the bare minimum.
#7
ET Pro Telemetry is a paid license, do you have a valid token issued?

You can install the plugin, download the rulesets, but if you don't have a valid subscription token you won't get very far.
#8
So I've set up the transparent bridge identical to this YouTube video and it doesn't appear to work.

https://www.youtube.com/watch?v=Rb4vlN_Hf-U

Ironically, I saved the OPNsense config and deployed pfSense to the Protectli V1211 vault, and it is working as a transparent bridge-based inline IPS, so I'm left pondering what is broken in OPNsense in version 25.1.1.

The YouTube video had it working in 24.7.

Going to let this sit for a little bit, and then I'm going to mock this up in my VMware cluster and see if I can't tinker away at why 25.1.1 is broken compared to 24.7 for a transparent bridge-based IPS.
#9
Hello,

I've deployed OPNsense 25.1.1 to a Protectli 2-port vault (I'm using a persistently configured USB 3.0 NIC for management), and I placed the LAN and WAN in a bridge. I've enabled promiscuous mode and set IPv4 & IPv6 to none.

I've set the firewall to have an 'inbound any any any any' rule and also placed an 'inbound udp any to 255.255.255.255 over port 67' rule for DHCP leases from the Arris modem. I've placed the DHCP rule above the any any any any rule.

Right now, even with enabling a lot of the Advanced firewall settings (Static route filtering, Disable reply-to, and Firewall Optimization set to conservative), minus disabling the firewall itself, I still can't get the OPNsense to simply be in 'inline' mode and to simply 'monitor' the traffic that flows through the bridge, as the default deny rule blocks everything.

Does anyone know how to effectively stop the firewall from using the default deny firewall rule and only let the Suricata IPS block based on detection(s) defined in the rulesets while allowing DHCP traffic to issue an IP to an upstream OPNsense firewall and for non-nefarious traffic to otherwise flow from the ISP modem to the 1st tier firewall without restrictions?

One key setting I found in past deployments of OPNsense that I can't seem to find in 25.1.1 is: "Disable stateful filtering for bridge interfaces"; does anyone know where this moved or morphed into?

I did find two tunables called "net.link.bridge.pfil_bridge set to 0 && net.link.bridge.pfill_member set to 0" but it seems the default deny, as mentioned is still blocking, so what gives? O.o

Goal: get Suricata on this 2 port vault in transparent IPS mode, and then on the upstream firewall enable Zenarmor on the WAN port. Effectively offloading the IPS to a dedicated box.
#10
Got mine to work again.

I did a backup on Zenarmor a couple of days ago, uninstalled Zenarmor, rebooted the firewall, and then reinstalled Zenarmor and restored the backup, and now the reports are working. The plugin did show up as orphaned after doing 25.1.1.

Shall see if these reports still work over the coming days.
#11
I can confirm that after upgrading to 25.1.1, the Zenarmor dashboard stops flowing in reports. I'm also noticing that when you make changes to the default layer 7 policy for blocking/allowing categories, you need to reboot the firewall for the policy to take effect physically.

Prior to upgrading to 25.1, this did not occur on Zenarmor.

Should be noted I'm paying for the Zenarmor home subscription and none of the reports are showing up in the cloud dashboard either.
#12
@My_Network - thank you for your help. Finally got the OPNsense fully configured, all in all took me about 3 weeks in the evenings till about 3 am to finally figure it out.

@Moderators - please feel free to delete this entire posting.
#15
So, something that might help you.

I had a similar issue with getting access to the management port, so what I did was this:

Your port for the GUI, it seems, is 8443.

So in Firewall: Rules [interface], of which I think you want LAN to be the one to access the GUI, create a firewall rule like:

Pass >> Inbound >>> Protocol: TCP/IP >>>> Source (LAN subnet i.e 192.168.100.0/24) >>> source port (any) >>> Destination (This Firewall) >>> Destination port (8443) >>> gateway (not defined) >>> schedule (not defined)

Hope this helps. ^_^