Messages - zlinuxboy

#1
Hello, sir.

I have had no reply for 3 days after sending letters to sales@opnsense.org and contact@opnsense.org. Any suggestion on how to push this forward?
#2
I created & applied a new policy:

```
/usr/local/etc/suricata/rule-policies.config
[71b2ac5f6ed2473d94c5ad5f4b2ae28b]
enabled=1
prio=0
rulesets=emerging-attack_response.rules,emerging-dos.rules,emerging-exploit.rules,emerging-icmp.rules,emerging-icmp_info.rules,emerging-info.rules,emerging-malware.rules,emerging-misc.rules,emerging-p2p.rules,emerging-scan.rules,emerging-sql.rules,opnsense.social_media.rules
content=
action=alert
__target_action__=drop
__policy_id__=71b2ac5f-6ed2-473d-94c5-ad5f4b2ae28b
__policy_description__=-
```


BEFORE creating the policy, I generated a scan. The

opnsense console
/var/log/suricata/eve.json

```
...
{
  "timestamp": "2025-11-05T16:30:03.731607+0800",
  "flow_id": 890432422023188,
  "in_iface": "vmx1",
  "event_type": "alert",
  "src_ip": "10.4.0.1",
  "src_port": 64517,
  "dest_ip": "172.16.14.100",
  "dest_port": 5802,
  "proto": "TCP",
  "ip_v": 4,
  "pkt_src": "wire/pcap",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2002910,
    "rev": 6,
    "signature": "ET SCAN Potential VNC Scan 5800-5820",
    "category": "Attempted Information Leak",
    "severity": 2,
    "metadata": {
      "confidence": [
        "Medium"
      ],
      "created_at": [
        "2010_07_30"
      ],
      "signature_severity": [
        "Informational"
      ],
      "updated_at": [
        "2019_07_26"
      ]
    }
  },
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 60,
    "bytes_toclient": 0,
    "start": "2025-11-05T16:30:03.731607+0800",
    "src_ip": "10.4.0.1",
    "dest_ip": "172.16.14.100",
    "src_port": 64517,
    "dest_port": 5802
  }
}
...

ATTACKER:

┌──(vagrant㉿kali-105)-[~]
└─$ sudo ip netns exec v4-cln1 nmap -sS -T4 172.16.14.100
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-05 03:29 EST
Nmap scan report for 172.16.14.100
Host is up (0.0010s latency).
Not shown: 999 closed tcp ports (reset)
PORT  STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 13.64 seconds

```

AFTER creating and applying the policy, I generated a scan. The

opnsense console
/var/log/suricata/eve.json
```
{
  "timestamp": "2025-11-05T16:43:19.949197+0800",
  "flow_id": 2106448014443784,
  "in_iface": "vmx1",
  "event_type": "alert",
  "src_ip": "10.4.0.1",
  "src_port": 54695,
  "dest_ip": "172.16.14.100",
  "dest_port": 3306,
  "proto": "TCP",
  "ip_v": 4,
  "pkt_src": "wire/pcap",
  "alert": {
    "action": "blocked",
    "gid": 1,
    "signature_id": 2010937,
    "rev": 3,
    "signature": "ET SCAN Suspicious inbound to mySQL port 3306",
    "category": "Potentially Bad Traffic",
    "severity": 2,
    "metadata": {
      "confidence": [
        "Medium"
      ],
      "created_at": [
        "2010_07_30"
      ],
      "signature_severity": [
        "Informational"
      ],
      "updated_at": [
        "2019_07_26"
      ]
    }
  },
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 60,
    "bytes_toclient": 0,
    "start": "2025-11-05T16:43:19.949197+0800",
    "src_ip": "10.4.0.1",
    "dest_ip": "172.16.14.100",
    "src_port": 54695,
    "dest_port": 3306
  }
}


attacker:

┌──(vagrant㉿kali-105)-[~]
└─$ sudo ip netns exec v4-cln1 nmap -sS -T4 172.16.14.100
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-05 03:43 EST
Nmap scan report for 172.16.14.100
Host is up (0.0018s latency).
Not shown: 995 closed tcp ports (reset)
PORT    STATE    SERVICE
22/tcp  open    ssh
1433/tcp filtered ms-sql-s
1521/tcp filtered oracle
3306/tcp filtered mysql
5432/tcp filtered postgresql

Nmap done: 1 IP address (1 host up) scanned in 14.88 seconds
```

Questions:

1. Is that the right method to create such a policy to achieve my goal?
2. Why does nmap show 22 as open, but 3306 as filtered, after applying the newly created policy (action changed from alert to drop)?
#3
Hello, community.
I only touched Suricata yesterday; there are some new concepts I am trying to catch up on.
I have downloaded and applied the ET Open rules, and successfully made Suricata generate an alert by using an attacker@$external_net to nmap -sS -T4 server@$home_net.
But even after I enable IPS mode, Suricata still allows packets that match the ET Open rules to go through.
How do I make Suricata drop the evil packet when it matches rules in IPS mode?
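A small checker, added here and not part of the thread, that reads eve.json alert records like the ones quoted in #2 and counts per signature how often Suricata reported the action as `allowed` versus `blocked`; this is one way to confirm whether the drop policy asked about in #3 is actually taking effect. The sample lines are constructed and trimmed to the fields the check needs.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (one JSON object per line), modelled on
# the alert records quoted in the thread: one hit before the policy (allowed),
# one after (blocked), plus a non-alert record and a second allowed hit.
SAMPLE_EVE = """\
{"timestamp":"2025-11-05T16:30:03.731607+0800","event_type":"alert","src_ip":"10.4.0.1","dest_ip":"172.16.14.100","dest_port":5802,"proto":"TCP","alert":{"action":"allowed","signature_id":2002910,"signature":"ET SCAN Potential VNC Scan 5800-5820"}}
{"timestamp":"2025-11-05T16:30:04.000000+0800","event_type":"flow","src_ip":"10.4.0.1","dest_ip":"172.16.14.100"}
{"timestamp":"2025-11-05T16:43:19.949197+0800","event_type":"alert","src_ip":"10.4.0.1","dest_ip":"172.16.14.100","dest_port":3306,"proto":"TCP","alert":{"action":"blocked","signature_id":2010937,"signature":"ET SCAN Suspicious inbound to mySQL port 3306"}}
{"timestamp":"2025-11-05T16:43:20.100000+0800","event_type":"alert","src_ip":"10.4.0.1","dest_ip":"172.16.14.100","dest_port":3306,"proto":"TCP","alert":{"action":"allowed","signature_id":2010937,"signature":"ET SCAN Suspicious inbound to mySQL port 3306"}}
"""


def summarize_alerts(lines):
    """Per signature_id, count alerts whose action was 'allowed' vs 'blocked'.
    Non-alert records (flow, stats, ...) and malformed lines are skipped."""
    summary = defaultdict(lambda: {"signature": "", "allowed": 0, "blocked": 0})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json can contain a partially written last line
        if rec.get("event_type") != "alert":
            continue
        alert = rec["alert"]
        entry = summary[alert["signature_id"]]
        entry["signature"] = alert["signature"]
        action = alert.get("action")
        if action in ("allowed", "blocked"):
            entry[action] += 1
    return dict(summary)


def still_allowed(summary):
    """Signature ids that fired at least once with action 'allowed'.
    After a drop policy is applied, these are the hits that still passed,
    i.e. rules the policy did not convert to drop (or IDS-mode alerts)."""
    return sorted(sid for sid, e in summary.items() if e["allowed"] > 0)


if __name__ == "__main__":
    # Replace the constructed sample with open("/var/log/suricata/eve.json").
    s = summarize_alerts(SAMPLE_EVE.splitlines())
    for sid, e in sorted(s.items()):
        print(f"{sid} {e['signature']!r}: allowed={e['allowed']} blocked={e['blocked']}")
    print("still allowed after policy:", still_allowed(s))
```

A record with `"action": "blocked"` means the SYN was discarded before it reached the host, so no RST comes back and nmap reports that port as filtered, while port 22 still answers normally because no signature fired on that probe.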
#4
I did; I have sent two letters to sales@opnsense.org and contact@opnsense.org, yesterday and half an hour ago. No reply.
#5
I applied for an order of ET Pro Telemetry, but the system cancelled it automatically, and I don't know why.
How do I apply for it correctly?
---
Here is the reason it gave:
The following note has been added to your order:

Your order has been declined due to inconsistencies in your application, if you believe the provided data is valid, just send an email to contact@opnsense.com and ask us to validate your application manually.