Messages - MojoMC

#1
Quote from: Monju0525 on February 17, 2024, 02:26:12 AM
Zenarmor is assigned to the lan. What should Suricata (IDS) be assigned to: the wan or the wireguard_interface?
Zenarmor says: "When you use IPS & Zenarmor together, you can only use the WAN interface for Suricata."

Whether running Suricata on your WAN interface is a good idea depends on your situation and your hardware resources.

Someone on Reddit had the following experience with Suricata on WAN:
"We found that the cheapest of cheap rented DDoS attacks could overwhelm our machine because now not only were we using CPU cycles to block them with the firewall, but we were also inspecting every packet with Suricata as well. We would see CPU spikes to 99% and traffic ground to a halt. We went to LAN only, and now we only see the blips from these $20 DDoS attacks."
#2
Hello everyone,

I am currently using OPNsense to separate a test network from our intranet.
At the moment, I am struggling with the successful configuration of IDS/IPS/Suricata. Specifically, it fails the test with Eicar in the unencrypted version, i.e., HTTP.

My configuration for IDS/IPS/Suricata is as follows:
  • Enabled √
  • IPS mode √
  • active on both interfaces, LAN & WAN
  • WAN and LAN are included in "home networks"

In Intrusion Detection/Administration/Downloads the rule "OPNsense-App-detect/test" is enabled and downloaded. No other rules are enabled or even downloaded.
In Intrusion Detection/Administration/Rules, opnsense.test.rules is also enabled with the default action "Alert".
A policy for this rule valid for the actions/conditions "Alert" & "Drop" resulting in the new action "Drop" has been created and applied.

If I run "curl http://pkg.opnsense.org/test/eicar.com.txt" from the test network, it goes through without any problems and I see it under the alerts, unfortunately with "Action: Allowed" – despite the active policy that should turn "Alert" into "Drop".

If I manually change the test rule to "Drop," it is immediately dropped. I can't figure out why the policy isn't working.

Have I taken a wrong turn somewhere, am I overlooking something?

Thank you very much for any food for thought.
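A log-side check for the situation described in this post, added here as an example and not part of the original thread: it reads Suricata eve.json alert records and lists every rule whose recorded action differs from what the policy was supposed to enforce. The sample lines, signature ids, signature names and addresses below are constructed placeholders, not real OPNsense values.

```python
import json

# Constructed sample eve.json lines (not real log data); signature ids,
# signature names and addresses are placeholders made up for this example.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-02-17T10:00:00+0100","event_type":"alert",'
    '"src_ip":"198.51.100.10","dest_ip":"192.0.2.20","alert":{"action":"allowed",'
    '"signature_id":9000001,"signature":"PLACEHOLDER test rule (EICAR download)",'
    '"category":"Potentially Bad Traffic"}}',
    '{"timestamp":"2024-02-17T10:00:05+0100","event_type":"alert",'
    '"src_ip":"198.51.100.10","dest_ip":"192.0.2.20","alert":{"action":"blocked",'
    '"signature_id":9000002,"signature":"PLACEHOLDER rule set to drop by hand",'
    '"category":"Potentially Bad Traffic"}}',
    '{"timestamp":"2024-02-17T10:00:06+0100","event_type":"flow",'
    '"src_ip":"198.51.100.10","dest_ip":"192.0.2.20"}',
]

# What the policy was meant to enforce, keyed by signature id (placeholder ids).
EXPECTED_ACTION = {9000001: "drop", 9000002: "drop"}

# In eve.json Suricata records a dropped packet as "blocked" and a
# plain alert as "allowed".
ACTION_MAP = {"drop": "blocked", "alert": "allowed"}


def policy_mismatches(lines, expected=EXPECTED_ACTION):
    """Return (sid, signature, recorded_action) for every alert whose
    recorded action does not match the action the policy should apply."""
    mismatches = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if rec.get("event_type") != "alert":
            continue  # flow, dns, http, ... records carry no action
        alert = rec.get("alert", {})
        sid = alert.get("signature_id")
        if sid not in expected:
            continue
        if alert.get("action") != ACTION_MAP[expected[sid]]:
            mismatches.append((sid, alert.get("signature"), alert.get("action")))
    return mismatches


if __name__ == "__main__":
    for sid, sig, action in policy_mismatches(SAMPLE_EVE_LINES):
        print(f"sid {sid} ({sig}): policy expects drop, engine recorded '{action}'")
```

Run it against the real eve.json (on OPNsense under /var/log/suricata/) with the signature id of the enabled test rule in EXPECTED_ACTION; an "allowed" result with IPS mode on means the engine loaded the rule as alert, not drop, regardless of what the policy page shows.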
#3
Hello everyone,

I am currently using OPNsense to separate a test network from the intranet.
At the moment I am struggling with getting IDS/IPS/Suricata configured successfully; specifically, it already fails the test with Eicar in the unencrypted variant, i.e. HTTP.

My configuration for IDS/IPS/Suricata looks as follows:
  • Enabled √
  • IPS mode √
  • Interfaces LAN & WAN
  • WAN and LAN are included in Home networks

The rule "OPNsense-App-detect/test" is enabled and downloaded.
Under Rules, opnsense.test.rules is also enabled with the default action "Alert".
A policy for this rule with action "Alert" & "Drop" and new action "Drop" has been created and applied.

If I run a "curl http://pkg.opnsense.org/test/eicar.com.txt" from the test network, it goes through without any problems and I see it under the alerts, unfortunately with "Action: Allowed" - despite the active policy that should turn "Alert" into "Drop".

If I manually change the test rule to "Drop", it is dropped immediately - even without a policy.

Have I taken a wrong turn somewhere, am I overlooking something the whole time?

Many thanks for any food for thought.