1
Intrusion Detection and Prevention / Re: IPS not working
« on: April 01, 2020, 01:12:42 pm »
short version: no, longer version https://docs.opnsense.org/manual/ips.html#choosing-an-interface
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
2
Intrusion Detection and Prevention / Re: IPS not working
« on: March 30, 2020, 05:20:53 pm »
you're welcome, reading our docs again, we probably should state more firmly why you shouldn't use a wan type interface if you're depending on nat.
3
Intrusion Detection and Prevention / Re: IPS not working
« on: March 30, 2020, 05:13:39 pm »
Usually you don't accept a lot of inbound traffic on wan (default block), most threats are triggered inside. knowing that someone fired a package to your firewall that would have been blocked anyway, isn't very relevant info either (it's not that you can block it more than you already did).
Since you're behind NAT, a lot of the concept of IDS got lost, since you can't distinct homenet from the big bad outside world. If your in a routed (non nat) environment, you can measure on wan as well, most IDS setups aren't inline anyway, in which case you wouldn't know about wan/lan only see traffic with proper notion of what's inside and outside (defined as HOMENET).
If you can spare some time, it's a good idea to read a bit about the rules of the engine (https://suricata.readthedocs.io/en/suricata-4.1.4/rules/intro.html), the first portion of the rule often explains pretty well why "home" is so important (e.g. https://rules.emergingthreats.net/open/suricata-4.0/rules/emerging-exploit.rules)
Since you're behind NAT, a lot of the concept of IDS got lost, since you can't distinct homenet from the big bad outside world. If your in a routed (non nat) environment, you can measure on wan as well, most IDS setups aren't inline anyway, in which case you wouldn't know about wan/lan only see traffic with proper notion of what's inside and outside (defined as HOMENET).
If you can spare some time, it's a good idea to read a bit about the rules of the engine (https://suricata.readthedocs.io/en/suricata-4.1.4/rules/intro.html), the first portion of the rule often explains pretty well why "home" is so important (e.g. https://rules.emergingthreats.net/open/suricata-4.0/rules/emerging-exploit.rules)
4
Intrusion Detection and Prevention / Re: IPS not working
« on: March 30, 2020, 04:49:26 pm »
use lan....
5
Intrusion Detection and Prevention / Re: IPS not working
« on: March 30, 2020, 04:35:23 pm »
let's agree to disagree, a lot of alerts doesn't really tell a lot about the quality of the setup. Most ET-open/pro rules are quite properly targeted preventing false-positives.
The easiest test, that always works when properly setup is the eicar test over http.
https://github.com/opnsense/rules/blob/master/src/opnsense.test.rules#L1
The easiest test, that always works when properly setup is the eicar test over http.
Code: [Select]
curl http://pkg.opnsense.org/test/eicar.com.txt
https://github.com/opnsense/rules/blob/master/src/opnsense.test.rules#L1
6
Intrusion Detection and Prevention / Re: IPS not working
« on: March 30, 2020, 03:21:56 pm »
Hi,
I've probably posted this before, but if your running IDPS on your wan interface and Suricata is active, you're likely using the wrong interface.
The docs (https://docs.opnsense.org/manual/ips.html) explain a bit why you should use ID[P]S pre-nat as well, most rules assume the local network to be visible, which isn't the case when your capturing packets post-nat.
In some (very rare) cases you might want to use your wan interface as home network, in which case you could configure it manually, but since most home networks have dhcp like setups, this often isn't very practical. (the home networks should be static)
Best regards,
Ad
I've probably posted this before, but if your running IDPS on your wan interface and Suricata is active, you're likely using the wrong interface.
The docs (https://docs.opnsense.org/manual/ips.html) explain a bit why you should use ID[P]S pre-nat as well, most rules assume the local network to be visible, which isn't the case when your capturing packets post-nat.
In some (very rare) cases you might want to use your wan interface as home network, in which case you could configure it manually, but since most home networks have dhcp like setups, this often isn't very practical. (the home networks should be static)
Best regards,
Ad
7
General Discussion / Re: I have privacy conserns about the new GeoIp list from v. 20
« on: March 25, 2020, 03:09:58 pm »
please, please, please, read articles in the forum before complaining about the change of policy. We always supplied Maxmind's list, at the end of last year they had to change their policy due to legal restrictions.
A lot has been written on this subject, both here in this forum as on GitHub (https://github.com/opnsense/core/issues/3856)
Best regards,
Ad
A lot has been written on this subject, both here in this forum as on GitHub (https://github.com/opnsense/core/issues/3856)
Best regards,
Ad
8
General Discussion / Re: I have privacy conserns about the new GeoIp list from v. 20
« on: March 25, 2020, 02:44:51 pm »9
20.1 Production Series / Re: HA sync not automatically anymore
« on: March 13, 2020, 09:19:44 am »
No it's not, but all required components are nicely laid out in the docs https://docs.opnsense.org/
Enterprises can also opt for commercial support to reach their goals by the way.....
Automatic sync won't come back for obvious reasons, it was never complete (and theoretically can't be given the way its implemented) and always left you in an uncertain state.
Some services restarted, some not, no way to tell which ones where ok, and quite some locking issues as described in the ticket (yes, also on large enterprises, it really doesn't matter how big the box is if you can't reach it).
Most large enterprises have procedures for updating equipment including rollback plans, which is where our new approach nicely fits in by the way.
Ways forward are pretty simple, one can contribute and maintain a plugin to keep track of config changes and take action when needed or contribute a pull request in core (as long as it solves all concerns mentioned earlier), the first one is usually the easiest one to start with.
Just keep in mind, the world changes every day, the current sync mechanism might be replaced with something new in the future as well.
Best regards,
Ad
Enterprises can also opt for commercial support to reach their goals by the way.....
Automatic sync won't come back for obvious reasons, it was never complete (and theoretically can't be given the way its implemented) and always left you in an uncertain state.
Some services restarted, some not, no way to tell which ones where ok, and quite some locking issues as described in the ticket (yes, also on large enterprises, it really doesn't matter how big the box is if you can't reach it).
Most large enterprises have procedures for updating equipment including rollback plans, which is where our new approach nicely fits in by the way.
Ways forward are pretty simple, one can contribute and maintain a plugin to keep track of config changes and take action when needed or contribute a pull request in core (as long as it solves all concerns mentioned earlier), the first one is usually the easiest one to start with.
Just keep in mind, the world changes every day, the current sync mechanism might be replaced with something new in the future as well.
Best regards,
Ad
10
20.1 Production Series / Re: flowd not working after upgrade.
« on: March 07, 2020, 07:14:50 pm »
Normally the netgraph modules should be loaded automatically, but not all of them seem to be doing that at the moment.
If you can identify which ones we should add by minimal for your issue and open a ticket here https://github.com/opnsense/core/issues we can add those in the netflow loader script, like the ng_ether module added here https://github.com/opnsense/core/commit/4edbacc5193319337f4c1004e2505fe0821cb0c3
You can see the ones loaded (automatically) using the following command:
Best regards,
Ad
If you can identify which ones we should add by minimal for your issue and open a ticket here https://github.com/opnsense/core/issues we can add those in the netflow loader script, like the ng_ether module added here https://github.com/opnsense/core/commit/4edbacc5193319337f4c1004e2505fe0821cb0c3
You can see the ones loaded (automatically) using the following command:
Code: [Select]
kldstat | grep ng_
Best regards,
Ad
11
Intrusion Detection and Prevention / Re: Suricata and loopback interface
« on: March 06, 2020, 02:59:43 pm »Quote
Hopefully with some more info I might get some more interest in solving the issue.
IPS mode is only supported on real (physical) interfaces, as described in the docs https://docs.opnsense.org/manual/ips.html#general-setup
Best regards,
Ad
13
Web Proxy Filtering and Caching / Re: Squid basic_pam_auth module issue
« on: March 04, 2020, 11:47:40 am »
Hi Martin,
Can you try https://github.com/opnsense/core/commit/41cf191205cf627f1820bf43c745e324aa04005e ?
Installable with the following command:
It's a side affect of something we need in the future to pass data to OpenVPN, but we seemed to have missed that squid pam just passes the output.
Best regards,
Ad
Can you try https://github.com/opnsense/core/commit/41cf191205cf627f1820bf43c745e324aa04005e ?
Installable with the following command:
Code: [Select]
opnsense-patch 41cf191
It's a side affect of something we need in the future to pass data to OpenVPN, but we seemed to have missed that squid pam just passes the output.
Best regards,
Ad
14
20.1 Production Series / Re: ha sync - firewall rule sync after upgrade not working
« on: March 03, 2020, 03:49:01 pm »
yes, we should and we did.... https://github.com/opnsense/changelog/blob/master/doc/20.1/20.1.r1#L29
15
20.1 Production Series / Re: ha sync - firewall rule sync after upgrade not working
« on: March 03, 2020, 02:57:24 pm »
yes, as usual, you can find more background about choices we have made in the past on GitHub https://github.com/opnsense/core/issues/3635
Best regards,
Ad
Best regards,
Ad