Topics - xmichielx

#1
I see that the new 18.7.10 has Suricata 4.1.2 and was wondering if people find some performance differences with the former Suricata (4.0.*) version?
I already noticed that the IPS performance was better with 4.0 over 3.* on an APU2C4 but am wondering if I should upgrade or wait for the 19.1 version which comes out later this month.
#2
Hi,

I am using the latest OPNsense (18.1.3 on APU2) which works fine with Suricata.
I am using the IDS and not the IPS mode, I just want to have logging and that logging sent remotely to an rsyslog server.
I see alerts in the Alerts tab and I have set up rsyslog and selected Everything to be sent to the rsyslog server.
On the rsyslog server I see a lot of firewall traffic but no Suricata alerts coming through, although I see them appearing in the Alerts tab.
Are alerts only logged when you use the IPS and set rules to drop? (which I don't want)
#3
I am sending notification emails through my own Postfix mailserver which only allows TLSv1.2.
OPNsense only supports TLSv1 and not newer versions:

TLSv1.1 + TLSv1.2:

Mar  8 10:18:10 server postfix/smtpd[8048]: SSL_accept error from dhcp-077-249-000-044.chello.nl[77.249.0.44]: -1
Mar  8 10:18:10 server postfix/smtpd[8048]: warning: TLS library problem: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:974:
Mar  8 10:18:10 server postfix/smtpd[8048]: lost connection after STARTTLS from dhcp-077-249-000-044.chello.nl[77.249.0.44]
Mar  8 10:18:10 server postfix/smtpd[8048]: disconnect from dhcp-077-249-000-044.chello.nl[77.249.0.44] ehlo=1 starttls=0/1 commands=1/2


TLSv1:

Mar  8 10:18:35 server postfix/smtpd[8099]: Anonymous TLS connection established from dhcp-077-249-000-044.chello.nl[77.249.0.44]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)

Is there a reason why newer and more secure TLS versions are not supported in the smtp client of OPNsense?
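The Postfix lines quoted above are the evidence for the diagnosis: a client whose highest version is TLSv1 gets "unsupported protocol" from a TLSv1.2-only server. The following is an added example, not code from the post or from OPNsense, that parses such smtpd log lines, groups them per smtpd process, and reports whether each STARTTLS attempt failed or succeeded and, if it succeeded, whether a legacy TLS version was negotiated. The sample log is constructed (documentation addresses 192.0.2.x replace the real peer).

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the Postfix smtpd excerpt in the post above;
# client.example.net / mta.example.org and 192.0.2.x are placeholder peers.
SAMPLE_LOG = """\
Mar  8 10:18:10 server postfix/smtpd[8048]: SSL_accept error from client.example.net[192.0.2.10]: -1
Mar  8 10:18:10 server postfix/smtpd[8048]: warning: TLS library problem: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:974:
Mar  8 10:18:10 server postfix/smtpd[8048]: lost connection after STARTTLS from client.example.net[192.0.2.10]
Mar  8 10:18:10 server postfix/smtpd[8048]: disconnect from client.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
Mar  8 10:18:35 server postfix/smtpd[8099]: Anonymous TLS connection established from client.example.net[192.0.2.10]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Mar  8 10:19:02 server postfix/smtpd[8120]: Anonymous TLS connection established from mta.example.org[192.0.2.20]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# One smtpd process handles one client connection, so the pid ties the lines of an attempt together.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ESTABLISHED_RE = re.compile(r"TLS connection established from (?P<peer>\S+): (?P<ver>TLSv[\d.]+) with cipher (?P<cipher>\S+)")
ERROR_RE = re.compile(r"SSL_accept error from (?P<peer>\S+):")
LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}  # versions a TLSv1.2-only server should never show


def summarize_tls(log_text):
    """Return one verdict dict per smtpd process: established (with version/cipher) or failed (with reason)."""
    by_pid = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_pid[m["pid"]].append(m["msg"])
    results = []
    for pid, msgs in by_pid.items():
        joined = "\n".join(msgs)
        est = ESTABLISHED_RE.search(joined)
        if est:
            results.append({"pid": pid, "peer": est["peer"], "outcome": "established",
                            "version": est["ver"], "cipher": est["cipher"],
                            "legacy": est["ver"] in LEGACY_VERSIONS})
            continue
        err = ERROR_RE.search(joined)
        if err:
            # "unsupported protocol" from tls_process_client_hello means the client offered
            # no version the server accepts; anything else is reported as a generic handshake error.
            reason = "unsupported protocol" if "unsupported protocol" in joined else "handshake error"
            results.append({"pid": pid, "peer": err["peer"], "outcome": "failed",
                            "version": None, "cipher": None, "legacy": False, "reason": reason})
    return results


if __name__ == "__main__":
    for verdict in summarize_tls(SAMPLE_LOG):
        print(verdict)
```

Running it over the constructed log yields one failed attempt (unsupported protocol), one legacy TLSv1 session and one TLSv1.2 session; the same script run over the real maillog shows which clients still need a newer TLS stack.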
#4
Hi!
I am trying OPNSense:
OPNsense 17.1.7-amd64
FreeBSD 11.0-RELEASE-p10
OpenSSL 1.0.2k 26 Jan 2017

On an APU2C4 with Suricata enabled, IPS enabled, promiscuous enabled, interface: WAN, new rules installed and enabled ET-scan and more.
I also changed the rules from alert to drop.
No matter how hard I try: I don't see any blocks in my alerts tab using nmap -sS/nmap -sT against the WAN interface from a VPS to my OPNsense box.
I also noticed that I see no alerts at all, only STREAM alerts but no drops (I also expect Dshield and Compromised alerts from Chinese IP addresses but no alerts at all).

My questions:

1) am I missing something to trigger the alerts?
2) I did the eicar download before with the OPNsense test rules but no other rules are triggered
3) I have a VLAN interface connected to igb0 and use hardware offloading, all other hard offloading is disabled (by default) should I disable the VLAN interface? I also use port forwarding for SSH, HTTP & HTTPS can this cause issues?

I haven't experienced this with pfSense with Suricata and/or Snort.

Any pointers would be more than welcome :)

#5
Hello,

I am very happy with the OPNsense 17.1.6 amd64 box I am running on a PCengines APU2d4 (4 cores, 4 GB memory and 3 gigabit interfaces with a microSSD of 14 GB) :)
I am trying out the IDS/IPS to block malware using the ET malware/trojan/shellcode and 3 more plugins + the 4 SSL (gedotracker etc.) plugins and the OPNsense test plugin.
All works well and the eicar.txt is happily dropped when the IPS is enabled and default action is drop.
Whenever I try to download a large file, for example an ISO from ftp.nluug.nl, the speed is capped at 5 MB/s whereas my max speed would be around 17,3 MB/s.
I have tracked it down to the IDS/IPS/Suricata service and disabling the service gives full blown internet again, but I was wondering if the IDS/IPS could really give such a performance hit knowing that there is not a lot of traffic going through (it's a Ziggo cable connection at home so not many users or devices), the APU2D4 has 4 GB ram and 4 cores (Suricata can use all cores if I'm not mistaken) and I just enabled a few plugins.
Perhaps also good to know is that I have a VLAN1 interface linked to the igb0 (or LAN interface) which is 1 GB + have enabled netflow + insight.

Is this normal behaviour and should I really run a very expensive i7 hexacore with 32 GB of RAM, or should the APU2D4 be able to track its traffic?

Cheers and thanks :)

Michiel
#6
17.1 Legacy Series / Some questions about 17.1 beta
January 09, 2017, 03:46:07 PM
Hi,

Got some questions about the new beta which I am using (and very happy with :) ) :

- Can I easily upgrade to the 17 final when it's ready from the current beta version?
- Is there an option to add scripts for dnsmasq adhost blocking, and keep it stored on the disk after an upgrade?
- Is there an easy way to enforce all outbound DNS requests (transparent) to the OPNsense box so I can enforce DNS in my network? Should I remove the automatic outbound rules and use the hybrid rules instead and create a new outbound NAT rule?

Thanks for any pointers :)

Michiel
#7
17.1 Legacy Series / SSH installation on APU 2
January 07, 2017, 06:12:24 PM
Hi,

How can I install OPNsense 17.1 beta on a PCEngines APU 2 over SSH?
I can create a USB installation and boot from USB, but what should I do next to install OPNsense over SSH?
Connect port 1 to LAN DHCP and connect to SSH (find out which DHCP lease OPNsense installer has with nmap) and then use which credentials?
I tried the documentation/wiki and reading the blog but could not find anything related except for the mention:
'installer now boots up with SSH for headless remote installation'

Any help is much appreciated :)

PS..I want to try to avoid using the console installation as it is a b!t(ch to run with the different speed settings etc.
I rather do it relaxed from my couch over SSH ;)

Cheers,

Michiel
#8
Hi,

I want to store a bash script on the OPNsense filesystem without it getting overwritten after an upgrade.
It's a script that downloads an ads block list for unbound and stores it in /var/unbound/ads.conf and reloads unbound.

My question: how do I make the script and the ads.conf file persistent on the OPNsense file system so it survives an upgrade?