Topics

I see that the new 18.7.10 has Suricata 4.1.2 and was wondering if people find some performance differences with the former Suricata (4.0.*) version?
I already notices that the IPS performance was better with 4.0 over 3.* on an APU2C4 but am wondering if I should upgrade or wait for the 19.1 version which comes our later this month.

Hi,

I am using the latest OPNsense (18.1.3 on APU2) which works fine with Suricata.
I am using the IDS and not the IPS modus, I just want to have logging and that logging sent remotely to a rsyslog server.
I see alerts in the Alerts tab and I have set up rsyslog and selected Everything to be send to the rsyslog server.
On the rsyslog server I see a lot of firewall traffic but no suricata alerts coming through although I see them in the appearing in the Alerts.
Are alerts only logged when you use the IPS and set rules to drop? (which I don't want)

I am sending notifcation emails through my own Postfix mailserver which only allows TLSv1.2.
OPNsense only supports TLSv1 and not newer versions:

TLSv1.1 + TLSv1.2:

Mar  8 10:18:10 server postfix/smtpd[8048]: SSL_accept error from dhcp-077-249-000-044.chello.nl[77.249.0.44]: -1
Mar  8 10:18:10 server postfix/smtpd[8048]: warning: TLS library problem: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:974:
Mar  8 10:18:10 server postfix/smtpd[8048]: lost connection after STARTTLS from dhcp-077-249-000-044.chello.nl[77.249.0.44]
Mar  8 10:18:10 server postfix/smtpd[8048]: disconnect from dhcp-077-249-000-044.chello.nl[77.249.0.44] ehlo=1 starttls=0/1 commands=1/2


TLSv1:

Mar  8 10:18:35 server postfix/smtpd[8099]: Anonymous TLS connection established from dhcp-077-249-000-044.chello.nl[77.249.0.44]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)

Is there a reason why newer and more secure TLS versions are not supported in the smtp client of OPNsense?

Hi!
I am trying OPNSense:
OPNsense 17.1.7-amd64
FreeBSD 11.0-RELEASE-p10
OpenSSL 1.0.2k 26 Jan 2017

On an APU2C4 with Suricata enabled, IPS enabled, promiscious enabled, interface; WAN,new rules installed and enabled ET-scan and more.
I also changed the rules from alert to drop.
No matter how hard I try: I don't see any blocks in my alerts tab using nmap -sS/nmap -sT against the WAN interface from a VPS to my OPNsense box.
I also noticed that I see no alerts at all, only STREAM alerts but no drops (I also expect Dshield and Comrpomised alerts from chinese ip adressess but no alerts at all).

My questions:

1) am I missing something to trigger the alerts?
2) I did the the eicar download before with the OPNsense test rules but no other rules are triggered
3) I have a VLAN interface connected to igb0 and use hardware offloading, all other hard offloading is disabled (by default) should I disable the VLAN interface? I also use port forwarding for SSH, HTTP & HTTPS can this cause issues?

I haven't experienced this with PFsense with suricata and/or snort.

Any pointers would be more then welcome :)

Hello,

I am very happy with the OPNsense 17.1.6 amd64 box I am running on a PCengines APU2d4 (4 cores, 4 GB memory and 3 gigabit interfaces with a microSSD of 14 GB) :)
I am trying out the IDS/IPS to block malware using the ET malware/trojan/shellcode and 3 more plugins + the 4 SSL (gedotracker etc.) plugins and the OPNsense test plugin.
All works well and the eicar.txt is happily dropped when the IPS is enabled and default action is drop.
Whenever I try to download a large file, for example an ISO from ftp.nluug.nl, the speed is capped at 5 MB/s wheres my max speed would be around 17,3 MB/s.
I have tracked it down to the IDS/IPS/Suricata service and disabling the service gives full blown internet again but I was wondering if the IDS/IPS could really gave such a performance hit knowing that there is not a lot of traffic going through (it's an ziggo cable connection at home so not much users or devices), the APU2D4 has 4 GB ram and 4 cores (suricata can use all cores if I'm not mistaken) and I just enabled a few plugins.
Perhaps also good to know is that I have a VLAN1 interface linked to the igb0 (or LAN interface) which is 1 GB + have enabled netflow + insight.

Is this normal behaviour and should I really run a very expensive i7 hectacore with 32 GB of RAM or should the APU2D4 be able to track its traffic?

Cheers and thanks :)

Michiel

Hi,

Got some questions about the new beta which I am using (and very happy with :) ) :

- Can I easily upgrade to the 17 final when its ready from the current beta version?
- Is there an option to add scripts for dnsmasq adhost blocking? and keep it stored on the disk after an upgrade?
- Is there an easy way to enforce all outbound DNS requests (transparent) to the OPNsense box so I can enforce DNS in my network? Should I remove the automatic outbound rules and use the hybrid rules intead and create a new outbound NAT rule?

Thanks for any pointers :)

Michiel

Hi,

How can I install OPNsense 17.1 beta on an PCEngines APU 2 over SSH?
I can create an USB installation and boot from USB but what should I do next to install OPNsense over SSH?
Connect port 1 to LAN DHCP and connect to SSH (find out which DHCP lease OPNsense installer has with nmap) and then use which credentials?
I tried the documentation/wiki and reading the blog but could not find anything related except for the mention:
'installer now boots up with SSH for headless remote installation'

Any help is much appreciated :)

PS..I want to try to avoid using the console installation as it is a b!t(ch to run with the different speed settings etc.
I rather do it relaxed from my couch over SSH ;)

Cheers,

Michiel

Hi,

I want to store a bash script on the opnsense filesystem without it get overwritten after an upgrade.
It's a script that downloads an ads block list for unbound and stores it in /var/unbound/ads.conf and reloads unbound.

My question; how do I make the script and the ads.conf file persistent on the opnsense file system so it survives an upgrade.