OPNsense
Topics - JohnDoe17

Intrusion Detection and Prevention / IDS/IPS not currently detecting testmynids.org "Bad Certificate Authorities"?
« on: May 10, 2024, 09:22:36 pm »
Greetings fellow OPNsense enthusiasts!

I regularly use (daily, in fact) the testmynids.org script from 3CORESec to validate that my IDS/IPS detection and alerting pipeline (using OPNsense and Graylog) is working correctly.

Starting around 27 March 2024, the "Bad Certificate Authorities" (Option 4) started failing to be detected.

1) Does anyone else use testmynids to verify the proper configuration and operations of the IDS/IPS on their OPNsense?

2) Does anyone know if this is a known issue with current Suricata rules?

3) Can anyone else replicate my experience (i.e., the non-detection of the bad certificate authorities) with their setup?

NOTE: I have had intermittent failures in the past where some of the testmynids tests failed for a day or two, but those seemed to be fixed in short order after a new IDS/IPS signature download.  Nothing that's lasted this long - nearly two months!

23.1 Legacy Series / OpenVPN client on 23.1.7_3 missing gateway
« on: May 18, 2023, 09:31:01 pm »
I've got the firewall configured as an OpenVPN *client* to connect to an OpenVPN server that I can then selectively route traffic outbound through the firewall to.

This is working great on my 22.7.11_1 firewall.

But on the firewall that I upgraded to 23.1.7_3, the OpenVPN client doesn't seem to be getting a gateway address from the OpenVPN server like it should (and like my other one does).

I didn't see anything obviously related in the OpenVPN log files...

Any ideas?


Intrusion Detection and Prevention / Recommendation wanted: test event
« on: February 16, 2022, 08:41:25 pm »
Current set up:
o IDS/IPS (Suricata) is configured with "Enable eve syslog output."
o The firewall is configured to send syslog to a remote syslog server.
o The syslog server (Graylog in our case) is configured to email the admins when certain alerts meet certain conditions.

What I want to do:
o Set up a cron job on a machine behind the firewall that occasionally does _something_ that triggers a Suricata alert that Graylog can match on to satisfy a "proof of life" condition.  If that condition is not met, Graylog can send an email to alert the admins that they may not be receiving IDS/IPS alerts like they are expecting.  (And/or have Graylog email the admins occasionally saying the condition is being met.)

So... is there a standard, innocuous event I can trigger that would cause Suricata to alert?  I was thinking something like trying to download EICAR or something.  (If I go with EICAR, what ET list would that event be in?  Malware?)

I'm open to feedback on further improving the whole system too if people have thoughts.  Thanks.
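Added example (not part of the post above, and not OPNsense or Graylog code): the "proof of life" condition from the post, written as a check over Suricata EVE JSON lines. A scheduled canary (for instance fetching testmyids.com, which the thread mentions elsewhere, and which is widely documented to trip the ET/GPL rule sid 2100498 "GPL ATTACK_RESPONSE id check returned root") is expected to produce one alert per run; the check reports failure when no such alert has been seen within the expected window. The EVE records below are constructed for illustration, the signature id is the one assumed for the canary, and the fixed "now" exists only to make the sample reproducible. The same logic maps onto a Graylog alert condition ("no message with alert.signature_id = 2100498 in the last N minutes"), which is what the post wants Graylog to email on.

```python
import json
from datetime import datetime, timedelta, timezone

# Signature the scheduled canary is expected to trip. testmyids.com returns
# "uid=0(root)" in the HTTP body, which matches GPL ATTACK_RESPONSE sid 2100498
# in the ET ruleset. Change this to whatever rule your own canary fires.
CANARY_SID = 2100498


def parse_eve_ts(ts):
    """Suricata EVE timestamps look like 2022-02-16T20:41:25.123456+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def canary_alerts(eve_lines, sid=CANARY_SID):
    """Yield timestamps of alert events carrying the canary signature id.

    Non-JSON lines, non-alert events and records without a usable timestamp
    are skipped rather than raised: a proof-of-life check that dies on a
    noisy log would itself be a silent failure."""
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("signature_id") != sid:
            continue
        try:
            yield parse_eve_ts(ev["timestamp"])
        except (KeyError, ValueError):
            continue


def proof_of_life(eve_lines, now, max_age, sid=CANARY_SID):
    """Return (ok, last_seen, count).

    ok is False when no canary alert has arrived within max_age of now; that is
    the condition on which the log platform should page the admins."""
    seen = sorted(canary_alerts(eve_lines, sid))
    last = seen[-1] if seen else None
    ok = last is not None and (now - last) <= max_age
    return ok, last, len(seen)


# Constructed EVE records for illustration (not real firewall output).
SAMPLE_EVE = """
{"timestamp":"2022-02-16T20:10:00.000000+0000","event_type":"flow","src_ip":"192.168.1.50","dest_ip":"1.1.1.1"}
{"timestamp":"2022-02-16T20:11:05.123456+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.168.1.50","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2022-02-16T20:30:00.000000+0000","event_type":"alert","src_ip":"192.168.1.77","dest_ip":"198.51.100.5","alert":{"signature_id":9000001,"signature":"LOCAL constructed unrelated alert","category":"Misc activity","severity":3}}
this line is not JSON and must be ignored
""".strip().splitlines()

# Fixed "now" so the sample is reproducible (constructed, not the real clock).
NOW = datetime(2022, 2, 16, 20, 41, 25, tzinfo=timezone.utc)


def run_sample(max_age_minutes):
    """Evaluate the constructed sample with a given freshness window."""
    return proof_of_life(SAMPLE_EVE, NOW, timedelta(minutes=max_age_minutes))


if __name__ == "__main__":
    for minutes in (60, 10):
        ok, last, count = run_sample(minutes)
        print(f"window={minutes}m ok={ok} last_seen={last} canary_alerts={count}")
```

The two windows show the failure mode the post is after: with a 60-minute window the single canary alert 30 minutes old passes, with a 10-minute window the same log is reported as dead even though other alerts are still arriving, because only the canary signature counts as proof that the whole path (Suricata, EVE syslog, Graylog ingest) is alive.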

Virtual private networks / OpenVPN setting: Compression - No Preference
« on: October 18, 2021, 05:20:03 pm »
Can someone verify my understanding, please?  (I'm trying to implement mitigations against VORACLE attack.)

Setting "Compression" to "No Preference" actually *disables* compression in OpenVPN, correct?  I.e., it omits both the legacy "comp-lzo" and the newer-but-still-not-recommended "compress" options, right?

I wish the terminology used for this setting was a bit clearer, but apparently this is a complaint I should take up with OpenVPN not OPNsense  ;) as it seems to be their definition.

JD17
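Added illustration (not from the post, and not a statement about how the OPNsense GUI maps its "Compression" choices): the OpenVPN directives behind the question, so the generated configuration can be checked directly rather than inferred from the GUI wording. VORACLE recovers secrets by observing compressed-size changes, so the mitigation is that neither directive appears, and on OpenVPN 2.5 or later compression can be refused explicitly.

```conf
# Exposed to VORACLE: either of these enables or negotiates compression.
comp-lzo
compress lz4-v2

# Hardened (OpenVPN 2.5+): refuse compression outright, and leave the two
# directives above out of the configuration entirely.
allow-compression no
```

A practical check is to grep the configuration OPNsense actually generated for the instance, rather than trusting the GUI label; on legacy OpenVPN setups that file lives under /var/etc/openvpn/ (path assumed here, verify it on your version), so `grep -E 'comp-lzo|compress' /var/etc/openvpn/*.conf` returning nothing is the result you want.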

Intrusion Detection and Prevention / ET Telemetry Edition having problems?
« on: September 10, 2021, 08:54:50 pm »
I am running 21.1.9, and I've had the ET Telemetry Edition working fine for several months.  But in the last couple of days, the Dashboard widget is just spinning when it is trying to get status from proofpoint.

When I look in the Intrusion Detection > Download tab, my Abuse.ch rule sets are downloading and updating fine.  Only the ET rule sets are not downloading on schedule.

At first I chalked this up to a temporary issue on proofpoint's side (and maybe it still is), but it's dragged on for a couple of days now and I thought it was time to ask if any others are seeing this...

Thanks.

21.1 Legacy Series / Unbound views
« on: February 12, 2021, 09:10:16 pm »
Hello.

I am trying to resolve an issue that I am having with DNS resolution after I connect to the firewall via OpenVPN server:

OpenVPN server configuration:
  I supply a "DNS Default Domain" and "DNS Server," and have "Force DNS cache update" and "Prevent DNS leaks" selected.

After I successfully establish the VPN using the Viscosity client, when I try to connect to the firewall GUI using its DNS name, it stalls for a few seconds and then works for a few seconds.  After a few more seconds of working, it stalls again and then works again, and so on.

Wireshark shows me that my web browser's DNS query goes to the machine that I specified in my OpenVPN server "DNS Server" configuration (the firewall's own Unbound service), but the DNS response contains the entire list of IPs assigned to ALL of the interfaces on the firewall.  And, apparently?, depending on the order of the IP addresses in the response, the web browser tries to connect to TCP port 443 (the firewall GUI) using one of the IP addresses that is not authorized in the firewall rules associated with VPN interface.

Does that sound right?  I assumed Unbound would return the DNS response that corresponds to the interface from which the query came instead of every IP for every interface on the firewall.

Am I missing something in the current OPNsense GUI that would help me with this?

Otherwise, it sounds like Unbound supports something like this now called "views."  I don't think OPNsense supports these options in the current GUI.  Is that right?  If I want to pursue this option, I guess I need to use the "Advanced" configuration.
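Added example (not from the post, and not OPNsense-generated configuration): what an Unbound view for the situation described above looks like. Queries arriving from the tunnel network are assigned a view that answers the firewall's own name with only the tunnel-side address, so the browser never tries an interface address the VPN rules do not allow. The tunnel network 10.8.0.0/24, the tunnel address 10.8.0.1 and the name fw.lan.example are assumptions; substitute the OpenVPN tunnel network and the hostname configured for the firewall. Where this goes depends on the OPNsense version (the post's "Advanced" custom options in 21.1; later releases read extra files from a drop-in directory), which is also an assumption to verify.

```conf
server:
  # Clients in the tunnel network get the "vpn" view. The netblock must also
  # be permitted by an access-control: line (check the generated config).
  access-control-view: 10.8.0.0/24 vpn

view:
  name: "vpn"
  # Consult this view's data before the global local-zone/local-data.
  view-first: yes
  # Only the tunnel-side address is returned for the firewall's name.
  local-zone: "fw.lan.example." static
  local-data: "fw.lan.example. 300 IN A 10.8.0.1"
```

To check it, resolve the name once from a VPN client and once from a LAN host (for instance with `drill fw.lan.example @<firewall DNS address>` or `dig`): the VPN answer should contain the single tunnel address, the LAN answer the list of interface addresses the post describes. Queries from other networks are unaffected because they never enter the view.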

18.7 Legacy Series / 18.7.10 and Suricata
« on: January 21, 2019, 10:35:05 pm »
Hello.

Are there known issues with Suricata and OPNsense 18.7.10_3?  I just upgraded from 18.7.7, and Suricata doesn't seem like it's working any more.  Before the upgrade I would see a fair number of alerts from day to day (mostly informational), but after the upgrade I haven't gotten any!  Seems hard to believe.

I have OPNsense configured to use it on a number of internal interfaces, but not WAN.  And I have chosen Hyperscan as the matching engine.  (I did try the default engine too, but that didn't seem to make a difference.)

I'm using http://testmyids.com to try to stimulate an alert.  This has worked in the past, but nothing happens after the upgrade.

Any ideas?

P.S.  I really love OPNsense.  I've been using it for a couple of years, and I recommend it to others.  Thanks for the great work!

17.7 Legacy Series / Meaning of letters in the Firewall Log Files "Proto" field
« on: September 26, 2017, 09:21:07 pm »
What does "TCP:SEC" mean in the Firewall Log Files "Proto" field?

I think the "S" means "Syn," but does "E" mean "ECE" and "C" mean "CWR"?

OR

is it "S" and "EC" for "Syn" and "ECE"?

I have a lot of this kind of stuff in my Firewall Log files.  Is that normal?

[Edited to add]: Also, do I need to be creating rules to allow this type of traffic?  Or are simple rules to allow only "Syns" sufficient?

Thanks.
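Added example (not from the post, and not OPNsense code): a decoder for the "Proto" field as the question reads it, with the one-letter-per-flag mapping S A F R P U E C (SYN ACK FIN RST PSH URG ECE CWR) that pf's filterlog is taken to use; that mapping is an assumption here, so compare a logged line against a packet capture before relying on it. Under that mapping "TCP:SEC" is a SYN with ECE and CWR set, which is how an ECN-capable client opens a connection (RFC 3168), so a lot of them is normal on a modern network. The block also models the flag check in pf's `flags <set>/<mask>` syntax: only the bits in the mask are examined, so the default `flags S/SA` on a pass rule treats an ECN-setup SYN exactly like a plain SYN. The sample Proto values at the end are constructed.

```python
# Letter codes taken to be written into the pf filterlog "Proto" field on
# OPNsense. Assumption for this example; confirm against a packet capture.
FLAG_CODES = {
    "S": "SYN", "A": "ACK", "F": "FIN", "R": "RST",
    "P": "PSH", "U": "URG", "E": "ECE", "C": "CWR",
}


def decode_proto(field):
    """'TCP:SEC' -> ('TCP', ['SYN', 'ECE', 'CWR']); 'UDP' -> ('UDP', [])."""
    proto, _, letters = field.partition(":")
    flags = []
    for ch in letters:
        if ch not in FLAG_CODES:
            raise ValueError(f"unknown flag letter {ch!r} in {field!r}")
        flags.append(FLAG_CODES[ch])
    return proto, flags


def classify(letters):
    """Name the common TCP segment types a firewall log shows."""
    s = set(letters)
    if s == {"S", "E", "C"}:
        return "ECN-setup SYN (client offering ECN, RFC 3168)"
    if s == {"S"}:
        return "plain SYN"
    if s == {"S", "A", "E"}:
        return "ECN-setup SYN-ACK"
    if s == {"S", "A"}:
        return "SYN-ACK"
    if "R" in s:
        return "reset"
    if "F" in s:
        return "FIN"
    return "segment of an established connection"


def matches_pf_flags(letters, rule="S/SA"):
    """pf 'flags <set>/<mask>' semantics: of the bits in <mask>, exactly the
    bits in <set> must be present; bits outside the mask (E and C for the
    default S/SA) are ignored. 'any' matches every segment."""
    if rule == "any":
        return True
    want, sep, mask = rule.partition("/")
    if not sep:
        raise ValueError("expected <set>/<mask> or 'any'")
    return (set(letters) & set(mask)) == set(want)


# Constructed Proto values, as a log file might contain them.
SAMPLE_PROTO_FIELDS = ["TCP:SEC", "TCP:S", "TCP:SA", "TCP:PA",
                       "TCP:FA", "TCP:SEC", "UDP", "TCP:R"]


def summarize(fields, rule="S/SA"):
    """Count each Proto value, name it, and say whether a pass rule carrying
    the given flags option would accept it as a connection opener."""
    out = {}
    for f in fields:
        proto, flags = decode_proto(f)
        entry = out.setdefault(f, {"count": 0, "flags": flags,
                                   "kind": None, "passes_flags": None})
        entry["count"] += 1
        if proto == "TCP":
            letters = f.partition(":")[2]
            entry["kind"] = classify(letters)
            entry["passes_flags"] = matches_pf_flags(letters, rule)
    return out


if __name__ == "__main__":
    for field, info in summarize(SAMPLE_PROTO_FIELDS).items():
        print(f"{field:8} x{info['count']}  {info['flags']}  "
              f"{info['kind']}  opens_connection={info['passes_flags']}")
```

The useful readout is the last column: with the default `S/SA` both "TCP:S" and "TCP:SEC" pass as connection openers while "TCP:SA", "TCP:PA" and "TCP:FA" do not, so a rule written to admit SYNs needs nothing extra for the ECN variant.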

Documentation and Translation / Error in "Setup SSL VPN Road Warrior" How to?
« on: August 08, 2017, 08:31:23 pm »
I think there may be a typo in the "Setup SSL VPN Road Warrior" How to:

  • Go to the second picture under "Step 2 - Firewall Rules"
  • It shows "192.168.2.0/24" as the Source, but I think it should be "10.10.0.0/24" according to the network diagram at the beginning of the article

Either that or I completely don't understand the setup like I thought I did because I don't see "192.168.2.0/24" referenced anywhere else in the article.

Thank you for the write-up though!  I find the OPNsense How to's to be very high quality in general.

17.7 Legacy Series / Unbound vs. Dnsmasq
« on: August 02, 2017, 10:43:58 pm »
I noticed in the 17.7 release notes there is mention that Unbound is the new default DNS service.

I don't know enough about DNS or Unbound vs. Dnsmasq to understand the significance of that announcement.

Is Dnsmasq not as secure as Unbound?  Is it not as fully featured?  Does Unbound perform better?  Is Dnsmasq deprecated or scheduled for removal in the future?

If I'm using Dnsmasq now, should I switch?  Does the 17.1 -> 17.7 upgrade package do the switching for me?  Will it transfer my Dnsmasq configuration to Unbound?

Etc.

Thanks for the help!

16.7 Legacy Series / Which FW process is associated with which outbound connection
« on: March 14, 2017, 04:22:35 pm »
Does anyone know of a reason why the *FW* might be making connections to the following Twitter-controlled IPs:
104.244.42.194 and 104.244.42.2 on port 443?  It is happening pretty much constantly...

Is there a command I can run on the FW that will link those outbound connections to a process?  lsof doesn't seem to be present and I can't figure out the right netstat command to do it...

If the FW is somehow participating in a DDoS, I want to know!
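Added example (not from the post, and not OPNsense tooling): on FreeBSD, which OPNsense runs on, `sockstat -4 -c` lists connected IPv4 sockets together with the owning user, command and PID, which is the process-to-connection link the post is asking for. The block parses that output and groups connections to watched remote networks by process; the sockstat text below is constructed for illustration (the two remote addresses are the ones named in the post, the local addresses and the command name "somedaemon" are made up), and the prefix match on the remote address is an assumption chosen to keep the example short.

```python
from collections import defaultdict

# Constructed sockstat(1) output for illustration; not captured from a real host.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     somedaemon 4211  5  tcp4   203.0.113.2:49152     104.244.42.194:443
root     somedaemon 4211  6  tcp4   203.0.113.2:49153     104.244.42.2:443
unbound  unbound    1800  9  udp4   203.0.113.2:18492     9.9.9.9:53
root     sshd       2101  4  tcp4   192.168.1.1:22        192.168.1.50:51002
"""

# Remote networks to attribute (prefix match; the post's two addresses share it).
WATCH_PREFIXES = ("104.244.42.",)


def parse_sockstat(text):
    """Turn sockstat's column output into dicts, skipping the header and any
    row with fewer than seven whitespace-separated columns."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 7:
            continue
        user, command, pid, fd, proto, local, foreign = parts[:7]
        rows.append({
            "user": user,
            "command": command,
            "pid": int(pid) if pid.isdigit() else None,  # sockstat prints ?? when unknown
            "fd": fd,
            "proto": proto,
            "local": local,
            "foreign": foreign,
        })
    return rows


def split_hostport(addr):
    """'104.244.42.194:443' -> ('104.244.42.194', '443'); splits on the last
    colon so an IPv6 address with embedded colons is kept intact."""
    host, _, port = addr.rpartition(":")
    return host, port


def connections_to(rows, prefixes):
    """Group the foreign endpoints that match any prefix by (command, pid)."""
    hits = defaultdict(list)
    for r in rows:
        host, _ = split_hostport(r["foreign"])
        if host.startswith(tuple(prefixes)):
            hits[(r["command"], r["pid"])].append(r["foreign"])
    return dict(hits)


if __name__ == "__main__":
    import sys
    # Pipe live data in on the firewall:  sockstat -4 -c | python3 attribute.py
    text = SAMPLE_SOCKSTAT if sys.stdin.isatty() else sys.stdin.read()
    for (cmd, pid), remotes in connections_to(parse_sockstat(text), WATCH_PREFIXES).items():
        print(f"{cmd} (pid {pid}) -> {', '.join(remotes)}")
```

A connection that is constantly re-established may be closed again by the time a single `sockstat` runs, so sample it repeatedly (a one-second loop is enough) and look for a stable command/PID pair; with the PID in hand, `ps -p <pid> -o pid,ppid,user,command` on the same box shows what started it.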

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved