Topics - wfx3

1. Intrusion Detection and Prevention / suricata initial setup/test
« on: December 03, 2021, 02:04:37 am »
I need some help with the initial setup of Suricata 6.0.4 on OPNsense 21.7.6.

Quote from: pankaj on September 11, 2021, 07:54:25 pm
For those wanting to get started with IDS/IPS, this is an excellent tutorial - https://www.youtube.com/watch?v=_yIq3GM4gjA&t=6s

Is the YouTube tutorial from last year now outdated? I tried:

Interfaces > Settings > Network Interfaces
hardware acceleration x3 turned off

Services > Intrusion Detection > Administration > Settings
enabled
IPS mode off, so IDS will alert only
Interfaces > LAN only because Firewall > NAT > Outbound is Automatic

Administration > Download
enabled and downloaded/updated the test ruleset OPNsense-App-detect/test

Administration > Rules
7999999   alert   opnsense.test.rules   bad-unknown   OPNsense test eicar virus

Administration > Schedule
enabled default daily update

Code:
2021-12-02T19:50:48 suricata[27873] [100250] <Notice> -- all 1 packet processing threads, 4 management threads initialized, engine started.
2021-12-02T19:50:48 suricata[26200] [100160] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode

Code:
$ curl http://pkg.opnsense.org/test/eicar.com.txt
But no luck getting the client download of eicar.com.txt to trigger an alert.

Administration > Alerts
No results found!

So I tried adding a policy, but still no luck.

Services > Intrusion Detection > Policy
enabled
priority: 0
rulesets: opnsense.test.rules
action: alert
rules classtype: nothing selected
new action: alert


2. 18.7 Legacy Series / android adb rules firing inconsistently
« on: November 19, 2018, 12:29:53 am »
My first time working with Android adb, and I can't figure out why the LAN firewall rule to port 5555 is firing inconsistently. The 2.220 host (tinkerboard) is behind a gateway (ddwrt). Any ideas why the second and third packets below would skip the rule entirely?

Code:
$ ifconfig | grep inet
inet 192.168.1.232 netmask 0xffffff00 broadcast 192.168.1.255
$ adb connect 192.168.2.220
failed to connect to 192.168.2.220:5555
$ ping 192.168.2.220
PING 192.168.2.220 (192.168.2.220): 56 data bytes
64 bytes from 192.168.2.220: icmp_seq=0 ttl=63 time=10.513 ms
64 bytes from 192.168.2.220: icmp_seq=1 ttl=63 time=8.080 ms

field         | packet 1                            | packet 2                          | packet 3
__timestamp__ | 11/18/18 17:55:54                   | 11/18/18 17:55:54                 | 11/18/18 17:55:53
ack           |                                     | 190817746                         | 190817746
action        | pass                                | block                             | block
anchorname    |                                     |                                   |
datalen       | 0                                   | 0                                 | 0
dir           | in                                  | in                                | in
dst           | 192.168.2.220                       | 192.168.2.220                     | 192.168.2.220
dstport       | 5555                                | 5555                              | 5555
ecn           |                                     |                                   |
id            | 0                                   | 0                                 | 5636
interface     | igb2                                | igb2                              | igb2
ipflags       | DF                                  | DF                                | none
label         | USER_RULE: allow LAN to tinkerboard | USER_RULE: default block IPv4 LAN | USER_RULE: default block IPv4 LAN
length        | 64                                  | 40                                | 40
offset        | 0                                   | 0                                 | 0
proto         | 6                                   | 6                                 | 6
protoname     | tcp                                 | tcp                               | tcp
reason        | match                               | match                             | match
ridentifier   | 0                                   | 0                                 | 0
rulenr        | 122                                 | 124                               | 124
seq           | 39013041843330648330 (the three values are run together in the export)
src           | 192.168.1.232                       | 192.168.1.232                     | 192.168.1.232
srcport       | 49965                               | 49910                             | 49910
subrulenr     |                                     |                                   |
tcpflags      | S                                   | RA                                | A
tcpopts       |                                     |                                   |
tos           | 0x0                                 | 0x0                               | 0x0
ttl           | 64                                  | 64                                | 64
urp           | 65535                               | 2058                              | 2058
version       | 4                                   | 4                                 | 4
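The rows above, read oldest first, are an ACK and then an RST/ACK from source port 49910 hitting the default block, followed by a SYN from a new source port 49965 passing the allow rule. That is the normal stateful-firewall pattern: an OPNsense TCP pass rule matches only the SYN (flags S/SA by default) and creates state, later packets of the flow match that state rather than the rule, and a non-SYN packet whose state has expired falls through to the default block. The script below is an added example, not code from the post or from OPNsense, that applies that reading to log records. The records are constructed from the table above, with the tcpflags column split as S / RA / A; it does not read real pf logs.

```python
from datetime import datetime

# Constructed records modelled on the three rows in the post (live-view field
# names); values copied from the table, tcpflags split as S / RA / A.
RECORDS = [
    {"__timestamp__": "11/18/18 17:55:54", "action": "pass",
     "label": "USER_RULE: allow LAN to tinkerboard", "protoname": "tcp",
     "src": "192.168.1.232", "srcport": 49965,
     "dst": "192.168.2.220", "dstport": 5555, "tcpflags": "S"},
    {"__timestamp__": "11/18/18 17:55:54", "action": "block",
     "label": "USER_RULE: default block IPv4 LAN", "protoname": "tcp",
     "src": "192.168.1.232", "srcport": 49910,
     "dst": "192.168.2.220", "dstport": 5555, "tcpflags": "RA"},
    {"__timestamp__": "11/18/18 17:55:53", "action": "block",
     "label": "USER_RULE: default block IPv4 LAN", "protoname": "tcp",
     "src": "192.168.1.232", "srcport": 49910,
     "dst": "192.168.2.220", "dstport": 5555, "tcpflags": "A"},
]


def parse_ts(rec):
    """Live-view timestamps look like 'MM/DD/YY HH:MM:SS'."""
    return datetime.strptime(rec["__timestamp__"], "%m/%d/%y %H:%M:%S")


def flow_key(rec):
    return (rec["src"], rec["srcport"], rec["dst"], rec["dstport"])


def classify(records):
    """Walk the records oldest-first and label each one.

    A passed SYN registers its flow. A blocked TCP packet without SYN whose
    flow was never opened by a passed SYN within the window is the
    out-of-state case: the allow rule only matches SYNs, and there is no
    state entry left for the packet to match.
    Returns a list of (timestamp, srcport, flags, verdict).
    """
    known_flows = set()
    out = []
    for rec in sorted(records, key=parse_ts):  # stable sort keeps log order on ties
        key = flow_key(rec)
        flags = rec["tcpflags"]
        if rec["action"] == "pass":
            if "S" in flags:
                known_flows.add(key)
            verdict = "pass: new flow opened by SYN"
        elif rec["protoname"] == "tcp" and "S" not in flags and key not in known_flows:
            verdict = "block: no state for %s packet (stale or expired flow)" % flags
        else:
            verdict = "block: rule match"
        out.append((rec["__timestamp__"], rec["srcport"], flags, verdict))
    return out


def stale_flows(records):
    """Source ports whose only appearance is a blocked non-SYN packet."""
    return sorted({port for _, port, _, verdict in classify(records)
                   if verdict.startswith("block: no state")})


if __name__ == "__main__":
    for row in classify(RECORDS):
        print(*row)
    print("stale source ports:", stale_flows(RECORDS))
```

The "no state" verdict on port 49910 is the thing to look for when a block shows up for a host that an allow rule covers: it means the rule is not being skipped, the packet simply is not a SYN.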

3. General Discussion / firewall aliases in live view?
« on: November 15, 2018, 02:13:24 pm »
Hello, I think I remember reading about alias enhancements in one of the recent releases.

Is there some way to translate IP addresses back to aliases or local domain names in the Firewall: Log Files: Live View?

Or can I set up remote logging to do this somehow?

4. 18.7 Legacy Series / openvpn client disconnects
« on: September 29, 2018, 06:59:10 pm »
Hello, I am trying to replace a ddwrt/atheros router with opnsense/esxi/x86, to provide an OpenVPN client to NordVPN. I followed these pfSense configuration instructions (https://nordvpn.com/tutorials/pfsense/pfsense-openvpn/) as closely as possible. The OpenVPN client connects but then disconnects. Any advice what I can try?

compression: enabled without adaptive

advanced options:
Code:
tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
auth-retry nointeract;

Code:
Sep 29 12:44:41 openvpn[49048]: MANAGEMENT: Client disconnected
Sep 29 12:44:41 openvpn[49048]: MANAGEMENT: CMD 'status 2'
Sep 29 12:44:41 openvpn[49048]: MANAGEMENT: CMD 'state all'
Sep 29 12:44:41 openvpn[49048]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Sep 29 12:44:31 openvpn[49048]: Initialization Sequence Completed
5. General Discussion / [SOLVED] Firewall: Log Files: Live View
« on: September 10, 2018, 03:45:21 pm »
Hello, is it possible to change the defaults (25, auto refresh) for the live view? Thank you.

6. 18.7 Legacy Series / openvpn vs ipsec ikev2
« on: August 30, 2018, 12:10:03 am »
Hello, I am planning a new build of 18.7 on a Qotom Q375G4 (Intel Core i7 5500U incl. AES-NI, 8GB RAM). For the VPN client, should I use OpenVPN or IPsec IKEv2? Will OPNsense support one protocol better than the other? Which will provide better throughput? Thanks.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved