Topics - wfx3

#1
i need some help with initial setup of suricata 6.0.4 on opnsense 21.7.6 ..

Quote from: pankaj on September 11, 2021, 07:54:25 PM
For those wanting to get started with IDS/IPS, this is an excellent tutorial - https://www.youtube.com/watch?v=_yIq3GM4gjA&t=6s

is the youtube tutorial from last year now outdated? i tried:

Interfaces > Settings > Network Interfaces
hardware acceleration x3 turned off

Services > Intrusion Detection > Administration > Settings
enabled
IPS mode off so IDS will alert only
Interfaces > LAN only because Firewall > NAT > Outbound is Automatic

Administration > Download
enabled and downloaded/updated the test ruleset OPNsense-App-detect/test

Administration > Rules
7999999   alert   opnsense.test.rules   bad-unknown   OPNsense test eicar virus

Administration > Schedule
enabled default daily update

2021-12-02T19:50:48 suricata[27873] [100250] <Notice> -- all 1 packet processing threads, 4 management threads initialized, engine started.
2021-12-02T19:50:48 suricata[26200] [100160] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode


$ curl http://pkg.opnsense.org/test/eicar.com.txt

but no luck getting the client download of eicar.com.txt to trigger an alert

Administration > Alerts
No results found!

so i tried adding a policy but still no luck

Services > Intrusion Detection > Policy
enabled
priority: 0
rulesets: opnsense.test.rules
action: alert
rules classtype: nothing selected
new action: alert
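An added example for checking the same thing from the shell instead of the Alerts tab (this is not code from the post or from OPNsense). Suricata on OPNsense writes EVE JSON to /var/log/suricata/eve.json (path assumed), one event per line, and an alert raised by the test rule carries signature_id 7999999, the SID listed under Administration > Rules above. The records below are constructed for the demo, not captured output: the server address 203.0.113.10, the client port and the interface name igb1 are placeholders.

```python
import json
import sys
from typing import Iterable, Iterator, List

# SID of the OPNsense test rule ("OPNsense test eicar virus") from the post.
EICAR_TEST_SID = 7999999

# Constructed sample EVE records (not real captured log lines). The second one has the
# shape of the alert the test rule produces: the rule matches the HTTP *response* body,
# so the alert's src_ip is the web server and dest_ip is the LAN client that ran curl.
SAMPLE_EVE = [
    '{"timestamp":"2021-12-02T19:55:10.100000+0000","event_type":"http",'
    '"src_ip":"192.168.1.232","src_port":49822,"dest_ip":"203.0.113.10","dest_port":80,'
    '"http":{"hostname":"pkg.opnsense.org","url":"/test/eicar.com.txt","http_method":"GET"}}',
    '{"timestamp":"2021-12-02T19:55:10.200000+0000","event_type":"alert","in_iface":"igb1",'
    '"src_ip":"203.0.113.10","src_port":80,"dest_ip":"192.168.1.232","dest_port":49822,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":7999999,"rev":1,'
    '"signature":"OPNsense test eicar virus","category":"bad-unknown","severity":2},'
    '"http":{"hostname":"pkg.opnsense.org","url":"/test/eicar.com.txt"}}',
    '{"timestamp":"2021-12-02T19:55:11.000000+0000","event_type":"stats","stats":{"uptime":120}}',
]


def iter_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one decoded EVE event per non-empty line, skipping a truncated tail line."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a line Suricata is still writing; ignore it


def alerts_for_sid(lines: Iterable[str], sid: int) -> List[dict]:
    """Return the alert events whose signature_id equals sid."""
    return [
        ev for ev in iter_events(lines)
        if ev.get("event_type") == "alert"
        and ev.get("alert", {}).get("signature_id") == sid
    ]


def summarize(ev: dict) -> str:
    """One-line description of an alert event for a terminal."""
    a = ev["alert"]
    return (f'{ev["timestamp"]} iface={ev.get("in_iface", "?")} '
            f'{ev["src_ip"]}:{ev.get("src_port", "")} -> '
            f'{ev["dest_ip"]}:{ev.get("dest_port", "")} '
            f'sid={a["signature_id"]} action={a["action"]} "{a["signature"]}"')


def main(argv: List[str]) -> int:
    # Usage: python3 check_eicar.py /var/log/suricata/eve.json
    # With no argument the constructed SAMPLE_EVE records are scanned instead.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            hits = alerts_for_sid(fh, EICAR_TEST_SID)
    else:
        hits = alerts_for_sid(SAMPLE_EVE, EICAR_TEST_SID)
    for ev in hits:
        print(summarize(ev))
    print(f"{len(hits)} alert(s) for sid {EICAR_TEST_SID}")
    return 0 if hits else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it right after the curl test. If the SID never appears in eve.json either, the problem is upstream of the GUI (the ruleset was not loaded into the running engine, or the HTTP response never crossed an interface Suricata inspects); if it does appear there, only the Alerts view is at fault.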

#2
my first time working with android adb and i can't figure out why the LAN firewall rule to port 5555 is firing inconsistently.  the 2.220 host (tinkerboard) is behind a gateway (ddwrt).  any ideas why the second and third packets below would skip the rule entirely?


$ ifconfig | grep inet
inet 192.168.1.232 netmask 0xffffff00 broadcast 192.168.1.255
$ adb connect 192.168.2.220         
failed to connect to 192.168.2.220:5555
$ ping 192.168.2.220
PING 192.168.2.220 (192.168.2.220): 56 data bytes
64 bytes from 192.168.2.220: icmp_seq=0 ttl=63 time=10.513 ms
64 bytes from 192.168.2.220: icmp_seq=1 ttl=63 time=8.080 ms

field           packet 1                              packet 2                             packet 3
__timestamp__   11/18/18 17:55:54                     11/18/18 17:55:54                    11/18/18 17:55:53
ack                                                   190817746                            190817746
action          pass                                  block                                block
anchorname
datalen         0                                     0                                    0
dir             in                                    in                                   in
dst             192.168.2.220                         192.168.2.220                        192.168.2.220
dstport         5555                                  5555                                 5555
ecn
id              0                                     0                                    5636
interface       igb2                                  igb2                                 igb2
ipflags         DF                                    DF                                   none
label           USER_RULE: allow LAN to tinkerboard   USER_RULE: default block IPv4 LAN    USER_RULE: default block IPv4 LAN
length          64                                    40                                   40
offset          0                                     0                                    0
proto           6                                     6                                    6
protoname       tcp                                   tcp                                  tcp
reason          match                                 match                                match
ridentifier     0                                     0                                    0
rulenr          122                                   124                                  124
seq             3901304184                            3330648330
src             192.168.1.232                         192.168.1.232                        192.168.1.232
srcport         49965                                 49910                                49910
subrulenr
tcpflags        S                                     RA                                   A
tcpopts
tos             0x0                                   0x0                                  0x0
ttl             64                                    64                                   64
urp             65535                                 2058                                 2058
version         4                                     4                                    4
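An added example, not from the post or from OPNsense, that parses records like the three above and shows the pf mechanism behind the different rule labels. OPNsense pass rules default to TCP flags S/SA with keep state, so only a packet with SYN set and ACK clear is evaluated against the pass rule and creates a state entry; every later packet of a connection is handled by the state table, and a packet that matches neither the rule nor an existing state (no SYN flag, and no state for its 4-tuple on this firewall) falls through to the default block rule and is logged under that label. Packets 2 and 3 (flags RA and A, source port 49910) are of that kind; only packet 1 (the SYN from port 49965) is a candidate for rule 122. The CSV lines below are the post's table re-serialised into the filterlog syslog layout for this demo, not a verbatim capture.

```python
import csv
from io import StringIO
from typing import Dict, List

# Column order of an IPv4/TCP filterlog record, the CSV that pf's filterlog daemon
# writes to syslog and that the Live View renders (names match the post's table).
FIELDS = [
    "rulenr", "subrulenr", "anchorname", "ridentifier", "interface", "reason", "action",
    "dir", "version", "tos", "ecn", "ttl", "id", "offset", "ipflags", "proto", "protoname",
    "length", "src", "dst", "srcport", "dstport", "datalen", "tcpflags", "seq", "ack",
    "urp", "tcpopts",
]

# The three records from the post, rebuilt as filterlog CSV from its table
# (constructed for this example, not a verbatim log capture).
SAMPLE_LOG = """\
122,,,0,igb2,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.1.232,192.168.2.220,49965,5555,0,S,3901304184,,65535,
124,,,0,igb2,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.1.232,192.168.2.220,49910,5555,0,RA,3330648330,190817746,2058,
124,,,0,igb2,match,block,in,4,0x0,,64,5636,0,none,6,tcp,40,192.168.1.232,192.168.2.220,49910,5555,0,A,,190817746,2058,
"""


def parse_filterlog(text: str) -> List[Dict[str, str]]:
    """Parse filterlog CSV lines into dicts keyed by FIELDS (IPv4/TCP layout only)."""
    records = []
    for values in csv.reader(StringIO(text)):
        if len(values) != len(FIELDS):
            continue  # UDP/ICMP/IPv6 records have a different tail; out of scope here
        records.append(dict(zip(FIELDS, values)))
    return records


def opens_connection(tcpflags: str) -> bool:
    """True when the packet can match a default pass rule (flags S/SA): SYN set, ACK clear."""
    flags = set(tcpflags)
    return "S" in flags and "A" not in flags


def classify(rec: Dict[str, str]) -> str:
    """Which pf code path a logged TCP packet takes."""
    if rec["protoname"] != "tcp":
        return "non-tcp"
    if opens_connection(rec["tcpflags"]):
        return "rule-evaluated"       # candidate for the pass rule; creates state if passed
    # Only a state-table hit can pass it; with no state it reaches the default block rule.
    return "needs-existing-state"


def explain(text: str) -> List[str]:
    """One verdict line per record, in log order."""
    out = []
    for rec in parse_filterlog(text):
        out.append(f'{rec["src"]}:{rec["srcport"]} -> {rec["dst"]}:{rec["dstport"]} '
                   f'flags={rec["tcpflags"]} rule={rec["rulenr"]} {rec["action"]}: '
                   f'{classify(rec)}')
    return out


if __name__ == "__main__":
    for line in explain(SAMPLE_LOG):
        print(line)
```

The practical check this suggests is to look at the tcpflags column of every "default block" entry: if none of them is a bare S, the pass rule is not being skipped at all, the firewall simply has no state for those packets (a state that expired, or a connection whose SYN went a different path), and the fix is on the state side, not in the rule.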
#3
General Discussion / firewall aliases in live view?
November 15, 2018, 02:13:24 PM
hello i think i remember reading about alias enhancements in one of the recent releases ..

is there some way to translate ip addresses back to aliases or local domain names in the Firewall: Log Files: Live View?

or can i set up remote logging to do this somehow?
#4
18.7 Legacy Series / openvpn client disconnects
September 29, 2018, 06:59:10 PM
hello i am trying to replace a ddwrt/atheros router with opnsense/esxi/x86, to provide an openvpn client to nordvpn. i followed these pfsense configuration instructions (https://nordvpn.com/tutorials/pfsense/pfsense-openvpn/) as closely as possible. the openvpn client connects but then disconnects .. any advice what i can try?


compression: enabled without adaptive

advanced options:

tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
auth-retry nointeract;


Sep 29 12:44:41 openvpn[49048]: MANAGEMENT: Client disconnected
Sep 29 12:44:41 openvpn[49048]: MANAGEMENT: CMD 'status 2'
Sep 29 12:44:41 openvpn[49048]: MANAGEMENT: CMD 'state all'
Sep 29 12:44:41 openvpn[49048]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Sep 29 12:44:31 openvpn[49048]: Initialization Sequence Completed



#5
hello is it possible to change the defaults (25, auto refresh) for the live view? thank you
#6
18.7 Legacy Series / openvpn vs ipsec ikev2
August 30, 2018, 12:10:03 AM
hello - i am planning a new build of 18.7 on a qotom-Q375G4  (Intel Core i7 5500U incl AES-NI, 8GB RAM).  for vpn client should i use openvpn or ipsec ikev2? will opnsense support one protocol better than the other?  which will provide better throughput?  thanks