Topics - jonny5

1
Intrusion Detection and Prevention / Suricata rule modifications via suricata-update
« on: November 20, 2024, 09:03:42 am »
Goal:
To modify specific SIDs using suricata-update's "--modify" option

To do this we need suricata-update, and it is already installed w/Suricata! ^_^ Nice!!

Now, it has a lot of flags/options, and OPNSense's Suricata installation is a bit unique, so, after a bit of discovery I think I've resolved this to be the most accurate form of the command:
Code:
suricata-update --suricata-conf /usr/local/etc/suricata/suricata.yaml --suricata /usr/local/bin/suricata --data-dir /usr/local/etc/suricata --no-merge --modify-conf=/root/suricata/modify.conf --output /usr/local/etc/suricata/rules --no-test --no-reload --offline
This appears to update/replace files in the /usr/local/suricata/rules folder, but, it does not make a sid map file in the same format (v1 and v2 both look different than the one OPNSense sets up) and OPNSense already does things for IDS Rules in two different main fashions...

The two fashions are defined in this file:
Code:
/usr/local/opnsense/service/conf/actions.d/actions_ids.conf
In it are the update and reload details and a few other actions. The update (update) and reload (install) scripts are as such:

Rule Updater by OPNSense
Code:
/usr/local/opnsense/scripts/suricata/rule-updater.py
(gets updated rules from the internet, puts them in /usr/local/etc/suricata/rules)

Rule Installer by OPNSense
Code:
/usr/local/opnsense/scripts/suricata/installRules.py
(gets rules from /usr/local/etc/suricata/rules, and appears to copy/mod them to /usr/local/etc/suricata/opnsense.rules and then makes /usr/local/etc/suricata/installed_rules.yaml - it seems to also make an SQLite file for the SIDs)

What I'm not sure about is, what might break if I get in the mix here, and...
  • Disable OPNSense's Update & Reload (Install) Cron routines
  • Setup new Cron Scripts in /usr/local/opnsense/service/conf/actions.d with 'Descriptions' so I can Cron them
  • Have these scripts run the suricata-update with the correct flags, and create the expected merged file?
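As an added example (not the poster's command and not suricata-update's own code), the snippet below implements the two selector forms of a suricata-update modify.conf line, `<sid> "<from>" "<to>"` and `re:<regex> "<from>" "<to>"`, in plain Python over a constructed three-rule file, so the effect of a modify line can be checked before the real tool is pointed at the rules directory. The rule set, its SIDs and the modify.conf content are constructed for the example.

```python
import re
import shlex

# Constructed sample rule set (not a real ET ruleset); the SIDs are arbitrary.
SAMPLE_RULES = """\
alert dns $HOME_NET any -> any 53 (msg:"SAMPLE DNS query"; sid:9000001; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE TLS SNI"; sid:9000002; rev:2;)
alert http any any -> $HOME_NET any (msg:"SAMPLE HTTP probe"; sid:9000003; rev:1;)
"""

# Constructed modify.conf in suricata-update's '<sid>|re:<regex> "<from>" "<to>"' form.
SAMPLE_MODIFY_CONF = r'''
# per-SID: watch DNS from any source, not only $HOME_NET
9000001 "\$HOME_NET" "any"
# regex selector: every rule whose text matches "SAMPLE TLS" becomes a drop rule
re:"SAMPLE TLS" "^alert" "drop"
'''

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def sid_of(rule):
    m = SID_RE.search(rule)                 # numeric sid of a rule line, or None
    return int(m.group(1)) if m else None

def parse_modify_conf(text):
    specs = []                              # (matcher, from-regex, replacement) triples
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)           # honours the quoted "from"/"to" fields
        if len(parts) != 3:
            raise ValueError("malformed modify line: %r" % line)
        selector, from_pat, to_str = parts
        if selector.startswith("re:"):      # regex against the whole rule text
            matcher = re.compile(selector[3:]).search
        else:                               # exact sid match
            matcher = lambda rule, sid=int(selector): sid_of(rule) == sid
        specs.append((matcher, re.compile(from_pat), to_str))
    return specs

def apply_modifications(rules_text, modify_conf):
    specs = parse_modify_conf(modify_conf)  # returns (new rules text, rules changed)
    out, changed = [], 0
    for rule in rules_text.splitlines():
        new_rule = rule
        for matches, from_re, to_str in specs:
            if matches(rule):
                new_rule = from_re.sub(to_str, new_rule)
        changed += new_rule != rule
        out.append(new_rule)
    return "\n".join(out) + "\n", changed
```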

2
General Discussion / Cannot match API getRule state to Firewall Rule in GUI
« on: August 13, 2024, 11:40:03 pm »
In my Syslog output, it seems filterlog/firewall applied a simple numeric to the 'rule' and 'subrule' elements

In the API output, each rule has a UUID and I get them at
Code:
/diagnostics/firewall/listRuleIds
then query the rule's elements at
Code:
/firewall/filter/getRule?{UUID}
and for the output below I've summarized the output as it doesn't seem like the rule data matches what is in the GUI for OPNSense? These are some of the default rules, but, their data all says Pass and that does not make sense to me as the first four are block rules.

Code:
3c2cd03c70091e3732710e44c3b97506 named Block bogon IPv4 networks from WAN is...
['action pass Pass',
 'direction in In',
 'ipprotocol inet IPv4',
 'protocol any any',
 'gateway  None']
57401c13616c94401fc89cafa777581e named Block bogon IPv6 networks from WAN is...
['action pass Pass',
 'direction in In',
 'ipprotocol inet IPv4',
 'protocol any any',
 'gateway  None']
1072878c6245b52440bc89c6107a9d0a named Block private networks from WAN is...
['action pass Pass',
 'direction in In',
 'ipprotocol inet IPv4',
 'protocol any any',
 'gateway  None']
dcde0621a9f0daa594b014e15f65c076 named Block private networks from WAN is...
['action pass Pass',
 'direction in In',
 'ipprotocol inet IPv4',
 'protocol any any',
 'gateway  None']
5ddcbf1f0688962629f1a2166ba2ab0c named CARP defaults is...
['action pass Pass',
 'direction in In',
 'ipprotocol inet IPv4',
 'protocol any any',
 'gateway  None']
846c09139ef5484c01967052b15e454a named CARP defaults is...
['action pass Pass',
 'direction in In',
 'ipprotocol inet IPv4',
 'protocol any any',
 'gateway  None']

In the end, I am after a method to match the rule+subrule to a UUID, so that I can label my rules in my Syslog output/Kibana so that it shows the firewall histogram w/Rule naming context?
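An added example (not the poster's code and not an OPNsense script) of the labelling step the post is after: parse filterlog syslog lines, pull the rule number, subrule number and label fields, and join the label against a name map of the kind listRuleIds returns. Assumptions: the CSV field order after the program name is the FreeBSD/OPNsense filterlog order (rulenr, subrulenr, anchor, label, interface, reason, action, dir, ipversion, then the IP header, source, destination), and OPNsense writes the rule's md5 id (the 32-hex id seen in listRuleIds) into the label field; the log lines are constructed, and the two names are the ones the post shows for those ids.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the poster's firewall). Assumed field order after
# "filterlog": rulenr,subrulenr,anchor,label,iface,reason,action,dir,ipversion,<ip header>,src,dst
# with the rule's md5 id (as returned by listRuleIds) in the label field.
SAMPLE_LOG = """\
<134>1 2024-08-13T23:30:01+00:00 fw filterlog 123 - [meta sequenceId="1"] 5,,,3c2cd03c70091e3732710e44c3b97506,em0,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,203.0.113.9,198.51.100.2,51000,443,0,S
<134>1 2024-08-13T23:30:02+00:00 fw filterlog 123 - [meta sequenceId="2"] 77,,,5ddcbf1f0688962629f1a2166ba2ab0c,em0,match,pass,in,4,0x0,,64,2,0,DF,17,udp,60,10.0.0.5,10.0.0.1,5000,53,40
<134>1 2024-08-13T23:30:03+00:00 fw filterlog 123 - [meta sequenceId="3"] 6,,,57401c13616c94401fc89cafa777581e,em0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::9,2001:db8::2,51001,443,0,S
"""

# Names as the post's listRuleIds/getRule output shows them for these ids.
RULE_NAMES = {
    "3c2cd03c70091e3732710e44c3b97506": "Block bogon IPv4 networks from WAN",
    "57401c13616c94401fc89cafa777581e": "Block bogon IPv6 networks from WAN",
    "5ddcbf1f0688962629f1a2166ba2ab0c": "CARP defaults",
}

CSV_RE = re.compile(r"filterlog\b[^,]*?(?P<csv>\d+,.*)$")  # CSV starts at the rule number

def parse_filterlog(line):
    """Return the fields a labelling pipeline needs, or None for non-filterlog lines."""
    m = CSV_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    rec = {"rulenr": f[0], "subrulenr": f[1], "label": f[3], "iface": f[4],
           "action": f[6], "dir": f[7], "ipver": f[8]}
    off = 18 if f[8] == "4" else 15      # assumed: IPv4 has 9 header fields before src, IPv6 has 6
    if len(f) > off + 1:
        rec["src"], rec["dst"] = f[off], f[off + 1]
    return rec

def label_events(log_text, rule_names):
    """Attach the GUI rule name to every parsed event via the label (rule id) field."""
    events = []
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec:
            rec["rule_name"] = rule_names.get(rec["label"], "unknown rule " + rec["label"])
            events.append(rec)
    return events

def histogram(events):
    return Counter((e["rule_name"], e["action"]) for e in events)  # series for a Kibana split
```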

3
24.1 Legacy Series / Upgrade to 24.1.2 appears to be downloading a massive base-24.1.2.txz
« on: February 20, 2024, 04:44:10 pm »
Just making sure things are going as expected...

Earlier this showed the expected changes:
Code:
Checking integrity... done (1 conflicting)
  - suricata-7.0.3 conflicts with suricata-stable-6.0.15 on /usr/local/bin/suricata
Checking integrity... done (0 conflicting)
Conflicts with the existing packages have been found.
One more solver iteration is needed to resolve them.
The following 25 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
suricata-stable: 6.0.15

New packages to be INSTALLED:
suricata: 7.0.3

Installed packages to be UPGRADED:
boost-libs: 1.83.0_1 -> 1.84.0
clamav: 1.2.1_2,1 -> 1.3.0,1
crowdsec: 1.6.0 -> 1.6.0_1
crowdsec-firewall-bouncer: 0.0.28_2 -> 0.0.28_3
dnscrypt-proxy2: 2.0.45 -> 2.1.5_3
dnsmasq: 2.89_1,1 -> 2.90,1
kea: 2.4.1 -> 2.4.1_1
libidn2: 2.3.4_2 -> 2.3.7
libnghttp2: 1.58.0 -> 1.59.0
libucl: 0.8.2_1 -> 0.9.0
openvpn: 2.6.8_2 -> 2.6.9
opnsense: 24.1.1 -> 24.1.2
opnsense-update: 24.1 -> 24.1.2
os-dnscrypt-proxy: 1.14_1 -> 1.15
os-intrusion-detection-content-et-open: 1.0.2_1 -> 1.0.2_2
php82-phalcon: 5.3.1 -> 5.6.1
py39-pytz: 2023.3,1 -> 2024.1,1
py39-tzdata: 2023.4 -> 2024.1
radvd: 2.19_2 -> 2.19_3
sudo: 1.9.15p5_3 -> 1.9.15p5_4
telegraf: 1.29.4 -> 1.29.4_1
unbound: 1.19.0_1 -> 1.19.1

Installed packages to be REINSTALLED:
pkg-1.19.2_1

Number of packages to be removed: 1
Number of packages to be installed: 1
Number of packages to be upgraded: 22
Number of packages to be reinstalled: 1

How big is this / how long does this step take?
Code:
Fetching base-24.1.2-amd64.txz: ..............................................
It has been about 30 minutes or so on a 1 GB Fiber connection and the dots/pips keep showing up lol, just want to know I'm not caught in a loop, again, thank you for making such a powerful and useful tool/product!!

4
Intrusion Detection and Prevention / How to enable via Policy and Rules useful Suricata IDS Rules (SIDs)
« on: February 02, 2024, 06:40:54 pm »
Looking to enable additional Suricata IDS Rules / SIDs? Just wrote a how-to w/screenshots, here we go!

TLDR;
https://www.nova-labs.net/opnsense-and-enabling-suricata-rules/

The how-to is a bit long, but outlined are three policy rules that once enabled allow a much wider/deeper view of the network traffic being inspected.

This will raise your CPU utilization, and if you do not add the third Policy, and disable a select few SIDs, can cause quite a bit of event/alert explosion as a few of the DNS/TLS/SNI rules fire each DNS resolution/TLS connection.

The guide starts by broadly enabling (first 2 policies), and then disabling (third policy) whole matching groups of rules based on the SID/rule meta. Thank you OPNSense, realized the population of each meta and then was able to focus on what to use to enable with minimal Policies.

Last section in the guide is where you will be individually disabling 20+ rules/SIDs which should not negatively impact your OPNSense router, we are keeping the individual rule mods in low populations.

Here's a first step before you even read the whole guide (you will likely want to have your OPNSense with a working internet connection to get through this guide and be able to get this initial step out of the way):


Please feel free to suggest modifications, or share your experience here.
Looking to learn more, but share what's being explored!

5
24.1 Legacy Series / CrowdSec 1.6.0 has been released, with 24.1 it appears we are still at 1.5.5
« on: January 31, 2024, 09:47:18 pm »
Was curious about update availability to CrowdSec 1.6.0?

I am running a Multi-Server setup with the OPNSense being the main LAPI with an external Postgres DB, it all is still working post upgrade to 24.1 but, all the other parsers in the Multi-Server setup are 1.6.0 and OPNSense is still running 1.5.5. :(

Thank you again Community and OPNSense Team <3

6
24.1 Legacy Series / Suricata 7 instead of Suricata 6 and no af-packet support?
« on: January 31, 2024, 06:07:27 am »
It appears we should be working to tune the "netmap" back-end/feature instead of "af-packet" for Suricata 7. There are options enabling it for eth0 all the same even in the conf file for Suricata 7 in OPNSense 24.1.

It seems I remember that Suricata 6 was compiled with 'af-packet', but Suricata 7 was not - can anyone verify this?

Was also curious about how difficult it would be for someone to compile Suricata 7 themselves and add features to it (examples: nDPI 3.4+, PF_Ring 7.8+, Luijit, Redis, GeoIP, eBPF, Profiling) and then install that to the OPNSense?

Overall curious about the decision and if OPNSense is compiling their own Suricata, and the possible future of doing pulled-pork/oinkmaster, or its modern Suricata-Update and the ability to maintain per rule modifications (set $EXTERNAL instead of $ANY for specific rules/SIDs, and other mods/updates).

Note: been upgrading from around 18 or so, 24.1 seemed to upgrade without an issue, and all traffic appears to be going as expected. Great work guys!! Just looking to know my unknowns! <3

7
23.7 Legacy Series / DHCP Dynamic DNS update to external BIND 9.18
« on: January 18, 2024, 08:45:42 pm »
The OPNSense dhcpd produces this error when configured to update to an external BIND 9.18:
Code:
Unable to add reverse map from 10.1.168.192.in-addr.arpa. to host02.localnetdomain.home: NOTIMP
The other Subnet (10.10.0.0/16) has no problem updating its Reverse DNS/PTR records

BIND 9.18 produces the following output, showing that the OPNSense did a 2nd type of update run if you will, where the OPNSense deletes, and then adds it back with the new DHCP Lease Token/Key:
Code:
18-Jan-2024 13:26:31.718 client @0x0db29810a378 192.168.1.1#53080/key opnsensedhcp: signer "opnsensedhcp" approved
18-Jan-2024 13:26:31.718 client @0x0db29810a378 192.168.1.1#53080/key opnsensedhcp: updating zone 'localnetdomain.home/IN': update unsuccessful: host02.localnetdomain.home: 'name not in use' prerequisite not satisfied (YXDOMAIN)
18-Jan-2024 13:26:31.718 client @0x0db29810a378 192.168.1.1#53080/key opnsensedhcp: signer "opnsensedhcp" approved
18-Jan-2024 13:26:31.718 client @0x0db29810a378 192.168.1.1#53080/key opnsensedhcp: updating zone 'localnetdomain.home/IN': deleting rrset at 'host02.localnetdomain.home' TXT
18-Jan-2024 13:26:31.718 client @0x0db29810a378 192.168.1.1#53080/key opnsensedhcp: updating zone 'localnetdomain.home/IN': adding an RR at 'host02.localnetdomain.home' TXT "348b58c0d6248dc90762834bf6540b121a"
18-Jan-2024 13:26:31.718 client @0x0db29810a378 192.168.1.1#53080/key opnsensedhcp: updating zone 'localnetdomain.home/IN': deleting rrset at 'host02.localnetdomain.home' A
18-Jan-2024 13:26:31.718 client @0x0db29810a378 192.168.1.1#53080/key opnsensedhcp: updating zone 'localnetdomain.home/IN': adding an RR at 'host02.localnetdomain.home' A 192.168.1.10

It does complete its task correctly, the A+TXT get Updated, it appears the Reverse DNS record is not.

The error is about the inability to update the Reverse PTR record for the FQDN to the IP. The OPNSense doesn't appear to attempt to remove it first, or, is there more to the allowing DHCP Reverse DNS / PTR between OPNSense and an external BIND?

Instead of putting (? really just learning about BIND here ?) the Reverse Records/PTR in the 'localnetdomain.home' Zone, I put it in a '1.168.192.in-addr.arpa.' Zone, could that be part of the issue and how should I go about resolving it? I've also tried to just have a '168.192.in-addr.arpa.' Zone in addition to the '10.10.in-addr.arpa.' Zone that I have. Interestingly, the 10.10/16 subnet has no problem updating. Maybe I should just finish migration over to 10.10?

It would seem others would want to set it up that way too, but again, I'm only learning about DNS/BIND in greater detail recently. Thank you again for making/developing/releasing OPNSense everyone!!

8
23.7 Legacy Series / If having trouble using UPnP, not seeing Console "Open" after the guides?
« on: December 15, 2023, 06:51:46 pm »
Recently found out that mDNS uses 5353 in the Multicast network subnet space, so...

Added some FW rules for:

224.0.0.0/4
ff00::/8

- and -

The appropriate LAN networks, IMPORTANT --> Ahead of the custom 5353 redirection to a local DNS+ stack...

Voila, UPnP works as expected - and yes you must follow guides and create the Outbound NAT rules and IP/subnet set for the devices you want UPnP to use and the ranges set in the UPnP settings.

Hope this helps someone out that has been wondering why UPnP/Multicast/Broadcast hasn't been working and they might have had some extra rules in the mix they didn't realize/remember would be a conflict.

9
Intrusion Detection and Prevention / Enable Suricata fast.log to better enable CrowdSec integration
« on: December 14, 2023, 07:04:39 pm »
To get your Suricata logs to be parsed by CrowdSec, specifically enable the fast.log as it has just what CrowdSec needs and no difficult parsing issues

You will need to change a few things:

1.
Enable fast.log output in /usr/local/etc/suricata/suricata.yaml:
https://github.com/opnsense/core/issues/7083

2.
Add log rotation for /var/log/suricata/fast.log
https://github.com/opnsense/core/commit/128756bd1c148b0d917fa1cad2f649b66f24f8e5#commitcomment-135018139

3.
Add the /usr/local/etc/crowdsec/acquis.d/suricata.yaml file and set to include ONLY fast.log (you do not want eve.json, that would be duplicate alerts/decisions and CrowdSec has some difficulty with the 'printable_payload' that we love seeing in ELK):
https://github.com/opnsense/plugins/commit/b465377760dde6cd23e8976bda54d087b572ae4c#commitcomment-135019889

Hope this helps everyone out! ^_^

10
23.7 Legacy Series / Mirror ZFS showing intermittent WRITE_FPDMA_QUEUED CAM status: Uncorrectable pari
« on: October 24, 2023, 11:02:13 pm »
The error will pop up from time to time, more often when I was using the RAM to map /var/log which I found odd. It will seem to have to do with the pressure or write/backup load the router/OS is going through.

WRITE_FPDMA_QUEUED CAM status: Uncorrectable parity/CRC error

It will mention three retries. It appears to resolve on its own, but appears alarming all the same.

In short, I found this post about how to handle issues like this in FreeBSD and wanted to check with the group, have you seen this error, and if so, does this solve it for you (too? - still testing) or did you find another way to resolve the oddity.

Thread about CAM status errors in FreeBSD:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229745#c59

The initial try for my setup was to issue these commands, note, my 'tags' were previously 32:
Code:
camcontrol tags ada0 -N 25
camcontrol tags ada1 -N 25

The hardware is only slightly old:
ASRock 970 Extreme3 R2.0 with AMD FX-8320E Eight-Core Processor, AMD graphics, 4 memory modules (4 x Crucial BLS8G3D18ADS3.16FE 8GB), 2 drives (2 x Samsung SSD 870 EVO 500GB)

Any feedback is welcome, I am new to FreeBSD (Gentoo->RHEL->Ubuntu->Manjaro->FreeBSD) and quite new to ZFS.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved