OPNsense Forum » Show Posts
Topics - someone

1
Intrusion Detection and Prevention / What is box for... IPS-Admin-settings-home networks box?
« on: November 21, 2024, 07:55:28 pm »
Am I misusing this box?
I put my IP in, in DHCP mode, and the rules work.
Anyone know its function?

2
Intrusion Detection and Prevention / How to set IP for rules working
« on: November 21, 2024, 07:50:23 pm »
If in static mode, place your static IP under Interfaces.
If in DHCP, several things:
Place your IP in Intrusion Detection > Administration > Settings > Home Networks box.
Keep your settings under Interfaces as DHCP.
Put your non-static IP or range in the box.
Behind a router it can be a specific IP or range.
If not behind a router you can put your IP in the box.
If you have a DHCP range, you can put the range in the box.
Testing this and the rules are working without modifications.
Thanks.
Will test some more.
What is that box for, if anyone knows?
To me it doesn't match its description.

3
Intrusion Detection and Prevention / If in IPS mode some of your sites may soon get blocked
« on: November 21, 2024, 12:46:04 am »
OPNsense rulesets have started working.
ET rulesets have not.
They are working on it.
When ET rulesets start working some of your favorite sites may be blocked.
Many sites are blocked by rules, for instance:
sid 2013504 will stop you from doing Ubuntu updates.
sid 2100366 will stop you from doing any ping.
There are social media blocking rules.
If you use Kali Linux you will get blocked.
So,
before this happens in an upcoming update
(I just checked, they are not working yet),
go to Services > Intrusion Detection > Administration > Rules.
In the search box type in "facebook" and you will see the rules.
If that's a site you use you can disable them now, before the update.
Find blocked sites by typing in their name or IP.
You can also type their IP in the Alerts search box if they get blocked, to find the rule blocking them.
You can find an IP by googling it or on the command line using $ host google.com
It will give you some of Google's IPs.
They have many, just an example.

They fixed the OPNsense rules very fast.
The thing with ET rules is they are downloaded in a strict format to work with different parties and not just OPNsense.
I don't think OPNsense wants to change them every update.
So it may take some modification of Suricata, or a program in OPNsense, to make them work.
They are working on it.
So I am letting you know before you get some sites blocked after an update.
Which update, I don't know.
But now you are aware and know your system did not break, just check your rules.

4
General Discussion / Rsync and Snapshot and Backup request
« on: November 18, 2024, 10:37:13 pm »
Security measure.
First, the Suricata YAML has a mirror embedded in OPNsense so that it can't be changed.
It will rewrite itself on boot.

Question: can we implement something like that for the rest of the file system?
Not just data; like a read-only persistent RAID for files that don't change.

Either like a RAID that checks and rewrites on boot,
or whatever it is the Suricata YAML is doing.

Linux Mint has rsync and snapshot to copy all files and store them.
If they get to the boot files the snapshot is no good.
But I like the idea.

Also something that rewrites directories like boot that have changed, or if
another file was put in there, and erases links to another file somewhere else.
It's like putting it in the boot directory but hidden.

I have tried the OPNsense default reset, without success in one instance.
And the configuration saved settings is OK but doesn't help the files, including boot.

FreeBSD has rsync and snapshot but I haven't tried putting it on OPNsense yet.
It won't matter if they get to the boot-up files.

Yes, I know it will increase memory required.
I think it would be worth it, or an option.
Hardened security.
Thanks.

5
Development and Code Review / Wazuh working on LM22 with opnsense
« on: November 12, 2024, 01:46:43 am »
I've gotten the Wazuh SIEM server working on Linux Mint 22 on one box and OPNsense as an agent on another box.
On the server, which is LM22, I did an update and installed JDK via Synaptic, which was 4 or 5 files.
Then I used the Wazuh quickstart for Ubuntu and followed the directions on their documentation page,
which was cut and paste one line; it's a curl command and runs a script.
Takes a while, maybe 30 minutes, to download and install everything.
Note: put the LAN IP in the browser and the Wazuh server page should come up; mine doesn't.
I have to manually start wazuh-indexer and wait a couple of minutes, then open the browser and it works.
From the command line I run sudo systemctl start wazuh-indexer
Then the Wazuh server page appears.
Then open a terminal on the server and go to /var/ossec/bin
On the command line run ./manage_agents; this will create a new agent.
Type A for add and enter the hostname of the OPNsense router and its IP; then quit.
Then run the command again and type L for List.
Then type I to get a key for that agent; copy and save it, then exit.

Next, on the OPNsense box I install the Wazuh agent from plugins.
Reboot and enable wazuh-agent, set manager hostname... the IP of the Wazuh server on the LAN, which is its LAN address.
The authentication password is your hostname on OPNsense, which is opnsense.somethingdomain or whatever you changed it to.
It is your hostname in the OPNsense dashboard, and at the top right on the Wazuh agent GUI page.
It is also what you set as the name of the wazuh-agent on the Wazuh server on the other box.
Then SSH into OPNsense and go to /var/ossec/bin
On the command line enter ./manage_agents
Your agent will show up and it will ask if you want to enter a key; paste the key from the server here. Exit, reboot.

Remember to open TCP ports 1515 and 1514 on both the server box and the OPNsense box.
Reboot the operating system, or use systemctl to shut down the server first, then power down:
sudo systemctl stop wazuh-indexer
sudo systemctl stop wazuh-dashboard
sudo systemctl stop wazuh-server

Power up the indexer and open the GUI dashboard, which is the LAN IP in the browser address bar.
Give it time to connect for the first time; mine I let run overnight with the server and OPNsense connected,
but not the internet.
It is ingesting the current logs from the first time it connected to OPNsense:
all alerts, blocks; it's tracking all files on OPNsense and the server,
checks for rootkits, does shasum on both systems.
It does a lot.

6
Intrusion Detection and Prevention / Who would you submit new rules and blocklists to
« on: November 01, 2024, 03:41:07 am »
Most of the rules are old; like, three ET rulesets are a month old,
mostly blocklists, including 3core and threatview.
They all have an ET email address to respond to.
But does anyone have any experience with this,
how long is their turnaround to get new rules out?
I have seen some posts where the new rules go to Pro
and then a long time after go to community rulesets.
I don't know, and it may be hearsay.
Look how old most of the rulesets are.... 2019.
Another question:
Does OPNsense accept rules and blocklists from the community
to be put into their rulesets and out on the next update?

7
General Discussion / How do you get eve.json from router to computer for evebox
« on: October 17, 2024, 11:57:04 pm »
I install EveBox on the computer.
Command line:
evebox server -D . --datastore sqlite --input /var/log/eve.json
How do I get the eve.json file from the router?
I go to localhost:5636/#/inbox and EveBox is working in the browser.
How do I get the eve.json export feed from Suricata?
I know that's not the location of the eve.json file, it's just an example.
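
An added example, not part of the posts above or of OPNsense or EveBox, for two questions the posts raise: the earlier post's advice to search the alerts for an IP to find which rule is blocking a site, and this post's wish to work on eve.json off the router. It reads a local copy of Suricata's EVE JSON log (how that copy is fetched from the router, for instance with scp over the SSH access already used in the Wazuh post, is assumed and not answered here) and reports, per address, the signature IDs that fired, how often, and whether the engine's action was "blocked" (IPS drop) or "allowed" (IDS alert only). The records below are constructed in EVE shape for the example; the two real sids named in the earlier post carry placeholder messages, and the final line is deliberately truncated, as the tail of a file still being written can be.

```python
"""Added example (not from the posts or from OPNsense): triage alerts in a copy of
Suricata's eve.json to see which signature hit an address and whether it was dropped.
Records below are constructed in EVE shape; messages for the two real sids are placeholders."""
import json
from collections import defaultdict

SAMPLE_EVE = """\
{"timestamp":"2024-11-21T00:40:01.000000+0000","event_type":"alert","src_ip":"192.168.1.20","src_port":0,"dest_ip":"8.8.8.8","dest_port":0,"proto":"ICMP","alert":{"action":"blocked","gid":1,"signature_id":2100366,"rev":1,"signature":"constructed placeholder for sid 2100366","category":"Misc activity","severity":3}}
{"timestamp":"2024-11-21T00:40:05.000000+0000","event_type":"alert","src_ip":"192.168.1.20","src_port":51234,"dest_ip":"203.0.113.80","dest_port":80,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2013504,"rev":1,"signature":"constructed placeholder for sid 2013504","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2024-11-21T00:41:00.000000+0000","event_type":"flow","src_ip":"192.168.1.20","src_port":51240,"dest_ip":"203.0.113.80","dest_port":80,"proto":"TCP"}
{"timestamp":"2024-11-21T00:42:00.000000+0000","event_type":"alert","src_ip":"192.168.1.20","src_port":51300,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000010,"rev":1,"signature":"constructed social media rule","category":"Policy","severity":3}}
{"timestamp":"2024-11-21T00:42:03.000000+0000","event_type":"alert","src_ip":"192.168.1.20","src_port":51301,"dest_ip":"203.0.113.80","dest_port":80,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2013504,"rev":1,"signature":"constructed placeholder for sid 2013504","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2024-11-21T00:43:00.000000+0000","event_type":"alert","src_ip":"192.168.1.20","src_port":5
"""  # the last record is deliberately torn, as the tail of a live eve.json can be

def iter_alerts(text):
    """Yield parsed alert records; skip other event types and torn or empty lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial write at the end of the file
        if rec.get("event_type") == "alert":
            yield rec

def signatures_for_ip(text, ip):
    """For one address (as src or dest): sid -> count, actions seen, last message.
    'blocked' means the IPS dropped the packet; 'allowed' means IDS-style alert only."""
    hits = defaultdict(lambda: {"count": 0, "actions": set(), "msg": ""})
    for rec in iter_alerts(text):
        if ip not in (rec.get("src_ip"), rec.get("dest_ip")):
            continue
        a = rec["alert"]
        h = hits[a["signature_id"]]
        h["count"] += 1
        h["actions"].add(a.get("action", "allowed"))
        h["msg"] = a.get("signature", "")
    return {sid: dict(h, actions=sorted(h["actions"])) for sid, h in hits.items()}

def blocked_destinations(text):
    """dest_ip -> sorted sids that dropped traffic to it: the list to review before
    disabling a rule for a site that stopped loading."""
    out = defaultdict(set)
    for rec in iter_alerts(text):
        if rec["alert"].get("action") == "blocked":
            out[rec["dest_ip"]].add(rec["alert"]["signature_id"])
    return {ip: sorted(sids) for ip, sids in out.items()}

if __name__ == "__main__":
    import sys
    # Point it at a fetched copy (python3 triage.py eve.json); falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    for ip, sids in blocked_destinations(text).items():
        print(ip, "blocked by", sids)
    for sid, h in signatures_for_ip(text, "8.8.8.8").items():
        print(sid, h)
```

The "allowed" alert on 198.51.100.7 never appears in the blocked list, which is the distinction the IPS test post draws between IDS mode (alert only) and IPS mode with a drop policy.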

8
Intrusion Detection and Prevention / How I test IPS engine blocking
« on: October 15, 2024, 02:45:25 am »
How I test Suricata engine rule drop:
Go to Services > Intrusion Detection > Administration > User Defined.
Click the plus button to make a rule.
Enter 8.8.8.8 in Destination IP.
Set to drop, description Dest8.8.8.8, and save.
Click make rule again.
Enter 8.8.8.8 in Source IP.
Set to drop, description source8.8.8.8, and save.
Click Apply and wait 5 minutes.
Open a command terminal, enter ping 8.8.8.8 and press Enter.
Wait 5 seconds and press Ctrl-C to stop.
Go to Alerts and the log file with the box set to informational.
You will see it blocked 8.8.8.8 as the destination.
It never left the WAN.
Delete the Dest8.8.8.8 rule, click Apply, wait 5 minutes.
Ping 8.8.8.8 again for 5 seconds and press Ctrl-C to stop.
Check the Alerts tab and the log file with the informational box set.
You will see it blocked source 8.8.8.8.
Delete the source 8.8.8.8 rule, click Apply, wait 5 minutes.
You are back to normal.
If you downloaded the opnsense.rules file
the rules would look like this:
alert ip 8.8.8.8 any -> any any (msg:"8.8.8.8_source"; sid:4294967294; rev:1;)
alert ip any any -> 8.8.8.8 any (msg:"8.8.8.8_Dest"; sid:4294967293; rev:1;)
Notice it says any any and not $HOME_NET, not $EXTERNAL_NET.
The first any is for IP, the second is for port.
I have a policy running to set all alerts to drop.
That's why it was blocked, and because IPS is enabled.
If only IDS is enabled it would just give alerts.
Thanks.

Or you can enter the rules in opnsense.test.rules manually.
I put all my rules here because they will not be rewritten on reboot,
and I save a copy to use on the next installation.

9
General Discussion / IPBlocklists Not Working - Solved Need Opnsense help
« on: October 11, 2024, 02:29:13 am »
IPBlocklists and large amounts of rules are not working.
Maybe 70 percent are not functioning.
Problem: no access to the Suricata YAML to program $HOME_NET and $EXTERNAL_NET in the rules,
unless there is something I am missing.
Fix... replace $HOME_NET and $EXTERNAL_NET manually in the rules.
Change these to.... any
IPBlocklists start working.
Spamhaus rules start working.
Abuse rules start working.
Warning: doing this all at once, I could not get back on the net,
will have to figure that one out next. I had packets coming and going,
that's how I saw all these rules start working; I get about 100 threats in ten minutes.
But I couldn't go anywhere in the browser.
Do not do this unless you know how, and are willing to reload many times,
until we can get OPNsense to come up with a fix.
Abuse rules has over 70,000 rules in that one file,
so I used search and replace.
From this example:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:" Known malware download URL detected; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/,relative; metadata:created_at 2024_09_30; reference/; classtype:trojan-activity;sid:********; rev:1;)

To this:
alert http any any -> any any (msg:" Known malware download URL detected; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/,relative; metadata:created_at 2024_09_30; reference:; classtype:trojan-activity;sid:*******; rev:1;)

Not a complete real rule, just an example.
My home-made blocklists started working also, and many of the hits were in some of the other threat rules already.
I had some IPs blocked by six rules; four were mine, not checking for duplicates yet.
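
An added example, not from the posts above or from OPNsense, covering both the IPS test post (the two "any any" user-defined rules) and this post (the blanket replacement of $HOME_NET and $EXTERNAL_NET with any). It is a small Python model of how Suricata evaluates a rule header: action, protocol, source address and port, direction, destination address and port, with the variables resolved the way the vars: section of suricata.yaml defines them (OPNsense regenerates that file, and fills HOME_NET from the Home Networks setting that the earlier post asks about). The HOME_NET value, the third rule with its placeholder options and sid, and the sample flows are constructed for the example; rule options such as content or flow are not evaluated. What it shows: an ET-style $HOME_NET -> $EXTERNAL_NET rule matches outbound traffic only while HOME_NET contains the client's address, it is silent when HOME_NET does not (which looks like a broken ruleset but is not), and after the blanket edit it matches in both directions, including inbound traffic the rule author never intended, which is the likely reason for the flood of alerts and the loss of connectivity described above.

```python
"""Added example (not from the posts or from OPNsense): a model of Suricata rule-header
matching showing what $HOME_NET does and what the blanket "replace with any" edit changes."""
import ipaddress
import re

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)
# Constructed variables, in the shape suricata.yaml's vars: section defines them.
HOME = {"HOME_NET": "[192.168.1.0/24]", "EXTERNAL_NET": "!$HOME_NET"}
# The two user-defined rules quoted in the IPS test post, plus one constructed
# ET-style rule (placeholder options and sid) standing in for a downloaded ruleset.
RULES = """\
alert ip 8.8.8.8 any -> any any (msg:"8.8.8.8_source"; sid:4294967294; rev:1;)
alert ip any any -> 8.8.8.8 any (msg:"8.8.8.8_Dest"; sid:4294967293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed malware URL rule"; http.uri; content:"/evil"; sid:9000001; rev:1;)
"""

def parse_rule(line):
    """Header fields of one rule; the sid is pulled out of the options."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a rule line: %r" % line)
    rule = m.groupdict()
    sid = re.search(r"\bsid:\s*(\d+)\s*;", rule["options"])
    rule["sid"] = int(sid.group(1)) if sid else None
    return rule

def addr_matches(spec, ip, vars_):
    """any, $VAR, !negation, IP/CIDR, or a flat [a,b,...] list (no nesting in this model)."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, vars_)
    if spec.startswith("$"):
        return addr_matches(vars_[spec[1:]], ip, vars_)
    if spec.startswith("["):
        return any(addr_matches(p, ip, vars_) for p in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """any, a lo:hi range (either end may be open), or a single port."""
    spec = spec.strip()
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port

def rule_matches(rule, proto, src, sport, dst, dport, vars_):
    """Header-only match: proto 'ip' matches every flow, any other must equal the flow's.
    Rule options (content, flow, ...) are not evaluated here."""
    if rule["proto"] not in ("ip", proto):
        return False
    fwd = (addr_matches(rule["src"], src, vars_) and port_matches(rule["sport"], sport)
           and addr_matches(rule["dst"], dst, vars_) and port_matches(rule["dport"], dport))
    if fwd or rule["dir"] == "->":
        return fwd
    return (addr_matches(rule["src"], dst, vars_) and port_matches(rule["sport"], dport)
            and addr_matches(rule["dst"], src, vars_) and port_matches(rule["dport"], sport))

def matching_sids(rule_text, proto, src, sport, dst, dport, vars_=HOME):
    """sids of every rule whose header matches the flow (comments and blanks skipped)."""
    rules = [parse_rule(l) for l in rule_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return [r["sid"] for r in rules if rule_matches(r, proto, src, sport, dst, dport, vars_)]

def rewrite_net_vars(rule_text):
    """The post's blanket edit, limited to the header: a src or dst that uses $HOME_NET
    or $EXTERNAL_NET becomes 'any'. Returns (new_text, rules_changed)."""
    out, changed = [], 0
    for line in rule_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            out.append(line)  # comments and blanks pass through untouched
            continue
        r = m.groupdict()
        touched = [k for k in ("src", "dst") if "$HOME_NET" in r[k] or "$EXTERNAL_NET" in r[k]]
        for k in touched:
            r[k] = "any"
        changed += bool(touched)
        out.append(" ".join([r["action"], r["proto"], r["src"], r["sport"], r["dir"],
                             r["dst"], r["dport"], "(" + r["options"] + ")"]))
    return "\n".join(out), changed

if __name__ == "__main__":
    print(matching_sids(RULES, "icmp", "192.168.1.10", 0, "8.8.8.8", 0))          # destination rule only
    print(matching_sids(RULES, "http", "192.168.1.10", 50000, "203.0.113.5", 80))  # ET-style rule fires
    wrong = {"HOME_NET": "[10.0.0.0/8]", "EXTERNAL_NET": "!$HOME_NET"}             # LAN not in HOME_NET
    print(matching_sids(RULES, "http", "192.168.1.10", 50000, "203.0.113.5", 80, wrong))
    rewritten, n = rewrite_net_vars(RULES)                                       # now matches inbound too
    print(n, matching_sids(rewritten, "http", "203.0.113.5", 44444, "192.168.1.10", 80))
```

The practical check this suggests, before editing 70,000 rules: compare the client address of a flow that should have alerted against the HOME_NET that OPNsense generated. If the address is outside it, the fix is the Home Networks setting, and the rules keep their direction.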

10
General Discussion / I am having trouble with my DNS and NTP settings getting bypassed
« on: October 09, 2024, 04:12:18 am »
Anyone know a way to hold your preferences in OPNsense?
Probably the way I have something set.
Using Unbound I entered Google 8.8.8.8 as DNS; it works a couple of times then gets overridden.
Same with the NTP servers, they would not stay on OPNsense servers.
Any way to beef up the security of those? Thanks.

11
General Discussion / How do we change the default firewall rules
« on: October 09, 2024, 03:40:23 am »
I can't figure out how to edit the default firewall rules. It used to be the button, or Control and button, something like that.

12
General Discussion / Why are opnsense NTP servers sending queries
« on: October 06, 2024, 08:08:07 pm »
I am getting sent multiple queries from OPNsense NTP servers, not NTP; any ideas what that's about?
Like 5 to 10 every few minutes.

13
General Discussion / Country block
« on: October 06, 2024, 07:26:44 pm »
I read in the OPNsense docs it had country block; has anyone seen that?

14
General Discussion / how do you get Ublox GPS working
« on: October 06, 2024, 07:23:42 pm »
The u-blox isn't recognised and I can't seem to get it started; OPNsense doesn't talk to it.
Yes, it's recognised in dmesg.
Any ideas?

15
General Discussion / NTP controls do not work
« on: October 06, 2024, 07:20:55 pm »
The controls under NTP do not work.
1. With only one NTP server checked and the others disabled I get twenty NTP queries every 5 to 10 seconds.
2. Checking "check the network time once" doesn't change anything.
If NTP is stopped altogether the system will not start up; in other words we cannot enter our own time to start the system.
OPNsense would not accept the system time.
3. Far too much bandwidth for NTP:
average 10 hits a second,
not counting why OPNsense NTP servers are sending a query to my computer which is not NTP related.
4. NTP servers are queried which are not in an OPNsense pool.
5. I do not need a pool of servers.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved