Messages - t00r

1
German - Deutsch / Re: Email on PPPoE error / down / upload SSL certificate via script
« on: December 21, 2018, 01:06:21 pm »
Quote from: rcmcronny on December 21, 2018, 09:12:40 am
1. When the PPPoE session is down or has an error, no notification arrives, and I can't find anywhere I could say: send a mail or similar. How do you handle this?
I could probably also query the status externally via the API and then act on it, if someone here has an entry point for me on how to get at that information.

I would like a solution for that too!

I helped myself with the "Monit" service; it sends me a mail when the ping to 8.8.8.8 fails (see screenshot).
That way I at least know that there was an interruption.
But I would also like to always receive a mail showing me the current WAN IP of the PPPoE connection (as the FritzBox does).


2
18.7 Legacy Series / Re: TOR: is it possible to use tor router only for blocked resources?
« on: December 21, 2018, 12:33:21 pm »
Quote from: mrpsycho on December 21, 2018, 10:08:15 am
So, am I getting it right that there is no way to bypass Tor for services that are blocked by the government?
Hi,

I have the same problem, but with some sites that block Tor like Google (Recaptcha madness!).

That's my solution:

I use the OPNsense Tor plug-in as a SOCKS proxy, too.
It's really fast, faster than the Tor Browser itself.

I use it only with my Mozilla Firefox browser (short: FF).

In FF I use this plug-in: "FoxyProxy".
In FoxyProxy you can define the OPNsense Tor SOCKS proxy and define bypass domains/URLs (called "Black" patterns).
Works really well!
Here are some screenshots of the FoxyProxy plug-in configuration:
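The split routing the post describes, as an added example that is not code from the post, from FoxyProxy or from the OPNsense Tor plugin: a PAC-style decision function with a FoxyProxy-like wildcard bypass list, plus the SOCKS5 messages a client exchanges with the Tor SOCKS listener. The proxy address 192.168.1.1:9050 and the bypass patterns are assumptions. The CONNECT request uses the DOMAINNAME address type, so the name is resolved by Tor and no DNS query for the destination leaves the client outside the tunnel.

```python
"""Route only non-bypassed hosts through the OPNsense Tor SOCKS proxy, and build
the SOCKS5 CONNECT so that Tor resolves the host name (no local DNS leak).
Added example; not code from the post, FoxyProxy or the OPNsense Tor plugin."""
import fnmatch
import socket
import struct
from urllib.parse import urlsplit

# Assumed address of the OPNsense Tor plugin's SOCKS listener (not in the post).
TOR_SOCKS = ("192.168.1.1", 9050)

# Constructed bypass list in the wildcard style FoxyProxy patterns use: these
# hosts go DIRECT (sites that block Tor exits, internal names); all others use Tor.
BYPASS_PATTERNS = ["google.com", "*.google.com", "*.gstatic.com", "*.intranet.example"]


def route(url, bypass=BYPASS_PATTERNS):
    """Return "DIRECT" or "SOCKS5 host:port" for a URL, like a PAC function would."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        raise ValueError("URL without host: %r" % url)
    if any(fnmatch.fnmatchcase(host, pat.lower()) for pat in bypass):
        return "DIRECT"
    return "SOCKS5 %s:%d" % TOR_SOCKS


def socks5_greeting():
    # VER=5, one method offered: 0x00 (no authentication)
    return b"\x05\x01\x00"


def socks5_connect_request(host, port):
    # VER=5 CMD=1 (CONNECT) RSV=0 ATYP=3 (DOMAINNAME) LEN NAME PORT(big-endian).
    # ATYP=3 hands the name to the proxy instead of resolving it locally.
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("host name must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def socks5_reply_code(data):
    # Reply header: VER REP RSV ATYP ...; REP 0x00 means "succeeded".
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    return data[1]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("proxy closed the connection")
        buf += chunk
    return buf


def open_connection(url, timeout=15):
    """Open a TCP socket to the URL's host, directly or through Tor per route()."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if route(url) == "DIRECT":
        return socket.create_connection((parts.hostname, port), timeout)
    s = socket.create_connection(TOR_SOCKS, timeout)
    try:
        s.sendall(socks5_greeting())
        if _recv_exact(s, 2) != b"\x05\x00":
            raise OSError("proxy refused the no-auth method")
        s.sendall(socks5_connect_request(parts.hostname, port))
        head = _recv_exact(s, 4)
        if socks5_reply_code(head) != 0:
            raise OSError("SOCKS5 CONNECT failed, REP=%d" % head[1])
        atyp = head[3]  # drain BND.ADDR and BND.PORT
        if atyp == 1:
            _recv_exact(s, 4 + 2)
        elif atyp == 3:
            _recv_exact(s, _recv_exact(s, 1)[0] + 2)
        elif atyp == 4:
            _recv_exact(s, 16 + 2)
        return s
    except Exception:
        s.close()
        raise
```

In Firefox the equivalent of ATYP=3 is the "Send DNS through SOCKS5 proxy" option in FoxyProxy (the `network.proxy.socks_remote_dns` preference); without it the browser resolves the name locally and the destination leaks to your normal resolver even though the TCP session goes through Tor.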

3
German - Deutsch / Re: Thoughts on switching from pfSense
« on: December 20, 2018, 01:11:28 pm »
Quote from: JeGr on December 13, 2018, 01:58:22 pm
...
Otherwise, like Dirk, I'd be interested in what people really hope to gain from Suricata/Snort in a home setup with WAN/LAN. I simply don't understand what there is "worth protecting" when no inbound connections are allowed. If I offer services myself (web server or similar), it's all understandable, even though you can play other cards even then, but in a home setup where I might occasionally have VPN open and otherwise only have outgoing traffic? What do I want IDS/IPS for there? I'd be glad to get feedback.
Regards

For example, things like these get noticed/blocked at my place:

Code:
LAN outbound:

# A Windows 10 machine:
[Drop] [1:2025275:1] ET INFO Windows OS Submitting USB Metadata to Microsoft [Classification: Misc activity] [Priority: 3] {TCP}
# My Samsung smart TV:
[1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 52.221.74.15:443 -> 192.168.30.100:37451

WAN inbound:

[Drop] [1:2023753:2] ET SCAN MS Terminal Server Traffic on Non-standard Port [Classification: Attempted Information Leak] [Priority: 2] {TCP}
# NTP reflection attacks: https://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
[Drop] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [Classification: Attempted Denial of Service] [Priority: 2] {UDP}

So, quite a lot is going on there!

What I do then is: I created an alias network list in which I block the conspicuous networks via the firewall (I look them up at https://bgp.he.net/). And then there's peace and quiet :-).
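The workflow in the post above, alerts in fast.log form turned into a list of remote peers for a firewall alias, as an added example that is not code from the post or from OPNsense/Suricata. Two of the sample lines are the ones pasted in the post; the third, timestamped line is constructed (addresses from the 203.0.113.0/24 documentation range) to show the full fast.log layout with its `[**]` separators. The parser tolerates both forms. Note that fast.log records packet direction only, so for a policy alert that fires on a server's reply (like the POODLE one) the "remote peer" is the server the LAN client talked to, not an attacker.

```python
"""Parse Suricata fast.log-style alert lines and collect the remote peers of
high-priority alerts as candidates for a firewall alias.
Added example; not code from the post or from OPNsense/Suricata."""
import ipaddress
import re
from collections import Counter

# fast.log line, with the timestamp and "[**]" separators optional because the
# post's lines were pasted without them.
FASTLOG_RE = re.compile(
    r"^(?:(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+)?"
    r"(?:\[\*\*\]\s+)?"
    r"(?:\[(?P<action>Drop|wDrop)\]\s+)?"
    r"(?:\[\*\*\]\s+)?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"(?:\[\*\*\]\s+)?"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}"
    r"(?:\s+(?P<src>[0-9A-Fa-f:.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9A-Fa-f:.]+):(?P<dport>\d+))?"
    r"\s*$"
)

# Ranges treated as "ours": RFC 1918, loopback, link-local, ULA.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def packet_direction(src, dst):
    """Direction of the alerting packet; fast.log does not carry flow direction."""
    src_local, dst_local = is_local(src), is_local(dst)
    if src_local and not dst_local:
        return "outbound"
    if dst_local and not src_local:
        return "inbound"
    return "internal" if src_local else "external"


def parse_fastlog(text):
    """Return one dict per parsable alert line; blanks and '#' comments are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FASTLOG_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["sid"], a["rev"], a["priority"] = int(a["sid"]), int(a["rev"]), int(a["priority"])
        a["action"] = a["action"] or "Alert"      # no bracketed action means alert-only
        a["direction"] = packet_direction(a["src"], a["dst"]) if a["src"] and a["dst"] else None
        alerts.append(a)
    return alerts


def block_candidates(alerts, max_priority=2):
    """Count non-local peers of alerts at or above the given priority (1 = highest).
    The result is what you would widen to owning prefixes (e.g. via bgp.he.net)
    and paste into a network alias."""
    counts = Counter()
    for a in alerts:
        if a["priority"] > max_priority:
            continue
        for ip in (a["src"], a["dst"]):
            if ip and not is_local(ip):
                counts[ip] += 1
    return counts


# First two lines are from the post; the third is constructed.
SAMPLE_FASTLOG = """\
[Drop] [1:2025275:1] ET INFO Windows OS Submitting USB Metadata to Microsoft [Classification: Misc activity] [Priority: 3] {TCP}
[1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 52.221.74.15:443 -> 192.168.30.100:37451
12/21/2018-09:12:40.000001  [Drop] [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 203.0.113.7:59877 -> 192.168.30.1:123
"""

if __name__ == "__main__":
    for ip, n in block_candidates(parse_fastlog(SAMPLE_FASTLOG)).most_common():
        print(ip, n)
```

Run it against the live file with `parse_fastlog(open("/var/log/suricata/fast.log").read())`; raising `max_priority` to 3 pulls in the informational alerts, which is usually where the noise lives.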

4
19.1 Legacy Series / Re: ips/ids suricata Solved
« on: December 08, 2018, 10:02:26 am »
Quote from: GDixon on December 03, 2018, 07:52:45 am
...
Which is best policy?  Monitor the Wan? Monitor the Lan? Or choose both Wan and Lan to monitor?

Try it out! :-)
Enable both (LAN/WAN) and monitor it, then you see what's going on...

5
19.1 Legacy Series / Re: ips/ids suricata
« on: December 02, 2018, 07:23:45 am »
Quote from: GDixon on December 01, 2018, 05:42:16 pm
I have new errors lol different than before and no alerts show up yet.

I'm going to remove surica, restore a good config and start over with surica.

Good idea, never seen these errors before.

6
19.1 Legacy Series / Re: ips/ids suricata
« on: December 01, 2018, 05:19:31 pm »
Quote from: GDixon on December 01, 2018, 05:14:08 pm
Doh
Don't worry!
When you want to test it, download Kali Linux in a virtual machine and run some enumeration tools against the firewall itself or another (test) target. Before testing, enable Suricata on the LAN interface to detect this.

7
19.1 Legacy Series / Re: ips/ids suricata
« on: December 01, 2018, 05:10:50 pm »
Quote from: GDixon on December 01, 2018, 12:52:59 pm
Yes I found the second place to either drop or alert the rules. There's over 16,000!

How in the heck do you enable them all ? There has to be a quick way to do so with out scrolling through them all I hope.

And I still didn't download/enable all the ET rules hmmmmm
Oh, sorry for the misunderstanding, I never ever enable them all (to alert)! :-)
In fact I enabled some of them manually via the GUI as described above.

I think I know (no proof) that the maintainers of these rulesets enable the signatures that are important (from their point of view).


8
19.1 Legacy Series / Re: ips/ids suricata
« on: December 01, 2018, 12:14:01 pm »
Quote from: GDixon on December 01, 2018, 11:53:48 am
...
All of them?  I only did 5 to see how it works and so far I have yet to have anything show up in alerts.

CPU usuage is still minimal, memory usage did go up and the load avg went up very slightly so I think I'll load a few at a time and go from that.
Yes, ATM I have all of them enabled (except all abuse.ch rulesets). CPU load is 28-31% with that on my hardware.
Quote
Ah ha, I have things set to drop. So you need something set to alert for it to show in the gui?

So the alerts tab is more for testing to see what rules are messing up and don't really need to be dropped?

That's a good question!
In the "Download" tab you can only enable complete rulesets; then that ruleset is alerting. In the ruleset itself you can set them only to "None" or "Drop", and "None" means it's alerting.

BUT: in the ruleset itself some, or sometimes many, of the signatures are not enabled.
In the "Rules" tab you can fine-tune the signatures: disable completely, enable alert or set to drop.

You can see this when you search in the "Rules" tab for "trojan" (when you have enabled "emerging-trojan.rules"). Some are enabled, some not.

And I see "eicar" is not enabled, or it has the class-type "bad-unknown".
I assume class-type here means the status of the IPS signature, and bad is not so good :-)

In the last weeks/months I disabled some of the signatures myself because they were alerting about harmless events, to reduce the noise from Suricata.
I think the best is to surf and work as always and look in the logs from time to time to get a feeling for the whole thing :-).
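The per-signature states discussed in this post and the previous one (disabled, alert, drop), shown at the level of the rules file that the GUI manages, as an added example that is not code from the post or from OPNsense's rule management. In a Suricata rules file a leading `#` disables a rule, the first word is its action, and `classtype` is the rule's classification keyword (e.g. `bad-unknown`), which is independent of whether the rule is enabled. The sample rules are constructed in the local SID range (1000000-1999999) and are not real ET signatures.

```python
"""Inspect and adjust per-signature state in a Suricata rules file.
Added example; not code from the post or from OPNsense's rule management."""
import re
from collections import Counter

# "#" (optionally with spaces) in front of the action disables the rule; the
# option block in parentheses carries msg/classtype/sid/rev.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?"
    r"(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<rest>.*\))\s*$"
)


def parse_rule(line):
    """Return a dict for a rule line, or None for blanks, comments and junk."""
    m = RULE_RE.match(line.strip())
    if not m or "(" not in m.group("rest"):
        return None
    rest = m.group("rest")
    opts = rest[rest.index("(") + 1 : rest.rindex(")")]
    sid = re.search(r"\bsid\s*:\s*(\d+)\s*;", opts)
    if not sid:
        return None
    msg = re.search(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;', opts)
    cls = re.search(r"\bclasstype\s*:\s*([\w-]+)\s*;", opts)
    return {
        "sid": int(sid.group(1)),
        "enabled": m.group("disabled") is None,
        "action": m.group("action"),
        "msg": msg.group(1) if msg else "",
        "classtype": cls.group(1) if cls else "",
        "rest": rest,                      # header after the action + option block
    }


def parse_rules(text):
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def state(rule):
    return rule["action"] if rule["enabled"] else "disabled"


def summarize(text):
    """Count signatures per state, the way the GUI's rules tab would show them."""
    return Counter(state(r) for r in parse_rules(text))


def render(rule, action=None, enabled=None):
    action = rule["action"] if action is None else action
    enabled = rule["enabled"] if enabled is None else enabled
    return ("" if enabled else "#") + action + " " + rule["rest"]


def apply_policy(text, drop=(), alert=(), disable=()):
    """Rewrite selected SIDs to drop / alert / disabled; other lines pass through.
    Returns (new_text, {sid: resulting state})."""
    out, states = [], {}
    for line in text.splitlines():
        r = parse_rule(line)
        if r is None:
            out.append(line)
            continue
        sid = r["sid"]
        if sid in disable:
            line = render(r, enabled=False)
        elif sid in drop:
            line = render(r, action="drop", enabled=True)
        elif sid in alert:
            line = render(r, action="alert", enabled=True)
        out.append(line)
        states[sid] = state(parse_rule(line))
    return "\n".join(out) + "\n", states


# Constructed rules; local SIDs, not real ET signatures.
SAMPLE_RULES = """\
# constructed test rules
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"TEST TROJAN Malicious SSL cert"; flow:established,from_server; tls.cert_subject; content:"CN=evil.example"; classtype:trojan-activity; sid:1000001; rev:1;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST MALWARE Known C2 user-agent"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0)"; classtype:trojan-activity; sid:1000002; rev:2;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST POLICY EICAR test file download"; flow:established,from_server; file.data; content:"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"; classtype:bad-unknown; sid:1000003; rev:1;)
alert dns $HOME_NET any -> any any (msg:"TEST INFO Noisy DNS lookup"; dns.query; content:".example"; classtype:not-suspicious; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_RULES)))
    new_text, states = apply_policy(SAMPLE_RULES, drop={1000001}, alert={1000003}, disable={1000004})
    print(states)
```

Point `summarize()` at a downloaded ruleset to see how many signatures the maintainer ships disabled (the "some are enabled, some not" observation above), and use `apply_policy()` to reproduce what the GUI does when you switch a SID between disabled, alert and drop.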

9
German - Deutsch / Re: PI-Hole
« on: December 01, 2018, 11:56:59 am »
Have a look at this thread, blocking DNS calls was tested there: BIND DNSBL Problem

10
19.1 Legacy Series / Re: ips/ids suricata
« on: December 01, 2018, 11:50:09 am »
Quote from: GDixon on December 01, 2018, 10:33:03 am
...
I went to download the eicar test and it let me know it was a virus, so that works, but I don't see any blocked in the alerts. I used this site ( http://www.wicar.org/test-malware.html ) and it also blocked the flash and javascript by only opening completely blank pages. I use Firefox and run openSUSE Tumbleweed.

I probably should also mention I'm only using the WAN and not the lan if it makes any difference?
I cannot test the wicar.org site because Microsoft Windows Defender doesn't let me open it :-).
But I know there is no so-called "block page" informing you about the incident, only a blank page with a timeout, so it's probably blocking.

Maybe this gives some more info:
Code:
clog -f /var/log/suricata.log
tail -f /var/log/suricata/stats.log

ATM I don't have the LAN interface enabled in Suricata, only DMZ and WAN.
But I see sometimes things are blocked.
Some of the rulesets with malicious actions I set generally to Drop, not only Alert, for example "ET open/emerging-malware" or "ET open/emerging-trojan".

11
19.1 Legacy Series / Re: ips/ids suricata
« on: December 01, 2018, 11:35:21 am »
Quote from: GDixon on December 01, 2018, 10:22:22 am
I was going through old threads and saw that, went to their site and no mention of continuing problems. I'll turn off the 4 and try your suggestion :)

which ET rules would you recommend?

thank you
Good that the main problem is now solved :-).
I have a "test procedure" to check if a ruleset is working:
I click on the ruleset info symbol and open the URL in the "Ruleset details" field in a browser. Most of the abuse.ch URLs bring an HTTP "Error 503 Connection timed out". But that works only for the abuse.ch rulesets; other rulesets point to informational pages explaining the rulesets.

I have all of the other rulesets enabled.
And be careful enabling "abuse.ch/URLhaus" when they work again, because this ruleset can crash OPNsense (my experience).

12
19.1 Legacy Series / Re: ips/ids suricata
« on: December 01, 2018, 09:18:00 am »
All of the abuse.ch lists have problems at the moment (server problems caused by an OS update). Try the ET Open lists.

13
German - Deutsch / Re: SURICATA - 'Enable syslog alerts' doesn't work for all IPS signatures?
« on: November 20, 2018, 09:09:41 am »
That would be great!

Best regards, toor


14
German - Deutsch / Re: SURICATA - 'Enable syslog alerts' doesn't work for all IPS signatures?
« on: November 17, 2018, 09:39:01 am »
Good morning Franco,
Good morning everyone,

I wanted to report back:

The IPS signature below has just shown up more than 200 times in the web GUI alert log, but not locally in '/var/log/suricata.log'.

Timestamp           2018-11-17T09:30:22.239741+0100
Alert               ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert
Alert sid           2024772
Protocol            TCP
Source IP           149.126.4.32
Destination IP      192.168.30.100
Source port         443
Destination port    38323
Interface           FRITZBOX
Configured action   Enabled / Drop

One more note:

The IPS signature also has no payload (I have enabled this, see my settings below), because in the end it only says that the call is dangerous.
The IPS signature 2021381 ("ET TROJAN Zberp receiving config via image file - SET") mentioned in my previous mail has no payload either.


Here are my IPS settings:

Enabled: X
IPS mode: X
Promiscuous mode: X
Enable syslog alerts: X
Pattern matcher: Hyperscan
Interfaces: WAN , LAN , DMZ , FRITZBOX
Rotate log: Weekly
Save logs: 4


PS: Don't be surprised that the firewall has over 200 of these messages. Many customers are hosted on the provider's server, some of them have apparently put malware into circulation; we are only calling the "good" customer here :-). The provider itself looks reputable to me at first glance.

15
German - Deutsch / Re: SURICATA - 'Enable syslog alerts' doesn't work for all IPS signatures?
« on: November 12, 2018, 02:35:30 pm »
Hello franco,
I applied the patch this morning and will keep an eye on it over the next few days; I'll report back here then.

But this one again was not shown locally in '/var/log/suricata.log':

Alert info
Timestamp           2018-11-12T12:51:41.973979+0100
Alert               ET TROJAN Zberp receiving config via image file - SET
Alert sid           2021381
Protocol            TCP
Source IP           192.168.xx.xxx
Destination IP      217.160.122.62
Source port         6487
Destination port    80
Interface           LAN
Configured action   Enabled / Drop

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved