Topics - csmall

#21
General Discussion / NIC for workstation?
May 08, 2017, 03:34:31 PM
Can anyone recommend a low-profile 4-port Intel NIC that is known to work well with Suricata and can be installed in a workstation/desktop system?
#23
17.1 Legacy Series / POLL: IPS
March 05, 2017, 07:07:21 PM
I would like to find out who is running 17.1.2 with IPS enabled and ET rules.

Is it working?

Do you have ET rules triggered and blocked?

Do you have any other rules enabled? Are they triggered and blocked?

If it is working, what hardware are you running it on? NICs etc...

I ask because it doesn't seem to work for me, and another person I know running completely different hardware (better) with a fresh install of 17.1.2 has the exact same experience. Built-in Suricata rules trigger and custom GeoIP rules trigger, but that's it. None of the downloaded (ET) rules seem to work.

A fresh install of the latest pfSense using Suricata on the same hardware results in ET rules triggering and blocking as expected.

I'm trying to figure out the cause and it would help to know what others are experiencing.

Thanks.
#24
17.1 Legacy Series / 17.1.2 - Still have IDPS issues
February 23, 2017, 12:05:26 AM
I did a fresh install of OPNsense 17.1 last night and then upgraded to 17.1.2 this morning.

It was pretty much default install.

Just now I enabled IDS and IPS, checked off some ET rules that I know were frequently triggered when I was running IPFire with Snort, hit download and install rules, changed them each to drop action, and hit download and apply rules again.

Under alerts, all I see is weird Suricata alerts with allowed action:

SURICATA STREAM excessive retransmissions

and a bunch of:

SURICATA Applayer Detect protocol only one direction

but no ET or drop alerts.

I don't understand, am I doing something wrong? I had high hopes for the new Realtek drivers with Suricata.
#25
17.1 Legacy Series / Wireless AC?
February 19, 2017, 05:27:15 PM
Does 17.1 support wireless AC/cards?
#26
17.1 Legacy Series / [SOLVED] Realtek & FreeBSD 11
February 19, 2017, 02:34:42 PM
Is anyone using Realtek NICs with 17.1 (FreeBSD 11)?

I'm wondering if the driver support is any better. I had to move away from OPNsense because IDPS didn't work with these NICs.
#28
16.7 Legacy Series / IDPS Issues
January 14, 2017, 06:20:54 AM
I recently did a fresh installation of the 17.1 beta.

I had a bunch of trouble trying to get ET rulesets to work.

See this thread: https://forum.opnsense.org/index.php?topic=4249.0

So I gave up and installed 16.7.13 instead thinking maybe it was a beta issue.

I seem to be having the same sorts of troubles getting ET rules working in 16.7.13.

I tried turning on IDS and IPS with some ET rules enabled but I never see any alerts triggered.

I tried switching the rule to drop traffic instead of alert and that didn't work either. It never changed the rules to drop action.

At that point I logged into a shell, found the Suricata rules files and moved them to a dir in /tmp. Then I tried to redownload the rules, but it didn't work. Finally I found a Suricata rules updater script in /tmp and moved that somewhere else as well. After that I was able to run the ruleset downloads again.

This time I only enabled the rulesets from this example:

https://docs.opnsense.org/manual/how-tos/ips-feodo.html

The rules downloaded and when I changed the action to drop all the rules changed to drop like I would expect.

I have yet to see any of these rules trigger alerts/drops, but they may be working and just haven't been triggered.

I hesitate to enable any of the ET rulesets again because frankly they just seem to be broken or so sensitive that they aren't worth working with. Am I missing something?

The user-defined rules that I have created to drop GeoIP (countries) are working great. They show in the alerts log as expected.

Any help getting ET rules working would be much appreciated because I am stumped at this point.
#29
17.1 Legacy Series / IDPS
January 13, 2017, 03:56:16 AM
I installed the beta tonight and everything seems to be great.

I'm a little confused by the IDPS though.

I enabled IDS and IPS, checked off some ET rule sets and clicked on enable, downloaded and updated rules, then clicked apply.

All I see in the alerts is stuff like this:

"SURICATA STREAM excessive retransmissions"
"SURICATA TLS invalid record/traffic"
"SURICATA TCPv4 invalid checksum"
"SURICATA STREAM Packet with invalid ack"
"SURICATA STREAM ESTABLISHED invalid ack"

None of these appear to be related to the rule sets I enabled.

I then switched all of the rulesets on the main IDS page to input filter drop, clicked on download and update rules, and applied again. I still see nothing but hundreds of the above alerts and none from the ET rulesets.

Am I doing something wrong or is this broken?

Thank you.
#30
17.1 Legacy Series / Upgrading from beta to stable
January 12, 2017, 11:25:26 PM
If I install the beta, will I be able to upgrade to stable when it is released or would a fresh install be required?
#31
16.1 Legacy Series / Vpnuser Graph
April 07, 2016, 12:19:18 PM
Can someone explain what the numbers in this graph mean? With 1 VPN user connected, the graph shows 380m and 640m.

What does this mean?