Messages

106

16.7 Legacy Series / Re: IDPS Issues

« on: January 15, 2017, 07:31:35 pm »

That is too bad. I'd love to continue using opnsense but I'll have to wait until I can replace the hardware with Intel NICs.

 

Thanks. Great job on opnsense by the way. Really solid product.

107

16.7 Legacy Series / Re: insight : no data availabe

« on: January 15, 2017, 04:26:57 pm »

I experienced this on 16.7.13 as well.

108

16.7 Legacy Series / Re: IDPS Issues

« on: January 14, 2017, 11:22:59 pm »

I'm wondering if this is an issue with BSD and Realtek NIC drivers.

The same NIC's seem to work fine with IDS on a Linux based firewall.

109

16.7 Legacy Series / IDPS Issues

« on: January 14, 2017, 06:20:54 am »

I recently did a fresh installation of the 17.1 beta.

I had a bunch of trouble trying to get ET rulesets to work.

See this thread: https://forum.opnsense.org/index.php?topic=4249.0

So I gave up and installed 16.7.13 instead thinking maybe it was a beta issue.

I seem to be having the same sorts of troubles getting ET rules working in 16.7.13.

I tried turning on IDS and IPS with some ET rules enabled but I never see any alerts triggered.

I tried switching the rule to drop traffic instead of alert and that didn't work either. It never changed the rules to drop action.

At that point i logged into a shell found the suricata rules files and moved them to a dir in /tmp. Then I tried to redownload the rules but it didn't work. Finally I found a suricata rules updater script in /tmp and moved that somewhere else as well. After that I was able to run the ruleset downloads again.

This time I only enabled the rulesets from this example:

https://docs.opnsense.org/manual/how-tos/ips-feodo.html

The rules downloaded and when I changed the action to drop all the rules changed to drop like I would expect.

I have yet to see any of these rules to trigger alerts/drops but they may be working and just haven't been triggered.

I hesitate to enable any of the ET rulesets again because frankly they just seem to be broken or so sensitive that they aren't worth working with. Am I missing something?

The user defined rules that I have created to drop GeoIP (countries) is working great. They show in the alerts log as expected.

Any help getting ET rules working would be much appreciated because I am stumped at this point.

110

17.1 Legacy Series / Re: IDPS

« on: January 14, 2017, 05:04:30 am »

I got rid of 17.1 beta and installed 16.7 production.

Same results. Fresh install and very basic configuration.

I enabled IDS (not IPS yet), applied, enabled some ET rules, downloaded and updated rulesets...

Again, I get alerts like this:

"SURICATA STREAM excessive retransmissions"

But none from the downloaded ET rules. I don't understand why it isn't working.

Any help would be appreciated.

111

17.1 Legacy Series / Re: IDPS

« on: January 13, 2017, 04:39:23 am »

I am seeing alerts again... however they are back to the same alerts I mentioned in the original post and nothing from the ET rules I enabled.

I don't get it.

I recently switched to OPNSense from another firewall that was using ET rules and I would see alerts like every 5 to 10 minutes for the same rules.

112

17.1 Legacy Series / Re: IDPS

« on: January 13, 2017, 04:31:29 am »

So I cleared the logs and tried to turn IDS/IPS off and then back on again.

Now I get no alerts. I tried turning just IPS off too and no luck. I get no alerts now.

113

17.1 Legacy Series / IDPS

« on: January 13, 2017, 03:56:16 am »

I installed the beta tonight and everything seems to be great.

I'm a little confused by the IDPS though.

I enabled IDS and IPS, checked off some ET rule sets and clicked on enable, downloaded and updated rules, then clicked apply.

All I see in the alerts is stuff like this:

"SURICATA STREAM excessive retransmissions"
"SURICATA TLS invalid record/traffic"
"SURICATA TCPv4 invalid checksum"
"SURICATA STREAM Packet with invalid ack"
"SURICATA STREAM ESTABLISHED invalid ack"

None of these appear to be related to the rule sets I enabled.

I then switched all of the rulesets on the main IDS page to input filter drop, clicked on download and update rules and apply again. I still see nothing but hundreds of the above alerts and none from the ET rulesets.

Am I doing something wrong or is this broken?

Thank you.

114

17.1 Legacy Series / Upgrading from beta to stable

« on: January 12, 2017, 11:25:26 pm »

If I install the beta, will I be able to upgrade to stable when it is released or would a fresh install be required?

115

Tutorials and FAQs / Re: Xbox One - Open NAT Tutorial

« on: August 18, 2016, 01:31:48 am »

Thanks, very cool! I was thinking maybe we should make an "How-to" forum and move this over there?


Cheers,
Franco

Franco,

I'd like to see how-to forum as well. Moderation will be important. We don't want it to get filled with junk or irrelevant information.

116

16.7 Legacy Series / Re: not getting IP via DHCP on WAN

« on: August 17, 2016, 03:13:36 am »

My ISP will only issue an IP to one mac address. In order to change routers/interfaces I need to make sure I release my IP first. If I don't, I won't get an address.

That being said, is it possible that your interfaces are swapped when using OPNsense? Your LAN and WAN interfaces could be reversed and your ISP won't issue the IP to the wrong interface.

Just an idea. Good luck.

117

16.1 Legacy Series / Re: Vpnuser Graph

« on: April 08, 2016, 12:20:36 pm »

http://imgur.com/1ROA5f4

118

16.1 Legacy Series / Vpnuser Graph

« on: April 07, 2016, 12:19:18 pm »

Can someone explain what the numbers in this graph mean? With 1 VPN user connected the graph shows 380m and 640m.

What does this mean?