OPNsense

Messages - dcol

541
Intrusion Detection and Prevention / Re: Using Rulesets in Suricata IPS
« on: January 21, 2018, 07:30:48 pm »
I have rewritten my original post and eliminated any personal ruleset recommendations based on the responses. I thought this would have helped beginners, not flare up security professionals.
All the info I supplied now is well documented from Suricata sources.

542
Intrusion Detection and Prevention / Re: Recommended Rules in Suricata IPS
« on: January 21, 2018, 01:06:39 am »
It really comes down to your needs. For me I don't need to block messaging or social media. My firewalls are usually just protecting email and web servers, not users.

I am happy with country blocking and my golden rules posted above.

But my real point is, unless you have a powerhouse computer with gobs of memory, your firewall will come crashing down if you apply too many rules to IPS. That's why I posted a selection of must-have rules to keep it simple for users who want to get started using IPS. You may not agree with them but it's a good start.


543
Intrusion Detection and Prevention / Re: Recommended Rules in Suricata IPS
« on: January 19, 2018, 09:48:51 pm »
I would be glad to see your recommendations. I am just trying to get a much needed conversation started.
My recommendations are a starting point for someone using OPNsense. Not meant for security professionals.
And most definitely not a complete solution or end-all. But I think you missed my point. IPS is just a front end to weed out stragglers. The firewall can do the dirty work. If you bog down IPS it will greatly impede performance and possibly bring down OPNsense. IPS should not substitute or replace a firewall with solid rules. At least OPNsense has IPS. Most other solutions out there only have IDS or broken IPS because they are keeping Snort compatibility.

One other point I am trying to make is that one needs to be cautious on choosing rules to use. If one were to just install all the rules, then one may have issues like the ones I have seen posted.

544
17.7 Legacy Series / Re: New console items
« on: January 19, 2018, 06:18:32 pm »
I wasn't implying it was netmap activity, I was suggesting that this would be a nice feature, if at all even possible, to have the console show netmap drops.

I also suspect a kernel panic that corrupts files. Just haven't been able to pin it down.

All is working nicely now. Also, I had issues mainly because of too many rulesets enabled. See my recent post in IPS.

545
Intrusion Detection and Prevention / Using Rulesets in Suricata IPS
« on: January 19, 2018, 06:00:49 pm »
I would like to start a new topic based on how to get the most from IPS rulesets.

Let me explain why we care about ruleset selections when using IPS.
IPS uses netmap, which is a method of capturing packets using circular queues of buffers (netmap rings) implemented in shared memory. In short, netmap can inspect packets before they are delivered to the OS. This 'inspection' is where rulesets are used. The list of rulesets is created from the rulesets you picked and is formulated by a pattern matching algorithm (i.e., Hyperscan) into a signature engine. Suricata loads signatures with which the network traffic will be compared, using netmap to control packets before they are delivered to the firewall. The size and efficiency of this 'engine' determines how much processing Suricata needs to do. By design, as soon as a signature is 'matched' the inspection ends. So imagine all the good packets have to go through the entire engine before they are released. Suricata loads signatures from this engine, using netmap to control packets before they are delivered to the firewall.

We want netmap to do as little as possible because of the resources required to do this work. The firewall can do the grunt work. But keep in mind that quality is better than quantity when it comes to rules.

Choosing IPS rulesets is based on your needs. An email server behind OPNsense does not require the same rulesets as desktop internet users behind OPNsense. Choose wisely as the efficiency will depend on it. Do not use rulesets that do not apply to your usage. I refrain from listing any recommended rulesets since this opens up too much controversy.

Here are links to ruleset explanations. You decide which ones you should enable.
ET Rules: http://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf
Snort Rules: https://www.snort.org/rules_explanation

Also take this info into consideration as recommended by Suricata, not me.

These rulesets are useful but are often high-load rules. Look here for performance tuning:
- emerging-web_client.rules
- emerging-netbios.rules

Rules you'll want to look through and consider based on needs
- emerging-policy.rules # this ruleset can create a lot of false positives
- emerging-games.rules
- emerging-p2p.rules
- emerging-chat.rules

Informational rulesets, not recommended for high speed nets
- emerging-icmp_info.rules
- emerging-info.rules
- emerging-shellcode.rules # very noisy
- emerging-inappropriate.rules
- emerging-web_specific_apps.rules
- emerging-activex.rules

Once you have all your rules enabled, you need to edit each ruleset and select 'Change all alerts to drop action'. It is also recommended to monitor the IPS alerts for a while, especially during peak usage times, to see if any legitimate traffic is being blocked. Also check the Suricata log to ensure that there are no signature errors. Disable any rules that show an error. Snort rulesets are primarily designed for Snort and will produce some errors with Suricata.

###################################################
USEFUL SHELL COMMANDS
kill -USR2 <PID> # Silently reload the Suricata rules. Get the Suricata <PID> from System>Activity
###################################################

If you want to add your own custom ruleset to OPNsense then follow this tutorial
https://forum.opnsense.org/index.php?topic=7209.msg32271#msg32271

546
17.7 Legacy Series / Re: New console items
« on: January 19, 2018, 03:50:57 pm »
I cannot reproduce because it just happens all on its own. I haven't seen it come back.
What I did see was that if I PuTTY into the console, the filterlog did not show up there. As I watched the VGA console produce the filterlog, they did not appear on the PuTTY console.
I also saw other system events pop up too.

You know, I really don't mind if this was showing netmap activity. In fact I think that would be a nice feature. But you need the ability to turn it on or off.

The only thing that really bothers me is that there are situations that happen that cannot be corrected any other way than a fresh reinstall of OPNsense. Making a lot of rule changes and repeated changes in IPS settings can cause this. OPNsense just starts locking up and restarting services. Seen this at least 4 or 5 times. I find it is best to get all your settings in place, then do a backup, then reinstall OPNsense, then restore the configuration and leave it alone. Very touchy.

547
17.7 Legacy Series / Re: New console items
« on: January 19, 2018, 12:42:17 am »
OK this is weird. After maybe the 5th reboot, these console messages stopped happening. And I made no changes.
I am not feeling too confident in this installation. Had to reinstall because Unbound was constantly restarting. Seen this before when lots of changes are made to the IPS rules.
Any suggestions?

548
17.7 Legacy Series / New console items
« on: January 19, 2018, 12:04:49 am »
This is something new. Or at least new to me.
Just reinstalled OPNsense from scratch. Running mostly default settings.
Now I see lots of log entries in the console.
What am I seeing here? How do I turn it off?
Is this something new with 17.7.12?

549
Intrusion Detection and Prevention / Re: Windows Updates
« on: January 17, 2018, 10:27:49 pm »
I just found something that may be helpful. I tried to do an update on a Windows 2016 server and it just hung. No alerts and no indication on why. Then I remembered something from long ago. That computer had the Windows Firewall service disabled. As soon as I enabled it, the updates started. I do have the Firewall State off for Private and Public networks in the Firewall setting page. So, even though the firewall is set to off, you still have to have the service running to get Windows Updates.

Try that.

550
Intrusion Detection and Prevention / Re: Windows Updates
« on: January 17, 2018, 06:45:31 pm »
By the way, I found 3 rules that affect Windows updates
Here are the SIDs:
1:2221000 # SURICATA HTTP unknown error
1:2221021 # SURICATA HTTP response header invalid
1:2221028 # SURICATA HTTP Host header invalid
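Added example (not from dcol's posts, and not OPNsense or Suricata project code): a Python script that does by hand what two posts above describe doing in the GUI. From 'Using Rulesets in Suricata IPS': convert every enabled alert rule to drop, then read the Suricata log and disable any rule that failed to load. From the Windows Updates reply just above: disable a list of SIDs (the three given there) that block legitimate traffic. It ends with the same live reload as the `kill -USR2 <PID>` command in the ruleset post. The Suricata 4.x log and rule formats, the `/var/run/suricata.pid` path and the rules file path are assumptions, and the sample ruleset and log excerpt are constructed for the example; check all of them against your own install before using it.

```python
"""Added example: not code from the forum posts, OPNsense or Suricata.

Assumptions (not stated in the posts): Suricata 4.x log and rule syntax as
shown below, /var/run/suricata.pid as the PID file.  Samples are constructed.
"""
import os
import re
import signal
from pathlib import Path

# Constructed sample rules file; line numbers matter for the log excerpt below.
SAMPLE_RULES = """\
# constructed sample ruleset, not a real Emerging Threats or Snort file
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SURICATA HTTP unknown error"; sid:2221000; rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP response header invalid"; sid:2221021; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS sample"; sid:2000001; rev:2;)
alert tcp any any -> any any (msg:"broken rule"; badkeyword; sid:2000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"already drop"; sid:2000003; rev:1;)
"""

# Constructed suricata.log excerpt: the rule on line 5 above failed to parse.
SAMPLE_LOG = """\
19/1/2018 -- 17:55:02 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
19/1/2018 -- 17:55:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"broken rule"; badkeyword; sid:2000002; rev:1;)" from file /usr/local/etc/suricata/rules/sample.rules at line 5
"""

# The three SIDs the Windows Updates reply above reports as interfering.
WINDOWS_UPDATE_SIDS = frozenset({2221000, 2221021, 2221028})

# Suricata 4.x reports a rule it refused to load as
# "... <Error> ... error parsing signature "..." from file <path> at line <n>"
_LOG_ERROR = re.compile(r"<Error>.*?from file (?P<file>\S+) at line (?P<line>\d+)")
# The sid lives inside the rule's option block.
_SID = re.compile(r"\bsid\s*:\s*(?P<sid>\d+)\s*;")


def parse_signature_errors(log_text):
    """Return {rules_file: {line_no, ...}} for every rule Suricata failed to load."""
    bad = {}
    for line in log_text.splitlines():
        m = _LOG_ERROR.search(line)
        if m:
            bad.setdefault(m.group("file"), set()).add(int(m.group("line")))
    return bad


def harden_rules(rules_text, bad_lines=frozenset(), disable_sids=frozenset()):
    """Rewrite one rules file: comment out rules that failed to load (by line
    number) and rules whose sid is on the disable list, then turn every remaining
    'alert' into 'drop' (the GUI's "Change all alerts to drop action").
    Returns (new_text, stats)."""
    out = []
    stats = {"drop": 0, "disabled_error": 0, "disabled_sid": 0, "kept": 0}
    for no, line in enumerate(rules_text.splitlines(), start=1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            out.append(line)  # blank lines and already-disabled rules pass through
            continue
        m = _SID.search(rule)
        sid = int(m.group("sid")) if m else None
        if no in bad_lines:
            out.append("# disabled (failed to load): " + rule)
            stats["disabled_error"] += 1
        elif sid in disable_sids:
            out.append("# disabled (blocks legitimate traffic): " + rule)
            stats["disabled_sid"] += 1
        elif rule.startswith("alert "):
            out.append("drop" + rule[len("alert"):])
            stats["drop"] += 1
        else:
            out.append(rule)  # pass/drop/reject rules are left as they are
            stats["kept"] += 1
    return "\n".join(out) + "\n", stats


def process(rules_text, rules_file, log_text, disable_sids=frozenset()):
    """Whole chain for one rules file: look up its failed lines in the log, then harden."""
    bad = parse_signature_errors(log_text).get(rules_file, set())
    return harden_rules(rules_text, bad_lines=bad, disable_sids=disable_sids)


def reload_rules(pidfile="/var/run/suricata.pid"):
    """Same as 'kill -USR2 <PID>' in the post: live rule reload, no restart.
    The pidfile path is an assumption; adjust it for your install."""
    pid = int(Path(pidfile).read_text().split()[0])
    os.kill(pid, signal.SIGUSR2)
    return pid


if __name__ == "__main__":
    path = "/usr/local/etc/suricata/rules/sample.rules"  # assumed location
    new_text, stats = process(SAMPLE_RULES, path, SAMPLE_LOG, WINDOWS_UPDATE_SIDS)
    print(stats)
    print(new_text)
    # To apply for real: Path(path).write_text(new_text); reload_rules()
```

Run it as-is for a dry run over the constructed samples; the stats dictionary tells you how many rules were flipped to drop, how many were disabled because the log showed a load error, and how many were disabled by SID. OPNsense generates the on-disk rule files from its own settings, so a file edited this way is likely to be overwritten on the next rule update; the safer use is to take the disabled SIDs and line numbers the script reports and make the same changes in the GUI, then reload.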

551
General Discussion / Re: help with getting rules to block not just Alert
« on: January 17, 2018, 06:07:50 pm »
Changing all the rules to drop works but it takes a few minutes to propagate. Doesn't seem to have anything to do with restarting the Suricata service, although you have to restart the service to apply the rules.

552
Intrusion Detection and Prevention / Re: Windows Updates
« on: January 17, 2018, 03:59:52 pm »
For the items that are still being blocked, you still have some drop rules that need to be disabled.
My suggestion was to just stop IPS while leaving IDS enabled then setup a test where you can cause the block then look at the alerts to see which drop rules are being invoked.

My assumption is that you are not seeing the drops in the logs because IPS is on and the packets are dropped before they are logged. I have seen this happen where something is blocked by IPS and there are no drop log entries.

553
Intrusion Detection and Prevention / Re: Windows Updates
« on: January 17, 2018, 12:23:59 am »
If you leave IDS on and just disable IPS, then you may see the drops in the logs that are causing the issues. Then you can disable those.

Having all your rules set to drop will cause lock ups now and then. I think that is why OPNsense sets all rules to alert by default.

What would be nice is to find a list of 'Must Have' drop rules. Would make a great sticky topic.

554
Intrusion Detection and Prevention / Re: IPS+ IDS performance
« on: January 16, 2018, 11:38:43 pm »
So far I only touched on tunables in the guide, but I updated to include other IPS settings. Thanks

555
Intrusion Detection and Prevention / Re: Windows Updates
« on: January 16, 2018, 11:17:58 pm »
Funny you should see any issues since all the rules are set to alert by default.
Did you change any rules to drop?

Also, try turning off IPS and then try the updates and look at the alerts it generates.
I may be incorrect, but I think that when using IPS, drops are not logged. They are dropped.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved