OPNsense Forum
Messages - elektroinside

Pages: 1 ... 29 30 [31] 32 33 ... 39
451
17.1 Legacy Series / Re: OPNsense vs. pfSense article - any thoughts on that?
« on: January 22, 2018, 08:01:13 am »
Agreed. And that's good for OPNsense. They have signed with QNAP in the past few days. Although the idea seems, at first, nice, I would not trust my network's security to a VM inside a NAS (if I remember correctly, it will run inside a VM). Not to mention performance. Imagine the bottlenecks in a busy network. But... it might work for small businesses. Anyway, too many points of failure with this design. The proper way to do it will always be 2 dedicated physical machines with high availability enabled.

452
Intrusion Detection and Prevention / Re: Windows Updates
« on: January 22, 2018, 07:45:08 am »
Figured it had something to do with alerting (the fact that I can't see what is blocked and what is not, from previous experiences with Suricata). Also, without this change in the config file, you couldn't see it anyway, even if you had the rule, as it was not logged (dropped silently).

Anyway, it's all good now :-) Thank you both!

453
Intrusion Detection and Prevention / Re: Using Rulesets in Suricata IPS
« on: January 21, 2018, 08:45:29 pm »
If it means anything, I think you did the right thing. A properly written piece of documentation (which we can extend, if you want to).

Thank you for taking my advice into consideration.

454
General Discussion / Re: OpenVPN not connecting from WAN
« on: January 21, 2018, 07:55:12 am »
This is no longer the original issue (tls handshake failure), right?
That new error might suggest that something is killing your client somehow.

Are both LAN IP pools 192.168.0.0/24?

455
Intrusion Detection and Prevention / Re: Recommended Rules in Suricata IPS
« on: January 21, 2018, 07:22:03 am »
@mimugmail:
Awesome work!

But this isn't working for me, I get this for each of the 3 new rulesets:

Code:
21/1/2018 -- 08:18:37 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - Unknown Classtype: "social-media".  Invalidating the Signature
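The error quoted above is Suricata refusing a rule whose `classtype` is not declared in classification.config; the signature is invalidated, so the rule silently never loads. The following is an added example (not code from the forum post, from OPNsense or from Suricata) that reproduces that check offline: it reads the classtypes declared in a classification.config excerpt, scans a rules file for active rules using a classtype that is not declared, and prints the config lines that would make them valid. The rule text, sids and config excerpt are constructed samples.

```python
"""Check Suricata rules for classtypes missing from classification.config.

Added example, not part of the forum post or of OPNsense/Suricata. It
reproduces the check behind the error 'Unknown Classtype: "social-media".
Invalidating the Signature': Suricata only accepts a classtype that
classification.config declares, and a rule using an undeclared one is
dropped from the loaded set. The rule and config text below are
constructed samples, not files from a real system.
"""
import re

# Constructed excerpt in the format of Suricata's classification.config:
#   config classification: <shortname>,<description>,<priority>
SAMPLE_CLASSIFICATION_CONFIG = """\
# comment lines and blanks are ignored
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: trojan-activity,A Network Trojan was detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
"""

# Constructed rules in Suricata syntax; the sids are made up for the example.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE social media login"; flow:established,to_server; classtype:social-media; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE trojan beacon"; flow:established,to_server; classtype:trojan-activity; sid:9000002; rev:1;)
# commented-out rules are skipped
#alert tcp any any -> any any (msg:"EXAMPLE disabled"; classtype:bogus; sid:9000003; rev:1;)
alert dns $HOME_NET any -> any any (msg:"EXAMPLE no classtype at all"; sid:9000004; rev:1;)
"""

_CLASS_LINE = re.compile(r"^\s*config\s+classification:\s*([^,]+),")
_CLASSTYPE_OPT = re.compile(r"classtype\s*:\s*([^;]+);")
_SID_OPT = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def load_classtypes(config_text):
    """Return the set of classtype short names declared in classification.config text."""
    names = set()
    for line in config_text.splitlines():
        m = _CLASS_LINE.match(line)
        if m:
            names.add(m.group(1).strip())
    return names


def find_unknown_classtypes(rules_text, known):
    """Return [(sid, classtype)] for active rules whose classtype is not in `known`.

    Commented-out rules are ignored. Rules with no classtype option load
    fine in Suricata (they get the default priority) and are not reported.
    """
    unknown = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ct = _CLASSTYPE_OPT.search(line)
        if not ct:
            continue
        classtype = ct.group(1).strip()
        if classtype not in known:
            sid = _SID_OPT.search(line)
            unknown.append((int(sid.group(1)) if sid else None, classtype))
    return unknown


def missing_config_lines(rules_text, config_text, priority=3):
    """Produce the classification.config lines that would make the unknown classtypes valid."""
    known = load_classtypes(config_text)
    missing = sorted({ct for _, ct in find_unknown_classtypes(rules_text, known)})
    return ["config classification: %s,%s,%d" % (ct, ct.replace("-", " ").title(), priority)
            for ct in missing]


if __name__ == "__main__":
    known = load_classtypes(SAMPLE_CLASSIFICATION_CONFIG)
    for sid, ct in find_unknown_classtypes(SAMPLE_RULES, known):
        print("sid %s uses unknown classtype %r; Suricata would invalidate it" % (sid, ct))
    for line in missing_config_lines(SAMPLE_RULES, SAMPLE_CLASSIFICATION_CONFIG):
        print("add to classification.config:", line)
```

Run it against the real rules directory and classification.config of a Suricata install to see, before a restart, which signatures a newly added ruleset will lose; the description and priority in the generated config lines are placeholders to be adjusted by hand.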

456
Intrusion Detection and Prevention / Re: Recommended Rules in Suricata IPS
« on: January 21, 2018, 07:06:53 am »
[comment not valid anymore]

My memory consumption is (and it is not that relevant as I have many services activated):

Mem: 164M Active, 375M Inact, 594M Wired, 48M Buf, 6517M Free
70294 root             8  20    0  1720M   293M nanslp  3   4:19   1.22% suricata

LAN clients online right now: 14 (among them 2 servers)
Why is this so bad?

I don't agree with the idea of cherry-picking rules under the pretty strong title of "recommended". I don't see a "by who", I don't see references, studies, nothing. I do agree, however, with explaining to users the possibility of high CPU/Mem usage if this and that. And I also agree with building a list of rules which might compromise/break critical/common services/operations, without recommending to disable them. Let the user choose. Your post, as it is, is dangerous, especially to newbies.

Personally, I strongly advise users to consider the following:
1. IDS/IPS requires a small learning curve (including hardware requirements)
2. The best and fastest way to learn is to embrace the problems which might arise (connectivity mostly), all of them, one by one, and try to find the cause and then fix them (by disabling rules they don't need)
3. I do not recommend disabling entire rulesets, but rather individual rules, the ones that negatively impact your environment (because there will be, it depends on your infrastructure how many)
4. Once your IPS rules are settled, managing IPS will be easy and on a less frequent basis.

In this way, you will no longer be responsible (morally at least) for weakening the security of your readers.

457
Intrusion Detection and Prevention / Re: Windows Updates
« on: January 20, 2018, 09:29:46 pm »
I don't know.. yet :)
Hopefully, it's enough, I'll let you know in a few days, probably enough time to generate lots of packets :)

I am seeing some dropped packets right now, don't remember seeing them before, so it might work :)

Thank you Franco!


458
Development and Code Review / Re: PowerShell Module for OPNsense api
« on: January 20, 2018, 12:37:00 pm »
I missed this post but glad I discovered it.
I will definitely take a look.

Thank you for your hard work!

459
Development and Code Review / Re: dark theme first look
« on: January 20, 2018, 11:48:29 am »
I'm already using it  ;D

Thank you for your work!

460
Intrusion Detection and Prevention / Re: Windows Updates
« on: January 20, 2018, 11:00:05 am »
As it turns out, not all dropped packets are logged.
I have modified suricata.yaml to log all of them.

Setting these sids to 'Alert' fixed my Windows Updates issues:

2023818
2020573

@Franco: may I suggest revising this part of the Suricata config? It will avoid a lot of confusion...

461
General Discussion / Re: OpenVPN not connecting from WAN
« on: January 20, 2018, 12:56:02 am »
He's probably in a double-NATed environment, but I don't think the connection is the issue here. It looks like the VPN clients connect to the second router's WAN from the first router's private IP pool, which is fine. His TLS handshake fails, so he managed to connect to the VPN server.

@vividou: did you verify/try the stuff from reply #6?

If it's still failing (modify then revert each one, one by one, then both):
1. if you put the server into Remote Access (User auth) mode - is it working?
2. if you export the client not to verify the server cn - is it working?

462
Intrusion Detection and Prevention / Re: Recommended Rules in Suricata IPS
« on: January 19, 2018, 11:40:37 pm »
[comment not valid anymore]

As I said, I prefer not to debate, nor discuss reasons, because of one simple thing: you can't. The term 'security' is relative (in this context), and because of this, I can only recommend anybody to use a product to its full extent.

The solution will never be to disable half of the functionality because it's not working properly. If it isn't, find the fault and try to fix it somehow, or in the worst case, try to work around the issue. You see, I wrote issue, not issues (plural), it was intentional. Take it step by step, I did not cut the entire product in half. If you have to cut the product in half for it to work, quit, find another job, or you can always simply choose to just fix the damn issue. This is how things work in the software business (from a technical pov at least).

It's not the security specialist's fault, who has spent many hours to discover the vulnerability, get to build an accurately functioning PoC and in the end write the rule, that my windows updates service is not working properly. It's mine, because either I cannot use it properly, or it simply isn't compatible with WU and I did not choose which one to keep. It's my choice whether or not to disable the rule or continue using it as it is. I will never recommend disabling random rulesets (because they are random) to anybody.

If OPNsense is falling apart by the use of something they choose to integrate, they should fix OPNsense, not dismiss half of the other product. If they can't, they should not integrate it. You just can't have it both ways. It's either working or it's not. If limits need to be applied, that's a different story and a long development road to decide how many things and what to limit. But there aren't any limits. Just to be clear, I fiddled a lot with IDS in the OPNsense implementation lately and OPNsense never failed on me. Suricata might have, but never OPNsense.

The firewall is one thing, the IDS is another. They are two entirely different products. They both do the same thing, drop stuff, but on entirely different levels. It's just like comparing an airplane with a bicycle. Both carry passengers, but in completely different ways. In other words, you can't replace a bicycle with an airplane. I definitely did not say that. The firewall can't do the things an IDS does, it's not the same logic behind the two. So although I understand what you wanted to say, I can't comprehend the logic behind it, as you can't technically compare the two.

I'm not here to compete, demonstrate anything, play mind or word games, measure proudness levels and I'm yet to surprise my mother-in-law. I've grown out of such things.


463
Intrusion Detection and Prevention / Re: Recommended Rules in Suricata IPS
« on: January 19, 2018, 09:17:29 pm »
[comment not valid anymore]

Respectfully, I think this list is/was constructed with anything but security in mind. I cannot see the signature of a security analyst here just by looking at the CVEs many of the "not recommended / should stay away from" rules cover.

While I care for performance and throughput quite a lot, over the 10+ years working with security products (as in actively involved in the development of such products), where vulnerabilities, exploits, viruses and all sorts and forms of malicious activities were involved, including clients (people - humans - many mistakes) that our products protected (which naturally meant research about what is worth developing - selling points but also quality features), I can conclude:

1. There cannot be a list of vulnerabilities one can just ignore
2. There are (and will be) measures to prevent attacks that will interact with legitimate data and overall performance, one may need to manually supervise
3. There is no such thing as a security guru to deploy good security; there is, however, a level of security one may be aware of (or not), proved to be sufficient (until it's not)
4. Back to the list: many rules here are old, will protect against old vulnerabilities most of you probably already patched, but there is absolutely nobody in this world (well, almost) who will tell you to ignore them without any serious research on the matter, in your (you, the end-user) particular case, for your particular environment, without an assessment; it's just not healthy

Again, the point of my comment is to raise your awareness about security best practices, which is, among others, to analyze the information you get from here and there. I do not wish to get into a debate with the author (or anybody) nor to disrespect his work, as I'm sure this list needed some googling. At the end of the day, it's not my digital environment that these rules (or the absence of them) will secure (or not).

But.. please don't play with your security. You will never know when and how it will let you down.

I do apologize to dcol if I or my comment wronged him in any way.

Cheers!

464
Tutorials and FAQs / Re: Fast and easy way to protect your home and/or small office network with OPNsense
« on: January 19, 2018, 03:35:58 pm »
New update: added some more debugging steps.

465
General Discussion / Re: How to open specific ports?
« on: January 19, 2018, 03:01:10 pm »
Quote from: Dzioobasek on January 19, 2018, 01:52:34 pm
nope, i have unchecked those and then everything is blocked.

It should be exactly like in this snapshot: https://docs.opnsense.org/_images/disable_offloading.png

After you have verified that it is, reboot your OPNsense box.

1)
Then, go back to Services: Intrusion Detection and disable IPS mode.
Please confirm things are fully working, browse some websites, and also check that you have alerts and all are reported as 'Allowed'.

2)
Then, go back to Services: Intrusion Detection and enable IPS mode.
Then, go to 'Download', take each ruleset one by one, and set to 'Alert'.
Then, go to 'Rules' and hit 'Apply'.
Please confirm things are fully working, browse some websites, and also check that you have alerts and all are reported as 'Allowed'.

3)
Then, go to 'Download', take each ruleset one by one, and set to 'DROP'.
Then, go to 'Rules' and hit 'Apply'.
Please confirm things are working, do some wicar tests (please try at least the eicar test file), browse some websites, and also check that you have alerts, some are reported as 'Allowed' and some as 'Blocked'

4)
Go to 'Alerts', select a 'blocked' packet (do this with the eicar test file), edit it and set it to 'Alert'.
Go back to 'Rules' and hit 'Apply'.
Try to download the eicar file again, it should work this time. If it does, set it back to 'Drop' and hit 'Apply' again from the 'Rules' tab.

5)
Verify the joomla login page.
Check the 'Alerts', see if anything is blocked. If it is, set it to 'Alert', go back to 'Rules' and hit 'Apply'.
Verify the joomla login page again.
Check the 'Alerts', see if anything is blocked. If it is, set it to 'Alert', go back to 'Rules' and hit 'Apply'.
Repeat these steps until the joomla login page is fully working.

Please report your findings for each step.
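Steps 3 to 5 above are a loop: switch rulesets to Drop, see what comes up as Blocked in the Alerts tab, flip the offending sids to Alert, retest. The earlier post in this listing about Windows Updates (sids set to Alert after the suricata.yaml drop logging was changed) is the same loop done by hand. The following is an added example, not code from the forum posts, from OPNsense or from Suricata, that does the triage half of that loop offline from Suricata's EVE JSON log: it counts blocked versus allowed hits per sid and lists the sids that blocked traffic toward a given host (for instance the server hosting the Joomla login page), so you know exactly which rules to review before flipping them to Alert. It assumes the alert records actually reach the EVE log (the earlier post notes that not every drop is logged by default). The log lines, addresses, sids and signature names are constructed samples.

```python
"""Triage Suricata EVE alerts for the Alert/Drop tuning loop described above.

Added example; not part of the forum posts, of OPNsense or of Suricata.
Suricata's EVE alert records carry the sid in alert.signature_id and whether
the packet was "allowed" or "blocked" in alert.action, which is all the
tuning loop needs. SAMPLE_EVE_LOG is constructed (documentation addresses,
made-up sids and signature names), one JSON object per line as Suricata
writes them.
"""
import json

SAMPLE_EVE_LOG = """\
{"timestamp":"2018-01-19T15:01:10.000000+0100","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"blocked","signature_id":9100001,"rev":2,"signature":"EXAMPLE EICAR test file download","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-01-19T15:02:30.000000+0100","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":9100002,"rev":1,"signature":"EXAMPLE generic web login POST","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2018-01-19T15:02:31.000000+0100","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":9100002,"rev":1,"signature":"EXAMPLE generic web login POST","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2018-01-19T15:03:00.000000+0100","event_type":"alert","src_ip":"192.168.1.30","dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":9100003,"rev":1,"signature":"EXAMPLE user-agent policy note","category":"Potential Corporate Privacy Violation","severity":3}}
{"timestamp":"2018-01-19T15:03:05.000000+0100","event_type":"flow","src_ip":"192.168.1.30","dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP"}
this line is not JSON and is skipped
"""


def parse_alerts(log_text):
    """Yield alert records from EVE text, skipping other event types and unparsable lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if rec.get("event_type") == "alert" and isinstance(rec.get("alert"), dict):
            yield rec


def summarize(log_text):
    """Per-sid summary: {sid: {"signature", "blocked", "allowed", "destinations"}}.

    'blocked' and 'allowed' are hit counts taken from alert.action;
    'destinations' is the set of "ip:port" strings the rule fired on, which
    is what tells you whether a rule is hitting one internal service or
    everything.
    """
    summary = {}
    for rec in parse_alerts(log_text):
        a = rec["alert"]
        sid = a["signature_id"]
        entry = summary.setdefault(sid, {"signature": a.get("signature", ""),
                                         "blocked": 0, "allowed": 0,
                                         "destinations": set()})
        action = a.get("action", "allowed")
        entry[action] = entry.get(action, 0) + 1
        entry["destinations"].add("%s:%s" % (rec.get("dest_ip"), rec.get("dest_port")))
    return summary


def sids_blocking_host(log_text, host):
    """Return sorted (sid, signature) pairs that produced a 'blocked' alert toward `host`.

    This is the candidate list for step 5: the rules standing between a client
    and, say, the Joomla login page. Review each before flipping it to Alert;
    the signature name is returned so the review can start from the list.
    """
    hits = {}
    for rec in parse_alerts(log_text):
        a = rec["alert"]
        if a.get("action") == "blocked" and rec.get("dest_ip") == host:
            hits[a["signature_id"]] = a.get("signature", "")
    return sorted(hits.items())


if __name__ == "__main__":
    for sid, e in sorted(summarize(SAMPLE_EVE_LOG).items()):
        print("sid %d blocked=%d allowed=%d  %s  -> %s"
              % (sid, e["blocked"], e["allowed"], e["signature"], sorted(e["destinations"])))
    print("sids blocking 198.51.100.5:", sids_blocking_host(SAMPLE_EVE_LOG, "198.51.100.5"))
```

To use it on a live box, replace SAMPLE_EVE_LOG with the contents of the EVE JSON file Suricata writes and pass the address of the service that is misbehaving; a sid that blocks only one destination is usually a rule to review and flip to Alert, while one that blocks many unrelated destinations deserves a closer look before it is weakened.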
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved