Messages - 3kj2w

#16
I have no other ideas... sorry.

I am testing this one on Suricata 4.0.0 under a different firewall fork and I get hits on these rules.
#17
hmm... what if you add the test domain:

drop dns $HOME_NET any -> $EXTERNAL_NET !53 (msg:"Admin-Rule2 !53 dns Query"; dns_query; content:"google"; nocase; sid:9900204; rev:2;)

p.s.
I hope it is not an answer from the local DNS cache...
#18
If we look at these rules we will see that they work by searching the HTTP stream for descriptive content words; this will not work for HTTPS (most sites use HTTPS now) or for media links. So yes, you can say they are almost useless, because they will block any site that contains these words, including tutorials that describe how to block adult sites.

# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
#  as follows:
#
#*************************************************************
#  Copyright (c) 2003-2017, Emerging Threats
#  All rights reserved.

#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:

#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.

#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#

# This Ruleset is EmergingThreats Open optimized for suricata-2.0-enhanced.

#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INAPPROPRIATE Google Image Search, Safe Mode Off"; flow:established,to_server; uricontent:"&safe=off"; content:"|0d 0a|Host|3a| images.google.com|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002925; classtype:policy-violation; sid:2002925; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn preteen"; flow: from_server,established; content:"preteen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001346; classtype:policy-violation; sid:2001346; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn pre-teen"; flow: from_server,established; content:"pre-teen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001347; classtype:policy-violation; sid:2001347; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn early teen"; flow: from_server,established; content:"early teen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001348; classtype:policy-violation; sid:2001348; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn pthc"; flow: from_server,established; content:" pthc "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001386; classtype:policy-violation; sid:2001386; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn zeps"; flow: from_server,established; content:" zeps "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001387; classtype:policy-violation; sid:2001387; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn r@ygold"; flow: from_server,established; content:" r@ygold "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001388; classtype:policy-violation; sid:2001388; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn childlover"; flow: from_server,established; content:" childlover "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001389; classtype:policy-violation; sid:2001389; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE free XXX"; flow: to_client,established; content:"FREE XXX"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001349; classtype:policy-violation; sid:2001349; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE hardcore anal"; flow: to_client,established; content:"hardcore anal"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001350; classtype:policy-violation; sid:2001350; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE masturbation"; flow: to_client,established; content:"masturbat"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001351; classtype:policy-violation; sid:2001351; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE ejaculation"; flow: to_client,established; content:"ejaculat"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001352; classtype:policy-violation; sid:2001352; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE BDSM"; flow: to_client,established; content:"BDSM"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001353; classtype:policy-violation; sid:2001353; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Sextracker Tracking Code Detected (1)"; flow: from_server,established; content:"BEGIN SEXLIST REFERRER-STATS CODE"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001392; classtype:policy-violation; sid:2001392; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Sextracker Tracking Code Detected (2)"; flow: from_server,established; content:"BEGIN SEXTRACKER CODE"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001393; classtype:policy-violation; sid:2001393; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Likely Porn"; flow: established,from_server; pcre:"/ (FREE XXX|dildo|masturbat|oral sex|ejaculat|up skirt|tits|bondage|lolita|clitoris|cock suck|hardcore (teen|anal|sex|porn)|raw sex|((fuck|sex|porn|xxx) (movies|dvd))|((naked|nude) (celeb|lesbian)))\b/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001608; classtype:policy-violation; sid:2001608; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE alt.binaries.pictures.tinygirls"; flow:to_client,established; content:"alt.binaries.pictures.tinygirls"; nocase; classtype:policy-violation; sid:2101837; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE anal sex"; flow:to_client,established; content:"anal sex"; nocase; classtype:policy-violation; sid:2101317; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE fuck fuck fuck"; flow:to_client,established; content:"fuck fuck fuck"; nocase; classtype:policy-violation; sid:2101316; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE fuck movies"; flow:to_client,established; content:"fuck movies"; nocase; classtype:policy-violation; sid:2101320; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE hardcore anal"; flow:to_client,established; content:"hardcore anal"; nocase; classtype:policy-violation; sid:2101311; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE hardcore rape"; flow:to_client,established; content:"hardcore rape"; nocase; classtype:policy-violation; sid:2101318; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE hot young sex"; flow:to_client,established; content:"hot young sex"; nocase; classtype:policy-violation; sid:2101315; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE naked lesbians"; flow:to_client,established; content:"naked lesbians"; nocase; classtype:policy-violation; sid:2101833; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE up skirt"; flow:to_client,established; content:"up skirt"; nocase; classtype:policy-violation; sid:2101313; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#19
Hi,

Interesting, I have no idea why your rule is not working.

Can you please try whether either of these rules works:
drop udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"Admin-Rule !53 dns Query *.* domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|."; fast_pattern; distance:0; classtype:bad-unknown; sid:9900202; rev:2;)

edit: maybe better:
drop dns $HOME_NET any -> $EXTERNAL_NET !53 (msg:"Admin-Rule2 !53 dns Query"; dns_query; sid:9900204; rev:2;)
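The two rule styles in this thread (the byte-level `udp` rule with `content`/`offset`/`depth`/`distance` in post #19, and the `dns` rule with the `dns_query` sticky buffer in posts #17 and #19) match very differently. The following is an added example, not code from the thread or from Suricata: it emulates both matches in Python on a constructed DNS query so you can see exactly which bytes each option inspects. Assumptions: the sample packets are built here (not captured), `offset:2; depth:10` is taken to pin the pattern to payload bytes 2 through 11 as the Suricata documentation describes, and for the second `dns` rule variant (no `content` keyword at all) a missing content is treated as match-anything (an empty needle). Because a query name is stored as length-prefixed labels rather than dotted text, a normal query contains no literal 0x2e byte; on the constructed google.com query the header check of the udp rule passes but its second content match (`|01|.`) does not, while the `dns_query` rule fires.

```python
import struct

# Constructed sample traffic for this example (not a capture from the thread).
def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal standard DNS query: 12-byte header plus one A/IN question."""
    # flags 0x0100: QR=0 (query), opcode 0, RD=1; QDCOUNT=1, AN/NS/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_qname(payload: bytes, pos: int = 12) -> str:
    """Read the length-prefixed labels of the first question name.

    Queries do not use name compression, so a pointer (top two bits set) is rejected.
    """
    labels = []
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compression pointer in a query name")
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    raise ValueError("truncated question name")


def is_standard_query_header(payload: bytes) -> bool:
    """content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10

    offset and depth together pin the pattern to payload bytes [2, 12):
    flags 0x0100, QDCOUNT 1, and zero answer/authority/additional counts.
    """
    return payload[2:12] == b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"


def matches_rule_9900202(payload: bytes, dst_port: int) -> bool:
    """Byte-level emulation of the 'drop udp ... !53' rule from the post."""
    if dst_port == 53:            # the port negation in the rule header
        return False
    if not is_standard_query_header(payload):
        return False
    # content:"|01|."; distance:0 -> the bytes 0x01 0x2e, searched from the end
    # of the previous match (byte 12) onward
    return payload.find(b"\x01.", 12) != -1


def matches_rule_9900204(payload: bytes, dst_port: int, needle: str = "google") -> bool:
    """Emulation of the 'drop dns ... !53' rule with dns_query; content; nocase.

    The dns_query buffer holds the question name of a request, labels joined by
    dots, so the content match is a case-insensitive substring test on that name.
    Assumption: an empty needle stands in for the rule variant with no content
    keyword, i.e. it matches every request to a non-53 port.
    """
    if dst_port == 53:
        return False
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:   # responses populate no dns_query buffer
        return False
    return needle.lower() in parse_qname(payload).lower()


if __name__ == "__main__":
    q = build_dns_query("www.google.com")
    print("qname:", parse_qname(q))
    print("udp rule 9900202 on port 5353:", matches_rule_9900202(q, 5353))
    print("dns rule 9900204 on port 5353:", matches_rule_9900204(q, 5353))
```

Run it against a payload pulled from a pcap (`scapy`'s `raw(pkt[UDP].payload)` or similar) to check what a rule would see before loading it into Suricata; the `dns` keyword also depends on Suricata's app-layer detection recognising DNS on the non-53 port, which this emulation does not model.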
#20
It is almost a lost battle...
First I used to block domains and IPs from all the adult/porn/inappropriate lists I was able to find (>1,000,000 entries)... still a lot of sites escaped filtering.
Now I am using my own DNS server with lists only for ads/coinminer/malware/porn, with the resolver configured to forward to OpenDNS Umbrella, and it just works.
All LAN clients that are restricted use this DNS server and are also redirected to this internal DNS server so they can't bypass it; the rest of them use the firewall's Unbound resolver with different blocking lists for ads/coinminer/malware...
#21
General Discussion / Re: Migrating from pfSense
February 05, 2018, 11:59:44 AM
I was testing in VirtualBox importing the config from pfSense 2.3.x:
- my problem was that if I imported all settings, or only the system section with user accounts and passwords, I was unable to log in to the GUI; for some reason the old passwords from pfSense 2.3.x did not work in OPNsense 18.1.

To solve this problem I had to add the original/default root user and password from a saved OPNsense config; then I could log in and after that change the passwords back for all imported users.

p.s.
Importing all settings seems to retain all old packages and data even though they are not used by OPNsense, so I do not recommend it.

suggestion:
it would be nice to have an option to select multiple sections in the import list.
#22
General Discussion / Re: How pathetic!!
February 02, 2018, 09:27:17 PM
Nope, it is not that easy; this will disable the widget update check on the main screen only, and I already had that checked a long time ago.

I did a hack (commenting out a line) to disable the check in:
/usr/local/sbin/pfSense-upgrade -> # pfsense_upgrade=$(realpath $(dirname $0)/../libexec/$(basename $0))
and
/usr/local/www/system_update_settings.php -> // exec("/usr/bin/fetch -q -o {$g['tmp_path']}/manifest \"{$g['update_manifest']}\"");

also changed the repo address and keys in each file from these dirs:
/usr/local/share/pfSense/keys/
/usr/local/share/pfSense/pkg/repos
...

edit:
better to permanently disable the binary that generates the ID: https://www.reddit.com/r/PFSENSE/comments/6gq84t/closed_source_for_netgate_unique_id_generator/
rm /usr/sbin/gnid

then add a startup script that deletes the uniqueid:
rm /var/db/uniqueid

after a reboot it is silent for the moment, even if I navigate to the update and package menus.

edit2:
bogon files are also downloaded from the pfSense site, and because they are obsolete and dangerous you have to edit:
/etc/rc.update_bogons.sh
to point it directly to the source:
v4url=${v4url:-"http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"}
v6url=${v6url:-"http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt"}
...
#23
General Discussion / Re: How pathetic!!
February 02, 2018, 04:07:17 PM
Any software that sends data from a user's device without the user knowing and accepting this is bad.
#24
General Discussion / Re: How pathetic!!
February 02, 2018, 03:31:13 PM
OK, I edited and only facts remained in the post.
#25
General Discussion / Re: How pathetic!!
February 02, 2018, 02:51:33 PM
As you can see in these screenshots, one pfSense firewall tries to phone home every 10 minutes after it was unable to contact HQ C&C; it has the same IP as the one they banned. The Unbound resolver does not seem to be helping here...

Since pfSense entered the serial and Netgate Unique ID into a community release advertised as open source, they can and do track everybody who uses this software.... if you go to packages they will know exactly what packages you have installed and are using.
If you post in the pfSense/Netgate forum they will know exactly your pfSense installation and packages, if it is linked to the firewall IP.

< edited >
#26
General Discussion / Re: How pathetic!!
February 02, 2018, 10:30:47 AM
Hello,

I was disappointed when I found out about this Netgate story and started to investigate a little; finally I was banned from the dark side forum after they read my... private messages. They didn't delete my account, as can be seen by all users... wow, what a surprise. Not a problem, as I don't want to be associated in any way with dark forces.

The interesting thing is that after I set up monitoring logs in different countries for a few pfSense v2.3.x firewalls where I don't have anything related to them active (no update, NTP, DNS...), I still found them chatting to dark HQ without my consent?!
I tracked and blocked:
162.208.116.0/22
208.123.73.0/24

and these are the destination IPs where the dark firewalls now try to connect like crazy, without any notification:
162.208.119.40:443
162.208.119.41:443
162.208.119.38:53
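The posts above describe spotting the phone-home traffic by watching firewall logs for outbound connections that repeat every 10 minutes. What makes that traffic stand out is not the destination (which you only know after the fact) but the clockwork interval. The following is an added example, not code from the thread or from pfSense: it groups outbound log entries by source, destination and port and flags flows whose inter-arrival times are nearly constant, which is how you would find such a beacon before knowing its address. The log lines are constructed for this example in a simplified one-line format, not real pfSense filterlog output; the 10-minute beacon to 162.208.119.40:443 is modelled on the post, the browsing host and its destination are made up.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not a real capture, and not pfSense filterlog format):
# 192.168.1.1 beacons every 10 minutes to 162.208.119.40:443 while 192.168.1.50
# browses a site at irregular intervals.
SAMPLE_LOG = """\
2018-02-02T10:00:05 block out em0 192.168.1.1:40001 -> 162.208.119.40:443 tcp
2018-02-02T10:03:17 pass out em0 192.168.1.50:51001 -> 93.184.216.34:443 tcp
2018-02-02T10:10:05 block out em0 192.168.1.1:40002 -> 162.208.119.40:443 tcp
2018-02-02T10:11:48 pass out em0 192.168.1.50:51002 -> 93.184.216.34:443 tcp
2018-02-02T10:20:06 block out em0 192.168.1.1:40003 -> 162.208.119.40:443 tcp
2018-02-02T10:30:05 block out em0 192.168.1.1:40004 -> 162.208.119.40:443 tcp
2018-02-02T10:33:10 pass out em0 192.168.1.50:51003 -> 93.184.216.34:443 tcp
2018-02-02T10:40:05 block out em0 192.168.1.1:40005 -> 162.208.119.40:443 tcp
2018-02-02T10:50:04 block out em0 192.168.1.1:40006 -> 162.208.119.40:443 tcp
2018-02-02T10:52:40 pass out em0 192.168.1.50:51004 -> 93.184.216.34:443 tcp
2018-02-02T10:58:02 pass out em0 192.168.1.50:51005 -> 93.184.216.34:443 tcp
"""

LINE_RE = re.compile(
    r"^(\S+) (\w+) out \S+ (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$"
)


def parse_log(text: str):
    """Return (timestamp, src, dst, dport, proto) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _action, src, dst, dport, proto = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return events


def find_beacons(events, min_hits: int = 5, max_jitter: float = 0.05):
    """Map (src, dst, dport) -> period in seconds for flows that recur on a fixed clock.

    A flow is a beacon when it has at least min_hits connections and the
    standard deviation of the gaps between them is at most max_jitter of the
    mean gap. Blocked and passed connections count alike: a blocked beacon
    still tells you the host is trying.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, dport, _proto in events:
        by_flow[(src, dst, dport)].append(ts)

    beacons = {}
    for flow, times in by_flow.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        # coefficient of variation: how far the gaps stray from a fixed period
        if statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[flow] = round(mean)
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{dport} every {period}s")
```

Real beacons add random jitter and real logs carry much more noise, so on production data raise `max_jitter` and require a longer observation window; the point of the example is the grouping and the interval statistic, not the thresholds.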