Messages

31

Intrusion Detection and Prevention / Re: Suricata giving strange messages when enabling

« on: August 22, 2019, 07:01:53 am »

Thats just a warning, as of Suricata 5, things go little bit other. The warning also says how you can suppress this warning.

32

Intrusion Detection and Prevention / [solved, eventual bug]on 19.7.2: still no alerts in alert tab (no pp... on WAN!)

« on: August 20, 2019, 12:12:17 pm »

i still have nearly no warnings in alert tab, except i force it to. do others get alerted in suricata?

I know, there are a lot of threads about this, in each release. i thought i created one within the IDP section.

Config:
IDP, no IDS
no promiscuos mode
only monitoring physical
installed ALL available Rulesets which came by default (no telemetry, snort...)

33

19.7 Legacy Series / Re: block all traffic between VLANs

« on: August 20, 2019, 11:50:58 am »

as they are separate "NICs" i would say no. Its depending on the rules you set. Normally, the ruleset of the vlans is empty, means all blocked (default).

Most of do a target any/any rule per vlan.

34

19.7 Legacy Series / Re: Issues installing 19.7 on APU2D4

« on: August 20, 2019, 09:58:36 am »

had the same issue, changed usb-stick for installation. worked for me.

35

19.7 Legacy Series / Re: Backing up config to Nextcloud

« on: August 19, 2019, 02:30:42 pm »

i just read the docs now, as for me it works since implemented.

In the docs, they create an acess token, but don't need it fr the backup on nextcloud. You can just use a regular user and his password (easiest way, but not the securest, hacking the password offends your whole firewall config).

Or, if using an existing user, you can create the password token and copy it over as login credentials for the user, on which it's been created. Using this, your password of the user itself is "secured".

But: No need of any dav at all for your backup. The error will occur, as opnsense cannot login to your nextcloud server.

36

19.7 Legacy Series / [SOLVED] Re: maltrail: login impossible after changing password

« on: August 16, 2019, 07:41:55 am »

Had to reboot the sense, password then had been accepted.

37

19.7 Legacy Series / maltrail: login impossible after changing password

« on: August 16, 2019, 07:17:40 am »

After changing the sha-256 hash to my password in maltrail, i cannot login any further as admin.

The new password is correct hashed in /usr/local/share/maltrail/maltrail.conf. But nevertheless, wrong username/password is the reply.

38

19.7 Legacy Series / Re: 100% load after install of Sensei on pcengines apu4

« on: August 10, 2019, 07:02:51 am »

i think you are right. It stalls after the launch of elasticsearch.

39

19.7 Legacy Series / 100% load after install of Sensei on pcengines apu4

« on: August 09, 2019, 02:20:30 pm »

after installing sensei, i get a 100% load, on my apu4, which gets unresponsive.

how can i get the logs for further investigations?

40

Intrusion Detection and Prevention / Re: Problem with access between LAN and LAN_VLAN with IPS

« on: August 07, 2019, 04:14:18 pm »

your crossed answer was the right. disable promiscuous mode and the vlan interfaces.

check then, usually its been checked on the physical interface, nonetheless it will show up with your vlanmy config works like this.

41

Intrusion Detection and Prevention / Re: opnips in conjunction to opnsense

« on: July 26, 2019, 07:22:15 am »

@franco: this could explain, why i rested on 18.9 though, but would be good nows. having an idp instead ips with machine learning would be great stuff and much more arguments for opnsense. And yes, it would simplify things...

@bunchofreeds: the project itself seems to be very interesting, having a tap-interface by network was what i expected to have. But as a completely unexperiencend on that, i am glad to have those informations. Read lots of, but never ever got the way.

lots of caveats i think. i prepared now the "WAN"-Port inside my network (it's called mgt, so i believe it's just kind of management port, as the tap shouldn't get an ip, as i read in opnids-forums). So either you have one separate device with one tap on your network, where wan is the effective lan and a tap in behind. I did not quite understand the flow, as i did not find any kind of bridge.

Having multiple taps per network would make an ip on the tap necessary, is i cannot imagine how else routing should be defined.

would you install the opnidp in front of the regular firewall?

Thx

42

Development and Code Review / Re: UniFi Controller

« on: July 24, 2019, 08:50:23 pm »

Works like a charm. But asks for updates on outdated packages on the opnsense afterwards.

43

Intrusion Detection and Prevention / Re: Problem with access between LAN and LAN_VLAN with IPS

« on: July 24, 2019, 08:42:53 pm »

do not use promiscuous. yor traffic will get inspected on the real portport.

i tried that too, but then remarked, that it got inspected on lan instead of vlan-interfaces.

44

Development and Code Review / Re: UniFi Controller

« on: July 24, 2019, 03:50:00 pm »

btw. executing the script as mentionned on the 1st thread, it now also installs openjdk on the opnsense.

45

Intrusion Detection and Prevention / Re: opnips in conjunction to opnsense

« on: July 24, 2019, 07:28:38 am »

first, you are right with work in progres, as the last "release" is 18.9 - but the website says its production. But after installing it, i got the same impression as you.

What i hoped to get is some ideas, like other do, but i makes it easier for other to see how i would like. And just for information: it's a small home network. So, first le me design the existing network:


evil           ---            WAN-Port           ---           LAN                ---    LAN-Network      --- NAS, devices, Wifi
internet               PC-Engines APU4           PC-Engines APU-4             8-Port Switch           several VLAN's
                                (Port 1)                        (Port 3)
                                (DHCP)                         (Private Adress)     
                                (Opnsense 19.7)
                                                         ---           DMZ               ---    DMZ-Network     --- Several LXC Contain.
                                                               PC-Engines APU-4             8-Port Switch
                                                                    (Port 2)
                                                                    (Private Adress)


Remarks: The PC-Engines APU-4 is the same machine for alle mentionned above.

For me, it would be the idea to split suricata off the opensense and having opnids as passive (i know, it's not inline...) monitor.

- Surveying the internal networks
- Surveying the DMZ
- If possible, surveying the WAN-Port too.

I think, having the openids in front of the opnsense would not work for me, as this would make it complicated for servers (web, mail, etc...), as i use letsencrypted. I am searching the "correct" place for the opnids and i still did not really understood how i get it "sniffing" the networks. Do i still have to do some port mirroring/span for this?

Thx for any ideas how others have something equal running. I read lots of information, but sill have a knot.

Ruggerio