Messages - l0rdraiden

#16
Quote from: franco on May 03, 2020, 08:46:02 AM
Quote from: l0rdraiden on May 02, 2020, 08:26:57 PM
That looks like gonzopancho speaking... taking things to the extreme
Who is not liking you? We were having normal conversation

Ah, yes, knee jerk off topic ad hominem attack. Unfortunately, I am not impressed when you talk about the guy who compared me to Hitler in his "parody" opnsense.com page because that's what people do to kill competition before it gets popular because open source is the best am I right. ;)


Cheers,
Franco

You see, you repeat the behaviour, you are on the defensive, you pick one topic of the post, ignore the rest and you take it to the extreme.

If you cannot argue against what people are saying in this post, at least be more respectful. People are giving feedback about features in opnsense and you act like a kid because you don't agree...

If your priority with opnsense is not to make it commercially viable via support, say it, make a blog about it, so we will understand many things and I guess people will stop requesting things that will represent a significant step forward in terms of features. I guess some minor projects like sensei will end up being more successful in economic terms.

And honestly I don't really care about your stupid war with gonzopancho but I guess everyone knows that it was not your fault, and we should thank you all for what you did.
#17
Quote from: franco on April 27, 2020, 03:16:46 PM
I'm merely trying to be honest without judging others. Personally I don't care for the "you don't do what I want so I will not like you as much" attitude. Please take it elsewhere. :)


Cheers,
Franco

That looks like gonzopancho speaking... taking things to the extreme
Who is not liking you? We were having normal conversation

I haven't seen a single suggestion that is not available in any commercial firewall.
#18
@mb

Since sensei is based on ELK here are some ideas to include in sensei, both quite impressive. This will provide more added value to sensei over the standalone opnsense.

https://github.com/3ilson/pfelk
https://github.com/robcowart/elastiflow
#19
Quote from: franco on April 25, 2020, 08:07:27 PM
I know this is mostly opinion and preference, but may I ask why -- with a working solution at hand -- there is a need to make OPNsense into something it is not?

In my view there is a lot of grey area in the requirement to have utterly advanced fine grained GUI access to something you can set up by hand just as well or better.


Cheers,
Franco

Because not everyone knows how to do it "by hand", so if you add more useful functionality to the interface it is easier
#20
Well, probably sensei will take care of this, but rule and policy management has a lot of room for improvement.
#21
I'm not criticizing the project, in fact I give you all thanks for what you are doing, I was just giving my opinion after following this project and forum for years.

For example, if you want an idea, I would love to have something like this in opnsense and I think a lot of people would appreciate it, and it will provide much more added value and "customer" value perception to the current IPS implementation.
https://github.com/StamusNetworks/scirius
I don't know how hard or easy it would be to merge this in opnsense since it's open sourced.

Another example would be to know what you plan to do with Suricata's JA3/JA3S support, TLS/SSL and newest protocol anomaly detection capabilities... Are these enabled? Are these available in the interface? Considering that most people don't offload the SSL traffic, this must be a priority
#22
Well, considering that it is probably not even possible, I have opened this
https://github.com/opnsense/core/issues/4065
#23
Quote from: franco on March 31, 2020, 09:02:53 PM
Ah yes, now it's all clear.  8)

Well, you have to admit that to facilitate flexibility and troubleshooting it doesn't help to have a few suricata options exposed in the interface, and a quite poor log management.

So Suricata (or snort) in pfsense has hundreds of settings and possibilities exposed to the interface, while in opnsense it is basically the basic stuff, on and off and a few more settings

Just take a look at all the documentation related to snort and all the settings and possibilities available.
https://docs.netgate.com/pfsense/en/latest/ids-ips/index.html#snort

Then you have this forum full of people complaining that they cannot do this or that, or cannot troubleshoot a problem, or cannot customize a setting, or something is not working...
#24
Really? No way? Don't the firewall rules have an ID or something?
#25
Is there a way to filter the logs to see only the ones related to a rule?
This is basic and available in any other firewall, is it possible in opnsense?
#26
Quote from: phoenix on April 10, 2020, 08:37:23 AM
Quote from: hbc on April 09, 2020, 11:01:45 PM
Usually you enable suricata on wan. And IPS is triggered before firewall. You will get these alerts even if you do not have any open rdp ports.
Unless I'm misunderstanding the documentation but I don't think that's correct, if you enable IDS on the WAN the packets will have been through NAT and all the alerts will appear to be from your internal network - the documentation is here: https://docs.opnsense.org/manual/ips.html#choosing-an-interface

I have a recollection that there was a recent post from Ad that said you should use in LAN interface for IDS but feel free to correct an amateur if you think I've got it wrong. :)

[EDIT] Sorry, I forgot to mention that if you use the internal interface that you should add the WAN address to your 'home network' in the Advanced settings, further info in the "Update (9/14/2019)" section of this article: https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/


So in order to work correctly I have to add my public IP address when I select WAN.
If my IP address is dynamic, can I use a Dynamic DNS service? Or what solution do I have?

I think most people are running WAN without adding the public IP
#27
Quote from: mimugmail on March 05, 2020, 09:34:23 AM
80MB/s is around 700Mbit .. isn't this good? :)
If you really need this throughput why not investing time tweaking the rules?

I'm quite sure 20000 rules are from 2015 and not affecting your systems ..

You need a high clock rate, i3 with 4Ghz might be faster than E3 with 2Ghz and more cores.

It might be a good idea to be able to configure the rules having them grouped by technology or date. For example, if you usually patch your system maybe you can discard all the rules related to software vulnerabilities older than 1 year.
In pfsense many useful features are exposed in the interface like

https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html#define-servers-to-protect-and-improve-performance
https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html#select-which-types-of-signatures-will-protect-the-network

90% of the stuff in https://docs.netgate.com/pfsense/en/latest/ids-ips/index.html#snort is not available in opnsense, and basically you have similar options available in suricata to be exposed.

https://www.youtube.com/watch?v=KRlbkG9Bh6I
#28
@mb

If I understood well, with the free version you can define 3 profiles but then you can only have 1 policy.
Could you at least make available the use of 2 policies at the same time based on subnet or IPs?

Does sensei allow loading external IP block lists?

When is the integration with suricata 5 in opnsense planned?

Are you doing the app control with snort?
#29
Quote from: robvanhooren on November 23, 2019, 05:25:06 PM
@mb (again) .....

just saw the SOHO pricing, $99/yr is very competitive.

the issue I see here is that with the explosion of IoT and other things in a household, 15 devices is just much too low for a home environment in 2019.

for example, my device count ('Unique Local Hosts' in the last 24hrs, according to the Sensei Dashboard) is 41.

per the current structure, that would cost ~$1200/yr, which is completely unreasonable.

no one in their right mind is going to spend two mortgage payments every year just to keep the Chinese out of their lightbulbs, the Russians out of their Alexas, the local stalkers and thieves out of their home security systems, and successfully divert accidental Japanese donkey porn away from their kids' surfing sessions, too; they shouldn't have to choose which subset of these goals can be achieved due to an arbitrarily-low device cap.

security is only as good as its weakest link, and if a home user has to pick which devices to cover with Sensei's gaze, and which ones to leave exposed to armageddon, then invariably they will be outfoxed.

while ad-hoc device coverage makes for good eye-candy, it's not particularly better than no coverage at all, because human beings are fallible and will inevitably pick combinations that leave attack vectors available.

would you consider raising the paid SOHO plan limit to 50?

-- this would put you at parity with e.g. the device cap of SophosXG Home (which is free, fwiw).

LOL maybe even one-up the Sophos folks & make it 51 -- just because you can. ;)

thanks!

(likely a big thanks from everyone!!  :) )

@mb

He is totally right, I have IoT at home so I have more than 50 IP's to control and we are 3 in the house and one of them is a kid 3 years old, so the home plan is not for me.
The home version is already too limited in features to consider it for enterprise use, in fact it is hard to consider opnsense for enterprise use. So I wouldn't limit the home version based on number of devices, it's already limited in must-have enterprise features.

In addition I consider the price a little bit high considering you have sophos XG home edition for free or that you can build something similar in terms of protection with pfblockerng.

By the way Sophos XG Home edition has no limit in IP's or devices, the only limit is that only uses 4 Cores and 6 GB of RAM.

For less than 30$ per year I would think about it but considering that Sophos XG home edition is free...., or maybe 100$ for a lifetime plan for home users.

#30
https://forum.opnsense.org/index.php?topic=11341.0

This is still an issue, and the workaround doesn't work.

Things like this are why we all end up coming back to pfsense after each release.