Messages - ArminF

#31
Hello,
I am puzzling over how I could teach the IPS this.

Currently this rule is blocking.
Alert   ET SCAN Potential SSH Scan
Alert sid   2001219

Can I release this rule again for specific LAN IPs?
We have Qualys scanners and monitoring probes which "should" scan the port via SSH.

Haven't found anything so far. It is either/or. But I did not want to have to allow it for everyone.

Thanks!
regards armin
#32
Hello,

you can set up the rules with priorities and monitor the hardware/link usage while tightening down the rules.
Remember that the policy applies only to the enabled and downloaded rules.

Policy based / all rules enabled.
Priority 0 would be highest while 100 would be low.
Example 1 (block to alert)
Prio 10 Alert - selected rules based on your needs
Prio 100 Block - all rules, all actions

Example 2 (alert to block)
Prio 10 Block - selected rules based on your needs
Prio 100 Alert - all rules, all actions

Example 3 (default alert or block) See screenshot
Prio 10 - sort and block for Severity rules (critical and major)
Prio 20 - sort and alert for Severity rules (informational and minor)
Prio 30 - sort and alert for Performance (significant) if your hardware is too low
Prio 40 - sort and block for Performance (moderate and low)
Prio 100 - sort all block or alert all, depending on whether you want to allow or deny in the first place.


Rule based:
Just enable and download the rules you need.
For me I have chosen all attack rules and then set a single policy to drop them all.
Here is my selection:
ET telemetry/emerging-activex 2021/03/10 9:37
ET telemetry/emerging-attack_response 2021/03/10 9:37
ET telemetry/emerging-current_events 2021/03/10 9:37
ET telemetry/emerging-dns 2021/03/10 9:37
ET telemetry/emerging-dos 2021/03/10 9:37
ET telemetry/emerging-exploit 2021/03/10 9:37
ET telemetry/emerging-malware 2021/03/10 9:37
ET telemetry/emerging-misc 2021/03/10 9:37
ET telemetry/emerging-mobile_malware 2021/03/10 9:37
ET telemetry/emerging-netbios 2021/03/10 9:37
ET telemetry/emerging-rpc 2021/03/10 9:37
ET telemetry/emerging-scada 2021/03/10 9:37
ET telemetry/emerging-scan 2021/03/10 9:37
ET telemetry/emerging-shellcode 2021/03/10 9:37
ET telemetry/emerging-trojan 2021/03/10 9:37
ET telemetry/emerging-user_agents 2021/03/10 9:37
ET telemetry/emerging-web_client 2021/03/10 9:38
ET telemetry/emerging-web_server 2021/03/10 9:38
ET telemetry/emerging-web_specific_apps 2021/03/10 9:38
ET telemetry/emerging-worm 2021/03/10 9:38
ET telemetry/tor 2021/03/10 9:38

Single policy to block them all. The policy will overwrite the defaults for all the rules.

I would propose setting the priorities beginning with 10 and each further one plus 10, so you have space in between and would not need to shift rules around.

Hope this helps.
Ah, by the way: you can move the IP list rules like SSL blacklist, CC botnet, dshield etc. to your firewall and import the lists with URL tables. Here you can use floating rules. This will reduce the performance needed by your IDS/IPS.
This is how I handled the performance-heavy stuff from the IP lists.

The IDS/IPS packet filter comes before the firewall filter in the traffic flow, as a note. But if you block the IPs, there would be no need to scan them for behavior. So IPs moved to the firewall and attacks enabled on the IDS/IPS.

Hope this makes sense :)
cheers A

armin

#33
Hello,
my plan is to block
Alert   ET SCAN Potential SSH Scan
Alert sid   2001219
Rule but allow it for a specific set of IPs.
We do run internal quality scanner and monitoring probes.

Is this somehow possible as the rule can "just" be set to allow (alert) or block?

thank you very much!
cheers A
#34
Thanks a million, Franco!

#35
Franko,
thanks!

I did reinstall it through plugins but it still shows misconfigured.
So if it's "just cosmetics" I would say it looks ugly but works :)

I will wait for the update, then uninstall it, install it again later and restore the backup.

thanks
armin
#36
Thank you both!

I reset the plugin and rebooted but it still shows as "misconfigured"

***GOT REQUEST TO RESYNC***
Ignoring invalid metadata: /usr/local/opnsense/version/sensei
Ignoring invalid metadata: /usr/local/opnsense/version/sensei-db
Ignoring invalid metadata: /usr/local/opnsense/version/sensei-updater
***DONE***

Anything else I can do?
Would I need to reinstall and restore my backup for Sensei?

thanks
armin
#37
Hello,
just updated the firmware of OPNsense to OPNsense 21.1.3-amd64.
Took a look at the plugins later and saw the attached screenshot.

Did I do anything wrong? Any idea how to fix it?

os-sensei (misconfigured)   1.7.1   81.6MiB   
os-sensei-db (orphaned)   1.7.20210208135119   64.7MiB   unknown-repository
os-sensei-updater (misconfigured)   1.7   4.45KiB   SunnyValley   OPNsense Sensei Plugin Updater   
os-sunnyvalley (installed)

I do not use the cloud thing from Sensei. So local usage only. Free Edition

thanks
armin
#38
Morning Pete,
please forgive me this back and forth..

So let's take an IP, assuming it was blocked and you would need to check if it is somewhere in a block list.

https://www.spamhaus.org/drop/drop.txt
-> in this list there is the network 46.102.190.0/24 ; SBL493880  --> we take 46.102.190.100, which would be in the /24 network.

You have imported the list through a URL Table in your aliases.
Blacklist_Spamhaus_Drop   URL Table (IPs)   Spamhaus Drop   https://www.spamhaus.org/drop/drop.txt

The firewall shows drops/blocks for 46.102.190.100. If you set a category on your blacklist drops, the firewall will tag them and show the category as a label.
Here you can navigate to Firewall -> Diagnostics -> pfTables and select the Blacklist_Spamhaus_Drop list.
In there you can search for the IP or the network, so 46.102.190.x
The result should show you the included network.

Actually you could merge your lists into one URL table by adding all the links into one alias.
The list will get bigger but it should work as well. You would then need to check only one list.

I attach some screenshots.

Pete, I hope this helps.
We could have a call if you want. Drop me a PM.
cheers armin
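The list check described above, as an added example that is not part of the post or of OPNsense: it parses lines in the drop.txt format and reports which listed network (and SBL id) contains a given address, the same containment test the pfTables search performs. The sample list is constructed from the entry quoted in the post plus a documentation range.

```python
import ipaddress

# Constructed sample in the DROP file format ("<cidr> ; <SBL id>" per line,
# ";"-prefixed header lines). The first entry is the one the post quotes;
# the second is a documentation range, not a real listing.
SAMPLE_DROP = """\
; Spamhaus DROP List - constructed sample, not a download
; Last-Modified: Thu, 14 Jan 2021 12:00:00 GMT
46.102.190.0/24 ; SBL493880
198.51.100.0/24 ; SBL000000
"""


def parse_drop(text):
    """Return [(network, sbl_id), ...] from DROP-formatted text, skipping headers."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment/header line
        cidr, _, sbl = line.partition(";")
        entries.append((ipaddress.ip_network(cidr.strip(), strict=False), sbl.strip()))
    return entries


def lookup(address, entries):
    """Return the SBL id of the first listed network containing address, else None."""
    ip = ipaddress.ip_address(address)
    for net, sbl in entries:
        if ip.version == net.version and ip in net:
            return sbl
    return None


if __name__ == "__main__":
    drop = parse_drop(SAMPLE_DROP)
    for probe in ("46.102.190.100", "192.0.2.7"):
        print(probe, "->", lookup(probe, drop))
```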



#39
Well, ok I think I can follow you.

So about having sources doubled in the URL alias: here I can say that the firewall can handle many more tables (networks and hosts) than the IDS/IPS, even when you have double entries in different tables. If the hardware is scaled enough it is not a problem at all. I run an i7 CPU with 32GB memory. Usage is about 5 to 10%.

About these services (Spamhaus, URLhaus, dShield): you have to "kind of trust" what they are doing by listing these networks in their block lists. You cannot ensure that they are always accurate nor up to date. But to be honest.. you have to do this with OPNsense as well :)

If you check https://www.spamhaus.org/organization/ for example: they have offered their service for quite a long time. Of course everyone can make mistakes by listing something which might not need to be listed and so gets blocked.

FireHOL is a collection of some of the services and they state "This site is provided as-is, without any warranty. IP Lists are a property of their maintainers."

But all of them give you a much higher level of protection. I see it as better to have than to miss.
I run this at home, so here I can take a higher risk of blocking something unintentionally. On our business OPNsense I do not run all of them. But some.

Hope this helps.
cheers armin

#40
Morning,
the initial screenshot points out lists of bad networks. These lists contain networks and hosts.
I removed as many as I could find from the IDS/IPS section; that's why I have 7 instead of the first marked 6.

The idea is to disable them on the IPS so it does not use patterns at all, but the firewall will block the source/destination based on the network or IP coming from the URL alias. There is no need to scan for intrusion if the firewall will block it anyway.

Floating rules I used to select more interfaces (LAN, WAN, DMZ) instead of having them on each section.
You can check the URL table if you go to Firewall - Diagnostics - pfTables.

Hope I understood you right and this clarifies it.
cheers A

#41
Exactly.
I used a URL table alias and pointed it to the files. Update every 8 hours.

Blacklist_Feodo_Botnet   URL Table (IPs)   Feodo C&C recommended   https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
Blacklist_FireHOL_Level1   URL Table (IPs)   FireHOL Level 1 List   https://iplists.firehol.org/files/firehol_level1.netset
Blacklist_FireHOL_Level2   URL Table (IPs)   FireHOL Level 2 List   https://iplists.firehol.org/files/firehol_level2.netset
Blacklist_FireHOL_Level3   URL Table (IPs)   FireHOL Level 3 List   https://iplists.firehol.org/files/firehol_level3.netset
Blacklist_Spamhaus_Drop   URL Table (IPs)   Spamhaus Drop   https://www.spamhaus.org/drop/drop.txt
Blacklist_Spamhaus_eDrop   URL Table (IPs)   Spamhaus Drop   https://www.spamhaus.org/drop/edrop.txt
Blacklist_dShield   URL Table (IPs)   dShield Drop   http://feeds.dshield.org/block.txt

Then I placed them into the floating rules and blocked incoming and, with a second rule, outgoing traffic on it.
But I had to disable a few as I could not browse anymore afterwards...

Hope this makes sense...
cheers A
#42
The outsourcing was meant from IDS/IPS to firewall to gain performance.

URLhaus is a very long list of bad networks and so the firewall module can do the job more easily than the IDS/IPS.

I got a lot of performance back when I moved those rules into the firewall module, away from IDS/IPS.
My internet speed rose 30% and is now 95% of the speed while running IDS/IPS in block action with many rules activated.

Hope this explains it better.
cheers A
#43
German - Deutsch / Re: Amazon AWS als URL List Alias?
January 14, 2021, 06:19:15 PM
Hello,

I renamed it and let the script run three times a day.
And I want to allow.

armin
#44
German - Deutsch / Re: Amazon AWS als URL List Alias?
January 14, 2021, 04:54:01 PM
Thanks JeGr

I "abused" my NAS and have a script running via cron.

# Download and update all server ranges from AWS based on their JSON file.
# Write to a temp file first and only replace the alias file if grep found
# ranges, so a failed download does not truncate the list to an empty file.
curl -sf https://ip-ranges.amazonaws.com/ip-ranges.json | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\/[0-9][0-9]?" > /volume1/Web/AWS_2021-01.txt.tmp && mv /volume1/Web/AWS_2021-01.txt.tmp /volume1/Web/AWS_2021-01.txt

That gives me the "pure" IP ranges, which I then import as a URL alias.
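An added example (not the poster's cron script and not OPNsense code) that parses ip-ranges.json instead of grepping for anything shaped like a CIDR; it goes a little beyond the one-liner by filtering on service and region, keeping IPv6 prefixes, and replacing the alias file atomically. The JSON is a constructed excerpt in the real file's structure with documentation ranges in place of AWS networks.

```python
import json
import os

# Constructed excerpt in the structure of ip-ranges.json; the prefixes are
# documentation ranges (RFC 5737 / RFC 3849), not real AWS networks.
SAMPLE_JSON = """{
  "syncToken": "1610000000",
  "prefixes": [
    {"ip_prefix": "198.51.100.0/24", "region": "ap-northeast-2", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24", "region": "eu-central-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.0/24", "region": "eu-central-1", "service": "AMAZON"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1::/48", "region": "eu-central-1", "service": "AMAZON"}
  ]
}"""


def load_sample():
    """Parse the constructed sample; for real use: json.load(urlopen(url))."""
    return json.loads(SAMPLE_JSON)


def select_prefixes(doc, services=None, regions=None, include_ipv6=True):
    """Return sorted, de-duplicated prefixes matching the optional filters."""
    # The real file repeats a network under several services (EC2 plus the
    # umbrella AMAZON entry); the set collapses those duplicates.
    groups = [("prefixes", "ip_prefix")]
    if include_ipv6:
        groups.append(("ipv6_prefixes", "ipv6_prefix"))
    keep = set()
    for key, field in groups:
        for entry in doc.get(key, []):
            if services and entry.get("service") not in services:
                continue
            if regions and entry.get("region") not in regions:
                continue
            keep.add(entry[field])
    return sorted(keep)


def write_alias_file(doc, path, **filters):
    """Write one prefix per line (what a URL Table alias fetches); return count."""
    # Write to a temp file and rename so a failed run never leaves the alias
    # pointing at an empty or half-written list.
    prefixes = select_prefixes(doc, **filters)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("\n".join(prefixes) + "\n")
    os.replace(tmp, path)
    return len(prefixes)
```

Point a URL Table alias at wherever the written file is served (the poster uses the NAS web share) and let cron call write_alias_file with the filters you need.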
#45
German - Deutsch / Amazon AWS als URL List Alias?
January 13, 2021, 06:55:39 PM
Hello everyone,

can OPNsense do anything with JSON files when it comes to URL aliases?

https://ip-ranges.amazonaws.com/ip-ranges.json
All instances would always be up to date in there.
I would like to have those as a URL table.

Does that work?

Thanks
armin