Messages

241

21.1 Legacy Series / Re: Suricata vs Sensei

« on: February 24, 2021, 05:07:53 pm »

I run them side by side, suricata on my WAN connections and Sensei on my LAN connections.  Suricata is doing intrusion detection/prevention so it's better suited for the WAN side.  Sensei is more client focused on it's implementation and not really designed to sit on the WAN side.

242

Zenarmor (Sensei) / Re: Elasticsearch nightly cpu maxing out and hanging service

« on: February 10, 2021, 05:33:57 pm »

I ended up pulling this back to the firewall itself.  Couldn't get it stable remotely.  It's def something with the update as leaving the server online with no connection to the firewall didn't produce the hangs and cpu spike.  Not sure what happened.  Maybe I'll rebuild it on remote at a later date.  Other than a lot of ram usage seems ok local.

243

21.1 Legacy Series / Re: Intrusion Detection rulesets - good/bad choices?

« on: February 10, 2021, 05:23:23 pm »

Picking and choosing is going to be tough.  Best method is to enable an entire ruleset, for me I use Proofpoint Telemetry list.  Instructions here.  https://docs.opnsense.org/manual/etpro_telemetry.html

Enabled all these rules in IDS "Alert Mode".  Monitor it for a week or so and as alerts pop up determine if they are real threats or false positives and disable those rules as needed or resolve threats if found.  Once you've went through this process set the active rules to IPS "Block Mode".  You'll still need to monitor it for a bit. 

To make life easier I recommend setting up monit.  Instructions here https://docs.opnsense.org/manual/monit.html  See (Example 3) to get suricata alerts.  Saves you having to log in constantly to monitor it. 

244

20.7 Legacy Series / Re: Can't seem to get SIP working

« on: February 06, 2021, 06:41:15 pm »

Sorry to bump an old thread.

I'm also facing the same issue, SIP being blocked by the default rule, when I run a packet capture it looks good

Code: [Select]

Interface Capture output
WAN
hn0 17:19:25.796754 IP 185.26.240.4.5060 > 188.223.75.170.5060: UDP, length 887
WAN
hn0 17:19:26.296327 IP 185.26.240.4.5060 > 188.223.75.170.5060: UDP, length 887
WAN
hn0 17:19:27.397625 IP 185.26.240.4.5060 > 188.223.75.170.5060: UDP, length 887
WAN
hn0 17:19:29.397009 IP 185.26.240.4.5060 > 188.223.75.170.5060: UDP, length 887
WAN
hn0 17:19:33.395182 IP 185.26.240.4.5060 > 188.223.75.170.5060: UDP, length 887
Did you manage to get your SIP fixed? If so how? As my SIP trunk provider gave me a SIP proxy address.

No never got it figured out.  I gave up.  And I'm at a different job now so don't have the same need. 

Sent from my IN2025 using Tapatalk

245

Zenarmor (Sensei) / Re: Elasticsearch nightly cpu maxing out and hanging service

« on: February 05, 2021, 02:21:39 pm »

Restarting the service appears to keep the service online.  But in a weird state.  I noticed this morning that it's like the service or the connection to it is flapping.  Each refresh of the dashboard in opnsense gives different results.  Sometimes it says service isn't running then next refresh it will be.  Sometimes reports load and sometimes they throw errors.  I don't know what happened after the 21.1 update but it's frustrating.  Might have to rebuild it.

246

Zenarmor (Sensei) / Re: Elasticsearch nightly cpu maxing out and hanging service

« on: February 04, 2021, 04:52:17 pm »

Hi FullyBorked,

How was it last night? Service restart worked or?

It does appear to have kept it from fully hanging up.  Will monitor it a few more nights.  Still like to know the root cause.  Looked through logs on the elastic search server but saw nothing out of the ordinary.

Sent from my IN2025 using Tapatalk

247

Zenarmor (Sensei) / Re: Elasticsearch nightly cpu maxing out and hanging service

« on: February 03, 2021, 03:10:03 pm »

Setup a cron job to restart the elasticsearch service every morning at 3 am as (hopefully) a stop gap.

248

Zenarmor (Sensei) / Re: Elasticsearch nightly cpu maxing out and hanging service

« on: February 03, 2021, 02:40:35 pm »

Anyone know how to troubleshoot what might be happening?  Maybe enable some logging or something?  Starting to get old fixing this server every day.   

249

Zenarmor (Sensei) / Re: Elasticsearch nightly cpu maxing out and hanging service

« on: February 02, 2021, 05:36:27 pm »

@FullyBorked, Is the ELK instance running on OPNsense ?

No it's remote, running on Ubuntu server. 

250

Zenarmor (Sensei) / Elasticsearch nightly cpu maxing out and hanging service

« on: February 02, 2021, 02:24:34 pm »

I've been using a remote elasticsearch server for awhile now.  It's been pretty much problem free.  Until the 21.1 update, now every night since that update, elasticsearch is pegged at 100% usage on all cores and unresponsive, requiring a force kill of the service to bring it back to life.  See screenshot, seems to be close to the same time spot each night.  Any idea's what might be running or changed in the 21.1 update that would be causing this to hang up?

251

20.7 Legacy Series / Re: Cant resolve Windows DHCP Leases Hostname using unbound.

« on: January 02, 2021, 10:36:42 pm »

Yea, can't resolve hostnames of dhcp leased windows clients. 

Sent from my IN2025 using Tapatalk

252

20.7 Legacy Series / Re: Cant resolve Windows DHCP Leases Hostname using unbound.

« on: January 02, 2021, 10:12:06 pm »

Which DNS server is windows using?

It's pointing to the opnsense box for dns.

Sent from my IN2025 using Tapatalk

253

20.7 Legacy Series / Cant resolve Windows DHCP Leases Hostname using unbound.

« on: January 02, 2021, 09:34:20 pm »

I have my opnsense handing out DHCP and serving and my DNS server via unbound.  I've enabled the option to have DHCP leases registered in DNS.  This works fine for non-windows devices, such as smart phones, IoT devices etc.  But not a single windows client is registered.  Can't seem to figure out why this is.  Anyone have any ideas?

254

Zenarmor (Sensei) / How to save dashboard layout?

« on: January 02, 2021, 06:03:38 pm »

I'm sure i'm just dumb.  But I can't for the life of me figure out how to save the dashboard after I've moved around the widgets.  Get it all setup the way I want but there isn't a save option I can find.  So if i navigate away and come back it's back to the default organization. 

EDIT: Figure it out sort of, didn't realize I could drag and drop in the add remove widgets dialog.  Just noticed it said "Sort".  However I think the intent is for them to be able to be drag and dropped.  So maybe it's just missing a save dialog when modifications are made? 

255

20.7 Legacy Series / Re: Current list of bugs/issues I've encountered in 20.7

« on: December 02, 2020, 02:21:14 am »

Thanks for bringing this back up.  I bout forgot about it.  I've updated it a bit to better reflect my current experience.