OPNsense
Show Posts

Topics - Relaxe

1. Intrusion Detection and Prevention / Suricata GUI feature requests
« on: September 09, 2022, 09:08:39 pm »
Hello,

I have a GUI adjustment feature request. Currently using OPNsense 22.7.4.
I'm unsure if this is the right place. If not, feel free to educate me so I can move this to the right channel!

I started whitelisting Suricata rules, but after a while it gets confusing.

Under "Administration -> Rules", there is great information listed by default.
When opening the "pencil" on a rule, we get even more details on a specific rule. Superb!

Under "Policy -> Rule adjustments", we don't see much. The list only shows the ID number of the rule without description. The "Pencil" there only shows if enabled and the action, but nothing more. We then need to crosscheck the rules from the Administration -> Rules menu. Very tedious :(

Can we make it so the "Rule Adjustment" menu gets the same details as the "Administration Rules" one?
I have included an image to (poorly) illustrate my point.

I am also asking, if possible, to add a "Description" text field to the Rule Adjustments, so we can enter a reason for messing with the rule. Basically the same idea as the "Description" field already attached to the policies.
In my organisation, we need to justify any whitelisting. This field would save me from having to keep separate documentation.

Thanks!

2. Intrusion Detection and Prevention / How to manage rules, policies and general guidance to live with Suricata?
« on: September 08, 2022, 08:42:56 pm »
Hello folks,

Total n00b here, learning fast. I just want to share what I wished I knew from the start.

I have installed and configured Suricata in IPS mode on my OPNsense box.
I see Alerts, can drop by rule and all. It works.

But now, I want to "block the bad things".
I thought installing ET Pro and setting IPS ON would do the trick.

I saw many alerting Alerts, but no drops.
I then played with Policies, and figured that a small number of rules (about 10%) are already at "drop", only the real bad ones.

What one can do is enable SETS of Rules.
Keep in mind, there are ~86000 rules as of late 2022 if you download all the packages.
Changing Alert to Drop manually on all of them is not an option.
What you can do is create a new Policy that states, for each pertinent ruleset, that the default "alert" rules are now "drop".

For instance, I want to block all things tor. I created a policy with ruleset = tor.rules, action=Alert, and new Action = drop.
Now, all the Alerts go straight to drop for that category.

I am now playing with ALL alerts -> Drop, and whitelisting genuine use cases. There are a lot of false positives, but it's manageable so far.
When I see a drop that should have been totally fine (I saw a drop for discord.com), I click the pencil next to the alert and disable that rule. I wish there was a comment field to indicate the reason, but that is another thing.

Good luck!
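The two Suricata posts above describe the same mechanism from two sides: a policy that rewrites every "alert" in a ruleset to "drop", and per-SID adjustments that disable or downgrade a single rule, ideally with a written justification. The following is an added example, not code from the original posts, from OPNsense or from Suricata: it parses rule lines in Suricata syntax, applies ruleset-wide policies in order, lets a per-SID adjustment (carrying a `reason` field) override them, emits the resulting rule file with disabled rules commented out next to their reason, resolves a bare SID back to its `msg` (the lookup the Rule Adjustments view currently forces you to do by hand), and flags adjustments with no justification. All rule lines, SIDs (placeholders in the 9000000 range, not real ET SIDs), policies and justifications are constructed for the example.

```python
"""Added example: ruleset policies + per-SID adjustments with justification.
Not OPNsense or Suricata code; all rules, SIDs and reasons are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A Suricata rule starts with its action keyword; the rest is kept verbatim.
RULE_RE = re.compile(r"^(?P<action>alert|drop|pass|reject)\s+(?P<body>.+\))\s*$")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')


@dataclass
class Rule:
    ruleset: str
    action: str   # alert / drop / pass / reject
    sid: int
    msg: str
    body: str     # everything after the action keyword

    def render(self) -> str:
        return f"{self.action} {self.body}"


@dataclass
class Policy:
    description: str
    rulesets: frozenset   # which .rules files the policy covers
    from_action: str      # rules currently at this action ...
    new_action: str       # ... are rewritten to this one


@dataclass
class RuleAdjustment:
    sid: int
    enabled: bool = True
    action: Optional[str] = None   # explicit override, or None to keep the policy result
    reason: str = ""               # the justification field the GUI lacks today


@dataclass
class Change:
    sid: int
    msg: str
    original: str
    final: str    # new action, or "disabled"
    source: str
    reason: str


def parse_rule(ruleset: str, line: str) -> Optional[Rule]:
    """Parse one rule line; comment and blank lines return None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    sid, msg = SID_RE.search(body), MSG_RE.search(body)
    if not sid:
        return None
    return Rule(ruleset, m.group("action"), int(sid.group(1)), msg.group(1) if msg else "", body)


def compile_rules(rulesets, policies, adjustments) -> Tuple[List[str], List[Change]]:
    """Policies apply per ruleset, in order; a per-SID adjustment always wins over policies.
    Returns the rule lines to load and an audit trail of every change made."""
    by_sid = {a.sid: a for a in adjustments}
    out, changes = [], []
    for name, lines in rulesets.items():
        for line in lines:
            rule = parse_rule(name, line)
            if rule is None:
                continue
            original, source, reason = rule.action, "", ""
            for pol in policies:
                if name in pol.rulesets and rule.action == pol.from_action:
                    rule.action, source = pol.new_action, f"policy '{pol.description}'"
            adj = by_sid.get(rule.sid)
            if adj is not None:
                source, reason = f"adjustment sid:{adj.sid}", adj.reason
                if adj.action:
                    rule.action = adj.action
                if not adj.enabled:
                    # Suricata ignores '#' lines, so the disabled rule and its reason travel with the file.
                    out.append(f"# disabled: {rule.msg} (reason: {reason or 'NOT DOCUMENTED'})")
                    out.append("# " + rule.render())
                    changes.append(Change(rule.sid, rule.msg, original, "disabled", source, reason))
                    continue
            if source:
                changes.append(Change(rule.sid, rule.msg, original, rule.action, source, reason))
            out.append(rule.render())
    return out, changes


def describe(rulesets, sid: int) -> str:
    """Resolve a bare SID (all the Rule Adjustments list shows) to its rule message."""
    rules = (parse_rule(n, l) for n, ls in rulesets.items() for l in ls)
    return next((r.msg for r in rules if r and r.sid == sid), "")


def undocumented_adjustments(adjustments) -> List[int]:
    """SIDs whose whitelisting has no written justification."""
    return [a.sid for a in adjustments if not a.reason.strip()]


# Constructed sample rulesets in Suricata syntax; the discord.com rule mirrors the false positive in the post.
SAMPLE_RULESETS = {
    "tor.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TOR Known Relay Node Traffic"; sid:9000001; rev:1;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE TOR Exit Node Inbound"; sid:9000002; rev:1;)',
        'drop tcp $HOME_NET any -> $EXTERNAL_NET 9001 (msg:"EXAMPLE TOR Directory Port Request"; sid:9000003; rev:2;)',
    ],
    "policy.rules": [
        "# constructed ruleset, not an ET file",
        'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE POLICY Chat Service Connection"; tls.sni; content:"discord.com"; sid:9000010; rev:1;)',
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE POLICY File Sharing Site Access"; sid:9000011; rev:1;)',
    ],
}
POLICIES = [
    Policy("block all things tor", frozenset({"tor.rules"}), "alert", "drop"),
    Policy("all alerts -> drop", frozenset({"tor.rules", "policy.rules"}), "alert", "drop"),
]
ADJUSTMENTS = [
    RuleAdjustment(9000010, enabled=False, reason="Discord approved for the support team (constructed justification)"),
    RuleAdjustment(9000011, action="alert"),  # back to alert-only, but nobody wrote down why
]

if __name__ == "__main__":
    lines, audit = compile_rules(SAMPLE_RULESETS, POLICIES, ADJUSTMENTS)
    print("\n".join(lines))
    for c in audit:
        print(f"sid:{c.sid} ({c.msg}) {c.original} -> {c.final} via {c.source}; reason: {c.reason or 'NOT DOCUMENTED'}")
    print("adjustments missing a justification:", undocumented_adjustments(ADJUSTMENTS))
```

The rule that was already at "drop" in tor.rules is untouched and does not appear in the audit trail, the two "alert" tor rules become "drop" via the first policy (so the broader second policy never sees them), the discord.com rule is written out commented with its reason, and the file-sharing rule shows up in `undocumented_adjustments` because its downgrade has no reason attached, which is the review check an organisation that must justify every whitelisting would want to run before deploying the rule file.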

3. 22.7 Legacy Series / os-ddclient needs a way to test new config
« on: August 11, 2022, 01:56:51 pm »
I just did a new install, my site relies on FreeDNS to point the VPN to the facility.

os-ddclient does not provide a way to check if the config works. It needs an "Update IP now" button so we have feedback in the log, without pulling the ethernet jack!

Also... does someone know how to trigger the ddclient update manually? I really want to test this out before I go on vacation and it breaks while I'm miles away.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved