Recent posts

#1
Have you noticed they don't match?
Traffic is missed except for pcap.
I mean a real pcap, not the short GUI-generated one.
#2
25.7, 25.10 Series / Re: Looking for testers Q-Feed...
Last post by passeri - Today at 05:50:55 AM
I am curious to know what to make of this.

I saw in event logs that a string of outgoing connections were attempted from one machine. The first set was to 63.141.128.3 and the second to 162.247.243.29. I tried to look up each of these in TIP (Plus licence) to receive the reply "An error occurred while searching. Please try again or contact support if the problem persists." which it did.

dig showed NXDOMAIN of course. At virustotal.com each of these addresses was flagged by the SOCRadar Abusix list as malware but clean in the other 94 analyses shown by virustotal.

Is the likely source for these a pixel in a spam message or some web page? I have spam fairly heavily controlled so such a message rarely becomes visible to execute.

Why does the threat lookup so rarely respond with information, this not being the first time it has simply said there was an error?
#3
Mine works the same.
I keep my logs; what if something happens to your SIEM? A new SIEM would have to ingest the old logs.
I remove them to storage; I try to keep the log under a GB. That's when I delete the old files.
But my pcaps are in there too.
If anyone knows a different method, feel free. I've read the docs.
#4
I set my save at 400. I don't know if it will actually delete any, but I don't want that.
I don't know what it means by rotation; daily or weekly, I get the same result.
My logs are auto-rotated by size; I can get five a day.
By rotated I mean a new file is started.
#5
Two ways:
with a policy or by individual rule.

You can change the rule to drop: go to Intrusion detection>admin>rules, enter the rule number in the search bar.
Change the alert to drop.

or

Use policies.
Go to Intrusion detection>policy, make a new policy.
Leave the top action on alert, which is default.
Select your whole ruleset.
In the lower action change to drop.
Click apply.
It will change all alerts to drop in that ruleset.
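What that policy does at the rule-file level, as an added illustration that is not code from OPNsense or from this thread: a Suricata rule line starts with its action keyword (alert, drop, pass, reject, ...), and a "change all alerts to drop" policy amounts to rewriting that first word for every matching rule while leaving pass rules, comments and disabled (commented-out) rules alone. The ruleset below is constructed for the example and its sids are made up. OPNsense regenerates its Suricata rule files from the GUI settings on apply, so this is for understanding and offline review of a ruleset, not for editing the live files by hand.

```python
import re

# Constructed sample ruleset (not from the forum thread); sids are made up.
SAMPLE_RULES = """\
# Example ruleset
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"EXAMPLE outbound to unusual port"; sid:9000001; rev:1;)
alert dns $HOME_NET any -> any any (msg:"EXAMPLE suspicious dns query"; dns.query; content:"example-bad.invalid"; sid:9000002; rev:2;)
#alert ip any any -> any any (msg:"EXAMPLE disabled rule"; sid:9000003; rev:1;)
pass ip 192.0.2.10 any -> any any (msg:"EXAMPLE allowlisted host"; sid:9000004; rev:1;)
"""

# Action keywords Suricata accepts at the start of a rule.
SURICATA_ACTIONS = ("alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth")

# A live rule: action word, then header, then the option block in parentheses.
RULE_RE = re.compile(r"^(?P<action>[a-z]+)(?P<rest>\s+\S.*\(.*\))\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_sid(rule_line):
    """Return the numeric sid of a rule line, or None if it has none."""
    m = SID_RE.search(rule_line)
    return int(m.group(1)) if m else None


def set_action(rules_text, new_action, sids=None, only_from=("alert",)):
    """Rewrite the action of matching rules.

    sids=None mimics the "whole ruleset" policy in the post; a set of sids
    mimics editing individual rules. Only rules whose current action is in
    only_from are touched, so pass/reject rules keep their behaviour.
    Returns (rewritten_text, list_of_changed_sids).
    """
    if new_action not in SURICATA_ACTIONS:
        raise ValueError(f"unknown Suricata action: {new_action}")
    out, changed = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        # Blank lines, comments and '#'-disabled rules never match and pass through untouched.
        if not m or m.group("action") not in SURICATA_ACTIONS:
            out.append(line)
            continue
        sid = parse_sid(line)
        if m.group("action") in only_from and (sids is None or sid in sids):
            out.append(new_action + m.group("rest"))
            changed.append(sid)
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


def count_actions(rules_text):
    """Count live rules per action, useful to confirm a policy took effect."""
    counts = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("action") in SURICATA_ACTIONS:
            counts[m.group("action")] = counts.get(m.group("action"), 0) + 1
    return counts


if __name__ == "__main__":
    whole, changed = set_action(SAMPLE_RULES, "drop")
    print("whole-ruleset policy changed sids:", changed)
    print(count_actions(whole))
    single, changed = set_action(SAMPLE_RULES, "drop", sids={9000002})
    print("single-rule edit changed sids:", changed)
    print(single)
```

The `count_actions` summary before and after is the check worth keeping: if the number of `drop` rules did not go up by the number of `alert` rules you expected, the policy or the search matched fewer rules than intended.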
#6
25.7, 25.10 Series / Re: Feature Requst: KEA DHCPv6...
Last post by Leo999 - Today at 05:10:29 AM
In my case, the OPNsense team seems to have made some changes from 25.7.5, resulting in the use of ULA in the KEA DHCPv6 server, the inability to update the lease, and no ULA IPv6 addresses being assigned to new devices. But it is all normal in SLAAC mode.
#7
25.7, 25.10 Series / Re: Looking for testers Q-Feed...
Last post by vk2him - Today at 05:04:59 AM
Quote from: Q-Feeds on Today at 12:51:21 AM
Dear vk2him,

Thank you for your great feedback and suggestions!

• Thanks, fixed it right away!
• I had a look at the reports but unfortunately couldn't reproduce this either. In our backend, which contains over 80 million IOCs, this domain doesn't exist; I also couldn't find it in the OSINT or Premium feeds. If you download the list directly in your browser, do you see the domain then? And is there anyone else on this forum who experiences connection issues with pvoutput.org? Obviously I'm using all of our blocklists but I can connect without any issues.
• Thanks for pointing out the encoding issue, it's been fixed.
• Good idea, you can now reopen cases and also edit your initial submissions.
• The IPv6 issue is solved now. We'll reconsider the scan limits later, but for now, while we're monitoring infrastructure load, you can scan multiple IPs once per week. The allowed IPs are based on where you've connected from (via TIP login or API calls), to help prevent abuse.
• We've added direct links to the Logs and API Keys sections, great suggestion! For the Available Feeds section, we'll add a link once some new planned pages are ready.

Unfortunately, I can't assist directly with Monit configuration, but maybe someone else in the community can share some insights.

Kind regards,

David

Thanks for the reply and fixing the items I pointed out.

Regarding pvoutput.org - today I am able to connect to it, and I wasn't able to find it on the list after I downloaded it, so that's strange.

Anyway, I'm seeing something strange at the moment - my Events tab isn't showing anything and it was yesterday.

I tried browsing to a site that is in the IP filter table and the live logs show Q-Feeds blocked it, however the Events tab is blank? I tried this yesterday and it appeared in the live logs and the Events tab.

#8
Just note Suricata is not a firewall at present.
#9
I can tell you the firewall does not work; also Suricata does not work in blocking certain IPs.
How does an IP bypass the router altogether?
If you can answer without getting in trouble, if you can answer, you know already.
I could go into more detail but I'm trying to stay out of trouble.
I have a vague idea how they are doing that, but my question is, is there a way to stop them, block them?

Another note, it's a newly installed system so there are no carry-overs due to any malicious bad guys.
So all the planted and in planted ways to cause a connection are not relevant in that respect.
No, I'm not going to bad websites of any kind.
I don't use Tor or VPNs; you should know about that already.
Not sending encrypted messages, no dark web.
#10
25.7, 25.10 Series / Re: DNS failures after upgrade...
Last post by someone - Today at 04:32:25 AM
What browser are you using? If using Firefox, there are some changes in Firefox that have to be made or Firefox DNS will fight with Unbound DNS. You should leave Unbound enabled at default except check flush cache on reboot. Nothing to do there for a basic setup. Put your DNS servers in System>Settings>General>DNS. Just to the right of each one is a gateway drop-down bubble. If it doesn't show an IPv4 gateway, wait for a DHCP connection, then click the drop-down bubble and it should be there. You have to attach an IPv4 gateway there. It's a bug I mentioned on the forum before. Then monitor your DNS: is it going where it should, exactly? No deviations. Leave everything else about DNS at default. If problems persist, make sure you wipe the OPNsense drive before a reinstall if you know how. It has a possibility of carrying data over to the new system. Wipe the RAM. If it still has wrong DNS then you have to look at the modem and/or operating system.