Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
IDS detection unreliability, not sure why - new user.
« previous
next »
Print
Pages: [
1
]
Author
Topic: IDS detection unreliability, not sure why - new user. (Read 2607 times)
scyto
Newbie
Posts: 11
Karma: 1
IDS detection unreliability, not sure why - new user.
«
on:
April 20, 2020, 06:43:50 pm »
Hi I am new, so bear with me if i seem extra stupid.
I installed opnsense yesterday for first time, configured for transparent bridging.
I installed the intrusion detection service and tested with
www.testmyids.com
and got an alert, yay!
I then installed: ET Pro Telemetry ruleset, Snort VRT registered rule set, PT rule set and Sensi (in experimental bridge mode).
I turned off sensi when I saw it was giving me a 50% throughput hit on my 1gig connection.
Now when i go to
www.testmyids.com
it isn't generating any alert events and I am unsure why.
Any suggestions?
«
Last Edit: April 21, 2020, 07:20:46 pm by scyto
»
Logged
scyto
Newbie
Posts: 11
Karma: 1
Re: IDS stopped working, not sure why - new user.
«
Reply #1 on:
April 21, 2020, 06:18:49 am »
Today I noticed that suricata was detecting threats directed to the WAN interface (rather than the bridge which is made up of LAN / WAN) QED suricata is still working
Maybe i don't understand how the allow logging works - does it log only once per signature per host - no matter how many times that signature it is hit?
Logged
scyto
Newbie
Posts: 11
Karma: 1
Re: IDS stopped working, not sure why - new user.
«
Reply #2 on:
April 21, 2020, 06:58:10 pm »
Ok, i think there are several things going on here that are contributing to breaks / unreliability
1. i have yet to verify but I think sensi modified the bridge and stopped IPS working - i tore down sensi, reset and reinstalled suricata and deleted and re-created the bridge - that helped.
2. I had poorly formed 'ANY' firewall rules on BR0, LAN and WAN. Removed WAN and LAN rules and created inbound and outbound rule on BR0 correctly.
This has increased detection, but it is still unreliable, for example if I use the "for i in {1..10}; do curl testmyids.com; done" command it generates maybe one or two alerts in inline opnsense (between CM and router).
Whereas my routers IPS detects all 10.
Not sure where to start to troubleshoot?
Logged
scyto
Newbie
Posts: 11
Karma: 1
Re: IDS detection unreliability, not sure why - new user.
«
Reply #3 on:
April 26, 2020, 05:40:13 am »
Here is example of the opnsense failing to detect packets for enabled rules.
the connection is ONT <> opsense in transparent bridge <> UDMP in NAT router.
both are doing IDS not IPS.
https://imgur.com/PzChBHk
https://imgur.com/DhWyA17
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
IDS detection unreliability, not sure why - new user.