OPNsense Forum » English Forums » Intrusion Detection and Prevention » Would it make sense to outsource rules to firewall rule
Topic: Would it make sense to outsource rules to firewall rule (Read 5488 times)
ArminF (Full Member, Posts: 205, Karma: 11)
Would it make sense to outsource rules to firewall rule
on: September 28, 2020, 09:34:54 pm
Hey, just watching the webcast about the IDS/IPS.
What do you think? Would it make sense to reduce the rules of Suricata by outsourcing rules to the firewall?
eDrop, URLhaus, Feodo etc. These services offer an IP list to import as a floating rule?
https://feodotracker.abuse.ch/blocklist/
https://sslbl.abuse.ch/blacklist/
FireHOL and other blocklist makers?
This should reduce the ruleset and smooth the performance.
The firewall will block the IPs and the attacks (if any) would be blocked at IP level.
Curious about your answers.
thanks A
English: Never try, never know!
German: Untried is inexperienced!
errored out (Full Member, Posts: 171, Karma: 3)
Reply #1 on: February 02, 2021, 12:17:06 pm
How would you import the rule to your FW? What happens to your FW when these rules change?
How could you even do this?
ArminF (Full Member, Posts: 205, Karma: 11)
Reply #2 on: February 02, 2021, 01:22:58 pm
The outsourcing was meant from IDS/IPS to the firewall, to gain performance.
URLhaus is a very long list of bad networks, and so the firewall module can do the job more easily than the IDS/IPS.
I got a lot of performance back when I moved those rules into the firewall module, away from the IDS/IPS.
My internet speed rose 30% and is now at 95% of the full speed while running IDS/IPS in block action with many rules activated.
Hope this explains it better.
cheers A
English: Never try, never know!
German: Untried is inexperienced!
allebone (Sr. Member, Posts: 402, Karma: 34)
Reply #3 on: February 02, 2021, 02:04:19 pm
I agree it would make sense to move them and you would have better performance... but how do you do that exactly? I assume with an alias and set to update x number of hours? Please can you clarify?
ArminF (Full Member, Posts: 205, Karma: 11)
Reply #4 on: February 02, 2021, 02:18:54 pm
Exactly.
I used a URL Table alias and pointed it to the files. Update every 8 hours.
Blacklist_Feodo_Botnet, URL Table (IPs), Feodo C&C recommended:
https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
Blacklist_FireHOL_Level1, URL Table (IPs), FireHOL Level 1 List:
https://iplists.firehol.org/files/firehol_level1.netset
Blacklist_FireHOL_Level2, URL Table (IPs), FireHOL Level 2 List:
https://iplists.firehol.org/files/firehol_level2.netset
Blacklist_FireHOL_Level3, URL Table (IPs), FireHOL Level 3 List:
https://iplists.firehol.org/files/firehol_level3.netset
Blacklist_Spamhaus_Drop, URL Table (IPs), Spamhaus Drop:
https://www.spamhaus.org/drop/drop.txt
Blacklist_Spamhaus_eDrop, URL Table (IPs), Spamhaus Drop:
https://www.spamhaus.org/drop/edrop.txt
Blacklist_dShield, URL Table (IPs), dShield Drop:
http://feeds.dshield.org/block.txt
Then I placed them into the floating rules and blocked incoming traffic, and with a second rule outgoing traffic, on them.
But I had to disable a few, as I could not browse anymore afterwards...
Hope this makes sense...
cheers A
English: Never try, never know!
German: Untried is inexperienced!
allebone (Sr. Member, Posts: 402, Karma: 34)
Reply #5 on: February 02, 2021, 11:28:19 pm
It does make sense but how did you determine those lists match up to the arrows in your original screenshot? Also for example there are 7 lists but 6 items in the screenshot you put an arrow next to. I am not clear how you are determining these lists match those checkable items.
ArminF (Full Member, Posts: 205, Karma: 11)
Reply #6 on: February 03, 2021, 07:58:29 am
Morning,
the initial screenshot does point out lists of bad networks. These lists contain networks and hosts.
I removed as many as I could find from the IDS/IPS section; that's why I have 7 instead of the first marked 6.
The idea is to disable them on the IPS so it does not use patterns at all, but the firewall will block the source/destination based on the network or IP coming from the URL alias. There is no need to scan for intrusion if the firewall will block it anyway.
I used a floating rule to select more interfaces (LAN, WAN, DMZ) instead of having them on each section.
You can check the URL table if you go to Firewall - Diagnostics - pfTables.
Hope I understood you right and this clarifies it.
cheers A
English: Never try, never know!
German: Untried is inexperienced!
allebone (Sr. Member, Posts: 402, Karma: 34)
Reply #7 on: February 03, 2021, 02:48:09 pm
Sorry, I must apologize. I think I am not explaining myself correctly. Sorry for this.
I am asking how you know that, for example, the rule set "abuse.ch/URLhaus" correlates to Blacklist_Spamhaus_Drop/eDrop (or some other list)? How did you determine this is the case?
For example, on the About page of URLhaus it states:
"URLhaus is a project operated by abuse.ch. The purpose of the project is to collect, track and share malware URLs, helping network administrators and security analysts to protect their network and customers from cyber threats.
Submissions to URLhaus are being shared with security solution providers, antivirus vendors and blacklist providers, including:
Google Safe Browsing (GSB)
Spamhaus DBL
SURBL
"
It does not state how these providers are implementing the data.
So while I do understand and agree with the overall method, that moving these to firewall rules would be more efficient, I am not clear on the process of determining how to achieve this and ensure it is 100% accurate.
Hope this makes sense.
P
ArminF (Full Member, Posts: 205, Karma: 11)
Reply #8 on: February 03, 2021, 03:34:38 pm
Well, OK, I think I can follow you.
So about having sources doubled in the URL alias. Here I can say that the firewall can handle many more tables (networks and hosts) than the IDS/IPS, even when you have double entries in different tables. If the hardware is scaled enough it is not a problem at all. I do run an i7 CPU with 32GB memory. Usage is about 5 to 10%.
About these services (Spamhaus, URLhaus, dShield): you have to "kind of trust" what they are doing by listing these networks in their block lists. You cannot ensure that they are always accurate nor up to date. But to be honest... you have to do this with OPNsense as well.
If you check
https://www.spamhaus.org/organization/
for example: they have offered their service for quite a long time. Of course everyone can make mistakes by listing something which might not need to be listed and so blocked.
FireHOL is a collection of some of the services, and they state "This site is provided as-is, without any warranty. IP Lists are a property of their maintainers."
But all of them give you a much higher level of protection. I see it as better to have than to miss.
I run this at home. So here I can take a higher risk of blocking something unintentionally. On our business OPNsense I do not run all of them. But some.
Hope this helps.
cheers armin
English: Never try, never know!
German: Untried is inexperienced!
allebone (Sr. Member, Posts: 402, Karma: 34)
Reply #9 on: February 03, 2021, 11:19:04 pm
Hi Armin,
I am still asking how you know what IPs correlate to what lists.
E.g.: abuse.ch/URLhaus = ?
How do you determine what IP lists make up this ruleset?
Please clarify.
Kind regards
Pete
ArminF (Full Member, Posts: 205, Karma: 11)
Reply #10 on: February 04, 2021, 07:24:58 am
Morning Pete,
please forgive me this back and forth...
So let's take an IP, assuming it was blocked, and you would need to check if it is somewhere in a block list.
https://www.spamhaus.org/drop/drop.txt
-> in this list there is the network 46.102.190.0/24 ; SBL493880 --> we take out 46.102.190.100, which would be in that /24 network.
You have imported the list through a URL Table in your aliases.
Blacklist_Spamhaus_Drop, URL Table (IPs), Spamhaus Drop:
https://www.spamhaus.org/drop/drop.txt
The firewall shows drops/blocks for 46.102.190.100. If you set a category on your blacklist drops, the firewall will tag them and show the category as a label.
Here you can navigate to Firewall -> Diagnostics -> pfTables and select the Blacklist_Spamhaus_Drop list.
In there you can search for the IP or the network. So 46.102.190.x
The result should show you the included network.
Actually you could merge your lists into one URL table by adding all the links into one alias.
The list will get bigger, but it should work as well. You would then need to check only one list.
I attach some screenshots.
Pete, I hope this helps.
We could have a call if you want. Drop me a PM.
cheers armin
Last Edit: February 04, 2021, 07:28:10 am by ArminF
English: Never try, never know!
German: Untried is inexperienced!
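The check Armin describes (take a blocked address, find the alias entry that covers it) and the earlier point about double entries across aliases can both be reproduced offline. The following is an added example, not code from the thread or from OPNsense: it parses small constructed samples in the three feed layouts mentioned in the thread (Spamhaus DROP with `; SBL` comments, FireHOL netset with `#` comments, and a DShield `block.txt` row, whose tab-separated start/end/prefix layout is an assumption here), collapses overlapping entries the way a pf table does, and looks up 46.102.190.100. The feed contents are constructed, not real list data.

```python
"""Parse IP blocklist feeds of the kinds imported as OPNsense URL Table
aliases, collapse overlapping entries, and look up one address.
Added example; the sample feed contents are constructed, not real feed data."""
import ipaddress
import re
from typing import Iterable, List, Optional

# Constructed sample in Spamhaus DROP layout: "network ; SBL-id"
SAMPLE_DROP = """; Spamhaus DROP list (constructed sample)
46.102.190.0/24 ; SBL493880
5.188.10.0/23 ; SBL999999
"""
# Constructed sample in FireHOL netset layout: "#" comments, one CIDR or IP per line
SAMPLE_NETSET = """# constructed firehol_level1 sample
46.102.190.0/24
5.188.10.0/23
5.188.11.5
10.0.0.0/8
"""
# Constructed sample in an assumed DShield block.txt layout: "start\tend\tprefix\t..."
SAMPLE_DSHIELD = """# constructed dshield block.txt sample
5.188.10.0\t5.188.11.255\t23\t...
"""


def parse_feed(text: str) -> List[ipaddress.IPv4Network]:
    """Return the networks listed in a feed, tolerating the three layouts."""
    nets = []
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, maxsplit=1)[0].strip()  # drop ';' and '#' comments
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) >= 3 and fields[2].isdigit():  # assumed DShield row: start, end, prefix
            nets.append(ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False))
        else:  # bare CIDR or single address
            nets.append(ipaddress.ip_network(fields[0], strict=False))
    return nets


def merge_feeds(feeds: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Union of all feeds with duplicates and nested entries collapsed, which is
    why the same network appearing in several aliases costs the firewall nothing."""
    return list(ipaddress.collapse_addresses(n for f in feeds for n in parse_feed(f)))


def find_containing(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Network]:
    """Return the table entry that covers an address, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in n), None)


if __name__ == "__main__":
    table = merge_feeds([SAMPLE_DROP, SAMPLE_NETSET, SAMPLE_DSHIELD])
    print("merged table:", [str(n) for n in table])
    print("46.102.190.100 covered by:", find_containing("46.102.190.100", table))
    print("8.8.8.8 covered by:", find_containing("8.8.8.8", table))
```

On the firewall itself the same lookup can be made against the live table with `pfctl -t <alias name> -T test <address>`, which is what the pfTables page does in the GUI; the script is only useful for checking a feed before importing it or for seeing how much overlap the merged alias would have.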
allebone (Sr. Member, Posts: 402, Karma: 34)
Reply #11 on: February 04, 2021, 10:56:17 pm
Might have to, because I am not clearly explaining my issue.
I understand completely what you are doing and why, and even how.
The part I do not understand is step 1: how do you ascertain what IP blocklist matches what Suricata rulesets?
This part is not explained anywhere in your post.
e.g.:
You are using this list:
https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
this list contains # END 129 entries
This list is on that same page:
https://feodotracker.abuse.ch/downloads/feodotracker.rules
# END 332 entries
How did you determine that ipblocklist_recommended.txt matches abuse.ch/Feodo Tracker? This is not explained.
Pete.
Last Edit: February 04, 2021, 11:05:50 pm by allebone
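Pete's question, whether the IP list really covers what the matching Suricata ruleset blocks, can be answered by comparing the two files rather than trusting the entry counts: an IP-reputation ruleset often carries several rules per address (one per port or direction), so 332 rules against 129 addresses is not by itself a mismatch. The following is an added example, not code from the thread, from abuse.ch or from OPNsense. It extracts the destination addresses literally named in each rule, checks every one of them against the IP list, and reports which sids the firewall alias would fully replace and which would not (rules keyed on content or on a variable such as `$EXTERNAL_NET` never qualify). The rules and the list are constructed samples in the general Suricata syntax, not the real Feodo Tracker files, and the regular expressions assume the common `action proto src sport -> dst dport (options)` layout.

```python
"""Report which Suricata rules are fully covered by an IP blocklist alias.
Added example; the rules and the IP list are constructed, not the real
abuse.ch feeds."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed rules in the shape of an IP-reputation ruleset: several rules can
# name the same address, which is why a .rules file can hold more entries than
# the matching IP list. Not feodotracker.rules.
SAMPLE_RULES = """# constructed sample
alert tcp $HOME_NET any -> 203.0.113.10 443 (msg:"C2 traffic A"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> 203.0.113.10 8080 (msg:"C2 traffic A alt port"; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> [203.0.113.20,198.51.100.5] any (msg:"C2 traffic B"; sid:9000003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"payload pattern"; content:"/gate.php"; sid:9000004; rev:1;)
"""
# Constructed IP list, one address per line, "#" comments. Not ipblocklist_recommended.txt.
SAMPLE_IPLIST = """# constructed sample
203.0.113.10
203.0.113.20
"""

# Assumed layout: action proto src sport -> dst dport (options)
DST_RE = re.compile(r"^\s*\w+\s+\w+\s+\S+\s+\S+\s+->\s+(\S+)\s+\S+\s+\((.*)\)")
SID_RE = re.compile(r"sid:\s*(\d+)")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?")


def rule_destinations(rules_text: str) -> Dict[int, Set[ipaddress.IPv4Network]]:
    """Map each rule's sid to the destination networks literally named in it.
    A destination given as a variable like $EXTERNAL_NET yields an empty set."""
    out: Dict[int, Set[ipaddress.IPv4Network]] = {}
    for line in rules_text.splitlines():
        m = DST_RE.match(line)
        if not m:
            continue  # comments, blank lines, rules in another layout
        sid = int(SID_RE.search(m.group(2)).group(1))
        out[sid] = {ipaddress.ip_network(ip, strict=False) for ip in IP_RE.findall(m.group(1))}
    return out


def load_iplist(text: str) -> List[ipaddress.IPv4Network]:
    """Parse a one-entry-per-line IP list with '#' comments into networks."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def coverage(rules_text: str, iplist_text: str) -> Tuple[List[int], List[int]]:
    """Split sids into those whose every literal destination lies inside the IP
    list (the firewall alias blocks the same hosts) and those that do not."""
    nets = load_iplist(iplist_text)
    covered, uncovered = [], []
    for sid, dsts in rule_destinations(rules_text).items():
        if dsts and all(any(d.subnet_of(n) for n in nets) for d in dsts):
            covered.append(sid)
        else:
            uncovered.append(sid)
    return sorted(covered), sorted(uncovered)


if __name__ == "__main__":
    covered, uncovered = coverage(SAMPLE_RULES, SAMPLE_IPLIST)
    print("replaced by the alias:", covered)
    print("still need Suricata:  ", uncovered)
```

Rules that land in the uncovered group are the ones to keep enabled in Suricata after moving the list to a firewall alias; in the constructed sample that is the rule with a second address missing from the list and the content-match rule, which no IP table can replace.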
allebone (Sr. Member, Posts: 402, Karma: 34)
Reply #12 on: February 05, 2021, 02:56:42 pm
Hey Armin,
Thanks for taking my call; you helped clear up what was happening, so I understand better now.
As I mentioned, I am also keeping a blocklist if you are interested in taking a look:
https://github.com/pallebone/StrictBlockPAllebone
Stay safe, and thanks again.
Kind regards
Pete
TomK (Newbie, Posts: 7, Karma: 0)
Reply #13 on: February 07, 2021, 06:26:15 pm
I realized about a 50% increase in speed by doing this.
allebone (Sr. Member, Posts: 402, Karma: 34)
Reply #14 on: February 07, 2021, 07:48:10 pm
This entire post actually makes me think Suricata is crap and I'm better off with block rules and Sensei.