Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
21.1 Legacy Series
»
Intrusion Detection rulesets - good/bad choices?
« previous
next »
Print
Pages: [
1
]
Author
Topic: Intrusion Detection rulesets - good/bad choices? (Read 7277 times)
jonf
Newbie
Posts: 23
Karma: 1
Intrusion Detection rulesets - good/bad choices?
«
on:
February 10, 2021, 03:13:00 pm »
I'd like to try out the Intrusion Detection feature in OPNsense but I see that there are...rather a lot of choices of different rulesets to choose from. I won't select all of them as I'd assume this would use more resources and possibly block things I don't want blocked.
Does anyone recommend any particular ruleset(s)? If it makes any difference I'm playing online games quite a lot at the moment and I have a file server which also runs torrents behind my VPN.
Logged
FullyBorked
Sr. Member
Posts: 343
Karma: 24
Re: Intrusion Detection rulesets - good/bad choices?
«
Reply #1 on:
February 10, 2021, 05:23:23 pm »
Picking and choosing is going to be tough. Best method is to enable an entire ruleset, for me I use Proofpoint Telemetry list. Instructions here.
https://docs.opnsense.org/manual/etpro_telemetry.html
Enabled all these rules in IDS "Alert Mode". Monitor it for a week or so and as alerts pop up determine if they are real threats or false positives and disable those rules as needed or resolve threats if found. Once you've went through this process set the active rules to IPS "Block Mode". You'll still need to monitor it for a bit.
To make life easier I recommend setting up monit. Instructions here
https://docs.opnsense.org/manual/monit.html
See (Example 3) to get suricata alerts. Saves you having to log in constantly to monitor it.
Logged
jonf
Newbie
Posts: 23
Karma: 1
Re: Intrusion Detection rulesets - good/bad choices?
«
Reply #2 on:
February 10, 2021, 06:11:13 pm »
OK I just picked and set up a ruleset with monit running as outlined in your post, and put it in alert mode. I'll see how it goes from here.
Thanks for the input.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
21.1 Legacy Series
»
Intrusion Detection rulesets - good/bad choices?