IDS Interfaces

[Lost_Ones]

Hello,

I am brand new to OPNsense. Coming from pfSense.

I have a few questions about the interfaces selection to use with IDS.

Couple this first:
OPNsense 22.1-amd64
FreeBSD 13.0-STABLE

I have OPNsense in a qemu/kvm with a dual nic card with each physical interface configured as a bridge, one WAN and the other LAN.

For IPS configuration I have enabled: Enabled, IPS mode, and Promiscuous mode.  I have hyperscan as my pattern, interfaces of LAN and WAN.  I have also selected several downloads and enabled them as well.
 
I have a policy that is set to the downloads, with the Action of alert, and drop with the New Action of Drop.  All else default.

I hope that the above is correct for my configuration     and if suricata works with VM br0 interfaces?

Question one:  I read that you need to have the IP of the WAN in the settings administration home networks?   Is this true?  What if you have the dd-client configured to update dynamic DNS? Otherwise how to do you keep that updated?

Question two: I am coming from pfSense with suricata so I am familiar with how 'noisy' IDS can be. I seem to see only a trickle of alerts, as where before it would have a lot of blocked session attemts in a short period of time ( I do have port forwarding, hence more alerts )

Seems to work at times, but not a constant flow of new alerts.  I have looked at the documentation, and it is not too much of a how-to, but it does make me wonder if it will work in a kvm or if I have the proper configuration.

I appreciate any insight or direction.

Best Regards,

[Lost_Ones]

UPDATE:

Seems that if I have LAN and WAN interfaces selected ( my modem is in bridge mode, and I us PPPoE ) I will see blocks with the public IP of the SRC without any IP or network listed in the 'Home Network' under administration.

I created a user rule for a site - Gibson Research "Shields Up" with an alert.  When I would run a scan, it would show in the logs. This leads me to believe that IDS is working without having to manually ( or automagically via script ) input an IP in the Home Networks.

sample logs:
2022-02-06T09:58:46.797271-0700   4294967294   allowed       4.79.142.202   443   192.168.50.70   59168   test IP from grc.com to scan    
2022-02-06T09:58:46.796621-0700   4294967294   allowed       4.79.142.202   443   192.168.50.70   59158   test IP from grc.com to scan

Agree? 

Thank you.

[franco]

Hi there,

Configuration looks sound in general. But to your questions:

PPPoE and bridge interfaces don't work with IPS. The default is to use LAN only in which case you do not have to alter home networks (hidden under advanced) unless your WAN IP is also in a private network range specified there.

In most cases WAN IPS is pre-NAT which misses most of the rules that try to match on home networks for incoming traffic. And since you will not see WAN attacks for this reason the noise level is low since none of it will hit the LAN side vs. when you set it to listen to WAN pre-firewall which will alert but firewall will drop anyway.

If you want all the noise a transparent bridge setup with all the traffic passing through might be more to your liking, see https://docs.opnsense.org/manual/how-tos/transparent_bridge.html


Cheers,
Franco

[Lost_Ones]

Hi Franco,

I am following what you are saying, I would think if I have just the LAN selected, and there was a signature that was matched, IPS would trigger on the communication from the Inside device out back?

I fully understand that the FW will catch any incoming, unsolicited request, however I have port forwards, and just want to block bad actors that may be scanning the Internet.

I really don't want all the noise, just trying to mimic the configuration that I had with pfsense.

Regards,

JC