Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
OPNsense IPS syslog triggers IPS
« previous
next »
Print
Pages: [
1
]
Author
Topic: OPNsense IPS syslog triggers IPS (Read 2911 times)
dennis_u
Newbie
Posts: 28
Karma: 0
OPNsense IPS syslog triggers IPS
«
on:
December 20, 2021, 12:59:04 pm »
Our central OPNsense does IPS. During the Log4Shell analysis I realized that some JSON datagrams are not received by the syslog server (I guess to large for UDP, will try it with TCP).
But, the other point creates more concerns: if external hosts send Log4Shell http requests to my targets, Suricata finds the patterns (great) and block the requests. The OPNsense creates a syslog message with the malicious request for Splunk/Graylog. The outgoing syslog message is blocked, since Suricata finds the pattern again and blocks the request, which generates a new syslog message.
We have also a Reverse Proxy in the DMZ. The unencrypted local requests are blocked by Suricata (also great). If it catches log4shell https requests and puts it into the access log, the Splunk Forwarder sends the request to Splunk. Suricata finds the patterns, blocks them and generate a new syslog message. 93% of all log4shell connections are done by OPNsense->Syslog or RP->Syslog.
Isn't the pattern "1 request yields to 3 requests" a melting pot for DoS scenarios.
Don't get me wrong, Suricata does its job very well, but I have to find a way to exclude/trust connections. How do you solve this problem at your side?
«
Last Edit: December 20, 2021, 01:17:06 pm by dennis_u
»
Logged
OPNsense consulting, installation, configuration and care by DU Consult
carrot
Newbie
Posts: 13
Karma: 1
Re: OPNsense IPS syslog triggers IPS
«
Reply #1 on:
June 27, 2022, 02:44:11 pm »
I've had to add a pass rule from the IPS internal interface to my syslog receiver because of this.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
OPNsense IPS syslog triggers IPS