IDS/IPS initial basic configuration with bridges

Started by zoltar, December 19, 2024, 01:06:09 PM

Good morning. After fully configuring my network, following the advice on the forum and reading tutorials, etc., I have started to configure protection in the upper layers. Unfortunately my hardware is not enough to support Zenarmor, so I have installed and configured Suricata, and it has been a disaster, possibly due to some configuration that I am not doing well. I have chosen to enable it on the internal networks, according to the general recommendation.
I have several questions:
1. My network is configured with several bridges to extend the VLANs between several cards. Example: vlan1_salon (igc0) -> bridge0 -> vlan1_rooms (igc1). In the system tunables configuration, filtering is disabled on the interfaces and enabled on the bridge.
All hardware acceleration features are disabled and promiscuous mode is enabled.
In the IDS/IPS interface configuration do I have to select the bridge interface alone?
2. In the $HOME variable I have deleted the predefined networks and set all my subnets/vlans to CIDR. Do I have to define all of them including those not selected in "Interfaces"?
3. Regarding the rules. I have installed the plug-ins for ET Telemetry and Snort, but they are a huge amount for my experience. I have uninstalled both plug-ins to start with the basics, but I cannot delete the rules that had already been downloaded. Am I right in understanding that enabling the open rules for ET, abuse.ch and the built-in application detection rules is enough for basic and initial protection?
Thanks in advance.

Hello again.
I have disabled all the snort rules, and I have deleted them as indicated in this post: https://forum.opnsense.org/index.php?topic=11027.0, and my system is now as shown in the image.
I had to restart the system manually because it was not responding and now it is very slow even though Suricata is disabled.
Does anyone have an explanation for what happened to me?


December 22, 2024, 04:35:48 AM #3 Last Edit: December 22, 2024, 04:38:16 AM by jonny5
It would appear that you might have pegged your CPU and RAM and that your Rule re-building might be getting caught, not sure.

I would recommend you lean into rule control via the Policies:
https://www.nova-labs.net/opnsense-and-enabling-suricata-rules/

There is another way to go at it too, but it would involve doing a mod that can stay and using 'suricata-update' to do rule management (no GUI yet). To not distract I won't worry about sharing it other than to say it exists (and I've switched over to it, quite happy). Let me know if you are interested.

Also want to mention, I've noticed more and more admins/OPNsense router users setting up Bridges to join their subnets/interfaces, and I haven't had to do that. It is interesting to me, as the Bridge is spoken of as not-very-high-performance and, IMHO, seems unnecessary; I'd recommend not using it. Would certainly hear someone tell me why it is necessary (and I'm learning L2 maybe doesn't propagate without a Bridge, but often isn't necessary, so, depends on need?).

Thank you very much for the reply. I had to restore the backup from a week ago.
I did not configure the rules by hand, I only tried to delete the Snort ones because I thought that the default ones and the ET Telemetry ones were enough.
Although IPS was enabled, I did not have any rules configured to reject packets, only alert.
It seems that the problem could be, as you say, in the bridges. Once I restored the backup I noticed in the logs that packets are filtered at the interface level, and I understand that this should not happen with my configuration:
net.link.bridge.pfil_bridge - Set to 1 to enable filtering on the bridge interface - runtime - 1
net.link.bridge.pfil_member - Set to 0 to disable filtering on the incoming and outgoing member interfaces. - runtime - 0

The strange thing is that it didn't recover when disabling IDS and uninstalling it; even after restoring the offline backup and discarding the installation, I have continued having problems. You are right, it seems to have to do with the ARP tables, although there were no erroneous entries; when I cleared them in the firewall and the switches, it started to work. But it had been working for months without problems; the only difference is that before enabling IDS I updated to version 24.7.11_2.
The need to use the bridges was because in an old commercial firewall that I had for a while to learn, I had it configured like that and I had no problems, but I think I will configure differentiated vlans and remove the bridges.
Thanks anyway. Happy holidays to everyone.
P.S.: I have read how to use suricata-update, thanks, but I wanted to start with the policies; however, I think I will reconfigure the entire network first.
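As an added example that is not from the thread or from OPNsense itself: a POSIX sh audit that checks the bridge/IDS settings discussed above (pfil_bridge=1 and pfil_member=0, hardware offloading off and PROMISC set on the inspected member) against captured sysctl and ifconfig output, so it can be run on the firewall or, as here, on constructed sample output. The interface name igc0 comes from the first post; the sample output and the offload option list are my assumptions about what ifconfig shows.

```sh
#!/bin/sh
# Audit the bridge/IDS settings from the thread using captured command output:
# on the firewall pass "$(sysctl net.link.bridge)" and "$(ifconfig igc0)",
# here we use the constructed samples at the bottom so it runs anywhere.

# Filter once on the bridge (pfil_bridge=1), never again on members (pfil_member=0).
# $1: text of `sysctl net.link.bridge.pfil_bridge net.link.bridge.pfil_member`,
# in "key: 1" (sysctl) or "key=1" (sysctl -e) form. Returns 0 only if both match.
check_bridge_filtering() {
    rc=0
    for want in net.link.bridge.pfil_bridge=1 net.link.bridge.pfil_member=0; do
        key=${want%%=*}; val=${want#*=}
        have=$(printf '%s\n' "$1" | awk -v k="$key" -F'[:=] *' '$1 == k {print $2}')
        if [ "$have" != "$val" ]; then
            echo "MISMATCH $key is '${have:-unset}', expected $val"
            rc=1
        fi
    done
    return $rc
}

# A bridge member Suricata inspects should have offloading off (so it sees the
# frames as they were on the wire) and PROMISC set, as the first post describes.
# $1: text of `ifconfig <member>`. Prints each problem; returns 0 when clean.
check_member_iface() {
    rc=0
    flags=$(printf '%s\n' "$1" | sed -n 's/.*flags=[0-9a-fx]*<\([^>]*\)>.*/\1/p')
    opts=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*options=[0-9a-fx]*<\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,PROMISC,*) ;;
        *) echo "PROMISC not set"; rc=1 ;;
    esac
    for bad in RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO VLAN_HWFILTER; do
        case ",$opts," in
            *,"$bad",*) echo "offload $bad still enabled"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample output (not captured from the poster's firewall):
# members still filtered, and igc0 still offloading.
SAMPLE_SYSCTL='net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 1'
SAMPLE_IFCONFIG='igc0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e520bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO>'
check_bridge_filtering "$SAMPLE_SYSCTL" || echo "-> frames hit pf on the members and again on the bridge"
check_member_iface "$SAMPLE_IFCONFIG" || echo "-> igc0 is not ready for Suricata inspection"
```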