Author Topic: Fast and easy way to protect your home and/or small office network with OPNsense  (Read 44983 times)

FirstSoul

Re: Fast and easy way to protect your home and/or small office network with OPNsense
« Reply #45 on: September 27, 2018, 01:20:44 pm »
Test it here:
http://www.eicar.org/85-0-Download.html

HTTP blocks it, HTTPS does not... interesting.

mimugmail

Re: Fast and easy way to protect your home and/or small office network with OPNsense
« Reply #46 on: September 27, 2018, 01:53:02 pm »
It's encrypted ... that's all.
You have to do SSL inspection via proxy to do this.
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

jds

Re: Fast and easy way to protect your home and/or small office network with OPNsense
« Reply #47 on: October 11, 2018, 05:58:33 am »
Marcel_75: I have the same issue. There were some errors in the log about one of the lists, which I disabled. But still fails the eicar test. Followed everything exactly, tried multiple times. No other complaints that I can find in the logs.

Here is the log entry
suricata: [100090] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SSL Fingerprint Blacklist: Malicious SSL certificate detected (Quakbot C&C)"; tls_fingerprint:"ff:ff:89:55:e7:62:ca:a2:7b:97:a2:2e:2c:6f:e6:d0:53:a8:f1:9a"; sid:902332065; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.sslblacklist.rules at line 2822

UPDATE: after a few hours, suricata stopped running, and threw no errors in its logs. I noticed that the opnsense howto is different (older) than this post. Importantly, it just suggests adding the WAN interface, and not LAN. So, I removed LAN, but could still download the eicar test files. Does it matter that I am using openvpn client on the firewall?

Second update: I think that it is working now. But this required setting my WAN, LAN and openvpn interfaces for IPS, setting promiscuous mode, and setting pattern to Aho-Corasick (despite having a quad core Intel CPU), and then rebooting. This gave a new message in the log file that I had not seen before:

suricata: [100098] <Notice> -- all 6 packet processing threads, 4 management threads initialized, engine started.

Which looked encouraging. The test at eicar then appears to work.  Yeah!
« Last Edit: October 11, 2018, 06:34:01 pm by jds »

xames

Re: Fast and easy way to protect your home and/or small office network with OPNsense
« Reply #48 on: January 18, 2019, 09:23:36 pm »
How to use IPS with multi-WAN settings and internal DNS?

thanks.

marcri

Re: Fast and easy way to protect your home and/or small office network with OPNsense
« Reply #49 on: June 05, 2019, 08:14:09 pm »
Hi,

Is it possible to change the action of multiple rules? I want to change ~1000 actions from alert to drop ;)