Author Topic: IDS OPNsense VM (Read 2259 times)

guyp2k · « **on:** October 07, 2019, 03:23:04 am »

Before I troubleshoot my potential issues (no alerts), is my issue that I have OPNsense running in a VM?

I have enabled several rules( trojans, malware, and icmp) and generated traffic, but noting is showing under the alerts tab.

OPNsense: 19.7.4_1-amd64
VM Environment: XCP-ng 8.0.1

weust · « **Reply #1 on:** October 07, 2019, 07:47:09 am »

ISD/IPS is fine in a VM. Just make sure to follow the guide on disabling offloading.

guyp2k · « **Reply #2 on:** October 07, 2019, 02:21:20 pm »

All I am using are the snort categories given I have a subscription and I assume are not compatible? Below are the logs from IDS

suricata: [100156] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.msi' is checked but not set. Checked in 47593 and 1 other sigs

suricata: [100156] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt "; itype:134; icode:0; content:"|03|"; depth:1; offset:12; byte_test:1,>,4,0,relative; metadata:policy max-detect-ips drop; reference:cve,2010-0239; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-009; classtype:attempted-admin; sid:16405; rev:6;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.protocol-icmp.rules at line 166

dcol · « **Reply #3 on:** October 07, 2019, 11:50:52 pm »

Not all snort rulesets work in Suricata. You may have hit one.

Author Topic: IDS OPNsense VM (Read 2259 times)

guyp2k

IDS OPNsense VM

weust

Re: IDS OPNsense VM

guyp2k

Re: IDS OPNsense VM

dcol

Re: IDS OPNsense VM