Got it working - here is how.

Started by rc222, March 30, 2020, 09:27:36 PM

The interface and GUI, I have realized, are horrible. This is why, after reading tons of articles on Suricata, the manual, all this stuff, none of it worked for me.

What I did is enable the rules in

<-- assumes you downloaded the rules you wanted, and paid for or applied for any that required licensing. -->

Services: Intrusion Detection: Administration> rules

What I had to do is enable all the rules kind of manually.

Change the "view number of rules" drop-down to 1000, then check the "sid" checkbox, selecting all 1000 rules; then scroll to the bottom, click "enable selected" and "drop", then wait forever. After it's done, click apply.

For me this fixed it: with the 22k rules I have, the logs now contain all sorts of info.

Bonus: go to

Services: Intrusion Detection: Administration> rules

and do a search filter for:

DELETED

These are old, unused rules. If they are enabled, I don't know whether they have any effect on system resources or not; maybe someone can chime in...

Anyway, I just pick 1000 again and check "sid", then scroll to the bottom and click disable; after that's done, hit apply, then go through the next page, if any, to see if it applied the disable to those as well.
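The same two selections the post performs in the GUI (select every SID and enable it as drop, then filter on DELETED and disable those) can be done against a Suricata rules file directly. The script below is an added example, not code from the post or from the OPNsense project; it does not touch OPNsense's own rule database, only a plain Suricata rules file, and the rule lines it contains are constructed for the example (the SIDs, messages and the "SAMPLE" prefix are invented). It relies only on Suricata's normal file format: one rule per line, a leading `#` for a disabled rule, and `msg:` and `sid:` options inside the parentheses.

```python
"""Select Suricata rules by SID or message text and rewrite the file accordingly.

Added example, not from the forum post or from OPNsense. Works on a plain
Suricata rules file; the sample rules below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample rules file (invented SIDs and messages, not real ET rules).
SAMPLE_RULES = """\
# Constructed sample, several categories in one file
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SAMPLE POLICY Outbound SMTP"; flow:established,to_server; sid:1000001; rev:2;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE WEB Suspicious path"; http.uri; content:"/cgi-bin/"; sid:1000002; rev:1;)
alert tcp any any -> any 23 (msg:"SAMPLE DELETED Telnet login attempt"; sid:1000003; rev:5;)
# alert udp any any -> any 53 (msg:"SAMPLE DELETED DNS query; escaped \\" quote"; sid:1000004; rev:1;)
drop tcp any any -> $HOME_NET 22 (msg:"SAMPLE SCAN SSH bruteforce"; threshold:type both,track by_src,count 5,seconds 60; sid:1000005; rev:3;)
"""

ACTION_RE = re.compile(r'^\s*(alert|drop|pass|reject)\b')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
# msg value may contain escaped quotes, so allow backslash-escaped characters.
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    action: str
    enabled: bool


def parse_rules(text):
    """Parse a rules file; a line starting with '#' is a disabled rule, not a comment,
    when the remainder still looks like a rule (action keyword plus sid option)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith('#')
        body = line.lstrip('#').strip()
        m_action, m_sid = ACTION_RE.match(body), SID_RE.search(body)
        if not (m_action and m_sid):
            continue  # blank line or plain comment
        m_msg = MSG_RE.search(body)
        rules.append(Rule(int(m_sid.group(1)), m_msg.group(1) if m_msg else '',
                          m_action.group(1), enabled))
    return rules


def select_sids(rules, contains=None, enabled=None):
    """SIDs whose msg contains `contains` (case-insensitive) and whose enabled flag matches.
    This is the file-level equivalent of the GUI search filter plus 'select all'."""
    out = []
    for r in rules:
        if contains is not None and contains.lower() not in r.msg.lower():
            continue
        if enabled is not None and r.enabled != enabled:
            continue
        out.append(r.sid)
    return sorted(out)


def rewrite(text, enable=(), disable=(), drop=()):
    """Return the rules text with SIDs in `enable` uncommented, SIDs in `disable`
    commented out, and SIDs in `drop` switched to the drop action. Other lines are kept."""
    enable, disable, drop = set(enable), set(disable), set(drop)
    out = []
    for raw in text.splitlines():
        body = raw.lstrip('#').strip()
        m_sid = SID_RE.search(body)
        if not (m_sid and ACTION_RE.match(body)):
            out.append(raw)
            continue
        sid = int(m_sid.group(1))
        if sid in drop:
            body = ACTION_RE.sub('drop', body, count=1)
        was_enabled = not raw.lstrip().startswith('#')
        now_enabled = (was_enabled or sid in enable) and sid not in disable
        out.append(body if now_enabled else '#' + body)
    return '\n'.join(out) + '\n'


def summarize(rules):
    """Counts a practitioner would check before and after a bulk edit."""
    return {
        'total': len(rules),
        'enabled': sum(r.enabled for r in rules),
        'drop': sum(r.action == 'drop' for r in rules),
        'deleted': len(select_sids(rules, contains='DELETED')),
    }


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    print('before:', summarize(rules))
    stale = select_sids(rules, contains='DELETED')          # the post's DELETED filter
    live = sorted(set(select_sids(rules)) - set(stale))      # everything else: enable as drop
    new_text = rewrite(SAMPLE_RULES, enable=live, disable=stale, drop=live)
    print('after: ', summarize(parse_rules(new_text)))
    print(new_text)
```

The rewrite keeps unrelated lines and comments untouched, so the output can be diffed against the input to review exactly which SIDs changed state before the file is reloaded. Whether a commented-out (disabled) rule still costs resources is a separate question: Suricata does not load a rule that is commented out, so the post's disabled DELETED rules are not compiled into the detection engine at all.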


One thing can not be "horrible" by itself, so we need to know your point of reference to see what "horrible" actually means in terms of improvement. For good measure I'm adding the docs here to avoid the situation where "something horrible" actually is just "something" that is documented in a certain way. ;)

https://docs.opnsense.org/manual/ips.html


Cheers,
Franco

Horrible= badly designed.

A hair away from going to pfSense: badly designed. More descriptive?


April 25, 2020, 01:39:52 PM #4 Last Edit: April 25, 2020, 01:53:55 PM by l0rdraiden
Quote from: franco on March 31, 2020, 09:02:53 PM
Ah yes, now it's all clear.  8)

Well, you have to admit that to facilitate flexibility and troubleshooting it doesn't help to have a few Suricata options exposed in the interface, and quite poor log management.

So Suricata (or Snort) in pfSense has hundreds of settings and possibilities exposed in the interface, while in OPNsense it is basically the basic stuff: on and off and a few more settings.

Just take a look at all the documentation related to Snort and all the settings and possibilities available.
https://docs.netgate.com/pfsense/en/latest/ids-ips/index.html#snort

Then you have this forum full of people complaining that they cannot do this or that, or cannot troubleshoot a problem, or cannot customize a setting, or something is not working...

Let's agree to disagree. Our implementation is different for what we believe are very good reasons. People who are able to configure an IDS from scratch might value hundreds of options; a lot of other people really like a machine properly configured by default. (Yes, we do receive quite some feedback about the simplicity.)

If functionality is missing, we're always open for discussions, as long as one can describe what it should do and why one would want it. Quite some new functions (also in our IDPS) originate from these ideas.

Our documentation has the same philosophy in mind https://docs.opnsense.org/manual/ips.html

Obviously there's always room for improvements, just open a PR to discuss changes in our docs repo (https://github.com/opnsense/docs/pulls), ask for features or contribute code (https://github.com/opnsense/core).

Best regards,

Ad

April 25, 2020, 06:49:18 PM #6 Last Edit: April 25, 2020, 06:54:06 PM by l0rdraiden
I'm not criticizing the project; in fact I thank you all for what you are doing. I was just giving my opinion after following this project and forum for years.

For example, if you want an idea, I would love to have something like this in OPNsense, and I think a lot of people would appreciate it; it would provide much more added value and "customer" value perception to the current IPS implementation.
https://github.com/StamusNetworks/scirius
I don't know how hard or easy it would be to merge this into OPNsense, since it's open source.

Another example would be to know what you plan to do with Suricata's JA3/JA3S support, TLS/SSL and newest protocol anomaly detection capabilities... Are these enabled? Are these available in the interface? Considering that most people don't offload the SSL traffic, this must be a priority.

Our reporting is limited indeed; we generally advise using other solutions for statistics. Most of these solutions utilise the ELK stack, which is quite heavy (in load and dependencies) and can easily be dispatched to a separate box (either using syslog or Filebeat).

A lot of companies split their SIEM system (ELK or other) onto another node anyway, since it often reports over multiple sources to get a better understanding of how threats react. Security Onion does very interesting things in that area, for example.

One can always develop a plugin for additional reporting in OPNsense, it's unlikely we'll integrate some database in core at the moment due to the various use-cases of OPNsense.

Well, probably Sensei will take care of this, but rule and policy management has a lot of room for improvement.

I know this is mostly opinion and preference, but may I ask why -- with a working solution at hand -- there is a need to make OPNsense into something it is not?

In my view there is a lot of grey area in the requirement to have utterly advanced fine grained GUI access to something you can set up by hand just as well or better.


Cheers,
Franco

Quote from: franco on April 25, 2020, 08:07:27 PM
I know this is mostly opinion and preference, but may I ask why -- with a working solution at hand -- there is a need to make OPNsense into something it is not?

In my view there is a lot of grey area in the requirement to have utterly advanced fine grained GUI access to something you can set up by hand just as well or better.


Cheers,
Franco

Because not everyone knows how to do it "by hand", so if you add more useful functionality to the interface it is easier.

I've been sort of watching this discussion and honestly I'm not sure what the positions of the various parties are, but as a general statement I will just say that I have found the intrusion detection far too difficult to understand or use. Maybe I am just dense, but my entire background with routers prior to OPNsense was of the home variety that you can buy off the shelf at someplace like Staples or Walmart, so the whole concept of intrusion detection is pretty foreign to me, and so far I have not found anything that really makes it easy to understand, let alone use. In fact I am not entirely certain I understand exactly what intrusion detection is designed to do, above and beyond the functioning of an ordinary firewall. So basically I'd be for simplicity. If I could just flip a switch or check a box to enable or disable it, and not have to do anything else at all, that would be great. If I have to do anything at all beyond that I'd be pretty lost, because I don't understand any of the options. For every person that wants advanced options to be exposed, there are probably users who wish the whole thing was dumbed down enough that they could actually make use of this feature.
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

My point is: advanced software is not easier by adding advanced GUI. Nobody will take the opportunity off your shoulders to learn whatever you are trying to do.

We simply will not spend time building something that others already have for resources we would rather like to spend elsewhere. ;)


Cheers,
Franco

And that type of response is why I will never recommend OPNsense to anyone else, and will jump ship the minute something more user-friendly comes along. What good are a bunch of advanced features if nobody can use them except for those willing and able to go through an insufferable learning curve, without even knowing where to start in this learning process?

It would be like building the world's greatest automobile but making the controls so hard to learn and use that no one could drive it except for the people who designed it and a few select others that somehow managed to decipher the controls.  Maybe there would be a niche market for them, but it's certainly not something you could in good conscience recommend to your friends or relatives that just want a nice car they can take out for an easy drive.

I'm merely trying to be honest without judging others. Personally I don't care for the "you don't do what I want so I will not like you as much" attitude. Please take it elsewhere. :)


Cheers,
Franco