OPNsense Forum » Archive » 16.1 Legacy Series » IDS on Bridge Mode do not detect private IP attack
Author Topic: IDS on Bridge Mode do not detect private IP attack  (Read 5201 times)

hoseinTB

IDS on Bridge Mode do not detect private IP attack
« on: March 05, 2016, 11:06:17 am »
Hi,

I am using OPNsense in bridge mode.
I want to run the IDS/IPS service to protect my trusted network from private and public IP address attacks.
But as I tested, I need to edit the Suricata config file (suricata.yaml) and change HOME_NET to reach my goal.

After some research I found out that the HOME_NET config is an important Suricata variable.

So, why are you not adding the HOME_NET config to the web interface of Intrusion Detection on OPNsense?

Thanks,
Hosein

franco

Re: IDS on Bridge Mode do not detect private IP attack
« Reply #1 on: March 07, 2016, 08:48:55 am »
Hi Hosein,

Bridge mode isn't one of the main use cases of a router-based firewall, so naturally we try to work on routing-based features and that works ok without HOME_NET.

However, I think we can add this to an upcoming version as an option, but it'll likely have to be configured manually.


Cheers,
Franco

hoseinTB

Re: IDS on Bridge Mode do not detect private IP attack
« Reply #2 on: March 07, 2016, 01:02:12 pm »
Hi Franco,

Thanks for the reply.

Quote
so naturally we try to work on routing-based features and that works ok without HOME_NET.

As I tested in routing mode, if my red network has private IP addresses (192.168.0.0/16), I should change the HOME_NET config to detect attacks from the red local network.

So, am I doing anything wrong?

Quote
However, I think we can add this to an upcoming version as an option, but it'll likely have to be configured manually.

Looking forward to seeing this option in the web interface :)

Regards,
Hosein

franco

Re: IDS on Bridge Mode do not detect private IP attack
« Reply #3 on: March 07, 2016, 01:45:01 pm »
HOME_NET, generally, is not directly used to designate our home network. It is used to filter out all noise that does not apply to HOME_NET, be it speed optimisation on noisy links or other reasons for filtering out messages that do not apply to your security requirements.

You're still fine without having set HOME_NET, unless you specifically need to exclude traffic from matching.

If you're not seeing alerts when they should come up, it's likely that IDS is misconfigured. Adjusting HOME_NET won't help in these cases. Are you sure IDS is running on the right link, seeing the right traffic?
« Last Edit: March 07, 2016, 01:46:44 pm by franco »

hoseinTB

Re: IDS on Bridge Mode do not detect private IP attack
« Reply #4 on: March 07, 2016, 02:53:50 pm »
This is my test scenario:

http://sm.uploads.im/E8OeG.png

I run IDS on the firewall and enable all scan rules.

After scanning LAN1 (192.168.1.100) with NMAP, no alert is shown in the firewall.

But after editing HOME_NET like below:
Code:
    # Original
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

    # Replace with the line below:
    HOME_NET: "[192.168.1.0/24,10.0.0.0/8,172.16.0.0/12]"

IDS gives me the expected alert for scanning.

So I think that Suricata only detects attacks with a HOME_NET destination.

Is this true?

Regards,
Hosein


« Last Edit: March 07, 2016, 04:50:48 pm by hoseinTB »

franco

Re: IDS on Bridge Mode do not detect private IP attack
« Reply #5 on: March 07, 2016, 05:10:07 pm »
Er, thanks for the explanation. HOME_NET is set to 192.168.0.0/16, so EXTERNAL_NET is everything out of that scope. Since both networks are HOME_NET by default, the rules never match. You are right.

You can manually adjust the OPNsense file /usr/local/opnsense/service/templates/OPNsense/IDS/suricata.yaml to reflect your setup and make the settings permanent until the next firmware upgrade is executed.

We'll discuss providing an override to HOME_NET, but in this case I must say it's a setup issue that can be worked around either with the above fix or adjusting one network to fall outside the HOME_NET range.
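The exchange above comes down to how Suricata resolves the address variables in a rule header: `EXTERNAL_NET` defaults to `!$HOME_NET`, so a header of the shape `$EXTERNAL_NET any -> $HOME_NET any` can never match traffic between two hosts that both sit inside `HOME_NET`. The following Python model replays Hosein's test and both of Franco's workarounds (narrowing HOME_NET, or carving the scanner's network out of it with a negated group entry). It is an added example written for this thread, not OPNsense or Suricata code; the rule header, the variable values and the sample addresses (scanner 192.168.2.50, target 192.168.1.100) are constructed, and the group semantics (negated entries carve holes out of the positive ones) follow Suricata's documented address-group syntax.

```python
"""Toy model of how Suricata resolves HOME_NET / EXTERNAL_NET in a rule header.

Added example for this thread; it is not OPNsense or Suricata code. Sample
addresses, variable values and the rule header are constructed to mirror
Hosein's test (scanner on one private LAN, target 192.168.1.100 on another).
"""
import ipaddress

# Mirrors the original HOME_NET line quoted in the thread; EXTERNAL_NET is the
# Suricata default, i.e. "everything that is not HOME_NET".
DEFAULT_VARS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "!$HOME_NET",
}

# Representative header shape of a scan-detection rule (constructed; ports ignored).
SCAN_RULE_HEADER = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"


def _split_top_level(expr):
    """Split a group body on commas that are not nested inside [...]."""
    parts, depth, cur = [], 0, ""
    for ch in expr:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]


def address_matches(expr, ip, variables):
    """True if `ip` is covered by the Suricata address expression `expr`.

    Supports: any, a CIDR or single address, $VARIABLE references, leading '!'
    negation, and bracketed groups whose negated entries carve holes out of the
    positive entries (a group with only negated entries starts from 'any').
    """
    expr = expr.strip()
    negate = False
    while expr.startswith("!"):
        negate = not negate
        expr = expr[1:].strip()
    if expr == "any":
        result = True
    elif expr.startswith("$"):
        result = address_matches(variables[expr[1:]], ip, variables)
    elif expr.startswith("[") and expr.endswith("]"):
        items = _split_top_level(expr[1:-1])
        positives = [i for i in items if not i.startswith("!")]
        negatives = [i for i in items if i.startswith("!")]
        in_positive = not positives or any(
            address_matches(p, ip, variables) for p in positives)
        # address_matches("!X") is True when ip is outside X, so "excluded by X"
        # is its inverse.
        excluded = any(not address_matches(n, ip, variables) for n in negatives)
        result = in_positive and not excluded
    else:
        result = ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)
    return result != negate


def rule_header_matches(header, src_ip, dst_ip, variables):
    """Evaluate the address part of 'action proto src sport dir dst dport'.

    Protocol and ports are ignored; address groups must not contain spaces.
    """
    _action, _proto, src, _sport, direction, dst, _dport = header.split()[:7]
    forward = (address_matches(src, src_ip, variables)
               and address_matches(dst, dst_ip, variables))
    if direction == "<>":
        reverse = (address_matches(src, dst_ip, variables)
                   and address_matches(dst, src_ip, variables))
        return forward or reverse
    return forward


def scan_would_alert(home_net, src_ip, dst_ip):
    """Would SCAN_RULE_HEADER fire for a scan from src_ip to dst_ip under home_net?"""
    variables = {"HOME_NET": home_net, "EXTERNAL_NET": "!$HOME_NET"}
    return rule_header_matches(SCAN_RULE_HEADER, src_ip, dst_ip, variables)


if __name__ == "__main__":
    scanner, target = "192.168.2.50", "192.168.1.100"   # constructed addresses
    for label, home in [
        ("default 192.168.0.0/16", DEFAULT_VARS["HOME_NET"]),
        ("narrowed to 192.168.1.0/24", "[192.168.1.0/24,10.0.0.0/8,172.16.0.0/12]"),
        ("scanner LAN carved out", "[192.168.0.0/16,!192.168.2.0/24]"),
    ]:
        print(f"HOME_NET {label}: alert={scan_would_alert(home, scanner, target)}")
```

Running it shows the default HOME_NET yields no alert for the 192.168.2.50 to 192.168.1.100 scan, while both the narrowed HOME_NET and the carved-out variant do. The second form is the "adjust one network to fall outside the HOME_NET range" option without having to drop the whole /16, and it is the case a defender should test for whenever IDS sits between two segments that both fall inside the default RFC 1918 ranges.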

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved