[SOLVED] So I enabled Suricata - what now?

[Patrick M. Hausen]

Hi all,

as some might be aware I am rather experienced with FreeBSD and quickly got onto the OPNsense bandwagon.

At home I have one VLAN for "everything family", all the mobile devices, the Apple TV, the NAS ... all the things that do access the Internet - but only outbound.
And I have a second VLAN for Internet facing services like the Minecraft server my son uses, two VMs running Confluence that are publicly accessible and the like.

Yesterday I booked the "ET Telemetry" subscription and enabled IDS on that second VLAN. Seems to be active, there are hundreds of rules in the UI that I could micromanage if I intended to.

But what now? The last log file entry is from yesterday reading:

Code: [Select]

2021-11-28T21:51:07 suricata[69591] [100651] <Notice> -- all 1 packet processing threads, 4 management threads initialized, engine started.
Where in the UI am I supposed to see all those "IDS alerts"?

Kind regards,
Patrick

[chemlud]

Spoiler: It's not in -> LogFile :-D

See Services -> Intrusion Detection -> Administration and there the tab "Alerts"

If you don't really need it, it's imho currently like asking for trouble to run suricata (IPS). If interfaces go south, turn it off...


PS: VLANs need promisc mode enabled for suricata

[Patrick M. Hausen]

See Services -> Intrusion Detection -> Administration and there the tab "Alerts"

Thanks. That's where nothing is happening at the moment.

If you don't really need it, it's imho currently like asking for trouble to run suricata (IPS). If interfaces go south, turn it off...

Can't I use it in just IDS mode to get some info about what's happening with my public services?

PS: VLANs need promisc mode enabled for suricata

I understood only for IPS - IDS, too? That would explain why I don't see anything

[chemlud]

You enabled it on WAN? Long time since I set it up from scratch, but by default only a few rule sets are enabled for alert (block?) iirc...

[Patrick M. Hausen]

No, I enabled it on the VLAN that houses my public servers. Jails, VMs, ...

[chemlud]

As long as you're not hacked you will basically not see much, maybe some windows machines doing funny things or kiddies doing nonsense (not in your VLAN, I guess).

[Patrick M. Hausen]

I hoped to see kiddies trying to brute-force my public services ...

[chemlud]

...might be a question of the rule sets enabled. If you are in adventure-mode try WAN...

Start a package capture and see if there is traffic. No suspicious traffic, no alerts...

[Patrick M. Hausen]

Sorry, I don't get it - everything targeting my public IP address on port 80 or 443 will end up in the "SRV" VLAN ... and experience from my data centre at work shows that people are throwing URLs at public web servers searching for exploits 24x7 ...

I hoped Suricata would give me some live insight into what's going on?

Just checked again ... looks like it works. Without promiscuous mode. See screenshot. Someone's probing our Minecraft server.

[Patrick M. Hausen]

Yep:

Code: [Select]

organisation:   ORG-DP125-RIPE
org-name:       Dmitriy Panchenko
org-type:       OTHER
address:        Shirokaya street 1, bld. 4, apt. 15
address:        127282, Moscow, Russian Federation

That's not one of my son's friends playing Minecraft ...

[FullyBorked]

If you are protecting your server you'd want it monitoring your WAN connection not necessarily your vlan.  Since inbound and outbound traffic would still cross that interface.  This would also keep you from having to use promiscuous mode.  Although you could do both. Make sure to set your home network as well. 

Also have you created you policies? 

[Patrick M. Hausen]

If you are protecting your server you'd want it monitoring your WAN connection not necessarily your vlan.

I don't want to monitor my family network other than basic protective measures. Too much noise. Just the network with the public servers.

Also have you created you policies?

Not yet, just activated IDS. Any good link to start?

Thanks,
Patrick

[FullyBorked]

If you are protecting your server you'd want it monitoring your WAN connection not necessarily your vlan.

I don't want to monitor my family network other than basic protective measures. Too much noise. Just the network with the public servers.

Also have you created you policies?

Not yet, just activated IDS. Any good link to start?

Thanks,
Patrick

You shouldn't get much noise on the WAN interface esp if you set your home networks.  I don't and I have similar setup with a DMZ,LAN, Multi_WAN, and multiple vlans.  I have Suricata on my WAN interfaces and Sensei/Zenarmor on my internal interfaces/valans.   Also clearing up noise is part of properly tuning a IDS/IPS every system requires some tuning, if done properly you'll spend a few weeks monitoring and adjusting rules.  I've done this in my home environment and in a corp environment.  Home was much simpler lol 

I don't know of good guide on policies unfortunately.  The official doc has a brief explanation but it's pretty weak imo.  https://docs.opnsense.org/manual/ips.html

[vijvis]

Most home networks are behind a NAT. So enabling Suricata just on the WAN interface will only show traffic after the NAT which won't tell you which system inside your network was the source.

Hence the OPNSense documentation states to enable IDS/IPS on the LAN interface. The firewall already has a default deny for inbound anyway.

With public exposed things like web servers a WAF is a better choice. But probably too much for the home user to manage.

[guest31184]

If you work with VLANS, you need to enable Scuritata on the physical interface, enabling promiscous mode there and disabling all off-loading and the VLAN hardware filtering first (then reboot). I would run it on WAN physical (parent) interface and maybe you can also run it on the LAN physical interface.