OPNsense Forum » English Forums » Intrusion Detection and Prevention
Topic: Guide Intrusion Detection - What rules to download ?? + Only on LAN!? (Read 2818 times)
User821 (Newbie, Posts: 8, Karma: 0)
Posted on: September 22, 2023, 05:27:56 pm
I'm a beginner over here. I watched a few videos on the subject. It appears that I should avoid downloading and enabling certain ones and 'choose the ones I need', from what I heard. For example, I might not want to block the chat option, and so on?

Firstly, I just want to mention that the only things I enabled were the choices 'Enabled' and 'IPS mode', together with the 'Hyperscan' option in the dropdown menu. Is this correct for home use? I also have it set to watch only on the LANs. Is this enough for good protection in home use (some say that watching WAN is not needed since LAN gets all traffic anyway)?

I've so far chosen to download the following:
ET open/botcc 2023/09/19 19:12
ET open/botcc.portgrouped 2023/09/19 19:14
ET open/ciarmy 2023/09/19 19:14
ET open/compromised
ET open/dshield 2023/09/19 19:14
ET open/emerging-attack_response 2023/09/19 19:40
ET open/emerging-current_events 2023/09/19 19:40
ET open/emerging-dos 2023/09/19 19:40
ET open/emerging-exploit 2023/09/19 19:56
ET open/emerging-exploit_kit
ET open/emerging-malware 2023/09/19 19:56
ET open/emerging-phishing 2023/09/19 19:56
ET open/emerging-worm 2023/09/19 19:56

Are these downloads relevant for the home user, and what more, if any, should I choose?
Any other settings I should enable, or custom rules/policies to add, for protection?
Thanks
Last Edit: September 22, 2023, 05:37:00 pm by User821
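To make the "choose the ones I need" idea concrete for a beginner: each ruleset the poster lists is a file of Suricata signatures, each tagged with a classtype (trojan-activity, policy-violation, ...). In IPS mode the engine can drop matching traffic instead of only logging it, so the real decision is which classes of rule you want blocking inline and which you only want alerting. The script below is an added example, not code from the OPNsense project or from the Emerging Threats rulesets. It parses constructed sample rules written in Suricata syntax (the rules, messages and sids are invented for illustration and are not real ET Open signatures), counts the enabled rules per classtype, and builds a sid-to-action map that drops only the classtypes you name while leaving policy-style rules (such as a chat-client rule) in alert-only mode. The function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample rules in Suricata syntax. They mimic the kind of signature
# found in categories such as emerging-malware or emerging-phishing, but they
# are NOT real ET Open rules; the sids sit in the local-rule range (1000000+).
SAMPLE_RULES = """\
# A ruleset file mixes live rules, plain comments, and rules its maintainers disabled.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE MALWARE Fake C2 beacon"; flow:established,to_server; content:"/beacon"; http_uri; classtype:trojan-activity; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE PHISHING Fake login page"; flow:established,to_server; content:"/login.php"; http_uri; classtype:social-engineering; sid:1000002; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SCAN Disabled example"; flags:S; classtype:attempted-recon; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"SAMPLE POLICY Chat client connection"; flow:to_server; classtype:policy-violation; sid:1000004; rev:1;)
"""

# Rule header: optional leading '#' (disabled rule), action, protocol, src, sport,
# direction, dst, dport, then the option block in parentheses.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)'
    r'\s*\((?P<opts>.*)\)\s*$'
)
# Option block: "key:value;" or bare "key;". Good enough for these samples;
# a real parser must also handle escaped ';' inside quoted content strings.
OPT_RE = re.compile(r'(\w+)(?::([^;]*))?;')


def parse_rules(text):
    """Return one dict per rule line (enabled or commented out). Plain comments are skipped."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue
        opts = {k: v.strip().strip('"') for k, v in OPT_RE.findall(m.group("opts"))}
        rules.append({
            "enabled": m.group("disabled") is None,
            "action": m.group("action"),
            "msg": opts.get("msg", ""),
            "classtype": opts.get("classtype", "unknown"),
            "sid": int(opts.get("sid", 0)),
        })
    return rules


def count_enabled_by_classtype(rules):
    """How many live rules each classtype contributes; useful before enabling a ruleset."""
    return Counter(r["classtype"] for r in rules if r["enabled"])


def ips_policy(rules, drop_classtypes):
    """Map sid -> action for enabled rules: 'drop' for classtypes the operator wants
    blocked inline, 'alert' (log only) for everything else, e.g. policy rules."""
    return {r["sid"]: ("drop" if r["classtype"] in drop_classtypes else "alert")
            for r in rules if r["enabled"]}


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print("Enabled rules per classtype:", dict(count_enabled_by_classtype(parsed)))
    # Block malware and phishing classes inline; keep the chat-client policy rule as alert-only.
    policy = ips_policy(parsed, {"trojan-activity", "social-engineering"})
    for r in parsed:
        if r["enabled"]:
            print(f"sid {r['sid']}: {policy[r['sid']]:5}  {r['msg']}")
```

Running it shows three enabled rules across three classtypes and a policy in which only the two malware/phishing sids drop; the chat rule stays at alert, which is the distinction the poster is asking about.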
planetf1 (Newbie, Posts: 41, Karma: 1)
Reply #1 on: April 23, 2024, 09:21:28 am
I'd be interested to hear what rules others use. My list is very similar to yours, though I used the ET Telemetry options in most cases (except emerging-events).
I too just looked through the info on the various lists and pretty much came to that very same conclusion.
That being said, I'm currently undecided whether to use ids/ips at all....
hypercyanate (Newbie, Posts: 1, Karma: 0)
Reply #2 on: April 25, 2024, 11:13:19 pm
Quote from: planetf1 on April 23, 2024, 09:21:28 am
That being said, I'm currently undecided whether to use ids/ips at all....
Me too. I've watched a fair few videos of people installing it, only to come here and see a lot of comments saying it isn't really that useful for xyz reasons.
Leaves me wondering why it's included in OPNsense by default and not a plugin.
Greg_E (Sr. Member, Posts: 342, Karma: 19)
Reply #3 on: April 26, 2024, 05:55:22 pm
IPS still blocks stuff so is still useful, but mostly only if you have ports open to the world because the firewall normally blocks everything that didn't get requested from behind the firewall.
If you have ports open to the world, it is one more layer that might catch an attack. Layers, not a single tool.
For those that see no need, they probably shouldn't run it then. Simple, we can all get along with our choices.
Some say Zenarmor is worthless, but it is still catching stuff on my system, so one more layer for me. I also have an AV on each client, another layer.
Other layers to think about:
Crowdsec, I'm running this too
OPNsense Business has a block list similar to Crowdsec, I'll be dealing with this when I get my production firewall finished, bought 3 years of business
Zenarmor paid has some features that extend their capability, I'm still on free but thinking about paying for the extra stuff, looking at budgets and what I need to spend to close out the year.
Layers, put as many as you can afford and as many as your hardware will allow between you and attackers. But again, mostly valuable if you have ports open to the world, otherwise all this stuff loses importance and you might as well just run PiHole to filter your DNS and keep ads out with a commercial home router.
For the record, I don't run OPNsense at home, too much work for no real benefit at home. No ports open, and behind CGNAT with my provider. Also, if I can no longer maintain it, someone else needs to be able to keep the internet running at home; think about the other people in your life and your real needs. You are one drunk driver away from not being able to maintain this stuff.
spetrillo (Hero Member, Posts: 721, Karma: 8)
Reply #4 on: April 26, 2024, 06:13:23 pm
I only use the ET Telemetry list. I had used both it and the ET Open, but there seems to be a lot of overlap. I have watched a lot of malicious hits on my firewall and Suricata has been great so far. I am thinking of deploying Zenarmor at some point, but not yet.
spetrillo (Hero Member, Posts: 721, Karma: 8)
Reply #5 on: April 26, 2024, 06:16:49 pm
You also might want to look at GeoIP blocking with MaxMind. I have literally turned off every country except the US and Canada. Some IPs still sneak through, but Suricata catches those.