Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Better IDS or a deny rule in firewall?
« previous
next »
Print
Pages: [
1
]
Author
Topic: Better IDS or a deny rule in firewall? (Read 1964 times)
bazbaz
Jr. Member
Posts: 53
Karma: 2
Better IDS or a deny rule in firewall?
«
on:
October 30, 2023, 04:05:00 pm »
Hi,
I'm using Suricata to block "bad" IPs from public lists, for example "ET open/dshield" or "ET open/compromised".
I don't know if it will be better to create an alias in firewall, and a deny rule, instead of using IDS/Suricata.
I know that IDS is more expensive, but it works only after firewall filter on open ports only (it is enabled on internal interface). And I don't know how firewall works with very large alias lists as these. I don't know internals, and so I cannot understand the best way to block IPs in these lists with less resources.
Any suggestion based on internal of opnsense?
thanks
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1601
Karma: 176
Re: Better IDS or a deny rule in firewall?
«
Reply #1 on:
October 30, 2023, 06:15:16 pm »
I've seen Crowdsec recently, it can create dynamic block lists for the firewall filter.
It also integrates with suricata in addition:
https://www.crowdsec.net/blog/suricata-vs-crowdsec
Logged
Hardware:
DEC740
OrwellianDenigrate
Newbie
Posts: 1
Karma: 0
Re: Better IDS or a deny rule in firewall?
«
Reply #2 on:
November 04, 2023, 01:49:51 pm »
I have been trying to get the IDS to generate the block list, to avoid having to "manually" maintain the firewall rules.
I couldn't figure out how to do it only using Suricata, and Crowdsec with default settings only blocks Suricata severity class 1 events. It doesn't seem like there is any way to use the web UI to change the metadata of Suricata rules, policies only allow you to change the action.
I ended up modifying the Crowdsec parser to filter out all events that have been dropped by Suricata, and I modified the Crowdsec scenario to ban any Suricata event regardless of the severity.
How I can use the Suricata policies to just drop anything from the compromised and attack categories, and every time the IPs are detected by the IDS they are automatically added to the firewall block list for 7 days.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Better IDS or a deny rule in firewall?