English Forums > Intrusion Detection and Prevention

IDS questions


everfree:
Hi!

I use bridge mode (Intel 10G ix0/ix1) in pfSense; inline mode is also not working and crashes. At the same time, I use ET Pro rules and syslog (alert) forwarding. If OPNsense can make that stable in the future, I would be very glad to use OPNsense and request commercial support.

franco:
Hi everfree,

o I honestly don't know anything about ix issues. It may be a driver issue. What kind of crashes are we talking about?
o We do not have a bridge mode from NIC to NIC: we use the full inline mode that you can use in conjunction with all firewall functionality.
o ET Pro rules can be integrated with the addition of a rules file description.
o Syslog support was recently added, but still needs to be added to the forwarding server settings. I expect this to land in 16.7.x the upcoming weeks.


Cheers,
Franco

everfree:
Hi franco,
o Because it crashed about 6 months ago, I did not copy any crash logs, but most of the console messages from before the crash are attached.
o I'm sorry I did not make it clear; I mean Transparent Filtering Bridge mode.
o Really? I can use ET Pro rules in OPNsense now? I hope for an ET Pro GUI and regular expressions (for SID management) in the future.
o Syslog support was recently added; that's good news.

I have not tested OPNsense in my production environment before; maybe I can try.

Thanks! 

franco:
Hi everfree,

> Because it crashed about 6 months ago, I did not copy any crash logs, but most of the console messages from before the crash are attached.

That looks like a driver lockup. I do not think it's fixed, but we could always try the stock Intel driver if you want.

> I'm sorry I did not make it clear; I mean Transparent Filtering Bridge mode.

Ok, so you have a LAN and WAN? In that case, IPS is simply enabled on WAN and you have the setup you want.

> Really? I can use ET Pro rules in OPNsense now? I hope for an ET Pro GUI and regular expressions (for SID management) in the future.

Yes, we need to help with the rule description file that needs to be created. Ad recently added a new one; this is really all that's needed, dropped into the correct directory:

https://github.com/opnsense/plugins/blob/master/security/intrusion-detection-content-pt-open/src/opnsense/scripts/suricata/metadata/rules/pt-research.xml

> Syslog support was recently added; that's good news.

Still need to work on the remote end as I said, but yes, progress. :)

If you find the time to spin up a test system I'd recommend it. The reliability of Suricata in IPS depends on the quality of the hardware as well. E.g. for Realtek NICs we've given up all hope. And RAM should be plenty, some users reported failures due to Suricata not having enough memory.


Cheers,
Franco
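The rule description file Franco links to only tells OPNsense where to fetch a rules file; the SID management everfree asks about happens on the contents of that file. As an added example (not OPNsense's or Suricata's own code), the script below parses the plain Suricata signature format that an ET Open/ET Pro rules file uses, lists SIDs with their enabled state, selects SIDs whose msg matches a regular expression, and enables or disables them by toggling the leading `#`. The three signatures and their SIDs are constructed for the example and are not real ET content.

```python
"""Regex-based SID management for a Suricata rules file.

Added example, not code from OPNsense or Suricata.  The sample signatures
below are constructed for this example and are not real ET rules.
"""
import re

# Constructed sample rules file: one ordinary comment, two enabled
# signatures and one that is disabled with a leading '#'.
SAMPLE_RULES = """\
# comment line that is not a rule
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE POLICY Cleartext FTP login"; flow:established,to_server; content:"USER "; sid:9000001; rev:2;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE POLICY Outbound HTTP to port 8080"; flow:established,to_server; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SCAN SSH brute force attempt"; flow:to_server; threshold:type both,track by_src,count 5,seconds 60; sid:9000003; rev:4;)
"""

# action  proto src sport dir dst dport  (options)
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?'                    # leading '#' means the rule is disabled
    r'(?P<action>alert|drop|pass|reject)\s+'
    r'(?P<header>\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+)\s+'
    r'\((?P<options>.*)\)\s*$'
)
MSG_RE = re.compile(r'msg:"(?P<msg>(?:[^"\\]|\\.)*)"')   # msg may contain escaped quotes
SID_RE = re.compile(r'\bsid:\s*(?P<sid>\d+)\s*;')
REV_RE = re.compile(r'\brev:\s*(?P<rev>\d+)\s*;')


def parse_rules(text):
    """Return one dict per signature line; comments and blank lines are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue                          # blank line or ordinary comment
        sid = SID_RE.search(m.group('options'))
        if not sid:
            continue                          # every real signature carries a sid
        msg = MSG_RE.search(m.group('options'))
        rev = REV_RE.search(m.group('options'))
        rules.append({
            'lineno': lineno,
            'sid': int(sid.group('sid')),
            'rev': int(rev.group('rev')) if rev else 0,
            'msg': msg.group('msg') if msg else '',
            'enabled': m.group('disabled') is None,
            'action': m.group('action'),
            'line': line,
        })
    return rules


def select_sids(rules, pattern):
    """SIDs whose msg matches the regular expression `pattern` (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(r['sid'] for r in rules if rx.search(r['msg']))


def set_enabled(text, sids, enabled):
    """Rewrite `text`, toggling the leading '#' on rules whose sid is in `sids`.

    Only the comment marker changes; the signature body stays byte-for-byte
    intact, so sid/rev bookkeeping against the upstream file remains valid.
    """
    wanted = set(sids)
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        sid = SID_RE.search(m.group('options')) if m else None
        if sid and int(sid.group('sid')) in wanted:
            body = line[len(m.group('disabled') or ''):]
            line = body if enabled else '#' + body
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    for r in rules:
        print(f"{'on ' if r['enabled'] else 'off'} sid:{r['sid']} rev:{r['rev']} {r['msg']}")
    noisy = select_sids(rules, r'^EXAMPLE POLICY')
    print('disabling', noisy)
    print(set_enabled(SAMPLE_RULES, noisy, enabled=False))
```

Toggling the `#` rather than deleting lines keeps the file diffable against the next upstream update, so a rule that changes `rev` upstream is easy to spot and re-review before it is re-enabled.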

everfree:
Yes, I'm looking forward to OPNsense development.

For IPS on Intel 10G, I'm expecting that day's coming!
