Which IDS IPS rules do you prefer

[Marinoz]

Which IPS/DPS rukes do all you prefer? Im a newbie btw

[Patrick M. Hausen]

None. IDS/IPS is snake oil.

[Marinoz]

First why you look like tecak lol and secondly why do you say that?

[Patrick M. Hausen]

https://forum-opnsense-org.translate.goog/index.php?topic=39446.msg193260&_x_tr_sl=de&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp#msg193260

[meyergru]

Patrick is right on the money with this opinion.

Think of it this way: Just out of caution, you would have to activate all IDS rules first, just in case any trojan or virus exhibits a behaviour that the IDS might detect. Of course, there may be many attack patterns which are not even considered even by existing rules - how should we know?

Then, you will notice that some rules fire and cause warnings (be sure not to activate IPS yet, or else you will be offline!). Then, you will have to evaluate if a threat really exists or if it was a false alarm. In the latter case, you would have to disable that rule, because if you let it active and switch on IPS later on, it will potentially block legitimate traffic.

This a a cat-and-mouse game which you will never win, because with auto-updating rules, you may still find yourself in an uncomfortable position later. On the other hand, nobody guarantees that every threat will even be caught by this.

[Marinoz]

Well im sorry but im a newbie i cant be like "oh this traffic looks bad lets MANUALLY BLOCK IT" i want someone to do this automatically

[Patrick M. Hausen]

But your firewall already blocks everything from outside in.

Don't you trust your internal devices? I do.

Then as I wrote in that other German thread - there's blocklists and Crowdsec.

[meyergru]

What I tried to explain and what you obviously did not get is that the provided IDS/IPS rules from which you can choose have errors of first and second degree.

That means: 1) there may be things they do not catch and 2) there will be false alarms that may cripple your experience because these rules would block legitimate traffic if IPS is enabled.

The first order problems are not of your concern, since if you did not enable IPS at all, these unmitigated attacks would get unnoticed as well. However: do not expect perfect protection from an IPS.

Second order problems will be your problem when you enable IPS and then return here and ask "why does this not work"?

In order to avoid this, you will have to see which false alarms occur in your specific situation, i.e. with the services you actually use. We do not know, so either you invest the time or pay someone to do it for you. There is no "one size fits all" or "automagical" approach here. You will see that if you search the forum for questions about how suricata blocks legitimate traffic. And every single update may bring new rules along that then block something new - sometimes correctly, sometimes not.

If you neither want to invest the time yourself nor pay someone to do it, you are facing the question: "Do I want to risk crippling my internet connection for a mechanism I do not fully understand and which cannot reach 100% efficiency anyway?"

With Crowdsec, you may be getting the most of what you obviously want: You relay your decicions to the crowd, hoping that they have a similar use pattern as you and that the same rules are applicable for you, too. Whether that is true, depends largely on what your or others have in common w/r to the vulnerabled devices in question.

I just limit those devices to a separate VLAN, because then, I do not have to trust them.

[Marinoz]

But your firewall already blocks everything from outside in.

Don't you trust your internal devices? I do.

Then as I wrote in that other German thread - there's blocklists and Crowdsec.

No not quite i dont trust my internal devices as they are infected

[Marinoz]

What I tried to explain and what you obviously did not get is that the provided IDS/IPS rules from which you can choose have errors of first and second degree.

That means: 1) there may be things they do not catch and 2) there will be false alarms that may cripple your experience because these rules would block legitimate traffic if IPS is enabled.

The first order problems are not of your concern, since if you did not enable IPS at all, these unmitigated attacks would get unnoticed as well. However: do not expect perfect protection from an IPS.

Second order problems will be your problem when you enable IPS and then return here and ask "why does this not work"?

In order to avoid this, you will have to see which false alarms occur in your specific situation, i.e. with the services you actually use. We do not know, so either you invest the time or pay someone to do it for you. There is no "one size fits all" or "automagical" approach here. You will see that if you search the forum for questions about how suricata blocks legitimate traffic. And every single update may bring new rules along that then block something new - sometimes correctly, sometimes not.

If you neither want to invest the time yourself nor pay someone to do it, you are facing the question: "Do I want to risk crippling my internet connection for a mechanism I do not fully understand and which cannot reach 100% efficiency anyway?"

With Crowdsec, you may be getting the most of what you obviously want: You relay your decicions to the crowd, hoping that they have a similar use pattern as you and that the same rules are applicable for you, too.

Well i know there is no perfect protection but doesnt ids ips add a layer?

[meyergru]

Yes, this adds a layer. I quote myself:

Second order problems will be your problem when you enable IPS and then return here and ask "why does this not work"?

...

You will see that if you search the forum for questions about how suricata blocks legitimate traffic. And every single update may bring new rules along that then block something new - sometimes correctly, sometimes not.

Just try.

[Marinoz]

Nah i dont have to try because after five minutes with ips and all ids rukes on my connection gets cut and i have to reboot all services lol

[Marinoz]

I have two more questions thiugh that have nothing to do with this post but as you are online i will shoot my shot. So i run opnsense at proxmox and at the proxmox installation it asks me for a gateway. But my gateway is opnsense that runs in proxmox . Also my mini pc (server) has four ethernet ports and one of them is for accessing proxmox and the two others are lan and wan of opnsense . Does it matter if the proxmox gateway ip matches the lan ip of opnsense as they are at different ports or does it matter because they are on the same switch? Also second question. Can i use a port like opnsense lan for another vm to advertise it through the same port? Like truenas?