OPNsense
  • OPNsense Forum »
  • Archive »
  • 17.1 Legacy Series »
  • POLL: IPS
Author Topic: POLL: IPS  (Read 22611 times)

AdSchellevis (Administrator, Hero Member)
Re: POLL: IPS « Reply #30 on: May 17, 2017, 09:25:25 am »
Hi Vincent,

If the test rule doesn't work, you probably have other configuration issues; you had best first try IDS mode with "Promiscuous mode" enabled.
IPS doesn't work on all network drivers (it needs solid netmap support).

Best regards,

Ad

@csmall as soon as I can find some time I will look at your logfiles and share my findings.

AdSchellevis (Administrator, Hero Member)
Re: POLL: IPS « Reply #31 on: May 18, 2017, 09:03:55 pm »
OK, I received the logs from csmall, and as far as I can see the alerts reported are correctly suppressed (assuming that the WAN IP isn't in an internal reserved subnet).

Just one example out of the list:
Code:
05/15/2017-23:39:29.080055  [**] [1:2403332:3550] ET CINS Active Threat Intelligence Poor Reputation IP group 33 [**] [Classification: Misc Attack] [Priority: 2] {TCP} EXTERNALIP:38061 -> CSMALL_WANIP:2375


Defined by:
Code:
alert ip [<long list of addresses>] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 33"; reference:url,www.cinsscore.com; reference:url,www.networkcloaking.com/cins; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403332; rev:3555;)

which should trigger when there's traffic coming from one of the external IPs in the IP reputation list and going to one of your internal networks.
Our internal networks are defined as:
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

I guess someone thought it was a good idea to define the external wan addresses as internal networks, which will lead to quite some chatter.


More on Suricata setup and recommended configurations: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup



csmall (Full Member)
Re: POLL: IPS « Reply #32 on: May 19, 2017, 12:29:07 am »
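As an added worked example (not code from this thread or from the OPNsense or Suricata projects): the script below models the rule quoted above, `alert ip [<list>] any -> $HOME_NET any` with `threshold: type limit, track by_src, seconds 3600, count 1`, and runs a constructed set of WAN-side packets through it twice, once with the OPNsense HOME_NET of the three RFC 1918 ranges and once with the WAN address added the way the post says pfSense and IPFire do. The WAN address, the reputation list stand-in and the packet timestamps are all constructed for illustration; the real sid 2403332 source list has hundreds of entries.

```python
"""Why 'alert ip [list] any -> $HOME_NET any' alerts depend on HOME_NET.

Added example, not from the forum thread or any project. Addresses, the
reputation-list stand-in and the traffic below are constructed.
"""
import ipaddress
from datetime import datetime, timedelta

# HOME_NET as OPNsense defines it (quoted in the post), and the same list with
# the WAN address appended, as the post says pfSense and IPFire do.
OPNSENSE_HOME_NET = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
WAN_IP = "203.0.113.10"  # constructed WAN address (TEST-NET-3 documentation range)
HOME_NET_WITH_WAN = OPNSENSE_HOME_NET + [WAN_IP + "/32"]

# Constructed stand-in for the rule's long source list (sid 2403332).
POOR_REPUTATION_IPS = ["198.51.100.0/24"]

# From the rule: threshold: type limit, track by_src, seconds 3600, count 1
THRESHOLD_SECONDS = 3600
THRESHOLD_COUNT = 1


def in_any(ip, nets):
    """True if ip falls inside any of the CIDR ranges / host addresses in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def rule_matches(pkt, home_net):
    """'alert ip [list] any -> $HOME_NET any': source on the list, destination in HOME_NET."""
    return in_any(pkt["src"], POOR_REPUTATION_IPS) and in_any(pkt["dst"], home_net)


class LimitBySrc:
    """Model of Suricata 'threshold: type limit, track by_src, seconds S, count N':
    at most N alerts per source address within an S-second window that starts
    at the first match; further matches in that window are not logged."""

    def __init__(self, seconds, count):
        self.window = timedelta(seconds=seconds)
        self.count = count
        self.seen = {}  # src -> (window_start, alerts_in_window)

    def allow(self, src, ts):
        start, n = self.seen.get(src, (None, 0))
        if start is None or ts - start >= self.window:
            start, n = ts, 0  # first match, or the old window has expired
        n += 1
        self.seen[src] = (start, n)
        return n <= self.count


def evaluate(packets, home_net):
    """Alerts that would reach fast.log for this HOME_NET, as
    (timestamp, src, dst, dport) tuples, honouring the rule's threshold."""
    limiter = LimitBySrc(THRESHOLD_SECONDS, THRESHOLD_COUNT)
    alerts = []
    for pkt in packets:
        if rule_matches(pkt, home_net) and limiter.allow(pkt["src"], pkt["ts"]):
            alerts.append((pkt["ts"], pkt["src"], pkt["dst"], pkt["dport"]))
    return alerts


def t(s):
    return datetime.strptime(s, "%m/%d/%Y-%H:%M:%S")


# Constructed traffic as seen on the WAN interface: Internet scanners probing
# the WAN address itself (which the firewall drops), one listed host reaching
# an internal server through a port forward, and one unlisted host doing the same.
PACKETS = [
    {"ts": t("05/15/2017-23:39:29"), "src": "198.51.100.7", "dst": WAN_IP, "dport": 2375},
    {"ts": t("05/15/2017-23:41:02"), "src": "198.51.100.7", "dst": WAN_IP, "dport": 22},    # same src, same hour
    {"ts": t("05/15/2017-23:55:10"), "src": "198.51.100.9", "dst": WAN_IP, "dport": 3389},
    {"ts": t("05/16/2017-00:50:00"), "src": "198.51.100.7", "dst": WAN_IP, "dport": 2375},  # >1 h later: new window
    {"ts": t("05/16/2017-01:05:00"), "src": "198.51.100.9", "dst": "192.168.1.20", "dport": 443},  # forwarded
    {"ts": t("05/16/2017-01:06:00"), "src": "192.0.2.5", "dst": "192.168.1.20", "dport": 443},     # not on the list
]

if __name__ == "__main__":
    for name, home_net in (("OPNsense HOME_NET", OPNSENSE_HOME_NET),
                           ("HOME_NET + WAN IP", HOME_NET_WITH_WAN)):
        print(name)
        for ts, src, dst, dport in evaluate(PACKETS, home_net):
            print(f"  {ts:%m/%d/%Y-%H:%M:%S} [1:2403332:3555] ET CINS ... {src} -> {dst}:{dport}")
```

With the OPNsense HOME_NET only the forwarded probe to 192.168.1.20 alerts; with the WAN address in HOME_NET the same traffic produces four alerts, and the second probe from 198.51.100.7 is the one the rule's `limit` threshold hides, so a fast.log that looks quiet can still be missing repeat hits from the same source within the hour.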
Great find Ad!

I wonder why pfSense and IPFire include the external IPs in the local subnet config.

I confirmed just now that my WAN IP is in fact listed in my HOME_NET config in pfSense.

After reading the link you sent, I don't understand why they have it set that way and what you are saying makes sense to me now.

So I assume if I added my WAN IP to the home subnet list in OPNsense, I would see all these triggered as well, but they are likely just 'chatter' and not true intrusions.

Thank you for looking into this and I can't wait to get back on OPNsense tonight.

dcol (Hero Member)
Re: POLL: IPS « Reply #33 on: November 16, 2017, 04:53:31 pm »
I can confirm that you do see this 'chatter' when you add the WAN interface to HOME_NET, but these are real hits to the WAN side. I guess these 'hits' just never get past the firewall, which is why you don't see them on the other interfaces. But then again, they are hits to the WAN, and with IPS you can block them at the source, so wouldn't that be better?

Since this is an older topic, I continued this conversation in thread
https://forum.opnsense.org/index.php?topic=6398.0

xinnan (Full Member)
Re: POLL: IPS « Reply #34 on: November 16, 2017, 05:38:45 pm »
The firewall with no open ports and no pass rules will silently drop unsolicited incoming packets. In my opinion, that is usually best. Now, if I had SSH running on the WAN or another service installed in OPNsense that listened on the WAN, then there would be a great need to have IDS checking the WAN.

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved