OPNsense

  • OPNsense Forum »
  • English Forums »
  • Intrusion Detection and Prevention »
  • Using Rulesets in Suricata IPS

Author Topic: Using Rulesets in Suricata IPS  (Read 92659 times)

networkguy

Re: Using Rulesets in Suricata IPS
« Reply #15 on: February 11, 2018, 01:59:16 am »
Thanks. I was trying to think of a scenario where you may want the rule to be active as alert for that particular host but still deny as a whole. Thinking about it more I guess if a rule comes up on legitimate traffic that may just be configured poorly you probably would want to allow that traffic for other destinations anyways but just know about it.

Last question I have. I hope :) When I change from IDS to IPS do I have to go to every individual rule and change them from alert to deny or is there a way to do this globally?

elektroinside

Re: Using Rulesets in Suricata IPS
« Reply #16 on: February 11, 2018, 08:54:50 am »
You could try creating custom rules targeting individual hosts, however some rule orders need to be set for it to work, and I don't think that's possible... anyway, dcol has a very nice tutorial here about custom rules: https://forum.opnsense.org/index.php?topic=7209.0

To drop entire rulesets, go to Services: Intrusion Detection: Administration: Download tab, edit each ruleset (click on the pencil) and set it to 'Change all alerts to drop action' next to the 'Input filter'. Then 'Rules' tab and click 'Apply'.

More info here about this: https://forum.opnsense.org/index.php?topic=6893.0
« Last Edit: February 11, 2018, 08:59:23 am by elektroinside »
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member
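The 'Change all alerts to drop action' setting described in the reply above rewrites the action keyword of every enabled rule in a downloaded ruleset. The following script is an added example (my own code, not OPNsense's or Suricata's) that does the same thing to a rules file in plain Python, and goes one step further with a per-SID keep list (an assumption of this example, not an OPNsense feature) so that signatures still being tuned can stay at `alert` while the rest of the ruleset blocks. The sample ruleset is constructed for the example and contains no real Emerging Threats signatures.

```python
"""Rewrite Suricata rule actions from 'alert' to 'drop'.

Added example, not OPNsense or Suricata code. It does in plain Python what
the per-ruleset 'Change all alerts to drop action' setting does to a
downloaded rules file, plus a per-SID keep list (an assumption of this
example, not an OPNsense feature).
"""
import re
from typing import Dict, Iterable, Optional

# An enabled Suricata rule line starts with an action keyword followed by the
# protocol. Lines starting with '#' are disabled rules or comments and must
# not be touched.
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+(?P<rest>\S.*)$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def rule_sid(line: str) -> Optional[int]:
    """Return the signature id of a rule line, or None if it has none."""
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def alerts_to_drop(rules_text: str, keep_alert: Iterable[int] = ()) -> str:
    """Return rules_text with every enabled 'alert' rule turned into 'drop',
    except rules whose sid is in keep_alert. Comments, disabled rules and
    rules with other actions (pass/drop/reject) are returned unchanged."""
    keep = set(keep_alert)
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group('action') == 'alert' and rule_sid(line) not in keep:
            line = 'drop ' + m.group('rest')
        out.append(line)
    text = '\n'.join(out)
    return text + '\n' if rules_text.endswith('\n') else text


def count_actions(rules_text: str) -> Dict[str, int]:
    """Count enabled rules per action, useful as a before/after check."""
    counts: Dict[str, int] = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            counts[m.group('action')] = counts.get(m.group('action'), 0) + 1
    return counts


# Constructed sample ruleset; these are not real Emerging Threats signatures.
SAMPLE_RULES = """\
# constructed sample (not an ET rules file)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE SMB probe"; flow:to_server; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"SAMPLE disabled rule"; sid:9000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE noisy rule still being tuned"; content:"BadAgent"; http_user_agent; sid:9000003; rev:2;)
pass tcp $HOME_NET any -> any 443 (msg:"SAMPLE pass rule"; sid:9000004; rev:1;)
"""

if __name__ == '__main__':
    print('before:', count_actions(SAMPLE_RULES))
    converted = alerts_to_drop(SAMPLE_RULES, keep_alert=[9000003])
    print('after: ', count_actions(converted))
    print(converted)
```

Running the script prints the action counts before and after conversion: the disabled rule (`# alert ...`) and the `pass` rule are left alone, SID 9000003 stays at `alert` because it is on the keep list, and only SID 9000001 becomes `drop`. Comparing `count_actions()` before and after is a quick sanity check that a bulk rewrite touched exactly the rules you expected.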

jodumont

Re: Using Rulesets in Suricata IPS
« Reply #17 on: September 27, 2018, 03:42:24 pm »
An interesting source of information is compiled by FireHOL:
http://iplists.firehol.org/

You could compare different lists and also see which ones overlap.
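The reply above suggests comparing IP lists and checking how much they overlap. The script below is an added example (my own code, not part of the thread and not FireHOL's tooling) that parses the plain "one IP or CIDR per line, `#` comments" layout used by FireHOL's `.ipset`/`.netset` files and reports how many addresses two lists share, so you can judge whether a second feed adds coverage or mostly duplicates the first before enabling both. The two lists are constructed samples using RFC 5737 documentation prefixes, not real feeds.

```python
"""Compare two IP block lists and measure their overlap.

Added example, not part of the thread or of the FireHOL project. Parses the
FireHOL-style 'one entry per line, # comments' layout and reports shared
address counts. The two lists below are constructed samples, not real feeds.
"""
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_netset(text: str) -> List[Network]:
    """Parse a FireHOL-style list into collapsed (non-overlapping, merged)
    networks. IPv4 and IPv6 entries are collapsed separately."""
    by_version: Dict[int, List[Network]] = {4: [], 6: []}
    for raw in text.splitlines():
        entry = raw.split('#', 1)[0].strip()   # strip comments and whitespace
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)
        by_version[net.version].append(net)
    collapsed: List[Network] = []
    for nets in by_version.values():
        collapsed.extend(ipaddress.collapse_addresses(nets))
    return collapsed


def shared_addresses(a: List[Network], b: List[Network]) -> int:
    """Number of addresses present in both collapsed lists. Two CIDR blocks
    that overlap are always nested, so their intersection is the smaller one;
    because each list is collapsed, no block is counted twice."""
    total = 0
    for x in a:
        for y in b:
            if x.version == y.version and x.overlaps(y):
                total += min(x.num_addresses, y.num_addresses)
    return total


def compare_lists(a_text: str, b_text: str) -> Dict[str, int]:
    """Summarise the size of each list and how much of it is shared."""
    a, b = parse_netset(a_text), parse_netset(b_text)
    a_total = sum(n.num_addresses for n in a)
    b_total = sum(n.num_addresses for n in b)
    shared = shared_addresses(a, b)
    return {
        'a_addresses': a_total,
        'b_addresses': b_total,
        'shared': shared,
        'only_in_a': a_total - shared,
        'only_in_b': b_total - shared,
    }


# Constructed samples using documentation prefixes (RFC 5737), not real feeds.
LIST_A = """\
# list A (constructed)
192.0.2.0/24
198.51.100.10
198.51.100.11
203.0.113.0/25
"""
LIST_B = """\
# list B (constructed)
192.0.2.128/25      # covers half of A's /24
198.51.100.0/24     # contains both single hosts from A
203.0.113.128/25    # adjacent to A's block, no overlap
"""

if __name__ == '__main__':
    for key, value in compare_lists(LIST_A, LIST_B).items():
        print(f'{key:>12}: {value}')
```

For the sample lists this reports 386 addresses in A, 512 in B and 130 shared (half of the /24 plus the two single hosts). Collapsing each list first matters: without it, a feed that lists both a /24 and hosts inside it would be counted twice and the overlap figure would be inflated.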

Julien

Re: Using Rulesets in Suricata IPS
« Reply #18 on: November 17, 2018, 01:49:31 am »
Thank you guys for the explanation.
We are using OPNsense in front of our production where we have some servers running, including an Exchange server.
We have enabled those rules (emerging-netbios.rules/emerging-web_client.rules) as advised in the first post, using Hyperscan and IPS Mode on; however the speed drops -60%.

Is this an IPS issue or an IDS/IPS issue?
Thank you
OPNsense 23.1.7_3-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023

jschellevis

Re: Using Rulesets in Suricata IPS
« Reply #19 on: November 17, 2018, 02:10:58 am »
To determine the cause of the performance drop (probably a large ruleset containing patterns) I would suggest disabling all that contain patterns and then re-enable one by one.

Also ssl fingerprint rules are very consuming; this will likely be fixed with Suricata 4.1 in the upcoming OPNsense 19.1 release.

So experimenting with enabling/disabling rulesets may be the best way to figure this out.

In general you need a performant multi core CPU for high throughput when a lot of pattern matching and/or ssl fingerprint rules are enabled.

Julien

Re: Using Rulesets in Suricata IPS
« Reply #20 on: November 17, 2018, 02:18:36 am »
Quote from: jschellevis on November 17, 2018, 02:10:58 am
To determine the cause of the performance drop (probably a large ruleset containing patterns) I would suggest disabling all that contain patterns and then re-enable one by one.

Also ssl fingerprint rules are very consuming; this will likely be fixed with Suricata 4.1 in the upcoming OPNsense 19.1 release.

So experimenting with enabling/disabling rulesets may be the best way to figure this out.

In general you need a performant multi core CPU for high throughput when a lot of pattern matching and/or ssl fingerprint rules are enabled.
When I disable the IPS and keep those rules enabled the speed drops to 100%. I believe the issue is IPS and not rules.
I have just 3 rules enabled now and speed is 500/500 without IPS; when IPS is on speed drops to 180/180 and sometimes 200/200.
Do we really need the IPS in production?
The CPU we are using is Intel(R) Core(TM) i5-3317U CPU @ 1.70GHz (4 cores) and 8GB memory.

Thank you
OPNsense 23.1.7_3-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023

peter008

Re: Using Rulesets in Suricata IPS
« Reply #21 on: December 18, 2018, 01:59:20 pm »
Same here.

With IPS disabled we get our full 200/50 speed, with IPS enabled (no matter how many rules activated) speed drops to about 80/30 MBit.

Any news on this?

xmichielx

Re: Using Rulesets in Suricata IPS
« Reply #22 on: January 24, 2019, 06:11:28 pm »
I have the same bandwidth and use a PCengines APU2C4. The rulesets that you choose, the scan engine (Hyperscan preferably) and the networks that you have enabled in the HOME_NETWORK/LAN entry do have an impact on the IPS performance and how much bandwidth is dropped.

PSimoes

Re: Using Rulesets in Suricata IPS
« Reply #23 on: March 11, 2019, 12:16:34 pm »
I already have the rules on my computer but I don't know where to put them.... Does anyone know?

theennesh

Re: Using Rulesets in Suricata IPS
« Reply #24 on: June 24, 2024, 08:38:20 pm »
I followed all the instructions in the article https://medium.com/@parkerbenitez/opnsense-next-gen-firewall-a-deep-dive-into-suricata-integration-e5b71cb9b3b3 completely. However, in the download section, after selecting "enable selected" and then clicking on "Download & Update Rules," the rule file appeared empty, and I'm unsure why. Can anyone please help me with this issue?

mimugmail

Re: Using Rulesets in Suricata IPS
« Reply #25 on: June 25, 2024, 05:55:24 am »
Can you post a screenshot of the download section?
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
