Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

Quote from: mb on July 23, 2019, 09:10:16 AM
Quote from: mb on July 22, 2019, 09:20:08 PM
Ok, looks like in some cases people still experience some more 19.7 compatibility issues that need attention.

Dear Sensei users,

Issues which arose after the 19.7 upgrade seem to be the result of the OPNsense Python 3.7 migration. Removal of unused Python 2.7 modules caused issues since they were required by some Sensei scripts.

We just released 0.8.2 addressing this. While you're upgrading to 0.8.2, missing Python dependencies will be automatically installed.

Sorry for the inconvenience this might have caused.

Please feel free to share any further problems you've encountered.

Scheduled Reports are working now with 0.8.2! Thx

mb fixed the issue on my OPNsense 19.7 running Sensei 0.8.2 by disabling and re-enabling Cloud Reputation & Web Categorization and saving the configuration.

The /usr/local/sensei/log/active/main_20190724T000000.log logfile showed the error:
019-07-24T20:54:57 ERROR: CloudReputationNodeManager:loadNodes: cannot access file /usr/local/sensei//db/Cloud//nodes.csv: No such file or directory

Quote from: abraxxa on July 24, 2019, 09:20:08 PM
mb fixed the issue on my OPNsense 19.7 running Sensei 0.8.2 by disabling and re-enabling Cloud Reputation & Web Categorization and saving the configuration.

@abraxxa, thanks for your help diagnosing this.

Sensei users,

After the 19.7 migration, and even after you update to Sensei 0.8.2, if you cannot start the Sensei engine, please follow these steps:

  • Navigate to Sensei -> Configuration -> Cloud Threat Intel
  • Disable and then enable a cloud node; you'll see "Save Changes" enabled
  • Click on "Save Changes"
  • Navigate to Sensei -> Status, and start Sensei Engine

This will trigger a configuration re-write and previously failed scripts will re-configure the necessary configuration files.
Hey @mb,

You mentioned you had some updates on potential Users/Groups due out this month... any word on that by chance?

Hi @thg0432,

Yep. With 1.0, you'll start seeing user information being reported in reports. We can now poll users from OPNsense captive portal authentications.

On this occasion, a little update on 1.0 release schedule:

Due to 19.7 integration efforts, the 1.0 release schedule got delayed by 10 days. Currently running the latest integration tests. If all goes well, the new ETA is this Thursday.

Also you can expect to hear more on Premium Subscription and the related launch schedule later this week.

Will there be an option to add external sources of Threat Intelligence to Sensei?

Like new URLs or IPs to block?

Hi @l0rdraiden,

You can now do custom categorization with the help of Web Controls -> User Defined Categories. I'm guessing you'd need a bulk adding functionality for this to happen.

Would that work if we added a bulk list add functionality to User Defined Categories?

I am having an issue: when I reboot the firewall and it reloads, I get the following error and it will no longer pass traffic.

Starting elasticsearch
s: /usr/local/sensei//output/active/*.ipdr: No such file or directory

Hi,

SNMP traffic (161/UDP) seems to be categorized as QUIC protocol / Streaming.

Best
Marc

August 01, 2019, 08:35:59 AM #444 Last Edit: August 01, 2019, 01:40:17 PM by l0rdraiden
Quote from: mb on July 31, 2019, 06:23:55 PM
Hi @l0rdraiden,

You can now do custom categorization with the help of Web Controls -> User Defined Categories. I'm guessing you'd need a bulk adding functionality for this to happen.

Would that work if we added a bulk list add functionality to User Defined Categories?

Hi @mb,

Yes, adding the ability to add lists from different sources would be a nice feature. This could be IPBL or DNSBL, for example from these websites:
https://github.com/collinbarrett/FilterLists
https://iplists.firehol.org/
This is more or less what pfBlockerNG does in pfSense, but it is also able to remove duplicates and has many other options, like applying the lists only to certain ports, etc.
https://www.netgate.com/resources/videos/pfblockerng-on-pfsense.html

BTW, is the cloud threat intelligence that you add for bad sites or IPs based on free lists or paid ones?

Why don't you include TLS inspection in the freemium version? At least for home use.

Regarding pricing of the premium version: are you sure it is on a monthly basis, or yearly?

Hi @all,

How can I block TLS-encrypted traffic on port 80 with Sensei? Or should Squid do it? See attachment...

Quote from: Csykes27 on August 01, 2019, 06:34:32 AM
I am having an issue: when I reboot the firewall and it reloads, I get the following error and it will no longer pass traffic.

@cykes, I'm reaching out to you. Let's investigate this together.

Hi @l0rdraiden,

Sensei's Cloud Threat Intelligence is proprietary and commercial. License permitting, we're also utilizing a few lists from the community.

Many thanks for the clarification. Technically, it would be trivial for us to utilize these local lists. The thing is we need to be careful about the licenses under which these lists are distributed.

I guess if the lists are not distributed by the sensei package itself; but instead sensei utilizes already downloaded lists, this should be permissible. We'll have a look at this.

We're indeed evaluating the option to have TLS for up to some number of users.

August 03, 2019, 01:08:39 AM #449 Last Edit: August 03, 2019, 01:19:48 AM by mb
Hey Marc,

We'll look into SNMP/QUIC identification.

Quote: How can I block TLS-encrypted traffic on port 80 with Sensei? Or should Squid do it? See attachment...

Actually, this is a roadmap item that we call "Protocol anomaly detection". With this feature, you'll be able to lock specific ports to some allowed protocols/applications.

So now, we have a POLL:

Which protocols/applications would you like implemented first?

https://www.surveymonkey.com/r/YCMNBGN
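The port-to-protocol lock described above (with the asked-about case, TLS on port 80) can be expressed as a small check. This is an added example, not Sensei's code; it assumes a hypothetical per-port policy table and identifies the protocol from the first client-to-server bytes only (a TLS ClientHello record header or an HTTP method token).

```python
from typing import Dict, Optional, Set

# Constructed policy (assumption): application protocols allowed per port.
PORT_POLICY: Dict[int, Set[str]] = {80: {"http"}, 443: {"tls"}}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


def is_tls_client_hello(payload: bytes) -> bool:
    """True if payload starts with a TLS record carrying a ClientHello.
    Record header: type(1)=0x16 handshake, version(2)=0x03xx, length(2);
    then handshake type(1)=0x01. Truncated input is treated as not TLS."""
    if len(payload) < 6:
        return False
    if payload[0] != 0x16 or payload[1] != 0x03:
        return False
    rec_len = int.from_bytes(payload[3:5], "big")
    if rec_len < 4:  # a handshake header alone needs 4 bytes
        return False
    return payload[5] == 0x01


def classify(payload: bytes) -> str:
    """Label the first client-to-server bytes of a flow."""
    if is_tls_client_hello(payload):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def check_flow(dst_port: int, payload: bytes) -> Optional[str]:
    """Return an alert when the observed protocol is not allowed on the
    destination port; None when it conforms or the port has no policy."""
    allowed = PORT_POLICY.get(dst_port)
    if allowed is None:
        return None
    proto = classify(payload)
    if proto in allowed:
        return None
    return f"port {dst_port}: {proto} observed, allowed {sorted(allowed)}"


# Constructed sample payloads: a TLS-record ClientHello and an HTTP GET.
TLS_HELLO = bytes.fromhex("160301002a01000026") + b"\x00" * 38
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
```

Calling `check_flow(80, TLS_HELLO)` yields an alert while `check_flow(80, HTTP_GET)` returns None; ports without a policy entry are never flagged.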