Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

Hi,

First of all, I am very happy about the Sensei plugin, it's amazing :) Thank you.

But an integration of ClamAV or CICap would be very cool (if it's possible).
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

Quote from: marcri on September 18, 2019, 07:39:00 AM
Quote from: nullinger on September 17, 2019, 10:41:50 PM
As my mail relay does not allow sender addresses with non-local/external domains, it would be very nice to have the possibility to set my own sender address.
Sensei uses the SMTP username as sender, in my case it is an email address. Works as expected.

@marcri, thanks for the feedback. @nullinger, then it looks like if you have just the username, we have an issue. We were just about to do a code freeze for 1.0.3. Good timing :) Looks like an easy fix.

September 19, 2019, 07:14:24 PM #527 Last Edit: September 19, 2019, 07:37:02 PM by mb
Quote from: karl047 on September 19, 2019, 09:55:37 AM
The addition of many "Next Generation Firewall" functions to Open Source is a big idea, and I had tried Sensei, and it is really good.
One question please (for home users): is there any plan for a good price with a premium subscription?

Hi @karl047, many thanks for trying out Sensei and glad that you've loved it.

We have plans to have a Home edition. We have a two-step action plan for this:

Step 1. We're currently working on a project where we'll be able to make Sensei available to run on low-end devices (many home users seem to be running these). Initial tests look very good: we're able to run Sensei with reporting on a low-end Qotom device (Celeron J1900 @1.6GHz, 2GB RAM). Deciso's lowest-end device has a powerful CPU compared to this. So, when we're done with this project, theoretically, we should be able to cover nearly all of the x86-based hardware out there.

Step 2. Sunny Valley sales team is working on home-user licensing. Our aim here is to make it competitive and affordable.

As for timing, the current plan is to have step 1 available by mid-October. The latter, I guess, will be early 2020.

And one more note: we're just starting, this is going to be a hell of a solution ;)

Quote from: lfirewall1243 on September 19, 2019, 11:22:01 AM
Hi,

First of all, I am very happy about the Sensei plugin, it's amazing :) Thank you.

But an integration of ClamAV or CICap would be very cool (if it's possible).

Hi @lfirewall1243, many thanks for trying out Sensei and providing feedback.

You should be able to do this with Suricata + ClamAV. Did you try that? If so, what were you missing with the solution?


Hi Murat,

will you add the status for the Sensei service and the Elasticsearch service to the dashboard in a future version?
It would be handy to have all needed services in the status dashboard.

A cheaper home license for Sensei would be awesome! Btw, how do you calculate the exact amount of IPs in Sensei?
Because the unique amount of hosts that I see in the daily e-mail which I receive from Sensei has a range from 61 hosts up to 74 hosts. I never have that amount of hosts at home :o Maybe it has something to do with IPv6 and the temporary IPv6 addresses?

Thank you.

Hi BeNe,

Yep, we'll be adding a widget to the OPNsense dashboard, it's in the roadmap.

It's the number of unique local IP addresses within a day. Since normally IPv6 is used dual-stack, we don't count IPv6 addresses for licensing.

To check, filter the connection reports for a day and filter TCP and UDP as the Transport Protocol. (TCP6 and UDP6 imply IPv6, whereas TCP and UDP mean IPv4 was being used.)
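As an added illustration of the counting rule described above (example code, not Sensei's own), the following Python derives the per-day unique local IPv4 host count from constructed connection-report rows, treating TCP6/UDP6 as IPv6 exactly as the post states; using the private-address test to decide which endpoint is "local" is an assumption of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of connection-report rows: (date, transport, src, dst).
# Transport naming follows the thread: TCP/UDP = IPv4, TCP6/UDP6 = IPv6.
SAMPLE_ROWS = [
    ("2019-09-20", "TCP",  "192.168.1.10", "93.184.216.34"),
    ("2019-09-20", "UDP",  "192.168.1.10", "9.9.9.9"),          # same host, second flow
    ("2019-09-20", "TCP",  "192.168.1.11", "93.184.216.34"),
    ("2019-09-20", "TCP",  "172.16.5.7",   "93.184.216.34"),    # RFC1918 172.16/12 is local
    ("2019-09-20", "TCP6", "2001:db8::1",  "2606:4700::1111"),  # IPv6: not counted
    ("2019-09-20", "UDP6", "2001:db8::2",  "2606:4700::1111"),  # IPv6: not counted
    ("2019-09-21", "TCP",  "192.168.1.10", "93.184.216.34"),
]

IPV4_TRANSPORTS = {"TCP", "UDP"}


def local_endpoint(src, dst):
    """Assumption: the private (RFC1918/ULA) side of a flow is the local host.
    Returns None when neither endpoint is private."""
    for addr in (src, dst):
        if ipaddress.ip_address(addr).is_private:
            return addr
    return None


def local_hosts_per_day(rows):
    """Set of unique local IPv4 addresses seen on each day."""
    per_day = defaultdict(set)
    for day, transport, src, dst in rows:
        if transport not in IPV4_TRANSPORTS:  # skip TCP6/UDP6 flows
            continue
        local = local_endpoint(src, dst)
        if local is not None:
            per_day[day].add(local)
    return {day: sorted(hosts) for day, hosts in per_day.items()}


def licensed_host_count(rows):
    """The number a daily report would show: unique local IPv4 hosts per day."""
    return {day: len(hosts) for day, hosts in local_hosts_per_day(rows).items()}


if __name__ == "__main__":
    for day, hosts in local_hosts_per_day(SAMPLE_ROWS).items():
        print(day, len(hosts), hosts)
```

When the daily count looks too high, the address list from `local_hosts_per_day` is what to compare against the client list of your switch or AP controller.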


Quote from: mb on September 19, 2019, 06:59:08 PM
@marcri, thanks for the feedback. @nullinger, then it looks like if you have just the username, we have an issue. We were just about to do a code freeze for 1.0.3. Good timing :) Looks like an easy fix.

That's true, I am using a local mail relay which allows mail without authentication from specific IPs. Thank you very much!

Quote from: nullinger on September 22, 2019, 11:42:12 PM
That's true, I am using a local mail relay which allows mail without authentication from specific IPs. Thank you very much!

Got it. All welcome. Fix is applied for 1.0.3. Final tests ongoing. Shipping mid next-week.

September 24, 2019, 12:52:08 PM #533 Last Edit: September 24, 2019, 12:54:24 PM by the-mk
What might be wrong if the OPNsense dashboard disk usage shows 29G of 115G while the status of Sensei displays a disk usage of 39 GB?
"df -h" and Zabbix report about 29G disk usage...

Quote from: the-mk on September 24, 2019, 12:52:08 PM
What might be wrong if the OPNsense dashboard disk usage shows 29G of 115G while the status of Sensei displays a disk usage of 39 GB?
"df -h" and Zabbix report about 29G disk usage...

Hi @the-mk,

Thanks for reporting this. Yep, this was a bug, which got fixed with 1.0.3.

thanks @mb

I'd like to ask again BeNe's question how the number of hosts is calculated - but for a different reason.

On my OPNsense host I have 7 different interfaces/networks (where one of them is the WAN interface), based on my Ubiquiti UniFi Management WebUI I have 50 different hosts connected to my switches and APs, while my daily mail report always shows a much higher number for the last 24 hours (around double the amount of hosts I have based on my UniFi information). And I do not understand why that number is so high.

Side information:

  • on one of my networks I have a Pi-hole DNS server which every host connects to when performing DNS operations
  • some of my hosts on one network also talk to another local network
  • but most of the networks are firewalled so they can't see and talk to each other (only two networks can see the other networks; four of them can only talk through WAN)
  • all of them are configured for IPv4; IPv6 is disabled on the interfaces/networks on my OPNsense host

Which information do you need besides the lines above to explain the higher number of hosts reported by Sensei?

Dear Sensei users,

It's our pleasure to announce the availability of Sensei 1.0.3 release.
This release comes with the feature set below.

You can update your Sensei through Sensei -> Status menu or through OPNsense updater.

What is new in Sensei 1.0.3

Application control & filtering

  • 22 new applications (Ad Tracking)
  • Fixed an issue causing the 172.16.0.0/16 block to be recognised as public IP addresses
  • Re-evaluation of policy rules when a policy is re-configured
  • Fixed an issue matching policies with a Captive Portal user group
  • Captive portal: provide user group information to Sensei

Reporting

  • Scheduled e-mail reports: now support STARTTLS for e-mail transport security
  • Scheduled e-mail reports: you can now specify a sender address for the e-mails
  • Reverse DNS lookups for local IP addresses

Performance

  • Output directory is now a memory-backed filesystem for higher file system performance

Cloud Threat Intelligence

  • new US-West Cloud servers (Test)
  • new Asia Cloud servers (Test)
  • You can now request web sites being re-categorized by sharing your custom lists with Sensei team

UI/UX

  • Important engine-related messages are communicated through UI
  • Now working with tucan/cicada themes (thanks to opnsenseuser of Team Rebellion for OPNsense commits)
  • During uninstall, you can now request to be contacted by the Sensei team about your problem
  • Fixed an issue preventing selection of a whole application category
  • Better user feedback forms

Misc

  • Proper LibreSSL build and repo
  • Installer now does a CPU benchmark test to see if Sensei can run successfully on your hardware
  • Migrated to Python 3.7
  • More reliability and performance improvements


Enjoy,

Your Sensei team.

September 26, 2019, 06:36:38 AM #537 Last Edit: September 26, 2019, 06:38:56 AM by the-mk
After upgrading to Sensei 1.0.3 the automatic report mail broke...
I checked the settings and noticed that the connection security was set to no security (while I need SMTPS).
I am curious how the reverse DNS lookup in the report mail works... need to wait another 17 hours and 30 minutes to see it ;-)
Reporting of disk usage on the status page looks better now!

Thanks for the new version 1.0.3.

"Reverse DNS lookups for local IP addresses" translates some IPs into names in "Sensei -> Reports -> Connections", for example.
But not all IPs are translated into their names. Manual reverse lookup of the IPs via dig or nslookup is fine.

Does Sensei need more time for reverse lookups?

Quote from: the-mk on September 26, 2019, 06:36:38 AM
After upgrading to Sensei 1.0.3 the automatic report mail broke...
I checked the settings and noticed that the connection security was set to no security (while I need SMTPS).
I am curious how the reverse DNS lookup in the report mail works... need to wait another 17 hours and 30 minutes to see it ;-)
Reporting of disk usage on the status page looks better now!

Hi @the-mk, sorry about that. Yes, since we changed the input method, you'd need to re-configure connection reports.

Let me write a detailed post about how we do reverse DNS mapping for IP addresses.

Glad to hear that disk usage got fixed. I'll reach out to you for local host report.