Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

Dear Sensei users,

With 1.1_3, we think it is safe to officially declare that the 1.1 release is out.

@opnsenseuser, we were able to add Sensei Dashboard Widget to this release.

List of new features that have been shipped with 1.1:

Better low-end device support

Better Security
New security features for the Premium Edition:

  • Protection against malware, viruses and phishing attacks which have recently come into existence, mostly within a zero to one week timeframe.
  • Blocking sites which utilize Dynamic DNS services. Although Dynamic DNS itself isn't malicious, it could be a sign of other problems, abuses or threats to your network's security.
  • Blocking newly registered domains, which are an effective tool for threat actors. From a security perspective, there are very few reasons someone would need to visit a domain that has just come online; likely, they were sent there via a URL from a malicious campaign.
  • Blocking newly recovered sites. Like newly registered sites, sites which have undergone a long period of silence and have recently come back up might also be used by attackers. Sites which have a good reputation history are especially used by cyber criminals to evade reputation-based security mechanisms.
  • Blocking dead sites, which are not actively maintained. These sites are also good candidates for cyber criminals to launch their attacks from.

More interface support

  • lagg(4) and bridge(4) interface members can be protected now

New Cloud Servers Infrastructure goes live

  • New lower-latency cloud servers for US-West, US-East, Asia and Australia regions
  • New web category/threat intelligence database
  • Improved/faster cloud query mechanism
  • Better availability
  • Status screen now shows uptime in a prettier format

Reporting

  • Reporting Performance Improvements (Reports load faster)
  • Long-awaited OPNsense Dashboard Widget

Related Blog Post:

https://www.sunnyvalley.io/post/sensei-1-1-released-providing-support-for-low-end-devices-deciso-a10-opnsense-pcengines-qotom

Enjoy ;)

Your Sensei team.


Hello.
First of all, thank you very much for this plugin.
I tried installing it on Pondesk hardware and on a Supermicro server (in a VM).
On both, I can only achieve Small II (Max 50 users).
I have a home net with more than 50 devices (HomeKit devices, Konnex devices, Hue bulbs, IP phones, 3 robot cleaners, a robot mower etc.). All of this requires a gateway to be able to update software and to be controlled from the cloud.

My question is: after the first 50 devices Sensei sees, what happens to the others? How can I check which are the first 50 devices handled by Sensei?

Thanks.

Don't use dual stack or multiple IPs per device. Sensei counts every IP address and sees ~60 devices in my LAN, but there are only 18 real devices ;)
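To see how dual stack and multiple addresses per host inflate an address-based device count like the one described above, here is an added example (not part of this thread and not Sensei's own code) that parses constructed FreeBSD `arp -an` and `ndp -an` output, groups addresses by MAC, and compares the number of addresses seen against the number of distinct devices. The interface name, MACs and addresses are made-up sample values.

```python
import re
from collections import defaultdict

# Constructed sample of FreeBSD `arp -an` output (IPv4 neighbours).
ARP_SAMPLE = """\
? (192.168.1.10) at 00:11:22:33:44:55 on igb1 expires in 1150 seconds [ethernet]
? (192.168.1.11) at 00:11:22:33:44:55 on igb1 expires in 900 seconds [ethernet]
? (192.168.1.20) at aa:bb:cc:dd:ee:01 on igb1 expires in 1200 seconds [ethernet]
? (192.168.1.1) at 0c:c4:7a:00:00:01 on igb1 permanent [ethernet]
"""

# Constructed sample of FreeBSD `ndp -an` output (IPv6 neighbours).
NDP_SAMPLE = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::211:22ff:fe33:4455%igb1        00:11:22:33:44:55  igb1  23h59m58s S R
2001:db8:1::10                       00:11:22:33:44:55  igb1  permanent R
fe80::a8bb:ccff:fedd:ee01%igb1       aa:bb:cc:dd:ee:01  igb1  12m5s     S
"""

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
ARP_RE = re.compile(r"\((?P<ip>[^)]+)\) at " + MAC + r" on (?P<ifn>\S+)")
NDP_RE = re.compile(r"^(?P<ip>\S+)\s+" + MAC + r"\s+(?P<ifn>\S+)")

def addresses_by_mac(arp_out, ndp_out, skip_macs=()):
    """Map each MAC to the set of IPv4/IPv6 addresses seen for it.
    skip_macs excludes e.g. the firewall's own interface MACs so the
    gateway addresses are not counted as a client device."""
    devices = defaultdict(set)
    for line in arp_out.splitlines():
        m = ARP_RE.search(line)
        if m and m["mac"] not in skip_macs:
            devices[m["mac"]].add(m["ip"])
    for line in ndp_out.splitlines():
        m = NDP_RE.match(line)  # the header line has no MAC and is skipped
        if m and m["mac"] not in skip_macs:
            # drop the %ifname zone suffix on link-local addresses
            devices[m["mac"]].add(m["ip"].split("%")[0])
    return dict(devices)

def count_summary(devices):
    """Return (addresses seen, distinct devices by MAC)."""
    return sum(len(ips) for ips in devices.values()), len(devices)

if __name__ == "__main__":
    devs = addresses_by_mac(ARP_SAMPLE, NDP_SAMPLE, skip_macs={"0c:c4:7a:00:00:01"})
    for mac, ips in sorted(devs.items()):
        print(mac, sorted(ips))
    print("addresses seen: %d, distinct devices: %d" % count_summary(devs))
```

On the sample data an address-based counter reports 6 "devices" while only 2 real hosts (plus the excluded gateway) are present; run the same parsing over the live tables on the firewall to see which hosts carry several addresses.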

Hi there,

I have a few questions:

Custom interval selection does not let me select any date later than August 7th, although the selection of 24h, 7 days, 30 days in the drop-down menu does work.

Furthermore, "show hostnames" still keeps showing IPs only, although this has been added to the reverse lookups. OPNsense shows hostnames in Insight.

@Supergiovane, many thanks for trying Sensei and for your feedback. For now, we do not enforce hard limits with regard to device count. Currently, it's an Ethical License. However, for memory efficiency, internal data structures are adjusted according to the deployment size, which means that if there's sustained higher usage, it's probable that you might lose data.

@marcri, thanks for the answer. Asset Discovery is on the way ;) With Asset Discovery, Sensei will be able to associate IP addresses with a single device. This will also provide information about the specific device (Operating System, Hardware Vendor, Device Type etc.)

@sol, did a quick check on the time interval issue, and could not reproduce it. In which screen does this happen? With regard to DNS, it's most probably due to the Sensei engine not being able to see DNS transactions. See:

https://forum.opnsense.org/index.php?topic=9521.msg66123#msg66123


Quote from: actionhenkt on November 07, 2019, 02:59:33 PM
I can block per host now with this update, nice.

Would you mind showing us how this works? I have looked in the (sparse) documentation and I didn't find this per-host functionality (in the Free Edition). I tried to drill down into the list from reports and it seems to apply the block to all hosts in a given subnet.

I'd really love the ability to apply blocking policies on a per-device basis.

Quote from: puddles on November 16, 2019, 10:07:29 PM
I tried to drill down into the list from reports and it seems to apply the block to all hosts in a given subnet.

I'd really love the ability to apply blocking policies on a per-device basis.

Hi @puddles, many thanks for trying Sensei.

What @actionhenkt is referring to is the ability to whitelist individual destination hostnames/domain names via a shortcut from Live Blocked Sessions Explorer.

You're able to create policies per IP/subnet/VLAN/interface/user/group with Policy Based Filtering, which is available in Premium.

We'll also be announcing the Home Premium Subscription in the coming week. It'll have suitable pricing for home users.

November 19, 2019, 09:04:41 AM #607 Last Edit: November 19, 2019, 09:06:17 AM by opnsenseuser
@mb
Since Sensei now also officially supports low-end hardware, I have now installed it on my live environment. But it does not work if I want to block Facebook, for example. I have attached all settings as a screenshot. What am I doing wrong? Can it be due to the firewall rules? Unfortunately, a restart did not help either. The Sensei widget says that everything is stopped, and according to Sensei status, it should work. Strange.

See my screenshots.

Thx,
regards René
Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

Hi rene,

If blocking is not working, I would suspect that the engine is not running. So the Dashboard widget might be correct. Any chance that you can send the /usr/local/sensei/log/active directory to me? You can PM me. Let me see what's going on.

Quote from: mb on November 19, 2019, 08:12:48 PM
Hi rene,

If blocking is not working, I would suspect that the engine is not running. So the Dashboard widget might be correct. Any chance that you can send the /usr/local/sensei/log/active directory to me? You can PM me. Let me see what's going on.

Thx. The "active" folder has 122 MB. How should I send this to you?
Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

Quote from: mb on November 19, 2019, 08:12:48 PM
Hi rene,

If blocking is not working, I would suspect that the engine is not running. So the Dashboard widget might be correct. Any chance that you can send the /usr/local/sensei/log/active directory to me? You can PM me. Let me see what's going on.

I have zipped it. Now it has 8 MB.
Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

November 19, 2019, 09:26:52 PM #611 Last Edit: November 19, 2019, 09:32:48 PM by sol
Quote from: mb on November 13, 2019, 02:19:05 AM
@sol, did a quick check on the time interval issue, and could not reproduce it. In which screen does this happen? With regard to DNS, it's most probably due to the Sensei engine not being able to see DNS transactions. See:

https://forum.opnsense.org/index.php?topic=9521.msg66123#msg66123

In all reports.
I did update the Sensei engine to 1.1_ before I updated OPNsense to 19.7.6 and had to do a reboot to make Sensei work again.
Although the fixed intervals (15 mins, 1h, ...) show me actual data.

In regards to DNS: is it maybe dnscrypt proxy which interferes here?

Quote from: sol on November 19, 2019, 09:26:52 PM
Quote from: mb on November 13, 2019, 02:19:05 AM
@sol, did a quick check on the time interval issue, and could not reproduce it. In which screen does this happen? With regard to DNS, it's most probably due to the Sensei engine not being able to see DNS transactions. See:

https://forum.opnsense.org/index.php?topic=9521.msg66123#msg66123

In all reports.
I did update the Sensei engine to 1.1_ before I updated OPNsense to 19.7.6 and had to do a reboot to make Sensei work again.

In regards to DNS: is it maybe dnscrypt proxy which interferes here?

I'm using Unbound with DoT.
Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)


Rene, I was able to reproduce the issue. Thanks for the hand. 1.1_4 coming up shortly.