Is your feature request related to a problem? Please describe.
Coming from pfSense, currently in the IDS UI I feel that OPNsense is missing some important features.
1/- Currently it is not possible to whitelist a IDS rule related to a source or destination IP.
2/- Currently the alert tab displays the IP of the source and the IP of the destination. Because OPNsense provides the DNS server it is possible to request the DHCP entry related to the offending IP. So it is easier to identify the computer doing bad traffic.
3/- Alert tab is missing rule priority. On pfSense, the alert tab displays a rule priority (1 is high). This is interesting to focus on really important rules: alerts of priority 1 need immediate attention while priority 3 is network traffic cleanup.
4/- And finally, for example when a packet raises an alert related to DNS (example ET INFO Observed DNS Query to .to TLD) it could be interesting to correlate the alert with DNS server logs.
Describe the solution you like
So far I think I found a kind of workaround for 1 & 2:
I manually modify the file /usr/local/etc/suricata/threshold.config
#######################################################################
#suppress ET INFO File Hosting Service Domain Domain in DNS Lookup (files .pythonhosted .org)
suppress gen_id 1, sig_id 2049201
#suppress ET INFO Clearbit Logo Query in DNS Lookup (used by Odoo)
suppress gen_id 1, sig_id 2044300
#suppress ET POLICY External IP Lookup (avast .com)
suppress gen_id 1, sig_id 2029575
#http.user_agent CCleaner Update Agent
#suppress ET DNS Query for .to TLD
suppress gen_id 1, sig_id 2027757
#threshold ET POLICY Vulnerable Java Version 1.8.x Detected (1/day)
threshold gen_id 1, sig_id 2019401, type threshold, track by_src, count 1, seconds 86400
#threshold ET POLICY Vulnerable Java Version 17.0.x Detected
threshold gen_id 1, sig_id 2034817, type threshold, track by_src, count 1, seconds 86400
--> It could be interesting to add a "+" mark that pops up a wizard asking to whitelist the sid, with:
comment (important to keep a trace why you did this whitelisting)
a tick for threshold
if threshold: an int for count
a choice for track_by: src/dst/none
if threshold: seconds before next event
In fact the UI in /ui/ids/policy#rules is almost OK, it just misses comment, threshold functionality and filter IP (with track_src/dst).
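The wizard sketched above maps almost one-to-one onto Suricata's threshold.config grammar: a `suppress` line can carry `track by_src|by_dst, ip <host-or-cidr>` to whitelist a sid for one address only, and a `threshold` line carries `type`, `track`, `count` and `seconds`. The script below is an added example (not OPNsense or Suricata code) that renders such entries from a structured request, forcing a comment and validating the IP with the standard library; the `WhitelistEntry` fields and function names are this example's own assumptions.

```python
"""Render Suricata threshold.config entries from structured whitelist requests.

Added example, not part of OPNsense or Suricata.  The dataclass fields mirror
the wizard fields discussed in the issue (comment, threshold tick, count,
track by src/dst, seconds) plus an optional IP filter for the suppress form.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WhitelistEntry:
    sid: int
    comment: str                    # mandatory: why this whitelisting exists
    track: Optional[str] = None     # "src", "dst" or None
    ip: Optional[str] = None        # host or CIDR; only valid with track set
    threshold: bool = False         # False -> suppress line, True -> threshold line
    count: int = 1
    seconds: int = 86400
    gid: int = 1


def _track_keyword(track: Optional[str]) -> str:
    """Map the wizard's src/dst choice to Suricata's by_src/by_dst keyword."""
    if track not in ("src", "dst"):
        raise ValueError(f"track must be 'src' or 'dst', got {track!r}")
    return f"by_{track}"


def render_entry(e: WhitelistEntry) -> str:
    """Return the comment line plus one suppress/threshold line for this entry."""
    if not e.comment.strip():
        raise ValueError("a comment is required to keep a trace of why the sid is whitelisted")
    lines = [f"# {e.comment.strip()}"]

    if e.threshold:
        # threshold form: fire at most once per `count` matches in `seconds`, per tracked side
        if e.count < 1 or e.seconds < 1:
            raise ValueError("count and seconds must be positive")
        lines.append(
            f"threshold gen_id {e.gid}, sig_id {e.sid}, type threshold, "
            f"track {_track_keyword(e.track)}, count {e.count}, seconds {e.seconds}"
        )
    else:
        # suppress form: optionally restricted to one address or subnet on src or dst side
        parts = [f"suppress gen_id {e.gid}, sig_id {e.sid}"]
        if e.ip is not None:
            net = ipaddress.ip_network(e.ip, strict=False)  # raises on malformed input
            ip_text = str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen
            parts.append(f"track {_track_keyword(e.track)}")
            parts.append(f"ip {ip_text}")
        lines.append(", ".join(parts))
    return "\n".join(lines)


def render_config(entries: List[WhitelistEntry]) -> str:
    """Render a complete threshold.config body from a list of entries."""
    header = "#" * 71
    return "\n".join([header] + [render_entry(e) for e in entries]) + "\n"


if __name__ == "__main__":
    # constructed sample: whitelist the .to TLD alert for one host, rate-limit the Java alert
    demo = [
        WhitelistEntry(sid=2027757, comment="ET DNS Query for .to TLD, expected on the NAS",
                       track="src", ip="192.168.20.73"),
        WhitelistEntry(sid=2019401, comment="ET POLICY Vulnerable Java Version 1.8.x Detected (1/day)",
                       track="src", threshold=True, count=1, seconds=86400),
    ]
    print(render_config(demo))
```

The `ip` field is only emitted together with a `track` keyword because a Suricata suppress rule filtered by address needs to know which side of the flow the address applies to; leaving `ip` unset yields the global suppress form already used in the file above.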
For point 3 I haven't any solution yet.
For point 4 I use this: if the alert (ET INFO Observed DNS Query to .to TLD) comes from IP 192.168.20.73, I do grep "192.168.20.73..to A" /var/log/resolver/.
Not perfect but it helps understand what has been the issue. Perhaps displaying the .eve log would be sufficient.
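The manual grep for points 3 and 4 can be scripted: Suricata's EVE alert records carry `alert.severity` (1 is the highest, the same scale pfSense shows as priority), and the signature text for the .to TLD rule names the TLD, which is enough to pick the matching client queries out of the resolver log. The script below is an added example, not code from OPNsense or Suricata; the eve.json and unbound log lines are constructed samples, and the unbound query-log line layout (`info: <client> <name>. <type> IN`) is an assumption of this example.

```python
"""Correlate Suricata eve.json alerts with resolver query-log lines and rank by severity.

Added example, not OPNsense or Suricata code.  All sample data below is
constructed; the resolver log layout is assumed, adjust QUERY_RE to match
the real /var/log/resolver output if it differs.
"""
import json
import re
from typing import Dict, List, Optional

# constructed eve.json records (field names follow Suricata EVE alert output)
EVE_LINES = [
    json.dumps({"timestamp": "2024-01-10T10:00:01.000000+0100", "event_type": "alert",
                "src_ip": "192.168.20.73", "dest_ip": "192.168.20.1", "proto": "UDP",
                "alert": {"signature_id": 2027757, "severity": 2,
                          "signature": "ET INFO Observed DNS Query to .to TLD"}}),
    json.dumps({"timestamp": "2024-01-10T10:00:02.000000+0100", "event_type": "alert",
                "src_ip": "192.168.20.50", "dest_ip": "203.0.113.9", "proto": "TCP",
                "alert": {"signature_id": 2019401, "severity": 1,
                          "signature": "ET POLICY Vulnerable Java Version 1.8.x Detected"}}),
    json.dumps({"timestamp": "2024-01-10T10:00:03.000000+0100", "event_type": "dns",
                "src_ip": "192.168.20.73", "dest_ip": "192.168.20.1"}),  # not an alert: ignored
]

# constructed unbound log-queries lines (layout assumed)
RESOLVER_LINES = [
    "Jan 10 10:00:01 unbound[1234:0] info: 192.168.20.73 tracker.example.to. A IN",
    "Jan 10 10:00:02 unbound[1234:0] info: 192.168.20.73 www.example.com. A IN",
    "Jan 10 10:00:03 unbound[1234:0] info: 192.168.20.50 cdn.other.to. AAAA IN",
]

QUERY_RE = re.compile(r"info: (?P<client>\d{1,3}(?:\.\d{1,3}){3}) (?P<name>\S+) (?P<rtype>[A-Z0-9]+) IN\b")
TLD_RE = re.compile(r"Query to (\.[A-Za-z0-9-]+) TLD")


def tld_from_signature(signature: str) -> Optional[str]:
    """Extract the TLD named in an 'Observed DNS Query to .xx TLD' signature, else None."""
    m = TLD_RE.search(signature)
    return m.group(1).lower() if m else None


def parse_alerts(lines: List[str]) -> List[Dict]:
    """Keep only event_type=alert records; skip blank or truncated JSON lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        a = ev.get("alert", {})
        alerts.append({
            "timestamp": ev.get("timestamp"), "src_ip": ev.get("src_ip"), "dest_ip": ev.get("dest_ip"),
            "sid": a.get("signature_id"), "signature": a.get("signature", ""),
            "severity": a.get("severity", 3),  # 1 = high, as in pfSense's priority column
        })
    return alerts


def resolver_queries(lines: List[str], client_ip: str, tld: Optional[str] = None) -> List[str]:
    """Names queried by client_ip, optionally restricted to one TLD (e.g. '.to')."""
    names = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or m.group("client") != client_ip:
            continue
        name = m.group("name").rstrip(".").lower()
        if tld is None or name.endswith(tld):
            names.append(name)
    return names


def correlate(eve_lines: List[str], resolver_lines: List[str]) -> List[Dict]:
    """Attach matching resolver queries to each alert and sort by severity (1 first)."""
    out = []
    for a in parse_alerts(eve_lines):
        a["queries"] = resolver_queries(resolver_lines, a["src_ip"], tld_from_signature(a["signature"]))
        out.append(a)
    return sorted(out, key=lambda a: a["severity"])


if __name__ == "__main__":
    for a in correlate(EVE_LINES, RESOLVER_LINES):
        print(f"[sev {a['severity']}] {a['src_ip']} -> {a['dest_ip']} sid={a['sid']} {a['signature']}")
        for q in a["queries"]:
            print(f"    resolver saw: {q}")
```

When the signature does not name a TLD the script lists every query the alerting host made, which is the same information the manual grep gives without the TLD filter; a time window around the alert timestamp would be the natural next refinement on a busy resolver.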
Please find attached the UI in pfsense, that displays all missing part (priority, capacity to whitelist a rule based on source or destination IP, and DNS lookup).
Additional context
Forum discussion with screenshots here:
(https://forum.opnsense.org/index.php?topic=38097.msg186626#msg186626)