Configuration of OPNsense Intrusion Detection and Intrusion Prevention
The open source firewall distribution OPNsense offers a variety of options for securing the network. These functions also include an Intrusion Detection System as standard. It is based on the software Suricata and is already pre-installed. You can easily activate and administer this function in the web interface of the OPNsense firewall. This article shows the activation and setup of an Intrusion Detection System based on OPNsense 24.7.
Function types
The software Suricata, on which the OPNsense Intrusion Detection System is based, offers different operating modes:
- IDS mode (Intrusion Detection): means there is an alert for attacks
- IPS mode (Intrusion Prevention): means not only alerting but also blocking attacks
Configuration via OPNsense webinterface
As usual with OPNsense the configuration of IDS and IPS takes place entirely in the web interface.
Activation of Intrusion Detection
The Intrusion Detection system is activated in a few steps. This is done in the menu Services → Intrusion Detection → Administration and its tabs.
- Go to the OPNsense web interface and select Services → Intrusion Detection.
- After this, go to Administration.
- Now, the tab Settings is shown.
- Set the check mark at Enabled.
- In the line Pattern matcher, there are different selection options. Select Hyperscan for Intel systems and Aho-Corasick, "Ken Steele" variant for AMD systems.
- Select the interface on which the IDS should listen.
- Confirm with Apply.
Selection and activation of rules
In this tab, the rules can be downloaded and the state of the downloaded and activated rules can be viewed.
- Switch to the tab Download.
- Tick the check boxes of the desired rules and then click on Enable selected.
- The previously selected rules are shown as Enabled.
- Scroll down and click on Download & Update Rules. The rules are now downloaded and updated.
- The rules are being downloaded.
- All desired rules have been downloaded.
Tab Rules
This tab lists all downloaded rules in detail. There are filter options for searching and you can deactivate individual rules.
- List of rules.
Tab user defined
In this tab, you can define your own rules.
- Click on the + button.
Tab alerts
This tab lists all alerts of IDS/IPS.
- The alerts are listed here.
Tab schedule
In this tab, cronjobs for a periodic update of the rules can be created. This is an important step, as the rules must be kept up to date to provide protection against current attacks.
- Click on the tab Schedule.
- The OPNsense web interface jumps from the IDS menu to System → Settings → Cron, and a cronjob template for updating the IDS rules is displayed. Adjust the settings and set the check mark at Enabled.
- In this example, the default interval is kept and the rules are updated every hour. Click on Save.
- Click on Apply. The cronjob is now active.
Activation of Intrusion Prevention mode
The mode can be changed from pure attack detection and alerting (IDS) to attack prevention (IPS). It is advisable to activate IDS mode first and observe the logs for a while, since false positives may occur and would block legitimate traffic in IPS mode.
- In the tab Settings under System → Services → Intrusion Detection → Administration, activate the checkbox IPS mode.
- Click on Apply.
- Promiscuous mode is helpful if the desired interface carries VLANs; the IPS then listens on the physical interface.
- In the menu on the left, switch to Policy.
- Click on + to add a new policy.
- Now you can select the rulesets and set actions.
- Check the desired rulesets.
- Specify the action.
- After this, click on Save.
- Click on Apply.
Configuration files
This section lists several configuration folders and files for information only. The configuration itself is done in the web interface.
Suricata configuration folder
On OPNsense, you can find the Suricata configuration folder under /usr/local/etc/suricata.
root@lesv4:/usr/local/etc/suricata # ls -la
total 181
drwxr-xr-x   4 root  wheel     17 Aug 28 09:16 .
drwxr-xr-x  44 root  wheel    133 Aug 28 08:45 ..
-rw-r--r--   1 root  wheel   3882 Aug 28 09:23 classification.config
-rw-r--r--   1 root  wheel   3327 Jul 22 22:54 classification.config.sample
-rw-r--r--   1 root  wheel     88 Aug 28 09:23 custom.yaml
-rw-r-----   1 root  wheel    193 Aug 28 12:00 installed_rules.yaml
drwxr-x---   2 root  wheel      8 Aug 28 09:23 opnsense.rules
-rw-r--r--   1 root  wheel   1376 Aug 28 09:23 reference.config
-rw-r--r--   1 root  wheel   1375 Jul 22 22:54 reference.config.sample
-rw-r--r--   1 root  wheel      0 Aug 28 09:23 rule-policies.config
-rw-r--r--   1 root  wheel    230 Aug 28 09:23 rule-updater.config
drwxr-x---   2 root  wheel     10 Aug 28 12:00 rules
-rw-r--r--   1 root  wheel    195 Aug 28 09:23 rules.config
-rw-r--r--   1 root  wheel  82357 Aug 28 09:23 suricata.yaml
-rw-r--r--   1 root  wheel  85797 Jul 22 22:54 suricata.yaml.sample
-rw-r--r--   1 root  wheel   1643 Jul 22 22:54 threshold.config
-rw-r--r--   1 root  wheel   1643 Jul 22 22:54 threshold.config.sample
root@lesv4:/usr/local/etc/suricata # cd opnsense.rules/
root@lesv4:/usr/local/etc/suricata/opnsense.rules # ls -la
total 4984
drwxr-x---   2 root  wheel         8 Aug 28 09:23 .
drwxr-xr-x   4 root  wheel        17 Aug 28 09:16 ..
-rw-r-----   1 root  wheel        97 Aug 28 12:00 OPNsense.rules
-rw-r-----   1 root  wheel       758 Aug 28 12:00 abuse.ch.feodotracker.rules
-rw-r-----   1 root  wheel   1880145 Aug 28 12:00 abuse.ch.sslblacklist.rules
-rw-r-----   1 root  wheel     14271 Aug 28 12:00 abuse.ch.sslipblacklist.rules
-rw-r-----   1 root  wheel  17863053 Aug 28 12:00 abuse.ch.threatfox.rules
-rw-r-----   1 root  wheel  26582872 Aug 28 12:00 abuse.ch.urlhaus.rules
Contents of a blocklist
In the following, the beginning of a blocklist is shown as an example. You can find these files under /usr/local/etc/suricata/opnsense.rules.
root@lesv4:/usr/local/etc/suricata/opnsense.rules # head abuse.ch.urlhaus.rules
################################################################
# abuse.ch URLhaus IDS ruleset (Suricata only)                 #
# Last updated: 2024-08-28 11:53:05 (UTC)                      #
#                                                              #
# Terms Of Use: https://urlhaus.abuse.ch/api/                  #
# For questions please contact urlhaus [at] abuse.ch           #
################################################################
#
# url
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3132684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.23.231"; depth:13; isdataat:!1,relative; metadata:created_at 2024_08_28; reference:url, urlhaus.abuse.ch/url/3132684/; classtype:trojan-activity;sid:83995784; rev:1;)
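To make the rule format above and the effect of a policy action (section "Activation of Intrusion Prevention mode") concrete, here is an added Python example that is not part of the original article and not OPNsense or Suricata code: it parses rule lines in the format shown, models a policy that sets the action per classtype, and summarises the result for review. The sample rules, sids and IP address are constructed placeholders, and the policy model is a simplification of what OPNsense does.

```python
import re
from collections import Counter
# Constructed sample in the format shown above (placeholder sids/IP, not real abuse.ch data).
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"192.0.2.10"; classtype:trojan-activity; sid:9000001; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SSLBL Malicious SSL certificate detected (2)"; flow:established; classtype:trojan-activity; sid:9000002; rev:3;)
alert dns $HOME_NET any -> any any (msg:"Constructed policy-violation test"; classtype:policy-violation; sid:9000003; rev:1;)
"""

# Rule header: action, protocol, source/port -> destination/port, then "(options)".
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+'
    r'\((?P<opts>.*)\)\s*$')

def parse_rule(line):
    """Parse one Suricata rule line; return None for comments and blank lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    opts = {}
    # Split the option list on ';' but never inside double quotes.
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', rule.pop('opts')):
        key, _, val = opt.strip().partition(':')
        if key:
            opts[key.strip()] = val.strip().strip('"')
    rule['msg'] = opts.get('msg', '')
    rule['sid'] = int(opts['sid'])
    rule['rev'] = int(opts.get('rev', '1'))
    rule['classtype'] = opts.get('classtype', 'unknown')
    return rule

def load_rules(text):
    """Parse every rule line of a rules file, skipping '#' comments."""
    parsed = (parse_rule(line.strip()) for line in text.splitlines())
    return [r for r in parsed if r]

def apply_policy(rules, policy):
    """Simplified policy model: set the action per classtype, e.g. {'trojan-activity': 'drop'}."""
    out = []
    for r in rules:
        r = dict(r)                      # leave the parsed originals untouched
        r['action'] = policy.get(r['classtype'], r['action'])
        out.append(r)
    return out

def summarize(rules):
    """Count rules per (classtype, action) to review what a policy changes."""
    return Counter((r['classtype'], r['action']) for r in rules)
```

A drop action only blocks traffic once IPS mode is enabled; in IDS mode the rule still only produces an alert, which is why the article recommends observing alerts first.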
Author: Thomas Niedermeier
Thomas Niedermeier, working in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas has been employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.

Translator: Alina Ranzinger
Alina has been working at Thomas-Krenn.AG since 2024. After her training as a multilingual business assistant, she took on the role of assistant to the Product Management and is responsible for the translation of texts and for the organisation of the department.