From 59f254cd7a4d1b028c7b6d6c4feb4ff3f35a10ac Mon Sep 17 00:00:00 2001 From: Administrator Date: Mon, 23 Feb 2026 21:49:29 +0000 Subject: [PATCH] docs: create Netgrimoire/Network/Security/OPnSense_IDS --- Netgrimoire/Network/Security/OPnSense_IDS.md | 212 +++++++++++++++++++ 1 file changed, 212 insertions(+) create mode 100644 Netgrimoire/Network/Security/OPnSense_IDS.md diff --git a/Netgrimoire/Network/Security/OPnSense_IDS.md b/Netgrimoire/Network/Security/OPnSense_IDS.md new file mode 100644 index 0000000..11a48c2 --- /dev/null +++ b/Netgrimoire/Network/Security/OPnSense_IDS.md 
@@ -0,0 +1,212 @@ +--- +title: OpnSense +description: IDS +published: true +date: 2026-02-23T21:49:16.861Z +tags: +editor: markdown +dateCreated: 2026-02-23T21:49:16.861Z +--- + +# Suricata IDS/IPS + +**Service:** Suricata Intrusion Detection & Prevention System +**Host:** OPNsense firewall +**Interfaces:** ATT (opt1) — add WAN (igc0) while still active +**Mode:** IPS (inline blocking) +**Rulesets:** ET Open, Feodo Tracker, Abuse.ch SSL + +--- + +## Overview + +Suricata is OPNsense's built-in deep packet inspection engine. Unlike CrowdSec (which blocks based on IP reputation) and GeoIP (which blocks by country), Suricata inspects the **content** of traffic — detecting exploit patterns, malware C2 communication, vulnerability scans, and known CVE exploitation attempts in real time. + +The two systems complement each other and do not overlap: + +| Layer | Tool | What It Stops | +|---|---|---| +| IP reputation | CrowdSec | Known bad IPs from community threat intel | +| Geography | GeoIP | Traffic from blocked countries | +| Content inspection | Suricata | Malicious payloads, exploit patterns, C2 traffic | + +Suricata uses **Netmap** for high-performance inline packet processing with minimal CPU overhead. + +> ⚠ **Before enabling IPS mode:** Disable hardware offloading on your interfaces or Netmap will not function correctly. This is done in **Interfaces → Settings**. + +--- + +## Pre-requisite: Disable Hardware Offloading + +1. Go to **Interfaces → Settings** +2. Disable the following options: + - Hardware CRC + - Hardware TSO + - Hardware LRO + - VLAN Hardware Filtering +3. Click **Save** +4. Reboot the firewall + +> ✓ This is a one-time change. It has no meaningful impact on performance for home/small business use and is required for Suricata IPS mode to function. + +--- + +## Installation + +Suricata is built into OPNsense — no plugin install required. 
Navigate directly to: + +**Services → Intrusion Detection → Administration** + +--- + +## Configuration + +### Step 1 — General Settings + +Navigate to **Services → Intrusion Detection → Administration** + +| Setting | Value | Notes | +|---|---|---| +| Enabled | ✓ | Turns on the IDS/IPS engine | +| IPS Mode | ✓ | Enables inline blocking (not just alerting) | +| Promiscuous Mode | Leave default | Only needed for mirrored traffic setups | +| Default Packet Size | Leave default | Auto-detected | +| Interfaces | ATT, WAN | Add both while dual-WAN is active; remove WAN after migration | +| Home Networks | 192.168.3.0/24, 192.168.5.0/24, 192.168.32.0/24 | Your internal subnets — critical for rule accuracy | +| Log Level | Info | | +| Log Retention | 7 days | Adjust based on disk space | + +> ⚠ **Home Networks is critical.** Suricata rules use `$HOME_NET` and `$EXTERNAL_NET` to determine direction. If your internal subnets are not listed here, many rules will fail to trigger correctly or will produce false positives. + +Click **Apply** after setting these values. + +### Step 2 — Download Rulesets + +Navigate to **Services → Intrusion Detection → Download** + +Enable the following rulesets: + +| Ruleset | Provider | Priority | Notes | +|---|---|---|---| +| ET Open | Proofpoint Emerging Threats | 🔴 Essential | Comprehensive free ruleset — 40,000+ rules covering exploits, malware, scanning, C2 | +| Abuse.ch SSL Blacklist | Abuse.ch | 🔴 Essential | Blocks connections to malicious SSL certificates used by malware | +| Feodo Tracker Botnet | Abuse.ch | 🔴 Essential | Blocks botnet C2 IP communication | +| OSIF | OPNsense | 🟡 Recommended | OPNsense internal feed | +| PT Research | Positive Technologies | 🟡 Recommended | Additional threat intelligence | + +To enable each ruleset: +1. Find it in the list +2. Toggle the **Enabled** switch +3. Click **Download & Update Rules** at the top of the page + +> ✓ ET Open is the most important ruleset. 
It is maintained by Proofpoint, updated daily, and covers the vast majority of common attack patterns you will encounter. + +### Step 3 — Configure Policies + +Policies control what Suricata does when a rule matches — alert only, or drop the packet. + +Navigate to **Services → Intrusion Detection → Policy** + +**Recommended policy setup:** + +Add the following policies in order: + +**Policy 1 — Drop high-severity ET threats** +| Field | Value | +|---|---| +| Description | Drop ET High Severity | +| Priority | 1 | +| Rulesets | ET Open | +| Action | Drop | +| Severity | ≥ High | + +**Policy 2 — Alert on medium-severity (tuning period)** +| Field | Value | +|---|---| +| Description | Alert ET Medium | +| Priority | 2 | +| Rulesets | ET Open | +| Action | Alert | +| Severity | Medium | + +**Policy 3 — Drop all Feodo/Abuse.ch matches** +| Field | Value | +|---|---| +| Description | Drop Botnet C2 and SSL Blacklist | +| Priority | 1 | +| Rulesets | Feodo Tracker, Abuse.ch SSL | +| Action | Drop | +| Severity | Any | + +> ✓ Start with medium-severity rules in **alert** mode for the first 1–2 weeks. Review alerts in the log for false positives before switching to drop. High-severity rules and the abuse.ch lists are safe to drop immediately. + +### Step 4 — Apply and Verify + +1. Click **Apply** on the Administration tab +2. Navigate to **Services → Intrusion Detection → Alerts** +3. Wait a few minutes — alerts should begin populating +4. Check **Services → Intrusion Detection → Stats** to confirm traffic is being processed + +--- + +## Tuning & False Positives + +After running in alert mode for a week, review the Alerts tab. Common false positives from home lab environments include: + +- **Nextcloud sync traffic** — may trigger file transfer rules +- **Torrents/P2P** — will trigger multiple ET rules by design +- **Internal port scanning tools** — Nmap from internal hosts triggers scan rules + +To suppress a false positive rule without disabling it entirely: + +1. 
Note the rule SID from the alert +2. Go to **Services → Intrusion Detection → Rules** +3. Search for the SID +4. Change the rule action to **Alert** (instead of Drop) for that specific rule + +Alternatively, add a suppression in **Services → Intrusion Detection → Suppressions**: +- Enter the SID +- Set the direction (source or destination) +- Enter the IP to suppress for that rule + +--- + +## Monitoring + +### Alert Dashboard + +**Services → Intrusion Detection → Alerts** — real-time view of matched rules. + +Useful filters: +- Filter by `severity: high` to see the most critical events +- Filter by `action: drop` to see what is being actively blocked +- Filter by source IP to investigate a specific host + +### Graylog Integration + +Forward Suricata alerts to Graylog for centralized analysis: + +1. Suricata logs to `/var/log/suricata/eve.json` in EVE JSON format +2. In Graylog, add a **Beats input** or **Syslog UDP input** +3. In OPNsense **System → Settings → Logging → Remote**, add Graylog as syslog target +4. Create a Graylog stream filtering on `application_name: suricata` + +--- + +## Key Files & Paths + +| Path | Purpose | +|---|---| +| `/var/log/suricata/eve.json` | EVE JSON alert log — used by Graylog | +| `/var/log/suricata/stats.log` | Performance statistics | +| `/usr/local/etc/suricata/suricata.yaml` | Main config (managed by OPNsense UI) | +| `/usr/local/share/suricata/rules/` | Downloaded rulesets | + +--- + +## Related Documentation + +- [OPNsense Firewall](./opnsense-firewall) — parent firewall documentation +- [CrowdSec](./crowdsec) — complementary IP reputation layer +- [Additional Blocklists](./opnsense-blocklists) — Feodo, Abuse.ch, ET IP blocklists at firewall level +- [Graylog](./graylog) — centralized log target for Suricata alerts
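Review bot: Running IPS only on ATT (opt1) and WAN (igc0) means Suricata inspects outbound traffic after NAT, so for any connection a LAN host initiates the alert's source address is the firewall's public IP, not the 192.168.x host, and the "Filter by source IP to investigate a specific host" tip under Monitoring will not identify the internal machine. Either add the internal interfaces that carry 192.168.3.0/24, 192.168.5.0/24 and 192.168.32.0/24 to the Interfaces row in Step 1 (which also keeps coverage after WAN is removed post-migration), or state the NAT caveat next to the Interfaces row and again under Monitoring. Related nit in the Overview: "The two systems complement each other" introduces a three-row table (CrowdSec, GeoIP, Suricata); "three layers" would match the table.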
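Review bot: Policy 1 and Policy 3 in Step 3 are both given Priority 1 while the text says to add them "in order"; give Policy 3 its own priority (or state the intended evaluation order explicitly) so the ordering does not depend on how the UI breaks ties. The callout below the policies says to move medium-severity rules from alert to drop after 1–2 weeks but never says how; add the step (edit Policy 2's Action from Alert to Drop, then Apply) so a reader does not create a fourth policy that overlaps Policy 2.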
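Review bot: The Graylog Integration steps never actually ship eve.json anywhere. Step 3 (System → Settings → Logging → Remote) forwards OPNsense's syslog stream, which only carries Suricata alerts when the IDS's own send-alerts-to-syslog option on the Administration tab is enabled, and that toggle is not mentioned; step 2's "Beats input" implies a Filebeat shipper reading /var/log/suricata/eve.json that is never installed or configured on the firewall. Pick one route and document it end to end: either syslog (enable the IDS syslog alert option, then the Remote logging target, then the application_name: suricata stream filter) or Beats (install and configure the shipper to read eve.json, then the Beats input), and drop the other from the list so the Key Files entry "EVE JSON alert log — used by Graylog" is true of whichever path remains.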