diff --git a/Netgrimoire/Network/Security/OPnSense_IDS.md b/Netgrimoire/Network/Security/OPnSense_IDS.md new file mode 100644 index 0000000..74b64a1 --- /dev/null +++ b/Netgrimoire/Network/Security/OPnSense_IDS.md @@ -0,0 +1,212 @@ +--- +title: OpnSense-IDS/IPS +description: IDS +published: true +date: 2026-02-23T21:51:41.041Z +tags: +editor: markdown +dateCreated: 2026-02-23T21:49:16.861Z +--- + +# Suricata IDS/IPS + +**Service:** Suricata Intrusion Detection & Prevention System +**Host:** OPNsense firewall +**Interfaces:** ATT (opt1) — add WAN (igc0) while still active +**Mode:** IPS (inline blocking) +**Rulesets:** ET Open, Feodo Tracker, Abuse.ch SSL + +--- + +## Overview + +Suricata is OPNsense's built-in deep packet inspection engine. Unlike CrowdSec (which blocks based on IP reputation) and GeoIP (which blocks by country), Suricata inspects the **content** of traffic — detecting exploit patterns, malware C2 communication, vulnerability scans, and known CVE exploitation attempts in real time. + +The two systems complement each other and do not overlap: + +| Layer | Tool | What It Stops | +|---|---|---| +| IP reputation | CrowdSec | Known bad IPs from community threat intel | +| Geography | GeoIP | Traffic from blocked countries | +| Content inspection | Suricata | Malicious payloads, exploit patterns, C2 traffic | + +Suricata uses **Netmap** for high-performance inline packet processing with minimal CPU overhead. + +> ⚠ **Before enabling IPS mode:** Disable hardware offloading on your interfaces or Netmap will not function correctly. This is done in **Interfaces → Settings**. + +--- + +## Pre-requisite: Disable Hardware Offloading + +1. Go to **Interfaces → Settings** +2. Disable the following options: + - Hardware CRC + - Hardware TSO + - Hardware LRO + - VLAN Hardware Filtering +3. Click **Save** +4. Reboot the firewall + +> ✓ This is a one-time change. It has no meaningful impact on performance for home/small business use and is required for Suricata IPS mode to function. + +--- + +## Installation + +Suricata is built into OPNsense — no plugin install required. Navigate directly to: + +**Services → Intrusion Detection → Administration** + +--- + +## Configuration + +### Step 1 — General Settings + +Navigate to **Services → Intrusion Detection → Administration** + +| Setting | Value | Notes | +|---|---|---| +| Enabled | ✓ | Turns on the IDS/IPS engine | +| IPS Mode | ✓ | Enables inline blocking (not just alerting) | +| Promiscuous Mode | Leave default | Only needed for mirrored traffic setups | +| Default Packet Size | Leave default | Auto-detected | +| Interfaces | ATT, WAN | Add both while dual-WAN is active; remove WAN after migration | +| Home Networks | 192.168.3.0/24, 192.168.5.0/24, 192.168.32.0/24 | Your internal subnets — critical for rule accuracy | +| Log Level | Info | | +| Log Retention | 7 days | Adjust based on disk space | + +> ⚠ **Home Networks is critical.** Suricata rules use `$HOME_NET` and `$EXTERNAL_NET` to determine direction. If your internal subnets are not listed here, many rules will fail to trigger correctly or will produce false positives. + +Click **Apply** after setting these values. + +### Step 2 — Download Rulesets + +Navigate to **Services → Intrusion Detection → Download** + +Enable the following rulesets: + +| Ruleset | Provider | Priority | Notes | +|---|---|---|---| +| ET Open | Proofpoint Emerging Threats | 🔴 Essential | Comprehensive free ruleset — 40,000+ rules covering exploits, malware, scanning, C2 | +| Abuse.ch SSL Blacklist | Abuse.ch | 🔴 Essential | Blocks connections to malicious SSL certificates used by malware | +| Feodo Tracker Botnet | Abuse.ch | 🔴 Essential | Blocks botnet C2 IP communication | +| OSIF | OPNsense | 🟡 Recommended | OPNsense internal feed | +| PT Research | Positive Technologies | 🟡 Recommended | Additional threat intelligence | + +To enable each ruleset: +1. Find it in the list +2. Toggle the **Enabled** switch +3. Click **Download & Update Rules** at the top of the page + +> ✓ ET Open is the most important ruleset. It is maintained by Proofpoint, updated daily, and covers the vast majority of common attack patterns you will encounter. + +### Step 3 — Configure Policies + +Policies control what Suricata does when a rule matches — alert only, or drop the packet. + +Navigate to **Services → Intrusion Detection → Policy** + +**Recommended policy setup:** + +Add the following policies in order: + +**Policy 1 — Drop high-severity ET threats** +| Field | Value | +|---|---| +| Description | Drop ET High Severity | +| Priority | 1 | +| Rulesets | ET Open | +| Action | Drop | +| Severity | ≥ High | + +**Policy 2 — Alert on medium-severity (tuning period)** +| Field | Value | +|---|---| +| Description | Alert ET Medium | +| Priority | 2 | +| Rulesets | ET Open | +| Action | Alert | +| Severity | Medium | + +**Policy 3 — Drop all Feodo/Abuse.ch matches** +| Field | Value | +|---|---| +| Description | Drop Botnet C2 and SSL Blacklist | +| Priority | 1 | +| Rulesets | Feodo Tracker, Abuse.ch SSL | +| Action | Drop | +| Severity | Any | + +> ✓ Start with medium-severity rules in **alert** mode for the first 1–2 weeks. Review alerts in the log for false positives before switching to drop. High-severity rules and the abuse.ch lists are safe to drop immediately. + +### Step 4 — Apply and Verify + +1. Click **Apply** on the Administration tab +2. Navigate to **Services → Intrusion Detection → Alerts** +3. Wait a few minutes — alerts should begin populating +4. Check **Services → Intrusion Detection → Stats** to confirm traffic is being processed + +--- + +## Tuning & False Positives + +After running in alert mode for a week, review the Alerts tab. Common false positives from home lab environments include: + +- **Nextcloud sync traffic** — may trigger file transfer rules +- **Torrents/P2P** — will trigger multiple ET rules by design +- **Internal port scanning tools** — Nmap from internal hosts triggers scan rules + +To suppress a false positive rule without disabling it entirely: + +1. Note the rule SID from the alert +2. Go to **Services → Intrusion Detection → Rules** +3. Search for the SID +4. Change the rule action to **Alert** (instead of Drop) for that specific rule + +Alternatively, add a suppression in **Services → Intrusion Detection → Suppressions**: +- Enter the SID +- Set the direction (source or destination) +- Enter the IP to suppress for that rule + +--- + +## Monitoring + +### Alert Dashboard + +**Services → Intrusion Detection → Alerts** — real-time view of matched rules. + +Useful filters: +- Filter by `severity: high` to see the most critical events +- Filter by `action: drop` to see what is being actively blocked +- Filter by source IP to investigate a specific host + +### Graylog Integration + +Forward Suricata alerts to Graylog for centralized analysis: + +1. Suricata logs to `/var/log/suricata/eve.json` in EVE JSON format +2. In Graylog, add a **Beats input** or **Syslog UDP input** +3. In OPNsense **System → Settings → Logging → Remote**, add Graylog as syslog target +4. Create a Graylog stream filtering on `application_name: suricata` + +--- + +## Key Files & Paths + +| Path | Purpose | +|---|---| +| `/var/log/suricata/eve.json` | EVE JSON alert log — used by Graylog | +| `/var/log/suricata/stats.log` | Performance statistics | +| `/usr/local/etc/suricata/suricata.yaml` | Main config (managed by OPNsense UI) | +| `/usr/local/share/suricata/rules/` | Downloaded rulesets | + +--- + +## Related Documentation + +- [OPNsense Firewall](./opnsense-firewall) — parent firewall documentation +- [CrowdSec](./crowdsec) — complementary IP reputation layer +- [Additional Blocklists](./opnsense-blocklists) — Feodo, Abuse.ch, ET IP blocklists at firewall level +- [Graylog](./graylog) — centralized log target for Suricata alerts diff --git a/Netgrimoire/Network/Security/OpnSense_AppInspection.md b/Netgrimoire/Network/Security/OpnSense_AppInspection.md new file mode 100644 index 0000000..dc8d464 --- /dev/null +++ b/Netgrimoire/Network/Security/OpnSense_AppInspection.md @@ -0,0 +1,159 @@ +--- +title: OpnSense +description: App Inspection +published: true +date: 2026-02-23T21:50:37.324Z +tags: +editor: markdown +dateCreated: 2026-02-23T21:50:37.324Z +--- + +# Zenarmor (NGFW) + +**Service:** Zenarmor Next-Generation Firewall +**Plugin:** os-sunnyvalley +**Tier:** Free Edition +**Host:** OPNsense firewall + +--- + +## Overview + +Zenarmor adds application-layer awareness and web filtering to OPNsense that the base firewall does not provide. Where Suricata inspects packet content for known threat signatures, Zenarmor identifies **what application or service** is generating traffic and can block or allow based on that — regardless of port. + +| Feature | Free Tier | Paid Tier | +|---|---|---| +| Layer-7 app identification | ✓ | ✓ | +| Web category filtering | Default policy only | Custom policies | +| Malware/phishing blocking | ✓ | ✓ | +| Real-time network analytics | ✓ | ✓ | +| Device tracking & alerts | ✗ | ✓ | +| Multiple policies | ✗ | ✓ | +| TLS inspection | ✗ | ✓ | + +The free tier is useful primarily for **visibility** (seeing what applications are running on your network) and **basic threat blocking** (malware, phishing, PUP domains). The analytics dashboard alone makes it worthwhile. + +> ✓ Zenarmor and Suricata can run simultaneously. They operate at different layers and do not conflict. Zenarmor handles application identity; Suricata handles content signatures. + +> ⚠ **MongoDB deprecation note:** As of September 2025, MongoDB is being deprecated as the Zenarmor database backend. Use **SQLite** when prompted during setup — it is the supported path going forward. + +--- + +## Installation + +### Step 1 — Install the Plugin + +1. Go to **System → Firmware → Plugins** +2. Search for `os-sunnyvalley` +3. Click the **+** install button +4. Wait for installation to complete +5. **Refresh the browser** — a new **Zenarmor** menu item will appear in the sidebar + +### Step 2 — Initial Setup Wizard + +Navigate to **Zenarmor → Dashboard** — this launches the setup wizard on first run. + +**Deployment Mode:** Select **Routed Mode (L3)** for standard OPNsense setups. This is correct for your configuration. + +**Database:** Select **SQLite** — do not select MongoDB (deprecated September 2025). + +**Interface:** Select **ATT (opt1)** as the primary interface. Add **WAN (igc0)** while dual-WAN is still active. + +> ⚠ Zenarmor should be applied to the **LAN-facing side** of the firewall for internal traffic inspection, or the **WAN-facing side** for inbound threat blocking. For your setup, applying it to both ATT and LAN gives the most coverage. + +**Cloud Connectivity:** Leave enabled — Zenarmor uses cloud-based category lookups for web filtering. If you want fully offline operation, this can be disabled but web filtering accuracy degrades significantly. + +Click **Complete** to finish the wizard. + +--- + +## Configuration + +### Step 3 — Security Policy + +Navigate to **Zenarmor → Security** + +Enable the following threat categories in the default policy: + +| Category | Action | Notes | +|---|---|---| +| Malware | Block | Domains known to serve malware | +| Phishing | Block | Credential harvesting sites | +| Botnet | Block | C2 communication | +| PUP/Adware | Block | Potentially unwanted programs | +| SPAM Sources | Block | Known spam infrastructure | +| Parked Domains | Block | Often used for malicious redirects | + +Leave the following as **Alert** initially (review before blocking): +- Anonymizers / Proxies — may block legitimate VPN services +- Peer-to-peer — may affect legitimate use cases + +### Step 4 — Application Control + +Navigate to **Zenarmor → Policies → Application Control** + +The free tier allows one default policy. Useful applications to consider blocking or monitoring: + +| Application Category | Recommendation | Reason | +|---|---|---| +| Cryptocurrency mining | Block | Resource theft if unauthorized | +| Remote access tools (unknown) | Alert | Unexpected remote tools are a red flag | +| Tor | Alert | Monitor — may be legitimate or evasion | +| Anonymous proxies | Block | Bypass attempts | + +### Step 5 — Web Filtering + +Navigate to **Zenarmor → Policies → Web Controls** + +In the free tier, the default policy controls all web filtering. Recommended categories to block: + +| Category | Action | +|---|---| +| Malware sites | Block | +| Phishing | Block | +| Hacking / exploit sites | Block | +| Illegal content | Block | + +Enable **Safe Search enforcement** if desired — forces Google, Bing, and YouTube into safe search mode network-wide. + +--- + +## Dashboard & Analytics + +Navigate to **Zenarmor → Dashboard** + +The dashboard provides real-time visibility into: +- **Top talkers** — which internal hosts generate the most traffic +- **Top applications** — what services are being used +- **Blocked threats** — real-time feed of blocked requests +- **Bandwidth usage** — per-host and per-application + +This is the primary value of the free tier — even without advanced policy control, the visibility into what is running on your network is significant. + +Navigate to **Zenarmor → Reports** for historical analysis and trend data. + +--- + +## Performance Notes + +Zenarmor uses deep packet inspection which adds some CPU overhead. On modern hardware (anything with i226-V NICs) this is negligible at home lab traffic volumes. Monitor CPU usage in **Zenarmor → Dashboard → System** after enabling. + +If performance degrades, you can limit Zenarmor to specific interfaces rather than all interfaces. + +--- + +## Known Limitations (Free Tier) + +- Only one web filtering policy — all devices get the same rules +- No per-device or per-group policies +- No TLS/SSL inspection — encrypted traffic is identified by SNI only +- No device inventory or unknown device alerts +- Web category database is cloud-dependent + +--- + +## Related Documentation + +- [OPNsense Firewall](./opnsense-firewall) — parent firewall documentation +- [Suricata IDS/IPS](./suricata-ids-ips) — complementary content inspection layer +- [CrowdSec](./crowdsec) — IP reputation layer diff --git a/Netgrimoire/Network/Security/OpnSense_Git.md b/Netgrimoire/Network/Security/OpnSense_Git.md new file mode 100644 index 0000000..e689d33 --- /dev/null +++ b/Netgrimoire/Network/Security/OpnSense_Git.md @@ -0,0 +1,182 @@ +--- +title: OpnSense +description: Git Integration +published: true +date: 2026-02-23T21:48:01.779Z +tags: +editor: markdown +dateCreated: 2026-02-23T21:48:01.779Z +--- + +# OPNsense Git Backup (os-git-backup) + +**Service:** os-git-backup +**Plugin:** os-git-backup +**Host:** OPNsense firewall +**Remote:** Forgejo on Netgrimoire +**Trigger:** Automatic on every config change + +--- + +## Overview + +Every change made to OPNsense — adding a firewall rule, updating an alias, changing a VPN config — modifies the underlying XML configuration file. By default there is no history of these changes. If a misconfiguration causes an outage, or if you need to audit what changed after a security incident, you have no record to work from. + +os-git-backup solves this by committing the OPNsense configuration to a Git repository automatically every time a change is saved. Each commit records exactly what changed, when, and (if configured) which user made the change. + +**Benefits:** +- Full audit trail of every configuration change +- One-command rollback to any previous state +- Offsite backup of firewall config via Forgejo → Kopia chain +- Diff view to understand exactly what a change did + +--- + +## Pre-requisite: Create Forgejo Repository + +Before installing the plugin, create a dedicated repository in Forgejo to receive the OPNsense config backups. + +1. Log into your Forgejo instance on Netgrimoire +2. Create a new repository: `opnsense-config` +3. Set visibility to **Private** — firewall configs contain sensitive network topology +4. Do not initialize with a README (the plugin will push the first commit) +5. Note the SSH clone URL: `git@git.netgrimoire.com:youruser/opnsense-config.git` + +--- + +## Installation + +### Step 1 — Install the Plugin + +1. Go to **System → Firmware → Plugins** +2. Search for `os-git-backup` +3. Click the **+** install button +4. Wait for installation to complete +5. Navigate to **System → Configuration → Backups** — a **Git** tab will appear + +--- + +## Configuration + +### Step 2 — Generate SSH Deploy Key + +The OPNsense firewall needs an SSH key to authenticate to Forgejo without a password. + +Navigate to **System → Configuration → Backups → Git** + +1. Click **Generate SSH Key** +2. Copy the displayed **public key** — you will add this to Forgejo next + +### Step 3 — Add Deploy Key to Forgejo + +1. In Forgejo, go to your `opnsense-config` repository +2. Navigate to **Settings → Deploy Keys** +3. Click **Add Deploy Key** +4. Title: `OPNsense Firewall` +5. Key: paste the public key from Step 2 +6. Enable **Allow Write Access** — the firewall needs to push commits +7. Click **Add Key** + +### Step 4 — Configure the Plugin + +Navigate to **System → Configuration → Backups → Git** + +| Setting | Value | Notes | +|---|---|---| +| Enabled | ✓ | | +| URL | `git@git.netgrimoire.com:youruser/opnsense-config.git` | SSH URL from your Forgejo repo | +| Branch | `main` | | +| Name | `OPNsense Firewall` | Author name shown in commits | +| Email | `opnsense@netgrimoire.com` | Author email shown in commits | +| SSH Private Key | (auto-populated from Step 2) | | +| Backup Interval | On change | Commits every time config is saved | + +Click **Save**. + +### Step 5 — Test the Connection + +Click **Backup Now** to trigger a manual backup. Then check your Forgejo repository — you should see an initial commit containing the OPNsense configuration XML. + +If the push fails, check: +1. The deploy key has write access in Forgejo +2. The SSH URL is correct (use SSH, not HTTPS) +3. Forgejo is reachable from the firewall — test from OPNsense shell: + ```bash + ssh -T git@git.netgrimoire.com + # Expected: Hi youruser! You've successfully authenticated... + ``` + +--- + +## What Gets Backed Up + +The plugin commits the OPNsense configuration file: + +`/conf/config.xml` + +This single file contains **everything** — interfaces, firewall rules, NAT, VPN configs, aliases, users, certificates, DHCP, DNS settings, and all plugin configurations. A restore from this file fully recreates the firewall state. + +> ⚠ The config.xml contains **hashed passwords**, **VPN private keys**, and **API credentials**. The Forgejo repository must remain private. Ensure your Forgejo instance is not publicly accessible or that this repository is explicitly private. + +--- + +## Using the Backup + +### Viewing History + +In Forgejo, navigate to the `opnsense-config` repository. Each commit represents one configuration save, with: +- Timestamp of the change +- Diff showing exactly what XML changed +- Author (OPNsense Firewall) + +### Rolling Back a Change + +If a configuration change causes problems: + +**Option 1 — Restore via OPNsense UI:** +1. In Forgejo, find the commit you want to restore +2. Download the `config.xml` from that commit +3. In OPNsense: **System → Configuration → Backups → Restore** +4. Upload the config.xml and restore + +**Option 2 — Restore via shell (if UI is unreachable):** +```bash +# SSH into OPNsense +ssh root@192.168.3.4 + +# The git repo is cloned locally — find it +find /conf -name ".git" -type d + +# Check out the previous config +cd /conf/backup # or wherever the repo is cloned +git log --oneline -10 +git checkout -- config.xml + +# Apply the restored config +/usr/local/sbin/opnsense-importer config.xml +``` + +### Diffing Changes + +To see exactly what a specific change did: + +```bash +# In Forgejo: click any commit → view the diff +# Alternatively, from the OPNsense shell: +cd +git diff HEAD~1 HEAD -- config.xml +``` + +--- + +## Integration with Kopia Backups + +Since the git repository lives in Forgejo on Netgrimoire, it is automatically included in the Netgrimoire Kopia backup chain — no additional configuration needed. The OPNsense config history is backed up offsite along with everything else. + +--- + +## Related Documentation + +- [OPNsense Firewall](./opnsense-firewall) — parent firewall documentation +- [Forgejo](./forgejo) — Git repository host on Netgrimoire +- [Kopia Backups](./kopia) — offsite backup chain