It is important to define the terms used in this document. An *Intrusion
Detection System* (IDS) watches network traffic for suspicious patterns and
can alert operators when a pattern matches a database of known behaviors. An
*Intrusion Prevention System* (IPS) goes a step further by inspecting each packet
as it traverses a network interface to determine if the packet is suspicious in
some way. If it matches a known pattern, the system can drop the packet in
an attempt to mitigate the threat.
The Suricata_ software can operate as both an IDS and IPS system.
Choosing an interface
---------------------
You can configure the system on different interfaces. One of the most commonly
asked questions is which interface to choose. Considering the continued use of
IPv4, usually combined with :doc:`/manual/nat`, it is quite important to use
the correct interface. If you are capturing traffic on a WAN interface you will
see only traffic after address translation. This means all the traffic appears
to originate from your firewall and not from the actual machine behind it that
is likely triggering the alert.
Rules for an IDS/IPS usually depend on a clear definition of the internal
network; this information is lost when capturing packets behind NAT.
Without trying to explain all the details of an IDS rule (the people at
Suricata are way better at doing `that
<https://suricata.readthedocs.io/en/suricata-5.0.5/rules/index.html>`__), a
small example of one of the ET-Open rules usually helps in understanding the
importance of your home network.
* For rules documentation: http://doc.emergingthreats.net/
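The effect of the capture interface on a rule that depends on ``$HOME_NET``, as an added illustration (not code from the OPNsense documentation or from Suricata): the same outbound flow is evaluated as seen on the LAN and on the WAN, using constructed RFC 5737 addresses and an assumed home network of 192.168.1.0/24.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Constructed values: a home LAN and the firewall's WAN address (assumptions).
LAN_HOME_NET = ["192.168.1.0/24"]
FIREWALL_WAN_IP = "198.51.100.1"


def in_net(ip: str, nets: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def rule_matches(pkt: Packet, home_net: list) -> bool:
    # Address part of a typical ET-style rule:
    #   alert tcp $HOME_NET any -> $EXTERNAL_NET any (...)
    # with $EXTERNAL_NET defined as !$HOME_NET, as in Suricata's default config.
    return in_net(pkt.src, home_net) and not in_net(pkt.dst, home_net)


def apply_snat(pkt: Packet) -> Packet:
    # Outbound NAT rewrites the internal source address to the firewall's WAN
    # address before the packet ever reaches the WAN interface.
    return Packet(FIREWALL_WAN_IP, pkt.dst, pkt.dport)


def evaluate(pkt: Packet, interface: str, home_net: list) -> dict:
    """Evaluate the rule against the flow as it is seen on the capture interface."""
    seen = pkt if interface == "lan" else apply_snat(pkt)
    matched = rule_matches(seen, home_net)
    return {"interface": interface, "match": matched,
            "alert_src": seen.src if matched else None}


if __name__ == "__main__":
    flow = Packet("192.168.1.10", "203.0.113.5", 80)
    # LAN capture: the rule fires and the alert names the internal host.
    print(evaluate(flow, "lan", LAN_HOME_NET))
    # WAN capture, same HOME_NET: the source is now the firewall, which lies
    # outside HOME_NET, so the rule never fires (the IDS is blind).
    print(evaluate(flow, "wan", LAN_HOME_NET))
    # WAN capture with HOME_NET widened to the WAN address: the rule fires,
    # but every alert names the firewall, never the machine behind it.
    print(evaluate(flow, "wan", LAN_HOME_NET + [FIREWALL_WAN_IP + "/32"]))
```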
ETPro Telemetry
+++++++++++++++
Proofpoint offers a free alternative to the well known
:doc:`/manual/etpro_telemetry` ruleset.
Abuse.ch
++++++++
`Abuse.ch <https://abuse.ch>`_ offers several blacklists for protecting against
fraudulent networks. OPNsense has integrated support for the following lists:
SSL Blacklist
.............
*SSL Blacklist* (SSLBL) is a project maintained by abuse.ch. The goal is to provide
a list of "bad" SSL certificates identified by abuse.ch to be associated with
malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL
certificates and offers various blacklists.
See for details: https://sslbl.abuse.ch/
Feodo Tracker
.............
Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud
and steal sensitive information from the victim's computer, such as credit card
details or credentials. At the moment, Feodo Tracker is tracking four versions
of Feodo, and they are labeled by Feodo Tracker as version A, version B,
version C and version D:
* **Version A**
  *Hosted on compromised webservers running an nginx proxy on port 8080 TCP
  forwarding all botnet traffic to a tier 2 proxy node. Botnet traffic usually
  directly hits these hosts on port 8080 TCP without using a domain name.*
* **Version B**
  *Hosted on servers rented and operated by cybercriminals for the exclusive
  purpose of hosting a Feodo botnet controller. Usually taking advantage of a
  domain name within ccTLD .ru. Botnet traffic usually hits these domain names
  using port 80 TCP.*
* **Version C**
  *Successor of Feodo, completely different code. Hosted on the same botnet
  infrastructure as Version A (compromised webservers, nginx on port 8080 TCP
  or port 7779 TCP, no domain names) but using a different URL structure.
  This Version is also known as Geodo and Emotet.*
* **Version D**
  *Successor of Cridex. This version is also known as Dridex.*
See for details: https://feodotracker.abuse.ch/
URLHaus List
............
OPNsense version 18.1.7 introduced the URLHaus List from abuse.ch, which collects
compromised sites distributing malware.
See for details: https://urlhaus.abuse.ch/
App detection rules
+++++++++++++++++++
OPNsense 18.1.11 introduced the app detection ruleset. Since about 80
percent of traffic consists of web applications, these rules are focused on
blocking web services and the URLs behind them.
If you want to contribute to the ruleset see: https://github.com/opnsense/rules