Configure intrusion detection in OPNsense article

[JiveTalking]

Hello,  First of all great article!

So I followed your steps - and so far so good, however I was very uncertain about the section for setting up Policy's.

So I nervously set my 1 policy to cover the Abuse.ch's I had selected, with no filters, because they are over my head.  Maybe an article part 2 for digging deeper into this stuff would be so helpful.

My 2nd policy I set for all the Emerging Threats (ET), with no filters for the same reason.

And my 3rd policy I set for the last group of my rules, same as the others.

I really hate guessing, it makes me very nervous - I have three policies, but I don't know why, or if they are any good, or where to go from here....

I know this is all very subjective for each persons Internet use, but are there any articles which give more guidance on polices you'd recommend, and some use examples.  I'd imagine there are many threats out there that the majority of people would want to guard against, so something that shoots down the middle as far as policy specifics?

I do a lot of email, ftp, browser searches and logins, some web email, banking, shopping and VOIP - no social media, no IoT If this helps.

Thanks for the enlightenment,

[Home Network Guy]

Yes, this is a subjective topic. However, what I have done to keep things simple is just select the rulesets that I wish to use and put them all in one policy. Since I am just setting all the rules which are enabled to "block", I do not really see a need to group them in separate policies since I don't make use of a lot of the filters. If I had more time, I could start to filter on the rules I'm most interested in using within each ruleset using the filters in the policy, but it's easier to just blanket it all in one policy for a home network. It doesn't seem to impact my network performance (especially since I'm just using it on the WAN, and I have less than 1 Gbit downstream). In the past before the policies were a feature, I manually searched for hardware/software products I didn't have on my network and disabled those rules to minimize the amount of rules that are active for performance, but I haven't noticed any issues just leaving them all enabled for the rulesets I have selected. I don't have every ruleset selected but I have a lot of them selected. I don't run it on extremely fast hardware, but it works very well especially considering I'm also running Sensei on my LAN interfaces.

If guessing makes you nervous, you could just try it out and then disable it if it is causing issues. In my experience, you may encounter more issues running it on the LAN rather than the WAN because it could end up blocking services you are trying to use (which isn't malware). You also have to make sure you turn on Promiscuous Mode and only select the physical LAN interface(s) if you plan to use it on the LAN because you will end up blocking access to all of your VLANs. That is the biggest issue you have to worry about (as far as I know). I've seen intrusion detection described as a "not fire and forget" solution because it requires monitoring and tweaking in order for it to be of the most benefit. I don't monitor mine as well as I should. Since I also have Sensei running, I have other protections in place (along with firewall rules, etc).

[JiveTalking]

I see, lots for me to think about.

So I went looking and you are right - I did have it set for my interfaces/LAN and not WAN, so I changed it   Do you have an article where you give steps for setting up Sensei?  I remember reading about your logic on this extra layer, but I didn't know how to do what you were speaking of.

Then I saw in Services: Intrusion Detection: Administration Rules where one was repeatedly showing an Alert, but I remember setting all my rule's Policies to Alert/Drop and just Drop when only one choice was given.  I see where I can click to edit this "alert" and change it to Drop in the Rules tab, but I thought Policies were more of a covers it all better place to make these settings.... So now I'm confused again (1) how come I'm getting alerts and not drops? And how come my policy isn't dropping when a rule is triggered?  And from where do I fix this just lost in OPNs again - I think I'll write a country music song about the woes of OPNsense.

In Policy I found a new-to-me Tab - Rule Adjustments - on that tab I see two SID rule adjustments, both showing Alert and only the top one enabled.
So I changed that enabled one to Drop.  My fingers are crossed!

[JiveTalking]

I've attached a pic of what I'm seeing... that I don't understand 

[Home Network Guy]

It's ok if you want intrusion detection on the LAN instead of the WAN but you have to make sure you don't select the VLANs instead of the physical LAN interface(s) since it will mess up your VLANs. But if you want to put it on the WAN and use Sensei on the LAN, that will work too. I like the graphs and charts and other information that Sensei provides. It does things that intrusion detection doesn't do, but I think they can complement each other. I don't have a guide on how to set up Sensei since the documentation on Sensei's website is pretty straightforward but I did do a comparison between the home and free versions.

That "Administration Rules" page lists all of the rules you have downloaded. Those are not the rules which have been triggered on your network. It shows the default action of allow, block, or disabled. You have to go to the "Administration Alerts" page to see what has been blocked on your network. You also need to make sure you have "IPS Mode" checked on the "Administration Settings" page.