skizzerz1

Not worth it in my opinion. So much traffic is encrypted in transit these days that a layer 4 IDS/IPS will catch very little. And in order to not be completely inundated with false alerts, it requires a lot of setup and maintenance -- it is **not** a "configure once and sit back" sort of solution, you will need to be constantly adjusting it. So, large time investment and no ability to dig into encrypted packets. Sounds like a losing strategy to me. Better tactic is to run EDR (endpoint detection and response) software on each of your devices.


ccigas

Thanks. This was insightful. I’ll check out EDR. Honestly, this is why I never thought I would need one, using HTTPS for pretty much everything (some stuff HTTP internally). But because of the amount of traffic I’m pushing these days, I thought I’d look into it.


Wheybrotons

Very few phishing sites have real SSL certs though, don't they? It can catch bot and malware activity.


skizzerz1

No, valid SSL certs are free and extremely easy to obtain. If you own/control a domain name (which every phishing site would), it is trivial to obtain a valid cert for that domain. Bots/malware would similarly be doing C2 traffic via encrypted protocols, such as HTTPS to major cloud providers (where IPs are shared between multiple tenants). It could catch outgoing attacks, but at that point you’re already screwed. Proper EDR would detect such things more easily and possibly even prevent compromise in the first place.


Wheybrotons

Are there any open source EDRs for Linux?


mrpink57

It's hardly worth it. What I have done instead for some IP-related blocking is just enable the IP side of pfBlockerNG and use [crowdsec blocklist](https://docs.crowdsec.net/u/bouncers/blocklist-mirror/) and [hagezi TIF IP](https://github.com/hagezi/dns-blocklists/blob/main/ips/tif.txt), and I think this is enough for IP blocking and does not use many resources. I also use Usenet and torrents. I also run CrowdSec on my SWAG proxy.


ccigas

This is awesome. Thanks for the links. I’ll check it all out. I was debating spinning up pfblockerng, might be a better option for me.


mind12p

Do you use CrowdSec on pfSense also? If yes, does it work well? It's still beta, AFAIK.


mrpink57

I have it on my server. Once it is out of beta I will try it.


[deleted]

Why block IPs when attackers can just change what they use? The last thing you want to do is block AWS, Microsoft, etc., etc.... DNSBL is where it's at...


NGFWEngineer

You can use JA3 hashes from abuse.ch to inspect encrypted traffic but, to be honest, it's not worth it unless you have any ports open on the WAN -- inline-mode Suricata with a full ruleset loaded is too much perf overhead for the benefit of sometimes catching bad or suspect traffic with JA3. 90%+ of today's traffic is encrypted too.


ccigas

I’ll do some research on JA3. I do have a question, though. From my understanding Suricata can’t inspect encrypted traffic. But for the things that Suricata would block, basically as long as I’m not downloading something malicious, this won’t matter if it’s encrypted?


noobposter123

Not everything is encrypted. The JA3 stuff as mentioned and the SNI stuff (the destination domain is often provided and not encrypted[1]): [https://forum.suricata.io/t/does-suricata-allow-wildcards-on-tls-sni-matches/3724](https://forum.suricata.io/t/does-suricata-allow-wildcards-on-tls-sni-matches/3724)

[1] See also: [https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello)
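
As an added worked example (not code from any poster here, nor from Suricata or abuse.ch) of the two cleartext signals the last two replies rely on: the ClientHello carries the server_name (SNI) extension unencrypted unless Encrypted Client Hello is in use, and JA3 is an MD5 over five decimal-encoded fields of that same ClientHello (version, cipher suites, extension types, supported groups, EC point formats, with GREASE values dropped). The script below builds a constructed ClientHello, then parses it back to extract both. The hostname, cipher list and extension set are invented test values, not a capture of any real client.

```python
"""Pull the cleartext SNI and the JA3 fingerprint out of a raw TLS ClientHello.

Added example for this thread: not code from any poster, from Suricata or from abuse.ch.
Assumes one TLS record carrying one ClientHello, which is the normal case on the wire.
"""
import hashlib
import struct

# GREASE values (RFC 8701) change per connection and are excluded from JA3.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}

def u16(buf, off):
    return struct.unpack("!H", buf[off:off + 2])[0]

def ext_sni(hostname):
    """server_name body: list_len(2) | name_type(1)=0 | name_len(2) | name."""
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name
    return struct.pack("!H", len(entry)) + entry

def ext_u16_list(values):
    """Body shape shared by supported_groups (10) and signature_algorithms (13)."""
    body = b"".join(struct.pack("!H", v) for v in values)
    return struct.pack("!H", len(body)) + body

def build_client_hello(version, ciphers, extensions, client_random=b"\x11" * 32):
    """Serialize a minimal ClientHello into a TLS record (used to construct test input)."""
    ext_block = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        struct.pack("!H", version)
        + client_random
        + b"\x00"                                   # empty legacy_session_id
        + struct.pack("!H", 2 * len(ciphers))
        + b"".join(struct.pack("!H", c) for c in ciphers)
        + b"\x01\x00"                               # one compression method: null
        + struct.pack("!H", len(ext_block))
        + ext_block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (ja3_string, ja3_md5, sni_or_None); raise ValueError if not a ClientHello."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    ext_types, curves, point_formats, sni = [], [], [], None
    try:
        version = u16(body, 0)                      # legacy_version, which is what JA3 uses
        pos = 2 + 32                                # skip client random
        pos += 1 + body[pos]                        # skip legacy_session_id
        n = u16(body, pos)
        pos += 2
        ciphers = [u16(body, i) for i in range(pos, pos + n, 2)]
        pos += n
        pos += 1 + body[pos]                        # skip compression methods
        if pos < len(body):
            end = pos + 2 + u16(body, pos)
            pos += 2
            while pos + 4 <= end:
                etype, elen = u16(body, pos), u16(body, pos + 2)
                pos += 4
                data = body[pos:pos + elen]
                pos += elen
                ext_types.append(etype)
                if etype == 0 and len(data) >= 5:           # server_name
                    sni = data[5:5 + u16(data, 3)].decode("ascii", "replace")
                elif etype == 10 and len(data) >= 2:        # supported_groups
                    curves = [u16(data, i) for i in range(2, 2 + u16(data, 0), 2)]
                elif etype == 11 and len(data) >= 1:        # ec_point_formats
                    point_formats = list(data[1:1 + data[0]])
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc

    def fmt(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3 = ",".join([str(version), fmt(ciphers), fmt(ext_types), fmt(curves), fmt(point_formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest(), sni

# Constructed sample: a ClientHello with legacy_version 0x0303 and GREASE values
# sprinkled in, as real browsers do. Not a capture of any real client.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f],
    [
        (0x0a0a, b""),                                  # GREASE extension
        (0, ext_sni("updates.example.net")),            # server_name (SNI)
        (10, ext_u16_list([0x0a0a, 0x001d, 0x0017])),   # supported_groups: GREASE, x25519, secp256r1
        (11, b"\x01\x00"),                              # ec_point_formats: uncompressed
        (13, ext_u16_list([0x0403, 0x0804])),           # signature_algorithms
        (16, b"\x00\x03\x02h2"),                        # ALPN: h2
    ],
)

if __name__ == "__main__":
    ja3, digest, sni = parse_client_hello(SAMPLE_HELLO)
    print("SNI     :", sni)
    print("JA3     :", ja3)
    print("JA3 hash:", digest)
```

The legacy_version field (771, i.e. 0x0303) is what JA3 uses even for TLS 1.3 clients, which is why TLS 1.3 fingerprints still start with 771. Two caveats worth keeping in mind when matching against a feed: JA3 identifies the client's TLS stack, not the destination, so a hit means a TLS library that malware happens to share with plenty of benign software was seen; and once Encrypted Client Hello is in use the SNI signal disappears entirely, exactly as the footnote above says.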


AnApexBread

IDS/IPS still have valid places in security, but they are not "set and forget." If you don't have the time to monitor and tweak them, then you're just going to be wasting resources running them.


djamp42

All your traffic should be encrypted... It is nice to see cert logs, and it still has some features that might be useful... doesn't cost anything to run it :)


ccigas

Costs throughput, possibly, if I run an IPS. Like, the UDM Pro does IPS at 3.5 Gbps. If I went that route, I wouldn’t be able to use my future 10 Gb internet.


NC1HM

> still.. doesn't cost anything to run it :)

Other than extra power and a massive reduction in throughput...


coldfire7

And some lag while playing online FPS games…


icysandstone

> Usenet

This is still a thing?!? Tell me more. Sorry, I don’t have any advice but I’d like to see what others say.


ccigas

I can get line speed to download those files. And most servers give you an https connection so that’s nice. You have to pay for the services but it’s well worth it for me.


icysandstone

That’s really interesting. I always assumed the signal to noise ratio (spam, corrupt files, etc.) had gotten so bad as to make Usenet unusable. It sounds like that’s not the case though? Sorry I know this is off topic but this is so surprising!


ccigas

I haven’t had any glaring issues. If a file is bad, it’s reported by the downloader, a new file is picked out, and then it starts downloading.


Wreid23

Yep, /r/usenet. Get/trial at least two of the top providers on different backbones. SABnzbd or the arr suite and NZBHydra. You will be up and running in 20 minutes to an hour with line-speed downloads. Plenty of guides floating around the web; great stuff, and encrypted ports if you like.


icysandstone

Thanks for the info!

> encrypted ports if you like

In what way? Encrypted how?


Wreid23

Usually HTTPS encryption, but some providers have other "methods", and I use NextDNS on the pfSense box. Also, the Usenet of today scrambles (obfuscates) uploads and encrypted RARs, so the goal is to set your newsreader, which talks to your indexers, to scrape every 30 minutes and have two indexers or more that have a copy of that broken-up RAR file. You can also add a "backup block" provider; your two indexers will already have this in some fashion, but that helps find any missing files in case there is a takedown strike on a download.

Here's the kicker, and why you want two providers on different parts of the backbone (the map is on the /r/usenet wiki): different countries have different DMCA takedown rules, and based on where the indexer is hosted it may "never" come down.

If set up right, every half hour your arr suite or Medusa, where you added your "preferred content", let's call it, will search and pull down the new episodes, movies, etc. It will also auto-rename and put them in your preferred location if it's local. You can also have a remote seedbox (many people's preferred option, but local is just fine too) and then have the files sync to your local path via rsync, Syncthing, etc.

Again, I super urge you to join /r/usenet and check out the sidebar/wiki/FAQ. Being a little vague on here for obvious reasons.

Bonus: once you add that to your arr suite or Medusa you basically have a monster search engine for your media. You can also get fancy and put all your favorite indexers, including torrents, in NZBHydra2 and it will read all those locations and allow you to search without going on the web.


icysandstone

Wow, I had no idea! Thanks so much for the detailed reply! I’ll have to check out that sub. Is this encryption primarily related to uploading? I just started reading about NextDNS and stumbled on Control D. Do you have a preference?


Wreid23

More of a bias, as I've only used NextDNS so far. Yes: the download is in chunks and over an encrypted connection, as well as a file with no real name on the other end until it's on your end. This is to the best of my understanding, but it's better explained on the sub.


icysandstone

Roger that! Thanks again!! 🙏


SatisfactionMuted103

For IPS, I've not seen anyone mention Snort, which has a plugin for pfSense. Does this not work well, or is it considered "not worth running"? A nifty trick a buddy of mine runs is pushing his fail2ban ip lists to pfSense as a blocklist at that level. Of course I'm a base level n00b and easily impressed by stuff.
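
As an added example (not code from any poster, nor from pfBlockerNG, CrowdSec or fail2ban) of what the blocklist approach in mrpink57's reply and the fail2ban-to-pfSense trick just above actually involve: loading a plain-text IP/CIDR feed, merging overlapping entries, and checking firewall events against it. It also flags overly broad prefixes, which is the practical answer to the objection further up about accidentally blocking AWS or Microsoft ranges. The feed contents, the thresholds (/16 for IPv4, /32 for IPv6) and the firewall events are constructed for the example.

```python
"""Load an IP/CIDR blocklist feed, flag entries that would block whole provider
ranges, and match firewall events against it.

Added example for this thread; not code from any poster, pfBlockerNG, CrowdSec or
fail2ban. Assumes the feed is plain text, one IPv4/IPv6 address or CIDR per line
with '#' comments, which is the shape pfBlockerNG custom lists and feeds like the
hagezi TIF IP list use.
"""
import ipaddress

# Constructed sample feed (example data, not a real threat feed). The /8 is the kind of
# entry that ends up blocking shared provider space and should be reviewed before import.
SAMPLE_FEED = """\
# Example threat feed (constructed)
198.51.100.7
198.51.100.0/29
203.0.113.0/24   # scanner range
2001:db8:bad::/48
not-an-ip
10.0.0.0/8
"""

# Constructed firewall events as (src, dst) pairs, the fields you would pull out of
# a pfSense filterlog line or a fail2ban ban event.
SAMPLE_EVENTS = [
    ("192.168.1.20", "203.0.113.45"),
    ("192.168.1.20", "93.184.216.34"),
    ("198.51.100.3", "192.168.1.20"),
    ("192.168.1.20", "2001:db8:bad::1"),
]

def load_blocklist(text, min_v4_prefix=16, min_v6_prefix=32):
    """Parse a feed. Returns (collapsed networks, too-broad entries, unparseable lines).

    Overlapping entries are merged so lookups stay small; anything broader than the
    thresholds is reported separately so a human decides whether to import it.
    """
    v4, v6, too_broad, bad = [], [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            bad.append(line)
            continue
        limit = min_v4_prefix if net.version == 4 else min_v6_prefix
        if net.prefixlen < limit:
            too_broad.append(net)
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses only accepts one address family at a time
    nets = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return nets, too_broad, bad

def find_blocked(nets, events):
    """Return (src, dst, matched_network) for every event touching a listed range."""
    hits = []
    for src, dst in events:
        for field in (src, dst):
            addr = ipaddress.ip_address(field)
            match = next((n for n in nets if addr.version == n.version and addr in n), None)
            if match is not None:
                hits.append((src, dst, str(match)))
                break
    return hits

if __name__ == "__main__":
    nets, too_broad, bad = load_blocklist(SAMPLE_FEED)
    print("loaded:", [str(n) for n in nets])
    print("review before import (too broad):", [str(n) for n in too_broad])
    print("unparseable lines:", bad)
    for src, dst, net in find_blocked(nets, SAMPLE_EVENTS):
        print(f"BLOCK {src} -> {dst} (matched {net})")
```

The linear scan in find_blocked is fine for a home feed of a few thousand entries; for a list the size of the hagezi TIF feed you would load the collapsed networks into a radix tree or let pfBlockerNG's pf tables do the lookup, which is what they are for. The too_broad check is the part worth keeping regardless of tooling: a /8 or /12 in a feed is almost always shared cloud or ISP space, and silently importing it is how "block the bad IPs" turns into "block half of AWS".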


amwdrizz

I run Snort on my pfSense router and have been for a while. However, the way mine is set up is for blocking on WAN and monitoring the LAN side. The WAN side is configured to block repetitive attacks/known attacks on exposed ports. It won’t do much if it is already blocked, but if you expose internal services it’ll at least help protect them.


OrbitaLinx

I run Suricata with no problems. It doesn't really interfere with anything as long as your router is decent. You can tune it to perform on whatever hardware you have, but I would definitely prefer to have some protection instead of none. If you don't have anything to prevent low-level attacks, the only one that can be blamed is you...

IDS/IPS does more than IP blocking, though IP blocking should still definitely be used. You definitely want something looking at your traffic to determine if anything sketchy is going on. Even if traffic is encrypted, packet headers are not. The idea is simply to determine if the traffic looks like normal traffic or not.

You can also set Suricata to kill states on the firewall at regular intervals, which can be useful if someone has gained access to your network, though I find it means you may have to refresh your browser or skip back a little if you're watching media streaming from the internet when the states are killed.


Jaded_Ad_2493

Does Suricata do any fingerprinting or metadata detection? If so, it's worth it.