On 2020-11-20 17:15, Erik Lauritsen wrote:
> Is it recommended to run some kind of intrusion detection on an
> OpenBSD router/firewall?
>
> I suspect that any kind of system like Snort or Suricata will give a
> lot of false positives?
MY philosophy is it is much easier to keep 'em out than to find 'em once they are in. And the odds of an intruder popping your firewall's security is relatively low. Be far more suspect of things BEHIND your firewall. So...my answer to your question is, "no, I wouldn't recommend any kind of add-on intrusion detection to an OpenBSD Firewall". The simpler your firewall, the better. The only package I put on my firewalls is rsync for backup purposes.

Application server? Now that's another story, perhaps.

One thing I have been doing for a while is rsync --link-dest backups of systems, both in-house and at various workplaces. FANTASTIC tool, giving incredibly "useful" backups, with relatively low impact and resource requirements. I use a -v on rsync to get verbose backups, and log it to a file. Just recently, I realized these logs are basically a "changed file" report, which is a starting point for a file alteration reporting tool. Combine that with a carefully crafted "ignore" file (you can do that with a grep -vf ignorefile logfile), and you have an interesting file monitoring system.

The painful part with any such system is crafting the list of what to ignore vs. what to panic over. Everyone wants to tick the checkbox that says "We have an intrusion detection system", and everyone wants one of two results: "No problem" and "intruder detected". So far, I don't think any tool does that. An IDS without careful human monitoring is just for show (and it's a potential security risk of its own), and more likely to be the cause of a problem than a solution. Careful monitoring takes time and resources.

One nifty thing I have found in "rolling my own" is that I found a lot of little oddities, no security problems, but things that needed fixing. I'd call that a win.

Nick.
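The rsync --link-dest snapshot plus grep -vf change report that Nick describes, as an added shell example that is not part of the original message. The backup paths, the sample rsync -v log contents and the ignore pattern are constructed for illustration; the snapshot() function needs a real rsync, while the report filter runs against the constructed log on its own.

```shell
#!/bin/sh
# Added example, not from the original post: dated rsync --link-dest
# snapshots, with the verbose log reduced to a "changed file" report via
# grep -vf. Paths, log layout and ignore patterns are constructed.
set -eu

# One snapshot of SRC under DEST/<stamp>, hardlinked against DEST/latest.
# rsync -v only names files it had to copy, so the log *is* the change list.
snapshot() {
    src=$1; dest=$2; stamp=$(date +%Y%m%d-%H%M%S); link=""
    [ -e "$dest/latest" ] && link="--link-dest=$dest/latest"
    mkdir -p "$dest/$stamp"
    rsync -av --delete $link "$src/" "$dest/$stamp/" > "$dest/$stamp.log"
    ln -sfn "$stamp" "$dest/latest"
    echo "$dest/$stamp.log"
}

# Reduce an rsync -v log to unexpected changes: drop rsync's summary
# lines, bare directory entries, then every line matching a pattern in
# IGNORE (one grep pattern per line). An empty result exits 0, because
# "nothing unexpected" is the good case, not an error (grep -v status 1).
report_changes() {
    log=$1; ignore=$2
    grep -Ev '^$|^sending incremental file list|^sent [0-9]|^total size is' "$log" \
        | grep -v '/$' \
        | { grep -vf "$ignore" || [ $? -eq 1 ]; }
}

# Constructed stand-in for a real rsync -v log, so the filter can be
# exercised without running a backup.
write_sample_log() {
    cat > "$1" <<'EOF'
sending incremental file list
./
etc/
etc/passwd
var/log/
var/log/messages
deleting var/log/old.gz

sent 1,234 bytes  received 56 bytes  2,580.00 bytes/sec
total size is 98,765  speedup is 76.56
EOF
}

tmp=$(mktemp -d)
write_sample_log "$tmp/rsync.log"
printf 'var/log/\n' > "$tmp/ignore"          # expected churn, not news
report_changes "$tmp/rsync.log" "$tmp/ignore" # prints: etc/passwd
rm -rf "$tmp"
```

Deleted files show up as "deleting <path>" lines, so an ignore pattern should match the path fragment rather than anchor on the start of the line if deletions in that tree are also routine.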