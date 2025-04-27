The internet is a scary place, and since building my own OPNsense router where I can see all of the traffic in and out, I've never been more convinced of that. I had already set up OPNsense with the goal of configuring Intrusion Detection Systems and Intrusion Prevention Systems (IDS and IPS, respectively). I moved as quickly as I could to deploy them when I saw the constant traffic that was scanning my network, looking for open services. I've since set up a honeypot to capture some data, but that's a story for another day.

When it comes to configuring those systems, there are a few options, both free and paid, worth looking at. We'll be talking about CrowdSec, Suricata, and ZenArmor, with the latter being a paid service. You can get by with just CrowdSec and Suricata, though it's worth knowing that Suricata won't work on your WAN if you're using PPPoE. That's the situation I find myself in, so I'm personally using CrowdSec and ZenArmor. I also set up a firewall rule to block IP addresses listed in the FireHOL IP list, though this is fairly rudimentary.

What's the difference between Intrusion Detection and Intrusion Prevention?

There's an important difference between the two

Both of these systems are quite similar in how they operate, particularly on a surface level. They both monitor your network, they both can alert you when something is awry, and in most cases, they'll both learn to spot emerging threats and changes in communication on your network. An Intrusion Detection System is essentially a very smart observer. It sniffs every packet, checks it against a signature or behavioral rule, and, if something looks shady, alerts you to its existence. Typically, you’ll get log entries (and a push notification if you've configured it) whenever your firewall spots a problem, but the packet will usually still go through unless you step in and block it manually.

An Intrusion Prevention System does everything an IDS does, plus an extra step: it blocks, drops, or shuns the offending traffic in real time. ZenArmor in "protect" mode or Suricata with IPS enabled both fall into this category, but the downside is that traffic that merely looks suspicious can be blocked. While ZenArmor hasn't blocked any friendly traffic just yet, I have seen it block some traffic and flag others that I knew were safe as being potentially unsafe. For example, when playing Counter-Strike on FaceIt, I saw it flag an API server from the anti-cheat as being potentially unsafe. Thankfully, it didn't block the connection, as otherwise it would likely have disconnected me from the server.

When configuring IPS, especially, you'll want to make sure that legitimate traffic isn't being outright blocked. Start small and scale up, rather than enabling everything at once. It's not difficult to reverse, but it could be annoying if you don't realize it until it happens.

Setting up ZenArmor

There are a lot of options

ZenArmor has a fairly simple setup: install the plugin from the OPNsense plugin manager, and you'll end up with a new ZenArmor tab on the left-hand side. You can configure all of your settings there, including blocked content, your database of devices, and more. I am also using an external Elastic database to capture my data, with a retention of seven days. This prevents it from using too much RAM on my server, and means that I can do some advanced data processing if I wish, too.

There isn't really a whole lot more to think about once it's installed. You'll need to go to Policies to set what you do and don't want to block. Here's what I'm currently blocking:

- Malware/Virus
- Phishing
- Spam sites
- Potentially dangerous
- Recent malware/phishing/virus outbreaks
- Botnet C&C
- Botnet DGA domains
- Spyware and adware
- Keyloggers and monitoring

I don't have any special exemptions issued, and I've opted to allow the others, as policies such as "parked domains" could disable access to domains that I actually want to look at. I've already seen this occurring in my live sessions view with legitimate websites, so I know that blocking them would create false positives. You can also create a whitelist of URLs if you find that legitimate sites are being blocked, which I have seen happen occasionally, too.
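To make the detect-versus-protect distinction and the policy/whitelist behaviour described above concrete, here is a small added example (not ZenArmor's or OPNsense's own code) that models a policy engine in Python: a FireHOL-style netset of blocked prefixes, a set of blocked categories standing in for the ZenArmor policy categories listed above (with "parked domains" left allowed), and a hostname whitelist for known false positives. The netset, category names, hostnames and IP addresses are all constructed for the demo; in "detect" mode every match only produces an alert and the flow passes, while in "protect" mode the same match drops it.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed FireHOL-style netset (documentation ranges, not real indicators).
BLOCKLIST_NETSET = "# one prefix or host per line\n203.0.113.0/24\n198.51.100.42\n"
# Constructed stand-in for the ZenArmor policy categories the post blocks;
# "parked_domains" is deliberately left allowed, as the post describes.
BLOCKED_CATEGORIES = {"malware", "phishing", "botnet_cnc", "potentially_dangerous"}

@dataclass
class Engine:
    mode: str                       # "detect" = IDS (alert only), "protect" = IPS (alert and drop)
    whitelist: set = field(default_factory=set)
    networks: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def load_netset(self, text):
        # FireHOL netsets are one prefix (or bare host) per line, with '#' comments.
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                self.networks.append(ipaddress.ip_network(line, strict=False))

    def ip_listed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def evaluate(self, flow):
        """Return 'pass' or 'drop' for one flow, recording an alert whenever a rule matches."""
        if flow["dst_host"] in self.whitelist:
            return "pass"               # explicit exemption: the fix for a known false positive
        if self.ip_listed(flow["dst_ip"]):
            reason = "blocklisted ip"
        elif flow["category"] in BLOCKED_CATEGORIES:
            reason = "category " + flow["category"]
        else:
            return "pass"
        self.alerts.append((flow["dst_host"], reason))
        return "drop" if self.mode == "protect" else "pass"

def run_demo(mode):
    """Run four constructed flows through one engine; returns ({host: verdict}, alerts)."""
    eng = Engine(mode, whitelist={"anticheat-api.example.test"})   # the anti-cheat false positive
    eng.load_netset(BLOCKLIST_NETSET)
    flows = [
        {"dst_ip": "203.0.113.7", "dst_host": "cdn.example.test", "category": "malware"},
        {"dst_ip": "192.0.2.10", "dst_host": "anticheat-api.example.test", "category": "potentially_dangerous"},
        {"dst_ip": "192.0.2.20", "dst_host": "parked.example.test", "category": "parked_domains"},
        {"dst_ip": "192.0.2.30", "dst_host": "phish.example.test", "category": "phishing"},
    ]
    return {f["dst_host"]: eng.evaluate(f) for f in flows}, eng.alerts
```

Running `run_demo("detect")` and `run_demo("protect")` side by side shows why the post recommends starting in detect mode: the alert list is identical in both, but only protect mode turns those alerts into dropped connections.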