OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: dave on April 02, 2020, 08:44:32 am

Title: Maltrail doesn't log unless monitor interface set to nothing
Post by: dave on April 02, 2020, 08:44:32 am
Think I may have found a bug in Maltrail.

Logging works fine so long as Monitor Interface is set to Nothing Selected.

Since I've got nothing listening on the WAN I specified internal interfaces only and everything stopped working.

If I manually specify all interfaces logging stops working; if I uncheck everything, Maltrail starts working again.

Two of my interfaces are VLANs though, so would that mess things up? Should I just be selecting the parent interface for inspection?
Title: Re: Maltrail doesn't log unless monitor interface set to nothing
Post by: mimugmail on April 02, 2020, 09:44:12 am
You can try this, yes. Never tested with VLANs.
Title: Re: Maltrail doesn't log unless monitor interface set to nothing
Post by: dave on April 02, 2020, 10:47:35 pm
Looks like something's not working as it should.

Torrents generate reports, so I've been using Ubuntu to test.

Judging from CPU and memory usage (which goes through the roof with heuristics enabled), Maltrail is monitoring regardless of its config.

With Maltrail disabled I manually selected all int’s (physical and logical), started the service, and logs were generated.

I switched to physical int’s only and restarted the service, and continued to see new reports.

Then switched to internal physical int’s, restarted the service, but still saw WAN reports unrelated to torrents.

Finally switched to internal physical and logical int’s, rebooted, and now I’m only seeing reports related to internal interfaces.

Hope that made some kind of sense.
Title: Re: Maltrail doesn't log unless monitor interface set to nothing
Post by: matoma on May 11, 2020, 08:30:24 am
I tried as #1 said but it wasn't good either.