
Topics - ruggerio

#21
After getting Suricata 5 on dev, I switched over for more testing (and to avoid hijacking the old thread). After the first night, I saw the following error in the logs:

suricata[18490]: [100221] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients/doc/yxnwvvy5wrni8vr0ofa4_9xshl2gx-804312145|/"; http_uri; depth:54; isdataat:!1,relative; content:"tapclicktalk.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_10_10; reference:url, urlhaus.abuse.ch/url/243231/; classtype:trojan-activity;sid:81106331; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 7246

and the following:
   suricata[18490]: [100221] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Invalid hex code in content - /clients/doc/yxnwvvy5wrni8vr0ofa4_9xshl2gx-804312145|/, hex /. Invalidating signature.

Wow, so Suricata 5 recognizes it but won't do anything with it. Is this an error in the ruleset of urlhaus.ch?

By the way, I disabled the proxy, also to compare downloads on my apuc4. With the usual performance fiddling, I got a download rate of 270 mb/s using Aho-Corasick. Never got that before, neither with only the proxy nor with only IPS (yes, IPS is enabled). Also a big wow!
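The two log lines above are one error: inside a Suricata `content:` value the `|` character opens a hex block, so the literal pipe in the URL path starts a block whose first "hex digit" is `/`. The only way to write a literal pipe in rule syntax is `|7C|` (`;`, `"` and `\` are escaped with a backslash). The following is an added example of mine, not part of the post and not Suricata's own code: it decodes a content value the way the rule parser treats it, spells a literal path so it survives the parser, and runs that check over the signature quoted in the post. The function names, the error wording and the abbreviated sample rule are my constructions.

```python
import re
from typing import List

# Added example: mimic how a Suricata/Snort rule parser treats the text between the
# quotes of content:"...". Not Suricata code; all names here are my own.


class InvalidContent(ValueError):
    """Raised for the conditions that make Suricata invalidate a signature."""


_CONTENT_RE = re.compile(r'content:\s*!?\s*"((?:[^"\\]|\\.)*)"')


def decode_content(value: str) -> bytes:
    """Decode a content value into the bytes the engine matches.

    Text outside |...| is literal; a backslash escapes ';', '"' and '\\'.
    Text inside |...| is hex bytes, with or without spaces.
    """
    out = bytearray()
    i, n = 0, len(value)
    while i < n:
        ch = value[i]
        if ch == "|":                                   # hex block until the next '|'
            end = value.find("|", i + 1)
            block = value[i + 1:end] if end != -1 else value[i + 1:]
            hexdigits = "".join(block.split())
            if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", hexdigits):
                raise InvalidContent(
                    f"Invalid hex code in content - {value}, hex {block}. Invalidating signature.")
            if end == -1:
                raise InvalidContent(f"unterminated hex block in content - {value}")
            out.extend(bytes.fromhex(hexdigits))
            i = end + 1
        elif ch == "\\":                                # backslash escape
            if i + 1 == n or value[i + 1] not in ';"\\':
                raise InvalidContent(f"bad escape in content - {value}")
            out.extend(value[i + 1].encode("utf-8"))
            i += 2
        else:                                           # plain literal byte
            out.extend(ch.encode("utf-8"))
            i += 1
    return bytes(out)


def escape_content(literal: str) -> str:
    """Spell a literal string (e.g. a URL path) so the rule parser reads it back unchanged."""
    out = []
    for b in literal.encode("utf-8"):
        ch = chr(b)
        if ch in ';"\\':
            out.append("\\" + ch)
        elif ch == "|":
            out.append("|7C|")                          # the only way to write a literal pipe
        elif 0x20 <= b <= 0x7E:
            out.append(ch)
        else:
            out.append(f"|{b:02X}|")                    # non-printable / non-ASCII as hex
    return "".join(out)


def find_bad_contents(rule: str) -> List[str]:
    """Return one error message per content: value in the rule that would not parse."""
    errors = []
    for m in _CONTENT_RE.finditer(rule):
        try:
            decode_content(m.group(1))
        except InvalidContent as e:
            errors.append(str(e))
    return errors


# Constructed sample: the URLhaus signature quoted in the post, shortened to the
# options that matter here.
BAD_RULE = ('drop http $HOME_NET any -> $EXTERNAL_NET any '
            '(msg:"URLhaus Known malware download URL detected"; '
            'content:"GET"; http_method; '
            'content:"/clients/doc/yxnwvvy5wrni8vr0ofa4_9xshl2gx-804312145|/"; http_uri; '
            'content:"tapclicktalk.com"; http_host; sid:81106331; rev:1;)')

if __name__ == "__main__":
    for err in find_bad_contents(BAD_RULE):
        print("error:", err)
    print("fixed:", escape_content("/clients/doc/yxnwvvy5wrni8vr0ofa4_9xshl2gx-804312145|/"))
```

Running the checker over a downloaded rule file before loading it gives the same list of rejected signatures that Suricata logs, which is useful when a feed like this one is generated automatically from URLs that may contain any character.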
#22
Intrusion Detection and Prevention / IPS and DHCP
September 16, 2019, 07:52:08 AM
Hello,

I still cannot get IPs via DHCP on VLANs if IPS is enabled. Did I miss something, or is a "special" configuration needed for VLANs which I missed?

I disabled everything on the interface; VLAN filtering is at the default. Promiscuous mode is disabled.

Thx!
#23
Since 19.7, I can no longer inspect more than one physical interface. My box has 3 active NICs (WAN, LAN, DMZ) which I'd like to inspect.

I already reset my box and restored, but it did not help. Whenever I activate IPS mode with WAN only, it works. As soon as I also choose DMZ and LAN, it doesn't.

I just tested with EICAR. With WAN only, I get the blocked message; adding DMZ and LAN, it just downloads *sigh*. And the logs do not tell me anything at all. Is there a way to put Suricata in debug mode?
#24
I still have nearly no warnings in the alert tab, unless I force it. Do others get alerts in Suricata?

I know there are a lot of threads about this in each release. I thought I had created one within the IDP section.

Config:
IDP, no IDS
no promiscuous mode
only monitoring physical interfaces
installed ALL available rulesets which came by default (no telemetry, Snort...)
#25
After changing the SHA-256 hash of my password in Maltrail, I can no longer log in as admin.

The new password is correctly hashed in /usr/local/share/maltrail/maltrail.conf. Nevertheless, the reply is wrong username/password.
#26
After installing Sensei, I get 100% load on my apu4, which becomes unresponsive.

How can I get the logs for further investigation?
#27
Hello,

I know I am in the wrong forum, but at @opnidp there is no chance of an answer.

I installed opnidp as a separate IDP from my firewall, using a TAP device. Unfortunately, I am completely inexperienced in that matter. :(

Even if it's a TAP device, I think my networks have to be aware of it. And as it isn't an inline IDP, it makes no sense to place it as the default route.

Could anybody help me with the architecture? Where does the device that has the IPS need to be connected? To the WAN port, in front of the firewall?

How would you do this? Thanks for any proposals or ideas. As it is still WIP for me, I appreciate any information.
#28
19.7 Legacy Series / [solved] Squid not starting
June 12, 2019, 07:31:03 PM
Since the update to OPNsense 19.7.b_104-amd64, Squid no longer starts.

Errors:
SSL certificate database /var/squid/ssl_crtd is corrupted. Please rebuild
kid1| FATAL: The /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 10MB helpers are crashing too rapidly, need help!

Coming directly from 19.1.9.
#29
Hi,

I have an apu2c4 (4 GB RAM) running OPNsense with Suricata in IPS mode. All physical interfaces are selected (VLANs are not selected).

During normal surfing, nothing exceptional happens with the CPU load. But while e.g. updating my system or downloading a whole DVD, the CPU load jumps up to 100% and as a result, the RTTd on the gateway goes up to 700 ms...

I've already applied the whole bunch of optimizations, but I have no further idea how to get rid of this.

If I stop Suricata, there are no problems with load.

Has anybody else seen the same effect?

Thx!
#30
19.1 Legacy Series / Freeradius broken since 19.1.6
April 11, 2019, 09:29:39 PM
Hi,

After updating to 19.1.6, I get lots of errors with Ubuntu clients using WPA2/EAP/MSCHAPv2 via FreeRADIUS. Auth is LDAP.

21:25:50 2019 : Auth: (38) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [username/<via Auth-Type = eap>] (from client Radius-Clients LAN 1 port 0 via TLS tunnel)

Erm... I do not use NT/LM passwords... where does this come from?
#31
Hi,

I filter pages (example http://1000gratisproben.com) through shallalist. Using HTTP, I get the message "access denied" in the browser. Using HTTPS, I get a certificate error in the browser.

The Squid logs show TCP_DENIED in both cases. For HTTPS I get a strange string before it, which could be the certificate or whatever.

Why do I get a certificate error using the transparent proxy? Using the proxy directly, non-transparent, gives me "access denied" in the browser in both cases.

Roger
#32
Hi,

I'm trying to set up wpad.dat for my proxy. Unfortunately, it seems that mobile clients can only get a wpad.dat by HTTP, not by HTTPS.

So one needs to change the firewall GUI to HTTP *shiver* to get this working. Would it be possible to have both port 80 and 443 for the web frontend? This would make management by HTTPS and wpad by HTTP possible.

Roger
#33
Hi,

Can anybody tell me on which port SNI is handled? Is it still 3128 for non-HTTPS, or is it on port 3129 for SSL? I wanted to disable 3129, as I don't do SSL inspection, but it's needed for SNI, correct?

Also, I have all NAT and firewall rules for the transparent proxy, but I still often get drops to 127.0.0.1:3129; I have no explanation for this.
#34
19.1 Legacy Series / Bug in German translation
March 13, 2019, 01:38:38 PM
Seems there is a small bug in the translation of /Proxy/Manage/PAC/Rule:

Match type "if" is translated as "Schnittstelle", which means interface. Could it be that the meaning was "Wenn"? As "Unless" is not translated, I would say leave "if" untranslated as well.

Roger
#35
Hi,

I use dnsmasq as the first DNS; it gives me more possibilities for resolving internal DNS (CNAMEs etc.). But I cannot get rid of those host header forgery errors, which say you should use the same proxy for Squid as the clients do.

So, all my clients use the IP of the firewall. In Squid, I also entered the IP of the firewall (and tried localhost, and the external one from my provider, as a shot in the dark :) ).

The messages stay, whatever I do. Has somebody got this working without those messy errors in the Squid log? I use it as a transparent proxy with SNI.

Thanks a lot in advance, community!

Roger
#36
Web Proxy Filtering and Caching / SNI Howto
December 25, 2018, 01:35:08 PM
Hi,

After reading a lot about SNI and setting up my transparent proxy, I expected that Squid would recognize the EICAR SSL virus test by SNI, but it didn't.

How can i test this?

Thx!
#37
Hi,

Since the last beta, I have a lot of error messages about "SSL record too long". I haven't had it before.

Reproducible: always

go to https://www.google.com

Search and browse until you get the message. Close the browser, get the message, press F5 a few times; sometimes it starts working again.


#38
Hi,

Since the last update, WireGuard is connecting but no longer routing. The config hasn't been changed in between. I also see handshakes, but no traffic is going through.
#39
Hi,

I recently installed HAProxy successfully; it's working fine. I redirect web traffic to my web host.

Now a problem occurs with fail2ban on this host. Each connection to the web server is made from the internal gateway IP instead of the remote IP from the internet. With this, fail2ban will block my gateway and I am completely locked out. How can I forward the IP information of the external caller to my web server?

FYI: the forward-x-header option is checked.
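Adding the header on the HAProxy side is only half of it: the web server has to log it (Apache `%{X-Forwarded-For}i`, nginx `$http_x_forwarded_for`) and fail2ban has to ban the address from that field, not the TCP peer. Anyone can send an `X-Forwarded-For` header, so a filter that blindly bans its content lets a direct client get an arbitrary address banned. Below is an added example of mine, not part of the post and not fail2ban or HAProxy code, of the trust rule a filter should apply: believe the header only when the connection came from our own proxy, walk the chain from the right, and ban the first hop that is not ours. The log format (combined format with the header appended as a last quoted field), the `TRUSTED_PROXIES` address, the function names and the log lines are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from typing import Optional

# Added example, not from the post or from HAProxy/fail2ban. Assumes the web server
# appends X-Forwarded-For as the last quoted field of the combined log format and
# that TRUSTED_PROXIES names only our own HAProxy (the gateway address is made up).

TRUSTED_PROXIES = ["192.168.1.1/32"]

_LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)


def _as_ip(text: str):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(ip, trusted) -> bool:
    return ip is not None and any(ip in net for net in trusted)


def client_ip(peer: str, xff: Optional[str], trusted_proxies=TRUSTED_PROXIES) -> Optional[str]:
    """Return the address a ban should target, or None if it cannot be determined safely.

    X-Forwarded-For is believed only when the TCP peer is one of our proxies. The chain is
    walked from the right (the hop appended last is the one our proxy saw) and the first
    address that is not one of our proxies is the one we can hold responsible.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    peer_ip = _as_ip(peer)
    if not _is_trusted(peer_ip, trusted):
        return str(peer_ip) if peer_ip else None    # direct connection: the peer is the client
    if not xff or xff.strip() == "-":
        return None                                 # proxy gave no client: never ban the proxy
    for hop in reversed(xff.split(",")):
        ip = _as_ip(hop)
        if ip is None:
            return None                             # garbage in the chain: refuse to guess
        if not _is_trusted(ip, trusted):
            return str(ip)
    return None                                     # chain contained only our own proxies


def failed_login_sources(log_lines, trusted_proxies=TRUSTED_PROXIES) -> Counter:
    """Count 401/403 responses per real client address, the way a fail2ban filter would."""
    hits = Counter()
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m or m.group("status") not in ("401", "403"):
            continue
        src = client_ip(m.group("peer"), m.group("xff"), trusted_proxies)
        if src:
            hits[src] += 1
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # via HAProxy: the peer is the gateway, the real client is in X-Forwarded-For
    '192.168.1.1 - - [05/Oct/2018:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 401 421 "-" "curl/7.61" "203.0.113.7"',
    '192.168.1.1 - - [05/Oct/2018:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 401 421 "-" "curl/7.61" "203.0.113.7"',
    # client reached our proxy through a hop that is not ours: that hop is what we can ban
    '192.168.1.1 - - [05/Oct/2018:10:00:03 +0200] "POST /wp-login.php HTTP/1.1" 401 421 "-" "curl/7.61" "203.0.113.7, 198.51.100.50"',
    # direct connection with a spoofed header: the header must be ignored
    '198.51.100.9 - - [05/Oct/2018:10:00:04 +0200] "POST /wp-login.php HTTP/1.1" 401 421 "-" "curl/7.61" "10.0.0.1"',
    # successful request, not counted
    '192.168.1.1 - - [05/Oct/2018:10:00:05 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "203.0.113.8"',
]

if __name__ == "__main__":
    for src, count in failed_login_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} failed logins")
```

The same trust rule is what Apache's mod_remoteip and nginx's realip module implement when given the proxy address, which is the usual way to make the server's own log field and fail2ban's default filters work without changing the log format.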
#40
Hi,

Which ports do I have to open on the WAN interface when using HAProxy (listening on 127.0.0.1:80 and 127.0.0.1:443) as a public frontend?

Do I just have to set "allow all to this firewall, ports 80 and 443" on the WAN interface?