OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: myksto on June 06, 2022, 12:03:30 PM

Title: Warning on Intrusion Detection logs
Post by: myksto on June 06, 2022, 12:03:30 PM
Hi.
I noticed several warnings in the Intrusion Detection logs after updating to version 22.1.8_1.
Warnings are like these (some examples):

I know those are "just" warnings, but do I have to worry about them?

Thanks a lot,
Michele
Title: Re: Warning on Intrusion Detection logs
Post by: axsdenied on June 07, 2022, 11:15:48 PM
Looks like it's just enabling protocols to monitor for which is not a bad thing unless you explicitly don't want those protocols looked at.
Title: Re: Warning on Intrusion Detection logs
Post by: myksto on June 08, 2022, 03:13:03 PM
Quote from: axsdenied on June 07, 2022, 11:15:48 PM
Looks like it's just enabling protocols to monitor for which is not a bad thing unless you explicitly don't want those protocols looked at.

It may be just like that, but the log messages are identified as "ERROR".
I'd like to know why these errors come up and how to remove them.

Cheers.
Title: Re: Warning on Intrusion Detection logs
Post by: defaultuserfoo on June 08, 2022, 04:19:46 PM
The error messages seem to say that there are errors because stuff isn't enabled.  You could delete these messages from the log file.

Or maybe enable stuff ... :)
Title: Re: Warning on Intrusion Detection logs
Post by: myksto on June 08, 2022, 04:45:14 PM
Quote from: defaultuserfoo on June 08, 2022, 04:19:46 PM
The error messages seem to say that there are errors because stuff isn't enabled.  You could delete these messages from the log file.

I really can't find a way to "delete" those messages, at least via GUI. Anyway my usual goal is to find the reason why I have certain error logs first and then, eventually, find a way to delete them.

Quote
Or maybe enable stuff ... :)

Ok, I could do that: would you be so kind as to show me how?

Thanks.
Title: Re: Warning on Intrusion Detection logs
Post by: JohnDoe17 on June 13, 2022, 04:42:20 PM
I'm wondering if anything more came from this?  I'm seeing the same errors in my Suricata logs.
Title: Re: Warning on Intrusion Detection logs
Post by: superflip on September 16, 2022, 11:47:54 AM
I have the same issue and am wondering if you have already fixed it. I guess this couldn't be fixed via the GUI.
What's really strange is that in suricata.yaml.sample there is a statement: "HTTP2 support is currently experimental and disabled by default."
And I'm not sure if I can change settings in the yaml files without them being overwritten by OPNsense.
Title: Re: Warning on Intrusion Detection logs
Post by: dcol on September 16, 2022, 07:52:24 PM
This issue has been around for a while. You can temp fix it by going to
/usr/local/opnsense/service/templates/OPNsense/IDS/suricata.yaml
and adding these protocols to the app-layer section, then rebooting, but it just reverts back after an update.

My personal opinion is those protocols are just not ready yet. You can ignore the error.
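
The last post notes that a hand edit to the template reverts after an update. The following is an added example, not code from the thread or from OPNsense: it reports which protocols still lack an explicit `enabled` key under `app-layer.protocols`. The function names and the sample config are constructed; `http2` is the only protocol named in the thread, and the code assumes the template is YAML with Jinja2 control lines.

```python
def explicit_app_layer_protocols(yaml_text):
    """Map each protocol listed under app-layer.protocols to its explicit
    'enabled' value, or None when the key is absent."""
    found = {}
    stack = []  # (indent, key) pairs describing the current nesting path
    for raw in yaml_text.splitlines():
        stripped = raw.strip()
        # Assumption: template control lines are Jinja2 ({% ... %} / {# ... #}).
        if stripped.startswith(("{%", "{#")):
            continue
        line = raw.split("#", 1)[0].rstrip()  # drop YAML comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        path = [k for _, k in stack]
        if path[:2] != ["app-layer", "protocols"]:
            continue
        if len(path) == 3:
            found.setdefault(path[2], None)
        elif len(path) == 4 and path[3] == "enabled":
            found[path[2]] = value.strip()
    return found

def not_explicit(yaml_text, wanted):
    """Protocols from 'wanted' that have no explicit enabled setting."""
    have = explicit_app_layer_protocols(yaml_text)
    return [p for p in wanted if have.get(p) is None]

# Constructed sample, not the real OPNsense template.
SAMPLE = """\
{% if true %}
app-layer:
  protocols:
    tls:
      enabled: yes
    http2:
      enabled: yes   # added by hand
    rfb:
      detection-ports:
        dp: 5900
{% endif %}
outputs:
  - eve-log:
      enabled: yes
"""

if __name__ == "__main__":
    print(not_explicit(SAMPLE, ["http2", "rfb", "sip"]))
```

To check a real file, pass the contents of the template path from the post above to `not_explicit` together with the protocol names from your own log messages.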