OPNsense Forum
Archive => 19.1 Legacy Series => Topic started by: ruggerio on November 09, 2018, 03:41:41 pm
-
Hi,
Since I updated to the beta, I do not see any entry in the alert tab of Suricata. Is it just logging drops/alerts there? Before, everything was being logged (allowed).
-
OK, I switched back to 18.7.7, downloaded the rules and alerts came back. Switched again to the beta, downloaded the rules and no further alerts were seen in the log.
-
Hi,
18.7.7-devel is using Suricata 4.1.0, not 4.0.6 -- we'll look into it before moving to 4.1 for the release.
Cheers,
Franco
-
OK - what I can say so far is that since changing to 19.1 beta, eve.json and rules.json aren't filled anymore. The last entry is from my 18.7.7 stable environment.
-
Geesh, I'm glad I found this.
I'm currently on
OPNsense 19.1.b_306-amd64
FreeBSD 11.2-RELEASE-p4-HBSD
OpenSSL 1.0.2q 20 Nov 2018
I thought it was just me and have been reconfiguring and playing around trying to see why I had no alerts :)
Seems I will be waiting for the next major updates.
-
I had to reset my OPNsense and my backups crashed. Therefore, I had to reinstall my machine.
I updated immediately to 19.1b... and it worked! I had log entries from Suricata. It seems that the "fresh" install solved the problem.
If the problem comes back, I'll report back.
-
As of the last update, again no more entries in the alert list of Suricata.
-
Err, are you using the /var MFS option? In that case reboot == no more logs.
Cheers,
Franco
-
Hi Franco,
Nope, System/Miscellaneous/Disk for /var is not ticked.
-
BTW, I installed an extension for Squid today; since today I get logs again (no reboot).
-
Might it be that the cron job for reloading the rules causes the problem?
Dec 30 00:03:05 suricata[11057]: [100111] <Notice> -- rule reload complete
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 6 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019822 and 1 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017756 and 15 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 3 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017246 and 1 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2016396 and 3 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2016113 and 32 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2014750 and 5 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2018103 and 6 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 11 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 5 other sigs
Since Dec 30, I have had no more logs until today.
-
Maybe it's just log rotation?
# ls -lah /var/log/suricata/
"Save logs" is set to 4 by default. But maybe it only ever reads the first in the GUI so when rotation kicks in the eve.json is cleared?
Cheers,
Franco
-
Strangely, the logs rotate in 7-day intervals. But according to the size of the latest files, eve.json gets cleared.
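Two things in this thread lend themselves to a scripted check: the SC_WARN_FLOWBIT warnings quoted from the rule-reload log, and the log-rotation suspicion raised at the end. The Python below is an added example, not code from the thread or from the OPNsense project. The suricata.log lines and eve.json records in it are constructed samples patterned on what was posted above; the file names (a live eve.json with rotated copies eve.json.0, eve.json.1, ...) and the single shared UTC offset in the timestamps are assumptions.

```python
# Added example (not code from this thread or from OPNsense): two checks for
# the symptoms discussed above. Assumes Suricata's default file names: the
# live EVE log is eve.json and rotated copies are eve.json.0, eve.json.1, ...
import json
import re
from pathlib import Path

# --- 1. SC_WARN_FLOWBIT warnings from the rule-reload log ---------------------
# Constructed sample in the same format as the lines quoted in the thread.
SAMPLE_SURICATA_LOG = """\
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
Dec 30 00:02:05 suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 6 other sigs
Dec 30 00:03:05 suricata[11057]: [100111] <Notice> -- rule reload complete
"""

FLOWBIT_RE = re.compile(
    r"SC_WARN_FLOWBIT\(\d+\)\] - flowbit '(?P<name>[^']+)' is checked but not set\. "
    r"Checked in (?P<sid>\d+) and (?P<others>\d+) other sigs"
)


def unset_flowbits(log_text):
    """Map each flowbit that is checked but never set to (first SID that checks
    it, total number of checking rules). Those rules cannot fire until the rule
    that sets the flowbit is enabled, but the warning itself is not an error."""
    found = {}
    for line in log_text.splitlines():
        m = FLOWBIT_RE.search(line)
        if m:
            found[m.group("name")] = (int(m.group("sid")), int(m.group("others")) + 1)
    return found


# --- 2. Is the live eve.json empty while rotated copies hold events? ----------
def _alert(ts, sid):
    return json.dumps({"timestamp": ts, "event_type": "alert",
                       "alert": {"signature_id": sid}})


# Constructed sample: the live file is empty (the symptom reported above),
# while the most recent rotated file still contains events.
SAMPLE_EVE_FILES = {
    "eve.json": "",
    "eve.json.0": "\n".join([
        _alert("2018-12-29T23:10:00.000000+0100", 2002029),
        json.dumps({"timestamp": "2018-12-29T23:11:00.000000+0100",
                    "event_type": "flow"}),
        "{not json",          # a truncated line, as rotation can leave behind
    ]) + "\n",
    "eve.json.1": _alert("2018-12-22T08:00:00.000000+0100", 2024241) + "\n",
}


def load_eve_dir(directory):
    """Read eve.json and its rotated siblings from a real log directory."""
    return {p.name: p.read_text(errors="replace")
            for p in Path(directory).glob("eve.json*")}


def summarize_eve(files):
    """Per file: parsed events, alerts, malformed lines and newest timestamp.
    Timestamps are compared as strings, which is valid for EVE's fixed-width
    ISO 8601 format as long as all records share one UTC offset (assumed)."""
    summary = {}
    for name, text in files.items():
        stats = {"events": 0, "alerts": 0, "malformed": 0, "newest": None}
        for line in text.splitlines():
            if not line.strip():
                continue
            try:
                ev = json.loads(line)
            except ValueError:
                stats["malformed"] += 1
                continue
            stats["events"] += 1
            if ev.get("event_type") == "alert":
                stats["alerts"] += 1
            ts = ev.get("timestamp")
            if ts and (stats["newest"] is None or ts > stats["newest"]):
                stats["newest"] = ts
        summary[name] = stats
    return summary


def live_log_cleared(summary, live="eve.json"):
    """True when the live file holds no events but a rotated copy does: a GUI
    that only reads the live file would then show an empty alert list."""
    live_events = summary.get(live, {}).get("events", 0)
    return live_events == 0 and any(
        s["events"] for n, s in summary.items() if n != live)


if __name__ == "__main__":
    for name, (sid, count) in sorted(unset_flowbits(SAMPLE_SURICATA_LOG).items()):
        print(f"flowbit {name!r}: never set, checked by {count} rule(s), e.g. sid {sid}")
    s = summarize_eve(SAMPLE_EVE_FILES)
    for name in sorted(s):
        print(name, s[name])
    print("live eve.json cleared by rotation:", live_log_cleared(s))
```

On a real box, replace SAMPLE_EVE_FILES with load_eve_dir("/var/log/suricata") and run it right after a rotation and again after the next rule reload; if the live file shows zero events while a rotated sibling has a recent newest timestamp, the data is still on disk and the problem is in what the GUI reads, not in detection. The SC_WARN_FLOWBIT lines are worth listing but are not the cause of an empty alert list: each one only means a rule checks a flowbit that no enabled rule sets, so that particular rule can never match, and every other rule keeps alerting.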