OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: ex2k3 on December 31, 2018, 01:48:02 pm

Title: IDS/IPS rules not working at all
Post by: ex2k3 on December 31, 2018, 01:48:02 pm
Hi,

I'm running the latest stable version; everything is fine, but Suricata seems not to work.

I tried some of the abuse.ch rules, urlhaus for example: the rules are downloaded, activated and set to block, but I can access any site from the list.

Same goes for GeoIP country block: I see a lot of Russian IPs on the firewall, so I set up a rule to block Russia, but nothing happens. No alerts from Suricata, but block actions on the firewall.

Hardware is a little Supermicro with Intel Atom and Intel NICs, 8 GB RAM, 120 GB SSD.
I went through the forum already for performance tuning and a Suricata guide, no success.
All services are running fine and I'm a bit clueless.

Edit: static IPv4 on WAN and LAN, bridged cable modem.


That's how the alerts look (timestamp, action, interface, source, source port, destination, destination port, signature):

2018-12-31T13:53:55.370905+0100  allowed  WAN  2.22.152.33      443    x.x.x.x          60301  SURICATA STREAM excessive retransmissions
2018-12-31T13:51:48.254029+0100  allowed  WAN  x.x.x.x          61759  2.20.248.154     443    SURICATA STREAM excessive retransmissions
2018-12-31T12:08:27.682942+0100  allowed  WAN  23.0.174.128     443    x.x.x.x          27980  SURICATA STREAM excessive retransmissions
2018-12-31T11:57:22.226768+0100  allowed  WAN  192.229.221.214  443    x.x.x.x          15499  SURICATA STREAM excessive retransmissions
2018-12-31T11:44:54.118050+0100  allowed  WAN  192.229.221.214  443    x.x.x.x          2291   SURICATA STREAM excessive retransmissions

Thanks for any help.
Title: Re: IDS/IPS rules not working at all
Post by: amichel on January 22, 2019, 06:23:27 pm
Hi,
did you disable hardware offloading?
amichel
Title: Re: IDS/IPS rules not working at all
Post by: ex2k3 on January 22, 2019, 06:53:11 pm
Hi,

yes, I did.
I'm still trying to get this to work, but even after upgrading last week it's not working.
Title: Re: IDS/IPS rules not working at all
Post by: xames on January 22, 2019, 08:47:44 pm
I have the same issue.
Title: Re: IDS/IPS rules not working at all
Post by: xames on January 23, 2019, 09:30:02 am
suricata: [100128] <Notice> -- Stats for 'ale0+': pkts: 53817, drop: 0 (0.00%), invalid chksum: 0

Is that normal? It says that for all interfaces: igb0, 1, 2, etc.
Title: Re: IDS/IPS rules not working at all
Post by: ex2k3 on January 23, 2019, 11:13:27 am
Same here:

Jan 19 10:22:47   suricata: [100163] <Notice> -- all 9 packet processing threads, 4 management threads initialized, engine started.
Jan 19 10:22:47   suricata: [100163] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
Jan 19 10:22:46   suricata: [100345] <Notice> -- This is Suricata version 4.1.2 RELEASE
Jan 19 10:22:46   suricata: [100163] <Notice> -- Stats for 'igb1+': pkts: 1923, drop: 0 (0.00%), invalid chksum: 0
Jan 19 10:22:46   suricata: [100163] <Notice> -- Stats for 'igb1': pkts: 3955, drop: 0 (0.00%), invalid chksum: 0
Title: Re: IDS/IPS rules not working at all
Post by: xames on January 23, 2019, 03:10:20 pm
I have IPS and IDS active with the social media filter, but from any client PC I can connect to Facebook, so I think it's active but not working. Why?
Title: Re: IDS/IPS rules not working at all
Post by: ex2k3 on January 23, 2019, 06:14:48 pm
I have IPS and IDS active with the social media filter, but from any client PC I can connect to Facebook, so I think it's active but not working. Why?

Exactly the same here: no alert, no block action (if set to drop).
Title: Re: IDS/IPS rules not working at all
Post by: xmichielx on January 24, 2019, 06:08:34 pm
Same here:

Jan 19 10:22:47   suricata: [100163] <Notice> -- all 9 packet processing threads, 4 management threads initialized, engine started.
Jan 19 10:22:47   suricata: [100163] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
Jan 19 10:22:46   suricata: [100345] <Notice> -- This is Suricata version 4.1.2 RELEASE
Jan 19 10:22:46   suricata: [100163] <Notice> -- Stats for 'igb1+': pkts: 1923, drop: 0 (0.00%), invalid chksum: 0
Jan 19 10:22:46   suricata: [100163] <Notice> -- Stats for 'igb1': pkts: 3955, drop: 0 (0.00%), invalid chksum: 0

Well, the "ERRCODE: SC_ERR_NO_RULES_LOADED(43)" message says a lot.
Did you first enable the ET rules that you want, apply, download new rules (you will see a date behind the ruleset that you've enabled), then set every ruleset to action drop (use the edit pencil behind every rule) and then click apply again?
Use Hyperscan for Intel NICs and enable IPS when you want to block.
Enable promiscuous mode if you have VLAN interfaces, and don't add VLAN interfaces to the interface list.
I would also add your LAN interface and not the WAN interface (default) if you want to block hosts on the abuse.ch ruleset.

Otherwise show a screenshot of your general settings and the rulesets which are enabled so we can see your settings.
Title: Re: IDS/IPS rules not working at all
Post by: ex2k3 on January 24, 2019, 09:32:43 pm
The "ERRCODE: SC_ERR_NO_RULES_LOADED(43)" only appears after upgrading to the latest version; before that I saw notifications.

I tried to load different rules, abuse.ch, changed from alert to block, used other rules, test rules, test viruses, nothing.

Before I posted I did a lot of searching in the forums, and I'm not new to this topic, sysadmin for over 20 years now.

I'm glad for any hint here; the next thing I'm gonna try is waiting for the next version and trying a fresh install.
(Everything else works fine, I have VPNs running as client, DHCP, NAT, you name it.)
Only this is giving me a hard time, coming from Sophos and switching many sites...
Title: Re: IDS/IPS rules not working at all
Post by: xames on January 25, 2019, 10:35:02 am
suricata: [100128] <Notice> -- Stats for 'ale0+': pkts: 53817, drop: 0 (0.00%), invalid chksum: 0

Only that appears for me. What is this?
Title: Re: IDS/IPS rules not working at all
Post by: xmichielx on January 25, 2019, 06:27:49 pm
The "ERRCODE: SC_ERR_NO_RULES_LOADED(43)" only appears after upgrading to the latest version; before that I saw notifications.

I tried to load different rules, abuse.ch, changed from alert to block, used other rules, test rules, test viruses, nothing.

Before I posted I did a lot of searching in the forums, and I'm not new to this topic, sysadmin for over 20 years now.

I'm glad for any hint here; the next thing I'm gonna try is waiting for the next version and trying a fresh install.
(Everything else works fine, I have VPNs running as client, DHCP, NAT, you name it.)
Only this is giving me a hard time, coming from Sophos and switching many sites...

Since you've been an admin for over 20 years: did you enable the SSH shell and check the files yourself to see what went wrong via the GUI?
I do agree that there are some bugs (hey, it's an RC, still not stable) after the upgrade for Suricata (there are some other topics about that), but I would check the files themselves on the system and see why the rules that are indeed enabled in the GUI are not enabled on the system.
Perhaps post some screenshots that might help us?
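A check that follows the two suggestions above (verify that the enabled rulesets actually loaded, and inspect the files over SSH), as an added example that is not from the thread: it counts the uncommented rules in each .rules file and pulls the SC_ERR_NO_RULES_LOADED warning and the per-interface stats out of suricata.log. The rules directory and log path are assumptions about an OPNsense install (override them with RULES_DIR and SURICATA_LOG); the sample data is constructed from the log lines quoted in the thread.

```shell
#!/bin/sh
# Why does Suricata report SC_ERR_NO_RULES_LOADED? Count the rules that are
# really enabled in each .rules file and read the interface stats from the log.
# Paths are assumptions about an OPNsense install, not taken from the thread.
RULES_DIR="${RULES_DIR:-/usr/local/etc/suricata/opnsense.rules}"
SURICATA_LOG="${SURICATA_LOG:-/var/log/suricata/suricata.log}"

# count_active_rules FILE: number of rule lines that are not commented out.
# A ruleset that is "enabled" in the GUI but whose file holds only '#' lines
# produces exactly "1 rule files specified, but no rule was loaded at all!".
count_active_rules() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c -E '^[[:space:]]*(alert|drop|pass|reject)[[:space:]]' "$1" || true
}

# rules_loaded LOG: "no" if Suricata logged SC_ERR_NO_RULES_LOADED, else "yes"
rules_loaded() {
    if grep -q 'SC_ERR_NO_RULES_LOADED' "$1"; then echo no; else echo yes; fi
}

# iface_stats LOG: one "<iface> <pkts> <drop>" line per "Stats for" notice
iface_stats() {
    sed -n "s/.*Stats for '\([^']*\)': pkts: \([0-9]*\), drop: \([0-9]*\).*/\1 \2 \3/p" "$1"
}

# report DIR LOG: summary that can be pasted back into a thread like this one
report() {
    total=0
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        n=$(count_active_rules "$f")
        echo "$n active rules in $(basename "$f")"
        total=$((total + n))
    done
    echo "total active rules: $total"
    echo "suricata reports rules loaded: $(rules_loaded "$2")"
    iface_stats "$2" | while read -r i p d; do echo "iface $i pkts=$p drop=$d"; done
}

# make_sample DIR: constructed test data, not real rulesets: one file with every
# rule commented out, one with two live rules, and a log with the warning.
make_sample() {
    mkdir -p "$1"
    printf '# alert tcp any any -> any 80 (msg:"disabled"; sid:1;)\n' > "$1/abuse-urlhaus.rules"
    printf 'alert tcp any any -> any 80 (msg:"a"; sid:2;)\ndrop ip any any -> any any (msg:"b"; sid:3;)\n# alert ip any any -> any any (msg:"c"; sid:4;)\n' > "$1/emerging-test.rules"
    printf '%s\n' "suricata: [100163] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!" \
        "suricata: [100163] <Notice> -- Stats for 'igb1+': pkts: 1923, drop: 0 (0.00%), invalid chksum: 0" > "$1/suricata.log"
}
# On the firewall itself: report "$RULES_DIR" "$SURICATA_LOG"
```

A total of 0 active rules while the GUI shows the ruleset as enabled points at the rule files, not at the NIC or the interface selection.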
Title: Re: IDS/IPS rules not working at all
Post by: ex2k3 on January 25, 2019, 06:55:26 pm
I was talking about the latest stable version, not the RC :)

I will investigate this further as soon as I find some time, and sure, I can post some screenshots.
Checked the processes via SSH of course, but not the files, since I don't know how they have to look.
Title: Re: IDS/IPS rules not working at all
Post by: ruggerio on March 11, 2019, 09:01:56 am
Those messages here:

 suricata: [100163] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!

I got rid of them by downloading ALL the rules except the OPNsense ones. So there must be some kind of dependency between the rules which isn't resolved?

Roger
Title: Re: IDS/IPS rules not working at all
Post by: hero on June 27, 2019, 04:52:11 pm
In my case I have this error:

suricata: [100325] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.

I only have the abuse.ch rules activated, but the result is the same if I activate all rules.