OPNsense Forum
Archive => 19.1 Legacy Series => Topic started by: soleilblanc on February 20, 2019, 01:36:10 pm
-
Hello All,
Under IDS/Administration/Alerts, the logs are rotating but show empty since the upgrade to 19.1 (system was rock solid before the upgrade).
The /var/log/suricata/eve.json files are empty; the stats.log accumulates the starts as normal.
So far, I've restarted the service, deactivated syslog and re-activated it.
Under the IDS/Log file I see those errors:
ERRCODE: SC_WARN_FLOWBIT(306)
Any help is appreciated
Jon
-
Hello,
Try to deactivate Snort VRT rules.
I was using the 29120 version, and it seems Suricata does not love it.
Since giving up Snort rules, no more ERRCODE: SC_WARN_FLOWBIT(306) and Suricata just works well.
Bertrand
-
I have the same issue and I don't even have the Snort rules installed. I'm using the ET Telemetry edition with a couple of the OPNsense rules.
No error in the log for Suricata either that I could see. I even tried causing some alerts by using the OPNsense social media ruleset and it won't pick up anything in the log either.
-
Only using some abuse and some ET for rulesets. So no Snort here either.
-
I'm surprised this thread went quiet because I'm still not seeing alerts on 19.1.2, except for "ET INFO Session Traversal Utilities for NAT (STUN Binding Request)". That's the only thing I saw all of Feb, while usually I see a lot of activity in the alerts list.
Using ET Telemetry and abuse.ch rules, tried both Aho-Corasick and Hyperscan, no difference.
Did it start working for the other people that posted here?
-
Still broken here. Since there are so few answers, I'll probably do a fresh install over a weekend and restore my backup. I suspect it may not impact everyone, so likely something got weird in the upgrade process to 19.
I'll follow up my post when/if I have a resolution.
Sol
-
I just noticed the same behavior, tried reinstalling but nothing changed.
-
Same issue here, also started a thread: https://forum.opnsense.org/index.php?topic=11901.0
br
-
Still didn't have time to get around to doing an upgrade.
My setup does not use PPPoE, it's plain Ethernet from the modem so IPS should be working.
Sol