OPNsense Forum
English Forums => Intrusion Detection and Prevention => Topic started by: opnrules on August 03, 2020, 09:31:53 pm
-
Two separate issues with similar but slightly different Errors (1).
I can download the rules without a problem and have them all set to drop.
After I installed the non commercial rule from the plugins, Error reconfiguring IDS: Error (1) started to occur.
I've since removed that package but the issue persists whenever I download & update rules or make any other change to the settings. Since this started the Rules tab just loads but never shows any results. The IDS however seems to be running.
The other problem I have (and had before above started) is that I also get Error (1) when selecting Hyperscan instead of default.
Is there a way to purge/reset the IDS completely? Could this be related to low memory? Any ideas how to fix this?
Searches for Error (1) in this forum did not yield any results.
Thanks for any suggestions.
-
Not sure this is any help, but I run OPNsense as a VM on Proxmox.
I believe Hyperscan is for Intel Architecture CPUs so will only run successfully against those.
When I select a non Intel type CPU for my OPNsense VM via Proxmox and select Hyperscan, I will get Error (1).
-
I'm actually using Hyperscan with my AMD GX-412TC and it works, no errors so far...
-
I have the same issue. Still trying to figure out why Suricata has that many issues with rules since 20.7
-
I am running an Intel 210 and i350 NICs and am getting the error in 20.7.
-
Any update on this as I am having the same issue, and started after installing the non-commercial rules plugin.
Error reconfiguring IDS
error installing ids rules (Error (1))
-
I am running an Intel 210 and i350 NICs and am getting the error in 20.7.
These are network cards, Hyperscan is CPU related.
@opnrules
Hardware specs?
-
Same problem here with ET telemetry edition. Rule download ends in Error (1).
Suricata seems to work though, got fresh alarms today.
-
Same problem
-
same error!
-
I unchecked all interfaces and afterwards checked them again. Now the error is gone....
-
I tried to uncheck all interfaces and checked them again but the error still exists
-
I used "clear all", perhaps this matters???
-
No luck unchecking or using clear either, error persists.
-
OK, first I reinstalled the Suricata package, but the error still existed.
Then I used "clear all" and the error was gone.
Perhaps it was just good luck....
-
New Error Message
-
Any fixes for this error?
-
I had the same problems downloading the rules.
I disabled Suricata and then I deleted all directories and files under /usr/local/etc/suricata/opnsense.rules/
Reload the config page and activate IDS, then download the rules and all works fine.
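
An added example, not part of the post above or of OPNsense: a guarded way to empty the rules directory named in that post, run from a root shell with IDS disabled as described. The function name and the backup location are assumptions; the path checks are there because a single stray space in an `rm -rf` path turns `/` into its own argument.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with OPNsense).
# Default target is the directory quoted in the post above.
RULES_DIR_DEFAULT="/usr/local/etc/suricata/opnsense.rules"

# purge_rules_dir DIR BACKUP_DIR
# Archives DIR, then deletes its contents while keeping DIR itself.
# Returns 2 and touches nothing if DIR does not look like the rules directory.
purge_rules_dir() {
    dir="${1%/}"          # strip one trailing slash; "/" becomes ""
    backup_dir="$2"

    # Reject empty, root, or relative paths.
    case "$dir" in
        ""|/) echo "refusing: empty or root path" >&2; return 2 ;;
        /*)   ;;
        *)    echo "refusing: path must be absolute: $dir" >&2; return 2 ;;
    esac
    # Only operate on a directory actually named opnsense.rules.
    [ "$(basename "$dir")" = "opnsense.rules" ] || {
        echo "refusing: unexpected directory name: $dir" >&2; return 2; }
    # Must be a real directory, not a symlink pointing somewhere else.
    [ -d "$dir" ] && [ ! -L "$dir" ] || {
        echo "refusing: not a plain directory: $dir" >&2; return 2; }

    # Archive first so the previous rule files can be restored.
    mkdir -p "$backup_dir" || return 1
    archive="$backup_dir/opnsense.rules.$(date +%Y%m%d%H%M%S).tar.gz"
    tar -czf "$archive" -C "$(dirname "$dir")" "$(basename "$dir")" || return 1

    # Remove the contents only; the directory stays in place.
    find "$dir" -mindepth 1 -delete || return 1
    echo "$archive"       # path of the backup, for the caller
}

# Usage (backup path is an assumption):
#   purge_rules_dir "$RULES_DIR_DEFAULT" /root/rules-backup
```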
-
Removing os-intrusion-detection-content-pt-open-1.0 fixed it for me, I am solely using the ET Telemetry ruleset now without problems it seems.
-
To me this happened when IDS process was not running:
https://github.com/opnsense/core/issues/4346
This means that the action worked in general but after this it tries to restart the process which fails, but the reload of rules works
-
I updated to 7.3
The problem is still not corrected. There are errors when updating Suricata rules.
Is there any solution?
-
configd.log please when error appears
-
So I am not sure if it is related, but I was also having problems when rules were being reloaded every night via cron. At first I thought it was the abuse.ch rulesets, so I loaded smaller groups of rulesets at a time, it would only fail on the ET rulesets. So I am not sure if this is an issue on ET's end but in the meantime I've just learned to live with it. Sometimes it works, some nights it doesn't.
-
Still got the same problem with the newest OPNsense version. Any update how to fix that?
-
Exactly the same error, but IDS works.
the error disappears after deletion
rm -rf /usr/local/etc/suricata/
BUT! >:(
IDS stops working immediately after enabling ClamAV + ICAP.
-
Because you have too little RAM? ClamAV needs 2 GB alone.
-
Because you have too little RAM? ClamAV needs 2 GB alone.
Yes, it’s out of memory!
I have enabled all IDS rules for the test.
Perhaps there is a recommendation for the minimum settings for the IDS rules?
-
I would never use it with less than 8
-
Issue still persists, Suricata quits periodically over night (even when there is nearly no traffic).
-
Are you on 21.7.7?
-
Yes.
-
Exactly the same error, but IDS works.
the error disappears after deletion
rm -rf /usr/local/etc/suricata/
BUT! >:(
IDS stops working immediately after enabling ClamAV + ICAP.
Where do you apply rm - is there a terminal through the webinterface where you can do this?
-
OK, first I reinstalled the Suricata package, but the error still existed.
Then I used "clear all" and the error was gone.
Perhaps it was just good luck....
I am having the same issue with one box, what do you mean with clear all?
Thank you
-
On a clean install of Opnsense 22.1 the error still appears.
-
Could it be memory related? Not enough memory on low-power boxes?
-
No, I have on my Opnsense mini-pc 8 GB of memory. Opnsense + Suricata take up 15% of memory.
-
Running 22.1 on a Protectli Mini PC. I got the error as well upon enabling IPS. Didn't get the error when running in IDS mode. Rebooting the device seems to have fixed it for me and IPS is running normally.
-
Running 22.1 on a Protectli Mini PC. I got the error as well upon enabling IPS. Didn't get the error when running in IDS mode. Rebooting the device seems to have fixed it for me and IPS is running normally.
I have the same exact setup and error.
-
Had the issue today as well after modifying policies. Added a "%" in the policy description and this broke regeneration of rules. Removing "%" fixed it.
Since sqlite is used in the backend, I assume the policy descriptions are not properly escaped and can break SQL statements if certain characters are used. It may not be the only reason for this error but it is one possible cause.