OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Georg on July 05, 2021, 08:51:28 pm

Title: Suricata - only latest alerts are shown
Post by: Georg on July 05, 2021, 08:51:28 pm
Hello everyone, I need your help, maybe some of you know a solution. Thank you in advance.

# STORY
I've been running Suricata for 2 years now. 2 days ago I had to reload some rules because I had some rules only on "alert" and not on "drop". And some of them I was not able to switch from alert to drop.

# WHAT I DID
Disabled Intrusion detection.
Restart.
Disabled all Sources in 'Download'.
Uninstalled 'os-intrusion-detection-content-et-open 1.0.1'.
Restart.
Installed 'os-intrusion-detection-content-et-open 1.0.1'.
Enabled all Sources in 'Download' and waited.
Enabled all rules which are not on drop by default via 'imported legacy import filter'.

--> Yes, Intrusion Detection is working, I've tested it. But...

# PROBLEM NOW
I get some alerts on the 'Alerts' tab, but only 7 of them. I can't switch to page 2, because then "No results found!". I can't search either, nor increase the number of shown alerts, nor refresh. The log time shows only the time when the last alert was found.
This is pretty problematic, because then I can't find rules which may have blocked legit traffic. I added a screenshot.

# SYSTEM
OPNsense 21.1.7_1

# PLUGINS
os-etpro-telemetry 1.4_2
os-intrusion-detection-content-et-open 1.0.1

# BACKEND LOG
--> nothing really useful
2021-07-05T20:42:25   configd.py[68884]   [916c3623-265e-40cd-aed6-2eb1c0cc4c87] Show log   
2021-07-05T20:42:24   configd.py[68884]   [7f849c6c-f86d-4171-bc2e-8630f72c35f0] Show log   
2021-07-05T20:42:22   configd.py[68884]   [d928641c-d3c9-48a5-abe4-055de86a1d84] Show log   
2021-07-05T20:42:11   configd.py[68884]   [fdaa5973-60df-46cf-8fec-b49f4f8e7c5e] get suricata daemon status   
2021-07-05T20:42:11   configd.py[68884]   [50eeac4f-2a04-48bf-b674-fd4c32bacd37] request suricata rule metadata   
2021-07-05T20:42:11   configd.py[68884]   [8ce79beb-1882-4c41-bf18-9bca9e60c698] Show log


Any ideas why the alert log is missing or only showing the first page and forgetting all other alerts? Did I miss something?  :o
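When the GUI's alert list misbehaves like this, a defender still wants to know whether the alerts themselves were lost or only their display. Suricata writes every event to its EVE JSON log, so the raw log can be read independently of the web UI. The script below is an added example, not OPNsense or Suricata code: it parses EVE lines, keeps only `alert` events, skips a truncated line instead of stopping at it, and offers the three things the post says the GUI could not do (page past the first 7 entries, search by signature ID or action, and summarise blocked vs. allowed). The log path, the sample events and the signature IDs in them are assumptions constructed for the example; the page size of 7 is taken from the post.

```python
"""Independent check of Suricata alerts straight from the EVE JSON log.

Added example for the thread above; not OPNsense's or Suricata's own code.
Assumes Suricata's EVE output (one JSON object per line). The log path and
all sample events below are constructed assumptions.
"""
import json
from typing import Dict, Iterable, Iterator, List, Optional

EVE_LOG_PATH = "/var/log/suricata/eve.json"  # assumed location; adjust for your install
PER_PAGE = 7  # the page size the GUI showed in the thread


def _constructed_eve_lines() -> List[str]:
    """Build a small constructed EVE log: 9 alerts, 1 flow record, 1 broken line."""
    lines = []
    for i in range(9):
        event = {
            "timestamp": f"2021-07-05T20:40:{i:02d}.000000+0200",
            "event_type": "alert",
            "src_ip": f"192.0.2.{10 + i}",          # RFC 5737 documentation range
            "dest_ip": "198.51.100.5",
            "alert": {
                "signature_id": 2100498 if i % 3 == 0 else 2013028,  # constructed SIDs
                "signature": "constructed test signature",
                "action": "blocked" if i % 2 == 0 else "allowed",
            },
        }
        lines.append(json.dumps(event))
    # A non-alert event and a truncated line, as a real log may contain.
    lines.insert(3, json.dumps({"timestamp": "2021-07-05T20:40:03.500000+0200",
                                "event_type": "flow"}))
    lines.append('{"timestamp":"2021-07-05T20:40:09.000000+0200","event_type":"al')
    return lines


def iter_alerts(lines: Iterable[str]) -> Iterator[dict]:
    """Yield only alert events; skip other event types and unparsable lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # one damaged line must not hide the rest of the log
        if event.get("event_type") == "alert":
            yield event


def load_alerts(path: str = EVE_LOG_PATH) -> List[dict]:
    """Read every alert from the on-disk EVE log (path is an assumption)."""
    with open(path, encoding="utf-8") as fh:
        return list(iter_alerts(fh))


def search(alerts: Iterable[dict], sid: Optional[int] = None,
           action: Optional[str] = None) -> List[dict]:
    """Filter alerts by signature ID and/or action ('allowed' or 'blocked')."""
    matches = []
    for alert in alerts:
        meta = alert.get("alert", {})
        if sid is not None and meta.get("signature_id") != sid:
            continue
        if action is not None and meta.get("action") != action:
            continue
        matches.append(alert)
    return matches


def page(alerts: List[dict], number: int, per_page: int = PER_PAGE) -> List[dict]:
    """Return page `number` (1-based), newest first, like the GUI's alert list."""
    if number < 1 or per_page < 1:
        raise ValueError("page number and page size must be >= 1")
    ordered = sorted(alerts, key=lambda a: a["timestamp"], reverse=True)
    start = (number - 1) * per_page
    return ordered[start:start + per_page]


def count_by_action(alerts: Iterable[dict]) -> Dict[str, int]:
    """How many alerts were only logged versus actually dropped."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        action = alert.get("alert", {}).get("action", "unknown")
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    # Use load_alerts() against the real log; the constructed lines keep this runnable offline.
    alerts = list(iter_alerts(_constructed_eve_lines()))
    print(f"{len(alerts)} alerts total, {count_by_action(alerts)}")
    for n in (1, 2, 3):
        print(f"page {n}: {len(page(alerts, n))} entries")
    blocked_sids = sorted({a["alert"]["signature_id"] for a in search(alerts, action="blocked")})
    print("signatures that blocked traffic:", blocked_sids)
```

The `count_by_action` and `search(..., action="blocked")` views answer the post's actual worry (which rules dropped legitimate traffic) without depending on the GUI at all, and comparing `len(load_alerts())` with what the Alerts tab shows distinguishes a display bug from lost data.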
Title: Re: Suricata - only latest alerts are shown
Post by: franco on July 06, 2021, 07:29:56 am
See https://github.com/opnsense/core/commit/85dd2fcaa5f

Fix via:

# opnsense-patch 85dd2fcaa5f

(Will be fixed in 21.1.8 tomorrow.)


Cheers,
Franco
Title: Re: Suricata - only latest alerts are shown
Post by: Georg on July 06, 2021, 10:08:07 am
That's good news, I was afraid that I had shot my config, puh.
Next time I will check GitHub first, thanks : )