OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: Space on March 20, 2018, 11:24:41 pm

Title: No IPv6 if IPS is active
Post by: Space on March 20, 2018, 11:24:41 pm
Hi,

once I activate the IPS button in the Intrusion Detection there is no IPv6 announced on the internal networks anymore. WAN is set to DHCPv6 and does get its IPv6 address but the internal interfaces (LAN/OPT1) do not get any IPv6 address / prefix anymore. DHCPv6 Server does not start anymore.

I will check tomorrow if I find anything in the logs. Or is this issue already known?

Thanks and best regards,

    Space
Title: Re: No IPv6 if IPS is active
Post by: Space on March 21, 2018, 08:44:29 am
I see the following in IDS alerts:

Code:
Timestamp 2018-03-21T08:40:56.980402+0100
Alert SURICATA UDPv6 invalid checksum

But it's configured to alert only ... In dhcp.log I see the following:

Code:
Mar 21 08:30:50 OPNvirt dhcp6c[46361]: Sending Solicit
Mar 21 08:32:38 OPNvirt dhcp6c[46361]: Sending Solicit

Is there some rule that needs to be deactivated?
Title: Re: No IPv6 if IPS is active
Post by: Space on March 21, 2018, 08:57:09 am
For testing I have disabled all Rulesets for Suricata --> still no success. But in IDS alerts I only see alerts, no drops ...
Title: Re: No IPv6 if IPS is active
Post by: Space on April 10, 2018, 04:31:45 pm
Hi,

can anyone give me a hint how to analyse the problem? With 17.7.x it was working fine but with 18.1.6 it still does not work. As soon as I enable IPS mode there is no IPv6 prefix configured on any of the internal interfaces. Only the WAN interface does have an IPv6 IP.

And as soon as I disable IPS the internal interfaces acquire an IPv6 IP as well.

Best regards,

    Space
Title: Re: No IPv6 if IPS is active
Post by: fabian on April 10, 2018, 04:43:48 pm
check the logs - maybe a rule blocks it (false positive?).
Title: Re: No IPv6 if IPS is active
Post by: BeNe on April 10, 2018, 04:57:44 pm
I can confirm this problem!
Did not try to debug the problem but I'm willing to help, of course.
Had this behavior also in previous OPNsense versions.
Title: Re: No IPv6 if IPS is active
Post by: Space on April 10, 2018, 05:19:51 pm
Quote
check the logs - maybe a rule blocks it (false positive?).

I found it ... I had to add ff02::1 to home networks in suricata settings. This is probably the case because the following option was disabled for dhcpv6 client configuration:

Code:
Use IPv4 connectivity
But with 17.x it must have worked because I know that I had it running like that at some point in time ... But maybe it would make sense to add ff02::1 to home networks by default.
Title: Re: No IPv6 if IPS is active
Post by: Space on April 10, 2018, 05:22:28 pm
Huh, now it's gone again :( I need to double check ...
Title: Re: No IPv6 if IPS is active
Post by: Space on April 10, 2018, 05:32:31 pm
Ok, I need to continue research ... at first I thought it was because I added ff02::1 to home networks ... but then I noticed that the IPS button was not active ... so I activated it and again it did not work ... so I removed ff02::1 again and now it works by restarting suricata ... go figure.

I just can't find anything in the logs that gives me a direction to continue analysis. Where can I find details on console if suricata IPS drops something?
Title: Re: No IPv6 if IPS is active
Post by: Space on April 10, 2018, 06:20:51 pm
And after renewing the lease of the FritzBox it does not work anymore ... at all ... even with IPS off ...

EDIT: there are multiple dhcp6c running:

Code:
root@OPNvirt:~ # ps aux | grep dhcp6c
root    2294   0.0  0.1 1074180   2812  -  Ss   18:04    0:00.02 /usr/local/sbin/dhcp6c -dn -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_
root   13561   0.0  0.1 1074180   2812  -  Ss   18:10    0:00.00 /usr/local/sbin/dhcp6c -dn -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_
root   24167   0.0  0.1 1074180   2820  -  Is   18:05    0:00.00 /usr/local/sbin/dhcp6c -dn -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_
root   72817   0.0  0.1 1074180   2816  -  Is   18:11    0:00.00 /usr/local/sbin/dhcp6c -Dn -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_


EDIT2: after a reboot it at least gets the IPv6 address again if IPS is disabled ... need to do some other work now :(
Title: Re: No IPv6 if IPS is active
Post by: franco on April 10, 2018, 07:41:08 pm
The multi dhcp6c should be a thing of the pasta in 18.1.7 due to Martin's work. We're almost there...


Cheers,
Franco
Title: Re: No IPv6 if IPS is active
Post by: Space on April 10, 2018, 08:30:11 pm
Hi Franco,

great ... if there is any patch to test, just let me know :)

In the meantime I created some debug logs (which works with 18.1 :) )

- with IPS enabled:

Code:
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: a new XID (601c8d) is generated
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: set client ID (len 14)
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: set elapsed time (len 2)
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: set option request (len 4)
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: set IA_PD prefix
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: set IA_PD
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: send solicit to ff02::1:2%igb1
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: reset a timer on igb1, state=SOLICIT, timeo=0, retrans=1091
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: Sending Solicit
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: set client ID (len 14)
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: set elapsed time (len 2)
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: set option request (len 4)
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: set IA_PD prefix
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: set IA_PD
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: send solicit to ff02::1:2%igb1
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: reset a timer on igb1, state=SOLICIT, timeo=1, retrans=2083
Apr 10 20:20:49 OPNvirt dhcp6c[35283]: Sending Solicit

- with IPS disabled:

Code:
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: a new XID (31012e) is generated
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: set client ID (len 14)
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: set elapsed time (len 2)
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: set option request (len 4)
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: set IA_PD prefix
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: set IA_PD
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: send solicit to ff02::1:2%igb1
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: reset a timer on igb1, state=SOLICIT, timeo=0, retrans=1091
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: receive advertise from fe80::2656:11ff:fe6c:3174%igb1 on igb1
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option client ID, len 14
Apr 10 20:22:32 OPNvirt dhcp6c[53019]:   DUID: 00:01:00:01:22:0f:8a:61:f4:ce:46:a8:9b:f4
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option server ID, len 10
Apr 10 20:22:32 OPNvirt dhcp6c[53019]:   DUID: 00:03:00:01:24:65:11:6c:37:14
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option preference, len 1
Apr 10 20:22:32 OPNvirt dhcp6c[53019]:   preference: 0
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option DNS, len 16
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option opt_86, len 16
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: unknown or unexpected DHCP6 option opt_86, len 16
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option IA_PD, len 41
Apr 10 20:22:32 OPNvirt dhcp6c[53019]:   IA_PD: ID=0, T1=1800, T2=2880
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option IA_PD prefix, len 25
Apr 10 20:22:32 OPNvirt dhcp6c[53019]:   IA_PD prefix: 2a03:f590:c803:f1f0::/60 pltime=3600 vltime=335467976956320800
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: server ID: 00:03:00:01:24:65:11:6c:37:14, pref=0
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: reset timer for igb1 to 0.996209

So with IPS enabled the advertise is not received ... I will install Wireshark so I can trace on the Fritzbox if the advertise is sent in both cases. Is there anything else I can test?

Thanks,

    Space
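The comparison Space made by eye (Solicits go out, but with IPS enabled no Advertise ever comes back) can be automated. The script below is an added example and not part of the thread or of OPNsense: it parses dhcp6c debug lines, counts Solicits sent versus Advertises received per dhcp6c process, records the responding server and any delegated prefix, and returns a verdict. The sample lines are the ones posted above, trimmed to what the analysis needs; the regexes only rely on the message formats visible in those lines.

```python
import re
from dataclasses import dataclass, field

# Sample input: dhcp6c debug lines as posted in the thread, trimmed to the
# lines that matter (one run with IPS enabled, one with it disabled).
LOG_IPS_ON = """\
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: a new XID (601c8d) is generated
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: send solicit to ff02::1:2%igb1
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: reset a timer on igb1, state=SOLICIT, timeo=0, retrans=1091
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: Sending Solicit
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: send solicit to ff02::1:2%igb1
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: reset a timer on igb1, state=SOLICIT, timeo=1, retrans=2083
Apr 10 20:20:49 OPNvirt dhcp6c[35283]: Sending Solicit
"""

LOG_IPS_OFF = """\
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: a new XID (31012e) is generated
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: set IA_PD prefix
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: send solicit to ff02::1:2%igb1
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: receive advertise from fe80::2656:11ff:fe6c:3174%igb1 on igb1
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option IA_PD prefix, len 25
Apr 10 20:22:32 OPNvirt dhcp6c[53019]:   IA_PD prefix: 2a03:f590:c803:f1f0::/60 pltime=3600 vltime=335467976956320800
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: server ID: 00:03:00:01:24:65:11:6c:37:14, pref=0
"""

# syslog prefix: "Mon DD HH:MM:SS host dhcp6c[pid]: message"
LINE_RE = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ dhcp6c\[(?P<pid>\d+)\]: (?P<msg>.*)$')
ADVERTISE_RE = re.compile(r'^receive advertise from (\S+) on (\S+)$')
# only the line that carries the offered prefix has "IA_PD prefix:" with a colon
PREFIX_RE = re.compile(r'IA_PD prefix: (\S+) pltime=(\d+) vltime=(\d+)')


@dataclass
class Dhcp6cRun:
    """What one dhcp6c process did during the captured log window."""
    pid: int
    solicits_sent: int = 0
    advertises: int = 0
    servers: list = field(default_factory=list)   # link-local source of each Advertise
    prefixes: list = field(default_factory=list)  # delegated prefixes offered to us


def analyse(log_text):
    """Group dhcp6c log lines by process id and tally the DHCPv6 exchange."""
    runs = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dhcp6c line, e.g. output of another daemon
        pid = int(m.group('pid'))
        msg = m.group('msg').strip()
        run = runs.setdefault(pid, Dhcp6cRun(pid))
        if msg.startswith('send solicit to '):
            run.solicits_sent += 1
        elif (adv := ADVERTISE_RE.match(msg)):
            run.advertises += 1
            run.servers.append(adv.group(1))
        elif (pfx := PREFIX_RE.search(msg)):
            run.prefixes.append(pfx.group(1))
    return runs


def verdict(run):
    """Classify a run: where in the Solicit/Advertise exchange did it stall?"""
    if run.solicits_sent == 0:
        return 'NO_SOLICIT'          # client never transmitted: interface/config problem
    if run.advertises == 0:
        return 'NO_ADVERTISE'        # Solicits left, nothing came back: look at the path (filter/IPS/upstream)
    if not run.prefixes:
        return 'ADVERTISE_WITHOUT_PREFIX'  # server answered but delegated no IA_PD
    return 'OK'


if __name__ == '__main__':
    for label, text in (('IPS enabled', LOG_IPS_ON), ('IPS disabled', LOG_IPS_OFF)):
        for run in analyse(text).values():
            print(f'{label}: dhcp6c[{run.pid}] solicits={run.solicits_sent} '
                  f'advertises={run.advertises} prefixes={run.prefixes} -> {verdict(run)}')
```

On a live box the same function can be fed the dhcp log (the thread's lines come from dhcp.log with dhcp6c debugging turned on); a NO_ADVERTISE verdict tells you the Solicit left the client and nothing answered, which is exactly the distinction between "dhcp6c is broken" and "something between WAN and the DHCPv6 server is eating the exchange".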
Title: Re: No IPv6 if IPS is active
Post by: franco on April 10, 2018, 08:33:53 pm
Hi Space,

If you can, you could test the development version that comes with 18.1.6. I have this running in my office with DHCPv6 on WAN. dhcp6c won't get stuck, but I'm not sure if Suricata will allow the IPv6 packets to flow. If it's that then maybe Suricata is running on WAN and blocking your requests/responses prematurely?


Cheers,
Franco
Title: Re: No IPv6 if IPS is active
Post by: Space on April 10, 2018, 11:20:40 pm
Hi Franco,

I have upgraded to the dev version and rebooted. Directly after the reboot IPv6 was available on all interfaces (because suricata service was not yet started). As soon as suricata was running IPv6 became unavailable on the internal interfaces and only the WAN interface still has an IPv6 IP.

FYI: I have suricata enabled only on the WAN interface. Home networks are only the ones from the internal interfaces but not the network from the WAN interface. But even when I added that as home network as well it did not make any difference.

Since it did work with 17.7.x ... what was upgraded when moving to 18.1? Do we have a new suricata version?

Cheers, Space
Title: Re: No IPv6 if IPS is active
Post by: marjohn56 on April 11, 2018, 12:22:16 am
Quote
The multi dhcp6c should be a thing of the pasta in 18.1.7 due to Martin's work. We're almost there...


Cheers,
Franco

Pasta?

Were you hungry when you typed the message?  :P
Title: Re: No IPv6 if IPS is active
Post by: BeNe on April 11, 2018, 08:18:51 am
Quote
check the logs - maybe a rule blocks it (false positive?).
Where can I find the correct log file?

My Suricata log file is empty
Code:
File /var/log/suricata.log yielded no results.
Can I run suricata in the foreground in verbose mode? Maybe I can collect some helpful information there
Title: Re: No IPv6 if IPS is active
Post by: marjohn56 on April 11, 2018, 08:24:31 am
Have a look in /var/log/suricata/
Title: Re: No IPv6 if IPS is active
Post by: BeNe on April 11, 2018, 10:29:51 am
Nothing helpful in here:

Code:
root@opnsense:/var/log/suricata # ls -l
total 14816
-rwx------  1 root  wheel         0 Mar 13 14:58 eve.json
-rwx------  1 root  wheel  15107202 Apr 11 10:21 stats.log
root@opnsense:/var/log/suricata #

stats.log
Code:
/var/log/suricata # tail -n 50 stats.log
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 19318
decoder.pkts                               | Total                     | 19318
decoder.bytes                              | Total                     | 5919169
decoder.ipv4                               | Total                     | 16498
decoder.ipv6                               | Total                     | 2806
decoder.ethernet                           | Total                     | 19318
decoder.tcp                                | Total                     | 16479
decoder.udp                                | Total                     | 2611
decoder.icmpv4                             | Total                     | 166
decoder.icmpv6                             | Total                     | 43
decoder.teredo                             | Total                     | 2
decoder.avg_pkt_size                       | Total                     | 306
decoder.max_pkt_size                       | Total                     | 1506
flow.tcp                                   | Total                     | 129
flow.udp                                   | Total                     | 255
flow.icmpv6                                | Total                     | 15
tcp.sessions                               | Total                     | 109
tcp.syn                                    | Total                     | 120
tcp.synack                                 | Total                     | 136
tcp.rst                                    | Total                     | 32
tcp.stream_depth_reached                   | Total                     | 1
tcp.overlap                                | Total                     | 4
app_layer.flow.http                        | Total                     | 45
app_layer.tx.http                          | Total                     | 47
app_layer.flow.smtp                        | Total                     | 6
app_layer.tx.smtp                          | Total                     | 6
app_layer.flow.tls                         | Total                     | 35
app_layer.flow.failed_tcp                  | Total                     | 4
app_layer.flow.dns_udp                     | Total                     | 220
app_layer.tx.dns_udp                       | Total                     | 220
app_layer.flow.failed_udp                  | Total                     | 35
flow_mgr.closed_pruned                     | Total                     | 20
flow_mgr.new_pruned                        | Total                     | 138
flow.spare                                 | Total                     | 10002
flow_mgr.flows_checked                     | Total                     | 7
flow_mgr.flows_notimeout                   | Total                     | 5
flow_mgr.flows_timeout                     | Total                     | 2
flow_mgr.flows_timeout_inuse               | Total                     | 1
flow_mgr.flows_removed                     | Total                     | 1
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65528
flow_mgr.rows_empty                        | Total                     | 1
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 2867200
tcp.reassembly_memuse                      | Total                     | 903192
dns.memuse                                 | Total                     | 48189
http.memuse                                | Total                     | 7837
flow.memuse                                | Total                     | 6817024

--> decoder.icmpv6                             | Total                     | 43
Maybe ICMP is blocked? But there is nothing in the logs.

Enable suricata => No problems, no Logs
Enable IPS Mode => No more IPv6 prefix for the lan (WAN IPv6 still exists), no Logs

I just enabled the four abuse.ch lists, nothing more.

Suricata is running on WAN.
Title: Re: No IPv6 if IPS is active
Post by: marjohn56 on April 11, 2018, 10:56:10 am
Perhaps your prefix is on one of the abuse lists.  :)
Title: Re: No IPv6 if IPS is active
Post by: marjohn56 on April 11, 2018, 12:42:36 pm
I assume opnsense is showing a v6 address on its LAN, so dhcp6c is doing its job?
Title: Re: No IPv6 if IPS is active
Post by: BeNe on April 11, 2018, 01:33:50 pm
No IPv6 Address on the LAN side, only WAN.
Quote
Perhaps your prefix is on one of the abuse lists.
Possible, but very unlikely.

I disabled ALL rules now, enabled IPS Mode and all IPv6 addresses on LAN are gone.
If I disable IPS Mode all IPv6 addresses are back.

I also enabled the Syslog option. That's the complete log:
Code:
Apr 11 12:16:47 suricata[95611]: [100109] <Notice> -- all 5 packet processing threads, 4 management threads initialized, engine started.
Apr 11 12:16:45 suricata: [100650] <Notice> -- This is Suricata version 4.0.4 RELEASE
Apr 11 12:16:45 suricata[37587]: [100123] <Notice> -- Stats for 'igb1': pkts: 6765, drop: 0 (0.00%), invalid chksum: 0
Apr 11 12:16:44 suricata[37587]: [100123] <Notice> -- Signal Received. Stopping engine.
Apr 11 12:15:57 suricata[37587]: [100123] <Notice> -- all 1 packet processing threads, 4 management threads initialized, engine started.
Apr 11 12:15:55 suricata: [100179] <Notice> -- This is Suricata version 4.0.4 RELEASE
Title: Re: No IPv6 if IPS is active
Post by: marjohn56 on April 12, 2018, 11:04:30 am
I cannot replicate this. On my VM test machine I have enabled IPS and IPv6 is fine on my LAN side.

Is this an upgrade or fresh install?
Title: Re: No IPv6 if IPS is active
Post by: BeNe on April 12, 2018, 12:43:41 pm
This is an upgrade. Was fresh installed with the 18.x branch 2 months ago.
I use VLAN on my LAN side. Maybe this is a point?

How can I get some logs? Suricata's logs are not that helpful (as you can see some posts before)
Title: Re: No IPv6 if IPS is active
Post by: marjohn56 on April 12, 2018, 01:36:58 pm
Have you had it working at all on an earlier version?

As it works flawlessly on my test system using a VM with one WAN and two LANs, it would seem it may well have something to do with VLANs. I don't use them so cannot give you any advice there.
Title: Re: No IPv6 if IPS is active
Post by: BeNe on April 12, 2018, 03:55:21 pm
Quote
Have you had it working at all on an earlier version?
Not on OPNsense. It was a pfSense before  ::)

Thanks for your help. Going to collect some info about it.
Title: Re: No IPv6 if IPS is active
Post by: Space on April 12, 2018, 06:05:48 pm
But I had it running on 17.7.x without issues (after some fights and several releases) :)
Title: Re: No IPv6 if IPS is active
Post by: john9527 on April 26, 2018, 05:59:44 pm
Just a bump to add that I am also seeing the same or similar behavior.  No VLANs, running on WAN interface.
Originally posted in
https://forum.opnsense.org/index.php?topic=8527.0
Title: Re: No IPv6 if IPS is active
Post by: john9527 on May 18, 2018, 08:00:25 pm
Any new info from the development team? Or should I open an issue in GitHub?

Still present on 18.1.8
Title: Re: No IPv6 if IPS is active
Post by: Til on October 07, 2018, 04:35:40 pm
I'm having a similar issue with 18.7.4 (upgraded from 18.1.x). When switching on IPS mode, the internal interfaces immediately lose their IPv6 addresses, and DHCPv6 fails to start. I'm seeing this log line:

dhcpd: /etc/dhcpdv6.conf line 10: expecting a parameter or declaration

Strange thing is.. that file doesn't even exist when IPS is off, but then DHCPv6 works flawlessly.

Anyone have a suggestion on this?  Maybe it's an upgrade issue?
Title: Re: No IPv6 if IPS is active
Post by: marjohn56 on October 09, 2018, 03:36:55 pm
Can you post your dhcpd6.conf for both states?


You'll find it in /var/dhcpd/etc
Title: Re: No IPv6 if IPS is active
Post by: Til on October 10, 2018, 10:19:54 am
Thanks for the hint.

IPS off:
Code:
option domain-name "localdomain";

default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;

subnet6 2001:16b8:2e:39ff::/64 {
  range6 2001:16b8:2e:39ff:0:0:0:0 2001:16b8:2e:39ff:0:0:0:0;
  option dhcp6.name-servers 2001:16b8:2e:39ff:20d:b9ff:fe44:70ed;
}

subnet6 2001:16b8:2e:39ff::/64 {
  range6 2001:16b8:2e:39ff::1000 2001:16b8:2e:39ff::2000;
  option dhcp6.name-servers 2001:16b8:2e:39ff:20d:b9ff:fe44:70ee;
}

ddns-update-style interim;

IPS on:
Code:
option domain-name "localdomain";

default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;
 {
}

ddns-update-style interim;
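The IPS-on file above shows what dhcpd's "expecting a parameter or declaration" complaint points at: a block that opens with a bare `{` and contains nothing, because the subnet6 line was never written. The checker below is an added example, not part of the thread or of OPNsense; it walks a generated dhcpdv6.conf and reports the problems a practitioner would want flagged before dhcpd is restarted: anonymous or empty blocks, unbalanced braces, statements without a terminating `;`, and range6 bounds that fall outside their subnet6 or are reversed. It only understands the flat `key value;` and `subnet6 ... { }` layout seen in the two files above (one statement per line), and the two embedded configs are copies of those files.

```python
import re
from ipaddress import IPv6Address, IPv6Network

# Sample input: the two dhcpdv6.conf files as posted in the thread.
CONF_IPS_OFF = """\
option domain-name "localdomain";

default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;

subnet6 2001:16b8:2e:39ff::/64 {
  range6 2001:16b8:2e:39ff:0:0:0:0 2001:16b8:2e:39ff:0:0:0:0;
  option dhcp6.name-servers 2001:16b8:2e:39ff:20d:b9ff:fe44:70ed;
}

subnet6 2001:16b8:2e:39ff::/64 {
  range6 2001:16b8:2e:39ff::1000 2001:16b8:2e:39ff::2000;
  option dhcp6.name-servers 2001:16b8:2e:39ff:20d:b9ff:fe44:70ee;
}

ddns-update-style interim;
"""

CONF_IPS_ON = """\
option domain-name "localdomain";

default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;
 {
}

ddns-update-style interim;
"""

SUBNET6_RE = re.compile(r'^subnet6\s+(\S+)\s*\{$')
RANGE6_RE = re.compile(r'^range6\s+(\S+)\s+(\S+);$')


def check_dhcpdv6_conf(text):
    """Return a list of (line_number, message); an empty list means nothing was flagged."""
    problems = []
    stack = []  # one entry per open block: [line opened, IPv6Network or None, statement count]
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.endswith('{'):
            net = None
            m = SUBNET6_RE.match(line)
            if m:
                try:
                    net = IPv6Network(m.group(1))
                except ValueError:
                    problems.append((no, f'invalid subnet6 prefix {m.group(1)!r}'))
            elif line == '{':
                # exactly the failure mode seen with IPS on: a block with no declaration in front of it
                problems.append((no, 'block without a declaration (expected e.g. "subnet6 <prefix>/<len> {")'))
            stack.append([no, net, 0])
        elif line == '}':
            if not stack:
                problems.append((no, 'unmatched "}"'))
                continue
            opened, _, statements = stack.pop()
            if statements == 0:
                problems.append((no, f'empty block opened at line {opened}'))
        else:
            if not line.endswith(';'):
                problems.append((no, 'statement missing terminating ";"'))
            if stack:
                stack[-1][2] += 1
                m = RANGE6_RE.match(line)
                net = stack[-1][1]
                if m and net is not None:
                    lo, hi = (IPv6Address(a) for a in m.groups())
                    for addr in (lo, hi):
                        if addr not in net:
                            problems.append((no, f'range6 address {addr} is outside {net}'))
                    if lo > hi:
                        problems.append((no, 'range6 start is greater than its end'))
    for opened, _, _ in stack:
        problems.append((opened, 'block never closed'))
    return problems


if __name__ == '__main__':
    for label, conf in (('IPS off', CONF_IPS_OFF), ('IPS on', CONF_IPS_ON)):
        found = check_dhcpdv6_conf(conf)
        print(f'{label}: {"no problems found" if not found else ""}')
        for no, msg in found:
            print(f'  line {no}: {msg}')
```

Run against a real file with `check_dhcpdv6_conf(open('/var/dhcpd/etc/dhcpdv6.conf').read())`; the line numbers it reports are counted over the file as written, so they may differ by a blank line or two from the ones dhcpd prints.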
Title: Re: No IPv6 if IPS is active
Post by: marjohn56 on October 10, 2018, 10:54:00 am
Interesting.


OK I can replicate this... I'll see what I can find.
Title: Re: No IPv6 if IPS is active
Post by: marjohn56 on October 11, 2018, 12:47:51 pm
Going to add this to an existing issue regarding IPS

Title: Re: No IPv6 if IPS is active
Post by: BeNe on October 11, 2018, 11:20:11 pm
I still have the same problem, too. Yep, IPv6 completely disappears from the dhcpv6 config after enabling IPS Mode.
IDS Mode works fine. So if you need any further tests or logs, I'm willing to help, too.

By enabling IPS Mode I get an error for every enabled Suricata rule like this:
Code:
...
...
Oct 11 23:03:29 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 3477
Oct 11 23:03:29 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
Oct 11 23:03:28 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?\.jsf/R"; content:!"JSESSIONID="; flowbits:set,glassfish_unauth_attempt; metadata:service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20159; rev:8;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 283
Oct 11 23:03:28 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
Oct 11 23:03:26 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-other.rules at line 44
Oct 11 23:03:26 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Outbound malicious vbscript attempt"; flow:to_server,established; file_data; content:"/ilha/"; fast_pattern; nocase; http_uri; content:"logs.php"; within:9; distance:2; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:46792; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 4380
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/2.0/method/"; depth:12; nocase; http_uri; pcre:"/\/2\.0\/method\/(checkConnection|config|delay|error|get|info|setOnline|update)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46238; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 4296
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/4.0/method/"; depth:12; nocase; http_uri; pcre:"/\/4\.0\/method\/(check|cores|installSuccess|modules|threads|blacklist)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46239; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 4295
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt"; flow:to_server,established; file_data; content:"User-Agent"; nocase; http_header; content:"Rarog"; within:200; fast_pattern; nocase; http_header; pcre:"/User-Agent\s*:[^\r\n]*Rarog/iH"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46240; rev:2;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 4294
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 4196
Oct 11 23:03:25 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
Oct 11 23:03:24 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Erebus variant outbound connection"; flow:to_server,established; file_data; urilen:1; content:"h="; depth:2; http_client_body; content:"&v="; within:3; distance:8; http_client_body; content:"&k="; within:3; distance:3; fast_pattern; http_client_body; content:"Expect|3A| 100-continue|0D 0A 0D 0A|"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert, service http; reference:url,virustotal.com/en/file/0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f/analysis/; classtype:trojan-activity; sid:43351; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 3994
Oct 11 23:03:24 suricata: [100201] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
...
...

BrainStorming: Should the IPv6 Prefix also be listed as Internal Net -> $HOME_NET?
Title: Re: No IPv6 if IPS is active
Post by: marjohn56 on October 11, 2018, 11:40:06 pm
If you dig further you'll find that dhcp6c fails to contact the server, hence no IPv6 on the LAN. Already raised this as an issue on Github, but it's a very odd one. I've wiresharked the WAN and I can see the solicit packets on the WAN, but the server does not respond to them. If you switch IPS off, then the server responds.... very odd.
Title: Re: No IPv6 if IPS is active
Post by: BeNe on October 13, 2018, 01:22:35 pm
Quote
Already raised this as an issue on Github
Cool, thanks! Can you please post the link here? I was unable to find it on GitHub.

Quote
I've wiresharked the WAN and I can see the solicit packets on the WAN, but the server does not respond to them
Looks like Suricata is blocking the solicit packets and the dhcp6c will never get an IPv6 prefix?
Title: Re: No IPv6 if IPS is active
Post by: marjohn56 on October 17, 2018, 08:51:51 am
All very peculiar.


https://github.com/opnsense/core/issues/1632