Messages - MakesSense

#1
I'm using OpnSense 18.7.10 (haven't upgraded yet due to the kernel panic issue).

There the Suricata rules are stored in these two folders:

/usr/local/etc/suricata/rules/
/usr/local/etc/suricata/opnsense.rules/

Not sure if both are needed...

I also add my custom rule file names to /usr/local/etc/suricata/installed_files.yaml
#2
18.7 Legacy Series / Re: 18.7.10 and Suricata
January 22, 2019, 12:28:38 PM
For me it was the same, almost all alerts disappeared when I upgraded to Suricata 4.1.2. I found that the OISF/suricata rules disappeared when I upgraded. That rule set makes a lot of noise, especially if you have the STREAM rules enabled, but many of them I find very useful.

Some rules didn't load properly with 4.1.2 when I downloaded them manually, so I added my own STREAM rules based on the rules in that rule set.

The OISF/suricata rules can be found here:
https://github.com/OISF/suricata/tree/master/rules
#3
18.7 Legacy Series / Re: 18.7.10 Suricata 4.1.2 GeoIP
January 14, 2019, 10:41:54 AM
Quote from: franco on January 14, 2019, 10:18:44 AM
We checked the firewall aliases GeoIP and it uses the version 2 database so we're good on this front. Best to migrate now... :)


Cheers,
Franco

Super, thanks franco! Migration done! :)
#4
18.7 Legacy Series / Re: 18.7.10 Suricata remove rules
January 14, 2019, 10:08:08 AM
Hi,

I found that to remove the rules you have to delete them manually in:

/usr/local/etc/suricata/opnsense.rules/

When I remove them through the web GUI it only removes the copy of the rules inside /usr/local/etc/suricata/rules/.

Then restart Suricata and the deleted rules should be gone from the list in the web GUI.
#5
18.7 Legacy Series / Re: 18.7.10 Suricata 4.1.2 GeoIP
January 14, 2019, 09:21:20 AM
Thanks for the info! I will use the firewall for geoblocking then :-)

#6
18.7 Legacy Series / Re: 18.7.10 IP blocklist
January 14, 2019, 09:18:29 AM
Thanks for the tip! I will try that.
#7
18.7 Legacy Series / Re: 18.7.10 IP blocklist
January 14, 2019, 07:16:08 AM
Thanks, I have done that for the most intrusive ones earlier, but I have a list with over 9000 IP addresses.

I tried to add them directly in the config.xml file, but then I can't open that alias in the web GUI.
#8
18.7 Legacy Series / 18.7.10 Suricata 4.1.2 GeoIP
January 13, 2019, 10:25:03 PM
Hi

Anyone else having problems with geoip rules in Suricata 4.1.2? Every time I try to load a rule with geoip Suricata throws an error...
#9
18.7 Legacy Series / 18.7.10 IP blocklist
January 13, 2019, 10:23:31 PM
Hi

I'm wondering if there is any way to add a list of IP addresses to the firewall blocklist?
#10
18.1 Legacy Series / 18.1.4 IDS Alerts
March 13, 2018, 10:47:10 AM
Don't know if this is the right section to drop this...

When I look at Alerts in the IDS section it always says:

'Showing 1 to 7'

no matter how many I've chosen to view. In the example attached there are 49 alerts being shown.
#11
Intrusion Detection and Prevention / Re: Snort rules v3
February 20, 2018, 11:38:21 AM
Yes, I got these errors (and a bunch more...):

<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-other.rules at line 44

<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content

<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 4199

<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content

All of them had the [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]

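Added example (not part of MakesSense's post, and not OPNsense or Suricata code): a Python pre-flight lint that reproduces the one loader rule behind the SC_ERR_INVALID_SIGNATURE(39) messages quoted above, so a downloaded Snort rule set can be scanned for rules Suricata 4.x will refuse before it is handed to the IDS. The keyword-order model it encodes is the reading of these two errors, not Suricata's parser: Snort applies content modifiers regardless of order, while Suricata processes keywords left to right, so `within`/`distance` are evaluated while the content still sits in the payload buffer, where its predecessor is the `fast_pattern:only` content (the intervening `http_header`/`http_uri` content has already been relocated). Lines 1 and 2 of the sample are the rejected rules verbatim from the post; line 3 is a constructed variant of sid 45400 with `fast_pattern:only` replaced by `fast_pattern` and a local-range sid. The authoritative check remains `suricata -T -c <suricata.yaml> -S <file>.rules`.

```python
"""Pre-flight lint for one Suricata 4.x rule-loader rejection, SC_ERR_INVALID_SIGNATURE(39):
"previous keyword has a fast_pattern:only; set. Can't have relative keywords around a
fast_pattern only content".  Added example; the buffer model below is an approximation
inferred from the rejected rules, not Suricata code: keywords apply in order, a content
lands in the payload buffer unless a sticky buffer (file_data) is active, an http_*
modifier moves the most recent content into that buffer, and within/distance are checked
against the predecessor of the most recent content in the buffer it occupies right then.
"""
import re
from typing import List, Optional, Tuple

HTTP_MODIFIERS = {  # Snort 2 style modifiers that relocate the preceding content
    "http_uri", "http_raw_uri", "http_header", "http_raw_header", "http_cookie",
    "http_method", "http_client_body", "http_server_body", "http_user_agent",
    "http_stat_code", "http_stat_msg", "http_host", "http_raw_host",
}
STICKY_BUFFERS = {"file_data"}        # every content after this keyword goes there
RELATIVE_KEYWORDS = {"within", "distance"}


def split_options(rule: str) -> List[Tuple[str, str]]:
    """Split the (...) part of a rule into (keyword, value) pairs.
    ';' ends an option only outside double quotes; a backslash escapes the next char."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs, cur, in_quote, escaped = [], [], False, False
    for ch in body + ";":                 # trailing ';' flushes the last option
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opt = "".join(cur).strip()
            cur = []
            if opt:
                name, _, value = opt.partition(":")
                pairs.append((name.strip(), value.strip().strip('"')))
        else:
            cur.append(ch)
    return pairs


def check_rule(rule: str) -> Optional[Tuple[str, str]]:
    """Return (relative keyword, fast_pattern:only content it collides with) for the
    first violation, or None when the rule passes this particular check."""
    contents = []                         # {"value", "buffer", "fp_only"} in keyword order
    sticky = "payload"
    for name, value in split_options(rule):
        if name in ("content", "uricontent"):
            contents.append({"value": value, "fp_only": False,
                             "buffer": "http_uri" if name == "uricontent" else sticky})
        elif name in STICKY_BUFFERS:
            sticky = name
        elif not contents:
            continue                      # modifier before any content: not our concern
        elif name == "fast_pattern" and value == "only":
            contents[-1]["fp_only"] = True
        elif name in HTTP_MODIFIERS:
            contents[-1]["buffer"] = name  # relocate the most recent content
        elif name in RELATIVE_KEYWORDS:
            last = contents[-1]
            prev = next((c for c in reversed(contents[:-1])
                         if c["buffer"] == last["buffer"]), None)
            if prev is not None and prev["fp_only"]:
                return name, prev["value"]
    return None


def lint_rules(text: str) -> List[Tuple[int, int, str, str]]:
    """(sid, line number, keyword, content) for every rule in a .rules text that trips."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "(" not in line or ")" not in line:
            continue
        hit = check_rule(line)
        if hit:
            m = re.search(r"\bsid:\s*(\d+)", line)
            findings.append((int(m.group(1)) if m else -1, line_no, hit[0], hit[1]))
    return findings


# Lines 1-2: the rules Suricata rejected in the post (verbatim).  Line 3: constructed
# variant of sid 45400 with fast_pattern:only -> fast_pattern and a local-range sid.
SAMPLE_RULES = """\
drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CONSTRUCTED copy of sid 45400 with fast_pattern instead of fast_pattern:only"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern; content:"k="; http_uri; content:"?q="; distance:0; http_uri; classtype:trojan-activity; sid:9000001; rev:1;)
"""

if __name__ == "__main__":
    for sid, line_no, keyword, content in lint_rules(SAMPLE_RULES):
        print(f"line {line_no} sid {sid}: '{keyword}' is relative to fast_pattern:only "
              f"content {content!r}; Suricata 4.x rejects this signature")
```

Run it against the unpacked snapshot's .rules files and the offending sids come out before Suricata ever sees them; the third sample line passes because the relocation bookkeeping finds a plain `fast_pattern` content as the predecessor, which is the rewrite the error message is asking for. The model deliberately reports only this one check and says nothing about other reasons a rule may fail to load.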
#12
Intrusion Detection and Prevention / Snort rules v3
February 20, 2018, 11:20:13 AM
Hi,

I'm using OpnSense 18.2_2. I've been using the Snort rule set snortrules-snapshot-29111.tar.gz for a while now and all has been fine.

When downloading the new Snort rule set snortrules-snapshot-3000.tar.gz, no Snort rules load. If I look at the download page they seem to be downloaded fine, but looking at the rules tab no Snort rules appear. So my question is: are the new rules not compatible with Suricata, does anyone know?
#13
18.1 Legacy Series / Re: 18.1 IDS rules not updating
January 31, 2018, 04:03:20 PM
Quote from: ChrisW on January 31, 2018, 04:00:50 PM
I can confirm that it's not possible to manually download the rules. I had to install a fresh opnsense 18.1 after trying to update via GUI from 17.7.
Then I tried to download the IPS rules, but nothing happens.

Did you try the quick fix:

pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/17.7/latest/All/py27-openssl-17.3.0.txz

Worked for me:-)
#14
18.1 Legacy Series / IDS rules
January 31, 2018, 03:51:14 PM
Hi,

I would like to come with a suggestion for the IDS rules page:

To add another filter: enabled/disabled rules.

That would make it so much easier to find the disabled rules within a huge rules class type (like trojan-activity).
#15
18.1 Legacy Series / Re: 18.1 IDS rules not updating
January 30, 2018, 10:52:21 AM
I finally got all the rule sets down after a few more goes.

Thanks for the help!