Messages - bmail

#1
20.1 Legacy Series / [solved]Flowd error
March 03, 2020, 05:08:53 PM
Hello,

Since an accidental electric shutdown, I've got an issue with flowd_aggregate.py

flowd starts, Insight gives me data, but I'm flooded with this kind of error:

# clog /var/log/system.log | grep flowd

/flowd_aggregate.py: flowparser failed to unpack proto_flags_tos (unpack requires a buffer of 4 bytes)
/flowd_aggregate.py: flowparser failed to unpack octets (unpack requires a buffer of 8 bytes)
/flowd_aggregate.py: flowparser failed to unpack if_indices (unpack requires a buffer of 8 bytes)
/flowd_aggregate.py: flowparser failed to unpack as_info (unpack requires a buffer of 12 bytes)
/flowd_aggregate.py: flowparser failed to unpack flow_engine_info (unpack requires a buffer of 12 bytes)
/flowd_aggregate.py: flowparser failed to unpack recv_time (unpack requires a buffer of 8 bytes)
/flowd_aggregate.py: flowparser failed to unpack octets (unpack requires a buffer of 8 bytes)
/flowd_aggregate.py: flowparser failed to unpack if_indices (unpack requires a buffer of 8 bytes)
/flowd_aggregate.py: flowparser failed to unpack as_info (unpack requires a buffer of 12 bytes)
/flowd_aggregate.py: flowparser failed to unpack flow_engine_info (unpack requires a buffer of 12 bytes)
/flowd_aggregate.py: flowparser failed to unpack tag (unpack requires a buffer of 4 bytes)
/flowd_aggregate.py: flowparser failed to unpack recv_time (unpack requires a buffer of 8 bytes)
I tried "repair netflow data" in the settings menu: no change, still these errors.

If I try "reset netflow data", will I lose everything?

A very kind reboot did not help ...

Have you got any idea?

Thanks a lot!
bmail

Edit:
Solved by accepting to lose the Insight data with a "reset data". Data probably corrupted ...
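As an added example (not from the post above or from the OPNsense project), a small Python detector that scans the `clog /var/log/system.log | grep flowd` output quoted in the post and flags the repeated flowparser unpack failures that point at truncated flow records; the sample lines and the alert threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample built from the log lines quoted in the post (assumption:
# the real input is the saved output of "clog /var/log/system.log | grep flowd").
SAMPLE_LOG = """\
/flowd_aggregate.py: flowparser failed to unpack proto_flags_tos (unpack requires a buffer of 4 bytes)
/flowd_aggregate.py: flowparser failed to unpack octets (unpack requires a buffer of 8 bytes)
/flowd_aggregate.py: flowparser failed to unpack as_info (unpack requires a buffer of 12 bytes)
/flowd_aggregate.py: flowparser failed to unpack octets (unpack requires a buffer of 8 bytes)
/flowd_aggregate.py: some unrelated flowd message
"""

# Matches one flowparser unpack failure and captures the field name and the
# number of bytes struct.unpack expected but did not get (a truncated record).
UNPACK_RE = re.compile(
    r"flowd_aggregate\.py: flowparser failed to unpack (?P<field>\w+) "
    r"\(unpack requires a buffer of (?P<size>\d+) bytes\)"
)


def parse_unpack_failures(log_text):
    """Count unpack failures per (field, expected_size) pair.

    Lines that do not match the flowparser error shape are ignored, so the
    function can be fed the unfiltered flowd-related log lines.
    """
    failures = Counter()
    for line in log_text.splitlines():
        match = UNPACK_RE.search(line)
        if match:
            failures[(match.group("field"), int(match.group("size")))] += 1
    return failures


def flow_store_looks_corrupt(log_text, threshold=3):
    """Heuristic (assumed threshold): several failures spread over more than
    one field mean the flow data store itself is truncated or corrupted,
    not a single malformed record, which is the situation the post describes."""
    failures = parse_unpack_failures(log_text)
    return sum(failures.values()) >= threshold and len(failures) >= 2


if __name__ == "__main__":
    for (field, size), count in sorted(parse_unpack_failures(SAMPLE_LOG).items()):
        print(f"{field}: {count} failure(s), expected {size} bytes")
    print("flow store looks corrupt:", flow_store_looks_corrupt(SAMPLE_LOG))
```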

#2
20.1 Legacy Series / Re: Clamav: how to flush database
February 13, 2020, 02:51:15 PM
OK, it works!
I just erased jurlbla.ndb without scruple and disabled it in the signatures config, then restarted clamav, then activated jurlbla.ndb and restarted clamav.
The download is OK and clamav, even outdated, restarts like a charm.
Probably an issue during downloading.

Thanks a lot for your advice.

Bertrand

#3
20.1 Legacy Series / Re: Clamav: how to flush database
February 13, 2020, 02:12:28 PM
Hello Darksense,

Yes, I noticed it, but it seems strange that it only concerns one third-party database ...
Previously, I never noticed that an issue with a third-party database could prevent clamav from starting.

That's why I wonder how to disable the loading of jurlbla.ndb (or properly erase it), in order to start clamav.

Best regards,
Bertrand
#4
Hello,

Since today's last download of a clamav third-party database (http://ftp.swin.edu.au/sanesecurity/jurlbl.ndb), Clamav does not want to start. This database doesn't seem to be in good health ...

root@DBSecure:~ # /usr/local/etc/rc.d/clamav-clamd start
Starting clamav_clamd.
LibClamAV Error: Empty database file
LibClamAV Error: Can't load /var/db/clamav/jurlbla.ndb: Malformed database
LibClamAV Error: cli_loaddbdir(): error loading database /var/db/clamav/jurlbla.ndb
Thu Feb 13 11:00:21 2020 -> !Malformed database
/usr/local/etc/rc.d/clamav-clamd: WARNING: failed to start clamav_clamd

I tried to de-activate it within the list of additional signatures, and restarted clamav: it doesn't work.
Probably normal, as that concerns the download and refresh of the database, not the loading of it in clamav.

Do you know how I can purge the database in order to restart clamav without this problematic third-party database?

Just erase /var/db/clamav/jurlbla.ndb?

Thanks a lot for any ideas!

#5
General Discussion / Re: Network question
January 11, 2020, 11:20:59 AM
Yes, I think I'm going to transform the wifi router into an AP. I don't really need to do NAT for wifi devices.

But, definitely, I don't understand why (sometimes) I see the wifi devices' IPs on the WLAN interface of OPNsense, while these devices are behind a router which must perform NAT!
The wifi router is an ASUS with Merlin firmware.
And this behaviour is not permanent, hopefully! And always towards a Google IP. Strange, no?

Anyway, thanks for your advice.
#6
General Discussion / Re: Network question
January 11, 2020, 10:09:52 AM
Hello,

Thanks for your answer.
I thought it was strange because the wifi router IS a router, with NAT.
My OPNsense rules allow traffic from WLAN net (10.1.2.100/24), so in fact one IP address: the one of the wifi router (10.1.2.99). It works perfectly like this.
But I thought that the WLAN interface of OPNsense couldn't see devices behind the wifi router, as it's not the same network (10.1.55.0/24).

Perhaps I should configure the router as an AP? It could be simpler, rather than doing another NAT?

#7
General Discussion / Network question
January 10, 2020, 07:58:36 PM
Hello,

Not directly related to OPNsense, but a strange behaviour on my network.
Perhaps someone could help me to understand what the issue is:

I use OPNsense with 3 interfaces (LAN, WAN, and WLAN). WLAN is a wired interface connected to the WAN port of an Asus wifi router.
The wifi router is configured as a router (not an AP) for wifi devices (Android phones for example), with DHCP.

So: WLAN (opnsense): 10.1.2.100
WAN of wifi router: 10.1.2.99 with default gateway 10.1.2.100
LAN of wifi router: 10.1.55.100/24
WIFI devices with DHCP: 10.1.55.6x/24

Wifi devices have access to the internet via OPNsense, but sometimes I see weird logs on OPNsense:

Action: block
interface: WLAN
Source: 10.1.55.6x
Destination: very often a google ip (216.58.2018.100 for example)

For the WLAN interface, I have some rules such as:
Accept   WLAN net   *   This Firewall   53 (DNS)   *   *
Accept   WLAN net   *   *   443 (HTTPS)   *   *
and so on ...

And the last:
Block   *   *   *   *   *   *

I can't understand why WLAN receives and blocks (naturally) packets from wifi devices (10.1.55.6x). WLAN should not see them.

If somebody can explain this to me ...

Thanks a lot in advance.
#8
19.7 Legacy Series / Re: clamav : Can't download *.cvd
January 07, 2020, 08:25:39 PM
I suppose you tried to copy the current main.cvd to this place and restart clamav?
#9
19.7 Legacy Series / Re: clamav : Can't download *.cvd
January 07, 2020, 04:13:17 PM
Hello,

Did you try some other 3rd-party ClamAV signatures?

For example from sanesecurity (https://sanesecurity.com/usage/signatures/) with files located here:
http://ftp.swin.edu.au/sanesecurity/

Just to test if freshclam is broken.
As for me, it's OK; just rogue.ndb was renamed to rogue.hdb, so obviously the file could not be updated. With this issue solved, all official and 3rd-party signatures update just fine.

Just an idea.

#10
19.7 Legacy Series / [Solved]Re: Geoip
September 14, 2019, 08:23:24 PM
Hi mimugmail,

Thanks a lot for this explanation.

Phew!

best regards,
Bertrand
#11
19.7 Legacy Series / Re: Does Maltrail block?
September 14, 2019, 06:37:30 PM
Hi,

I don't think so. Just detection.

Regards
#12
19.7 Legacy Series / [Solved]Geoip
September 14, 2019, 06:34:58 PM
Hello,

I use 19.7.4 and Maltrail.

Could somebody explain to me how the GeoIP database is updated?

I have used GeoIP (since OPNsense 18.1) with an alias and a rule on the inbound WAN interface in first position. And now I try Maltrail and I notice lots of "malicious traffic" coming from China and Russia... However, nothing personal, but my GeoIP alias and firewall rule are supposed to block these countries.

I wonder if my firewall rule is really applied ... Or if these IPs were recently assigned to these countries and my GeoIP database is not really updated.

Is the GeoIP database updated with the cron task "update and reload firewall aliases"? I've already got this cron task.
Is it related to the GeoLite Legacy databases discontinued on January 2?

Thanks a lot for any advice.
Bertrand
#13
19.1 Legacy Series / [solved]Re: OpenSSL or LibreSSL
April 23, 2019, 05:55:08 PM
OK, thanks to all!

I'm going to test openvpn and squid ssl inspection within a test environment.

Have a good day.
Best regards
Bertrand

#14
19.1 Legacy Series / Re: OpenSSL or LibreSSL
April 23, 2019, 05:18:54 PM
Hello Chemlud,

Thanks for sharing your experience.
For the moment I use unbound without TLS, so that should work.

But can I now safely switch (in the GUI) to LibreSSL without breaking anything? I suppose this will be taken into account after the next update, and not right now.

Thanks.
#15
19.1 Legacy Series / [solved]OpenSSL or LibreSSL
April 23, 2019, 10:28:16 AM
Hello,

Small and perhaps silly question:

Is it possible and safe to switch from OpenSSL to LibreSSL for the choice of the firmware cryptography flavour (firmware > parameters)?

Present Release: 19.1.6 running with OpenSSL

Purpose: to get closer to the work of OpenBSD team.

Thanks a lot for your advice