Messages - koushun

#2
OPNsense > Netflow > external destination, Telegraf on a device with inputs.netflow configured; output is InfluxDB, but I do not see *any* data in the bucket.

The bucket is being written to, but that is only Netflow type of stuff?

Not exactly what I am after (I want to have the same in InfluxDB visualized in Grafana), but there is no metadata coming in. I am very puzzled. It throws an error in the beginning, missing template, but that stops after a while.

However, there is no actual metadata flowing in.

#3
24.7, 24.10 Legacy Series / Re: Netflow V9 template
April 17, 2025, 01:14:15 AM
I think you would have to do a packet capture in order to retrieve the template

https://forum.opnsense.org/index.php?topic=5418.0
#4
24.7, 24.10 Legacy Series / Re: KEA vs ISC dhcp
April 16, 2025, 11:53:12 AM
Look at the latest comments https://github.com/opnsense/core/issues/7475
#5
Verify you have configured a domain in OPNsense:
OPNsense > System > Settings > General

Check to see whether you configured a domain under Domain Options in Kea DHCP > Kea DHCPv4 > (relevant) Subnet

From a client, try to ping the hostname (PC123456). Does it work?
From a client, try to ping the fqdn (hostname + domain, PC123456.domain.com). Does it work?

View the contents of host_entries.conf and dhcpleases.conf, under /var/unbound/

There is a fairly recent comment on the GitHub url you provided.

host_entries.conf contains static mappings, i.e. if you reserve an IP address for a MAC in Kea DHCP and also enter something in the hostname column.
Kea DHCP does not communicate with Unbound in regard to dynamic entries; however, look at the script provided which utilizes hooks-libraries provided in Kea.
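The checks above can be scripted. This is an added example, not code from the thread or from OPNsense: it parses the Unbound include files and reports whether a host resolves from a static mapping or a lease file and whether its PTR is present. The local-data / local-data-ptr line format and the sample file contents are assumptions.

```python
import re

# Assumed format of the Unbound include files OPNsense writes under /var/unbound/:
# local-data: "<fqdn> A <ip>" and local-data-ptr: "<ip> <fqdn>" (an assumption, not verified here).
LOCAL_DATA = re.compile(r'^local-data:\s*"(?P<name>\S+)\s+(?:IN\s+)?A\s+(?P<ip>\S+)"')
LOCAL_PTR = re.compile(r'^local-data-ptr:\s*"(?P<ip>\S+)\s+(?P<name>\S+)"')

def parse_unbound_include(text):
    """Return ({fqdn: ip}, {ip: fqdn}) from local-data / local-data-ptr lines."""
    forward, reverse = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = LOCAL_DATA.match(line)
        if m:
            forward[m["name"].rstrip(".").lower()] = m["ip"]
            continue
        m = LOCAL_PTR.match(line)
        if m:
            reverse[m["ip"]] = m["name"].rstrip(".").lower()
    return forward, reverse

def diagnose(hostname, domain, includes):
    """Mirror the checks from the post: is hostname.domain registered in any include file,
    which file (static mapping vs lease) supplied it, and does a matching PTR exist?
    `includes` maps file name -> file content."""
    fqdn = f"{hostname}.{domain}".lower()
    report = {"fqdn": fqdn, "found_in": None, "ip": None, "ptr_ok": False}
    for fname, text in includes.items():
        forward, reverse = parse_unbound_include(text)
        if fqdn in forward:
            report["found_in"], report["ip"] = fname, forward[fqdn]
            report["ptr_ok"] = reverse.get(forward[fqdn]) == fqdn
            break
    return report

SAMPLE_INCLUDES = {  # constructed contents, not copied from a real firewall
    "host_entries.conf": 'local-data: "firewall.domain.com A 192.168.1.1"\n'
                         'local-data-ptr: "192.168.1.1 firewall.domain.com"\n'
                         'local-data: "pc123456.domain.com A 192.168.1.50"\n',
    # empty on purpose: Kea does not hand dynamic leases to Unbound, as the post notes
    "dhcpleases.conf": "",
}
```

A host that only holds a dynamic Kea lease ends up with `found_in` of None, which is exactly the case where the hostname ping fails while the IP ping works.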
#6
Yay, ChatGPT to the rescue.

So I learned today that Wazuh basically only lists *alerts*.

I confirmed that Wazuh receives events from eve.json by kind of following https://benheater.com/integrating-pfsense-with-wazuh/

Wazuh > Server Management > Rules > Add new rules file

Suricata-Overrides.xml
<!-- Modify it at your will. -->

<group name="ids,suricata,">

    <!--
    {"timestamp":"2016-05-02T17:46:48.515262+0000","flow_id":1234,"in_iface":"eth0","event_type":"alert","src_ip":"16.10.10.10","src_port":5555,"dest_ip":"16.10.10.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019236,"rev":3,"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number","category":"Attempted Administrator Privilege Gain","severity":1},"payload":"abcde","payload_printable":"hi test","stream":0,"host":"suricata.com"}
    -->
 
    <rule id="86604" level="7" overwrite="yes">
        <if_sid>86600</if_sid>
        <field name="event_type">^tls$</field>
        <description>Suricata: TLS.</description>
    </rule>

</group>

Then I could go Wazuh > Explore > Discover and under wazuh-alerts-* index filter by "rule.id: 86604", and I saw TLS type of events.
#7
Maybe I am not understanding this, but I thought I could go to Wazuh > Threat intelligence > Threat Hunting and get an overview of Suricata events; however, it does not seem to pick up any events from /var/log/suricata/eve.json?

OPNsense firewall version:
Versions
OPNsense 25.1.4_1-amd64
FreeBSD 14.2-RELEASE-p2
OpenSSL 3.0.16

os-wazuh-agent installed on OPNsense firewall:
os-wazuh-agent (installed) 1.2 40.4KiB 3 OPNsense Agent for the open source security platform Wazuh
Wazuh (LXC container installed by helper script: https://community-scripts.github.io/ProxmoxVE/scripts?id=wazuh):
4.11.2
The agent installed on the firewall is marked as active in Wazuh.

Configuration file for agent installed on firewall:
cat /var/ossec/etc/ossec.conf
<ossec_config>
  <client>
    <server>
      <address>192.168.1.12</address>
      <protocol>tcp</protocol>
      <port>1514</port>
    </server>
    <crypto_method>aes</crypto_method>
    <enrollment>
      <port>1515</port>
    </enrollment>
  </client>

  <client_buffer>
    <!-- Agent buffer options -->
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>

    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/sys/kernel/security</ignore>
    <ignore>/sys/kernel/debug</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <response_timeout>30</response_timeout>
      <queue_size>16384</queue_size>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Log analysis -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/opnsense_syslog.log</location>
  </localfile>

  <!-- Suricata -->
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>


  <!-- Active response -->
  <active-response>
    <disabled>yes</disabled>
  </active-response>


</ossec_config>

The necessary permissions are in place on the firewall, as root is running 'wazuh-logcollector', which is presumably able to read /var/log/suricata/eve.json?
ps aux | grep wazuh
root        35464   0.0  0.1   49484   16068  -  S    21:32       0:05.04 /var/ossec/bin/wazuh-logcollector
root        86633   0.0  0.0   23596   12032  -  I    21:32       0:00.00 /var/ossec/bin/wazuh-execd
wazuh       90197   0.0  0.1   39936   14848  -  S    21:32       0:35.77 /var/ossec/bin/wazuh-agentd
root        95620   0.0  0.1   46636   17808  -  SN   21:32       0:12.82 /var/ossec/bin/wazuh-syscheckd
root        92113   0.0  0.0   13748    2036  1  S+   23:14       0:00.00 grep wazuh

Additional Information, group membership for user wazuh:
id wazuh
uid=309(wazuh) gid=309(wazuh) groups=309(wazuh)

File permissions for eve.json:
ls -al /var/log/suricata/eve.json
-rwx------  1 root wheel 15899978 Apr  5 23:16 /var/log/suricata/eve.json

There are active events being logged to eve.json, although they are not of "event_type":"alerts", but rather "event_type":"tls":
tail -f /var/log/suricata/eve.json
{"timestamp":"2025-04-05T23:18:25.645024+0200","flow_id":434493063789884,"in_iface":"vtnet1","event_type":"tls","src_ip":"p.p.p.p","src_port":13938,"dest_ip":"z.z.z.z","dest_port":443,"proto":"TCP","pkt_src":"wire/pcap","tls":{"subject":"CN=*.iot.eu-west-1.amazonaws.com","issuerdn":"C=US, O=Amazon, CN=Amazon RSA 2048 M01","serial":"04:83:77:02:F6:2F:7A:39:61:31:41:F2:29:7A:8E:CF","fingerprint":"5a:ee:c9:1e:e7:3c:6b:48:86:66:dc:f7:a5:0a:ea:24:49:15:cb:eb","sni":"al9fa5uwnmgg7-ats.iot.eu-west-1.amazonaws.com","version":"TLS 1.2","notbefore":"2024-08-21T00:00:00","notafter":"2025-07-28T23:59:59","ja3":{"hash":"d311fcfe5b660d59dc616e20831c55a0","string":"771,52393-49195-49196-52392-49199-49200-49161-49162-49171-49172-156-157-47-53,65281-0-23-13-5-11-10,29-23-24,0"},"ja3s":{"hash":"e36e593c5f33a620e2c9d3801f61be4a","string":"771,49199,0-11-65281-23"}}}
{"timestamp":"2025-04-05T23:18:25.740509+0200","flow_id":285055222499977,"in_iface":"vtnet1","event_type":"tls","src_ip":"x.x.x.x","src_port":14301,"dest_ip":"y.y.y.y","dest_port":443,"proto":"TCP","pkt_src":"wire/pcap","tls":{"subject":"CN=*.iot.eu-west-1.amazonaws.com","issuerdn":"C=US, O=Amazon, CN=Amazon RSA 2048 M01","serial":"04:83:77:02:F6:2F:7A:39:61:31:41:F2:29:7A:8E:CF","fingerprint":"5a:ee:c9:1e:e7:3c:6b:48:86:66:dc:f7:a5:0a:ea:24:49:15:cb:eb","sni":"al9fa5uwnmgg7-ats.iot.eu-west-1.amazonaws.com","version":"TLS 1.2","notbefore":"2024-08-21T00:00:00","notafter":"2025-07-28T23:59:59","ja3":{"hash":"d311fcfe5b660d59dc616e20831c55a0","string":"771,52393-49195-49196-52392-49199-49200-49161-49162-49171-49172-156-157-47-53,65281-0-23-13-5-11-10,29-23-24,0"},"ja3s":{"hash":"e36e593c5f33a620e2c9d3801f61be4a","string":"771,49199,0-11-65281-23"}}}
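To make the answer in post #6 above concrete, here is an added example (not code from the thread or from Wazuh) that models the Suricata rule chain, with and without the 86604 override, against constructed eve.json lines shaped like the ones in this post, and reproduces the ownership check on eve.json. The alert threshold, the simplified chain walk and the stand-in rule id 900001 are assumptions.

```python
import json
# Simplified model (assumption, not Wazuh's engine): an event alerts only if its deepest matching rule's level >= threshold.
ALERT_THRESHOLD = 3  # Wazuh's default log_alert_level

# Ids 86600 and 86604 come from the thread; the stock alert rule's id is not on the page,
# so 900001 is a constructed stand-in for it.
STOCK_RULES = [
    {"id": 86600, "level": 0, "parent": None, "event_type": None},       # groups all Suricata JSON
    {"id": 900001, "level": 3, "parent": 86600, "event_type": "alert"},  # stand-in: alert events
]
OVERRIDE_RULE = {"id": 86604, "level": 7, "parent": 86600, "event_type": "tls"}  # the post's override

def match_rule(event, rules):
    """Walk the chain parent-first (like if_sid); a child matches only if its parent just did."""
    if "timestamp" not in event or "event_type" not in event:
        return None  # not recognised as a Suricata event at all
    matched = None
    for rule in rules:
        if rule["parent"] is not None and (matched is None or matched["id"] != rule["parent"]):
            continue
        if rule["event_type"] is not None and rule["event_type"] != event["event_type"]:
            continue
        matched = rule
    return matched

def classify(eve_lines, rules):
    """For each eve.json line: (event_type, matched rule id or None, becomes an alert?)."""
    out = []
    for line in eve_lines:
        ev = json.loads(line)
        r = match_rule(ev, rules)
        out.append((ev["event_type"], r["id"] if r else None, bool(r) and r["level"] >= ALERT_THRESHOLD))
    return out

def can_read(ls_mode, owner, group, user, user_groups):
    """Can `user` read a file that ls -l shows as `ls_mode owner group`? root always can."""
    if user == "root":
        return True
    if user == owner:
        return ls_mode[1] == "r"
    if group in user_groups:
        return ls_mode[4] == "r"
    return ls_mode[7] == "r"

SAMPLE_EVE = [  # constructed lines shaped like the thread's eve.json output (fake addresses)
    '{"timestamp":"2025-04-05T23:18:25+0200","event_type":"tls","src_ip":"10.0.0.5","dest_port":443,"tls":{"sni":"example.test","version":"TLS 1.2"}}',
    '{"timestamp":"2025-04-05T23:18:26+0200","event_type":"alert","src_ip":"10.0.0.5","alert":{"signature_id":1,"signature":"TEST","severity":2}}',
    '{"timestamp":"2025-04-05T23:18:27+0200","event_type":"flow","src_ip":"10.0.0.5"}',
]
```

With the stock rules the TLS line stops at the level-0 grouping rule and never reaches wazuh-alerts-*; with the override it matches 86604 at level 7 and shows up, while the file is readable because logcollector runs as root, not as the wazuh user.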


#8
Yay, I got it working.

pkg install -f -r OPNsense libgcrypt libgpg-error
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
libgpg-error: 1.48 -> 1.50 [OPNsense]

Installed packages to be REINSTALLED:
libgcrypt-1.11.0 [OPNsense]

Number of packages to be upgraded: 1
Number of packages to be reinstalled: 1

168 KiB to be downloaded.

Proceed with this action? [y/N]: y
#9
It is already below 11?

Quote:
# grep priority /usr/local/etc/pkg/repos/*.conf
/usr/local/etc/pkg/repos/OPNsense.conf:  priority: 11,
/usr/local/etc/pkg/repos/SunnyValley.conf:  priority: 7,
#10
/usr/local/etc/rc.d/ntopng start
Certificates generated /usr/local/share/ntopng/httpdocs/ssl/ntopng-cert.pem
Starting ntopng.
md5sum: invalid option -- q
usage: md5sum [-bctwz] [files ...]
usage: grep [-abcDEFGHhIiLlmnOopqRSsUVvwxz] [-A num] [-B num] [-C num]
[-e pattern] [-f file] [--binary-files=value] [--color=when]
[--context=num] [--directories=action] [--label] [--line-buffered]
[--null] [pattern] [file ...]
xargs: md5sum: terminated with signal 13; aborting
01/Sep/2024 02:01:59 [Ntop.cpp:4052] WARNING: Unable to find timezone: using UTC
01/Sep/2024 02:01:59 [Redis.cpp:171] Successfully connected to redis 127.0.0.1@0
01/Sep/2024 02:01:59 [Redis.cpp:171] Successfully connected to redis 127.0.0.1@0
ld-elf.so.1: /usr/local/lib/libgcrypt.so.20: Undefined symbol "gpgrt_add_post_log_func"
/usr/local/etc/rc.d/ntopng: WARNING: failed to start ntopng


find /usr/local/lib -name "libgcrypt.so*"
/usr/local/lib/libgcrypt.so
/usr/local/lib/libgcrypt.so.20
/usr/local/lib/libgcrypt.so.20.5.0


pkg install -f libgcrypt libgpg-error
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
libgcrypt-1.11.0 [OPNsense]
libgpg-error-1.48 [SunnyValley]

Number of packages to be reinstalled: 2

1 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/2] Fetching libgcrypt-1.11.0.pkg: 100%  818 KiB 837.5kB/s    00:01   
[2/2] Fetching libgpg-error-1.48.pkg: 100%  361 KiB 369.5kB/s    00:01   
Checking integrity... done (0 conflicting)
[1/2] Reinstalling libgpg-error-1.48...
[1/2] Extracting libgpg-error-1.48: 100%
[2/2] Reinstalling libgcrypt-1.11.0...
[2/2] Extracting libgcrypt-1.11.0: 100%


Still unable to start ntopng. That is a bummer.

opnsense-version
OPNsense 24.7.3_1
#11



2024-08-27T00:48:43 Warning ntopng 27/Aug/2024 00:48:43 [Ntop.cpp:3890] WARNING: Unable to find timezone: using UTC
2024-08-27T00:48:40 Notice root /usr/local/etc/rc.d/ntopng: WARNING: failed to start ntopng
2024-08-27T00:48:40 Warning ntopng 27/Aug/2024 00:48:40 [Ntop.cpp:3890] WARNING: Unable to find timezone: using UTC
2024-08-27T00:47:27 Notice root /usr/local/etc/rc.d/ntopng: WARNING: failed to start ntopng
2024-08-27T00:47:27 Error ntopng 27/Aug/2024 00:47:27 [Redis.cpp:157] ERROR: to specify a redis server other than the default
2024-08-27T00:47:27 Error ntopng 27/Aug/2024 00:47:27 [Redis.cpp:154] ERROR: Please start it and try again or use -r
2024-08-27T00:47:27 Error ntopng 27/Aug/2024 00:47:27 [Redis.cpp:153] ERROR: ntopng requires redis server to be up and running
2024-08-27T00:47:26 Error ntopng 27/Aug/2024 00:47:26 [Redis.cpp:98] ERROR: Connection error [Connection refused]
2024-08-27T00:47:25 Error ntopng 27/Aug/2024 00:47:25 [Redis.cpp:98] ERROR: Connection error [Connection refused]
2024-08-27T00:47:24 Error ntopng 27/Aug/2024 00:47:24 [Redis.cpp:98] ERROR: Connection error [Connection refused]


After the latest update...
Tried stopping and starting redis, tried to stop and start ntopng, tried to reset Redis as well. Tried a reboot.

Any ideas?


#12
Yeah, no bueno; I tried to stop Zenarmor, it did not work.

I believe it is not a feature which is fully integrated yet, with KEA:
https://github.com/opnsense/core/issues/7475

I believe NSD would have to be the Authoritative DNS nameserver and KEA should send updates to the NSD server which will update the relevant zone. And then one would have to restart Unbound after each update.

http://troubleshooters.com/linux/unbound_nsd/nsd.htm
#13
Anyone being able to ping hostnames instead of IP addresses, when KEA is utilized? The only host which is able to resolve is the firewall itself.
#14
I am using KEA DHCP.
I am using Unbound DNS.

I am unable to ping any machines on my network through the Ping utility embedded in the OPNsense GUI, when trying to ping the hostname. Pinging the IPv4 address works as expected.

From a client on the network, hostnames do not resolve.

Except the firewall itself, that one works (I can ping "firewall" and "firewall.domain.com" and I get a reply. This works both from a client and from OPNsense itself).

There is no logging besides "Informational" in the Kea DHCP Log File section.
There is no relevant information in the Unbound log.

Register ISC DHCP4 Leases: CHECKED
Register DHCP Static Mappings: CHECKED

System > Settings > Administration
DNS Rebind Check: Disable DNS Rebinding Checks. Tried UNCHECKED here.

Does KEA not communicate DDNS entries?
#15
:)