Messages - Retired Miner

#1
I occasionally look at the Live View log files.

Have created a filter for my one WAN interface, using Action!~Pass, (action does not contain pass).

I see blocks for IPv4 packets for GeoIPLite2, ProofPoint Emerging Threats and "Default deny / state violation rule."  All of these are for IPv4, I've never yet seen any IPv6 packets being blocked.

I do see IPv6 packets passing (example: Open a browser tab to YouTube), and have assumed IPv6 protections are in place and working but I've never seen any in the log files.

Am I missing something?
#2
I have a repeatable issue I've encountered in a new 24.1 - 24.1.3_1 install that I want to sanity check here before reporting it in GitHub (which I've never done before). Does anyone else see this?

Three menu entries become inaccessible after I change the Static IP address of a LAN Interface.  If I roll back the Static IP to the default 192.168.1.1 the menu entries are accessible, i.e., normal operation.

The three menu entries and associated Fatal Error messages are:
- System > Configuration > Backups
  Fatal error: Failed opening required '/usr/local/www/diag_backup.php' (include_path='/usr/local/etc/inc:/usr/local/www:/usr/local/opnsense/mvc:/usr/local/opnsense/contrib:/usr/local/share/pear:/usr/local/share') in Unknown on line 0
- Interfaces > Overview
- Interfaces > Assignment
  Fatal error: Failed opening required '/usr/local/opnsense/www/index.php' (include_path='/usr/local/etc/inc:/usr/local/www:/usr/local/opnsense/mvc:/usr/local/opnsense/contrib:/usr/local/share/pear:/usr/local/share') in Unknown on line 0

Attached image shows the message.

My Notes:
- If I roll back the Static IP address to 192.168.1.1, and keep /16, the problem goes away and is not present.
- Issue occurs when you set the LAN Interface Static IP address via the Web GUI and via the Console Menu.
- Can be reproduced over and over, i.e. this sequence of changing the LAN Interface Static IP address:
  - 192.168.1.1/24  > Initial default configuration, no issues.
  - 192.168.41.1/16 > get Fatal Error
  - 192.168.1.1/16 > No issue, menu entries work as expected.
  - 192.168.41.1/16 > get Fatal Error
  - 192.168.1.1/16 > No issue, menu entries work as expected.
  - 192.168.41.1/16 > get Fatal Error
- An "in place" upgrade (23.7 > 24.1.3) does not get this error; I have a device using 192.168.31.1/16 and all menu entries work as expected after the upgrade.


#3
I also got this when doing an update on a new, clean 24.1 system install. The very confusing part was at the end where it says it's installing 24.1.2.

Yet log messages above this showed Upgrading opnsense from 24.1 to 24.1.3_1.... And at the same time the console showed 24.1.3_1. 

!!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
! A critical upgrade is in progress. !
! Please do not turn off the system. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Installing kernel-24.1.2-amd64.txz... done
Installing base-24.1.2-amd64.txz... done
Cleaning obsolete files... done
Please reboot.
***REBOOT***

#4
Giving this more thought, I'd only want to alert when windowsupdate.com is in the URL.  All other values drop or block.

Need to figure out how to do that.
#5
I see two Emerging Threat alerts each time I ask windows to check for updates:

ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY PE EXE or DLL Windows file download HTTP

The alerts always have some long string ending with windowsupdate.com in the "http url" field.

I don't get why there is a detection rule on this.

Suricata doesn't know when a Windows host requests an update (I presume) and so cannot tell a legit incoming Windows update from a real threat.  Other than seeing the entry in the threat log and deducing it's OK based on how frequently it's in there and the time of day, what more should one do when seeing these alerts?

#6
> However before downloading the config of my bare metal, I upgraded to 24.1.1 to avoid differences...
Good tip, thanks.
#7
This question is for 24.1.x release, coming from 23.7.12_5.

If I were to do a clean install of 24.1.x and import a 23.7.12 configuration, as opposed to upgrading "in place", what do I have to set up, install or configure manually?

GeoIP/MaxMind setup? schedule? rules etc.?
Intrusion Detection emerging threats telemetry? License? Rulesets? Disabled and Enabled Rules? etc.
Not using ZenArmor.
Firewall log file viewing templates?
Additional users, roles passwords?
#8
Quote from: Fright on December 26, 2023, 05:46:05 PM
> 1. Alerts
> 2. Alerts
> 3. Drops
Thanks.

I now see where this is stated in the documentation, here, this statement for IPS Mode:
> When enabled, the system can drop suspicious packets. In order for this to work, your network card needs to support netmap. The action for a rule needs to be "drop" in order to discard the packet, this can be configured per rule or ruleset (using an input filter).

That all rulesets and rules download with Alert, none with Drop, is what was confusing.
#9
I'm old and slow on some of these points.  Let me ask again:

When Intrusion Detection Enabled and IPS mode=Disabled:
1. What does a rule with Action = Drop do?

When Intrusion Detection Enabled and IPS mode=Enabled:
2. What does a rule with Action = Alert do?
3. What does a rule with Action = Drop do?

Extra credit:
4. Is there a way (an easy way) to test any of these cases?  I already have done the eicar test file with the eicar test rule.

#10
Main question: What purpose does the setting enable "IPS Mode" serve when all rules (that I am able to download) default to alert?

And, to add to my confusion:

- If I change (via a policy) some rules to have action = drop (per here), do I also need IPS mode to be enabled? Or will the drop also occur in IDS mode? I can't test any of this and I cannot find a clear answer in the documents.
- Does IPS mode somehow override all "drop" actions and make them "block"?
- Is there a precedence, IPS mode over Action = Block?

Some background (call it my 'dumb user' use case):
I followed the instructions at 25:16 to 29:25 in this video. I understand that things have changed since Oct 2020. Specifically the "Enable (drop filter)" button is no longer present where you download rules, replaced with a menu entry for Policy where you can set a policy affecting any number of rules, all of which is good because it seems to give much greater granularity. 

However, every rule I can get (all the base rules plus the etpro-telemetry via the plugin + a free token, 113,685 in all) is created with action = alert. None (as in zero) get created with action = block. Is this correct? If it is correct, and if IPS mode does not override any action = alert, then ... I'm very confused how everything (rules, newly downloaded rules, and IPS mode) is intended to work together.
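The rule-action and IDS/IPS-mode interplay asked about in #8 to #10, as an added example that is not from this thread nor from OPNsense or Suricata code: a small Python model that parses constructed Suricata-style rules (all shipped as "alert", as observed above), applies a policy that flips selected SIDs to "drop", and reports whether a matching packet is merely logged or actually discarded. The sample rules, SIDs and the `apply_policy` helper are constructed for illustration; the decision logic follows the quoted documentation, which states that packets are discarded only when IPS mode is enabled and the rule action is "drop".

```python
"""
Added example (not from the forum thread, OPNsense or Suricata):
model how a rule's action combines with IDS vs IPS mode.
"""
import re
from dataclasses import dataclass

# Constructed sample rules in Suricata syntax; the SIDs are made up.
# Every rule is downloaded with action "alert", as the thread observes.
SAMPLE_RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE exe download"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh scan"; sid:1000002; rev:1;)',
    '# comment lines and blanks are skipped',
    'alert dns $HOME_NET any -> any 53 (msg:"SAMPLE dns query"; sid:1000003; rev:1;)',
]

# action keyword, then the rest of the rule, from which the sid is pulled
RULE_RE = re.compile(r'^(?P<action>alert|drop|pass)\s+(?P<rest>.*\bsid:(?P<sid>\d+);.*)$')


@dataclass
class Rule:
    action: str
    sid: int
    body: str


def parse_rules(lines):
    """Turn rule text into Rule objects, ignoring comments and blank lines."""
    rules = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(m.group("action"), int(m.group("sid")), m.group("rest")))
    return rules


def apply_policy(rules, drop_sids):
    """Hypothetical policy step: rewrite the action of the chosen SIDs to drop."""
    return [Rule("drop" if r.sid in drop_sids else r.action, r.sid, r.body) for r in rules]


def effective_outcome(rule, ips_mode):
    """What happens to a packet that matches `rule` in the given mode.

    Without IPS (inline/netmap) mode Suricata only observes a copy of the
    traffic, so even a "drop" rule can do no more than log an alert; with
    IPS mode enabled a "drop" rule discards the packet.
    """
    if rule.action == "drop" and ips_mode:
        return "blocked"
    if rule.action in ("drop", "alert"):
        return "alert only"
    return "passed"  # pass rules let matching traffic through unlogged
```

Running `effective_outcome(rule, ips_mode=False)` over a policy-modified ruleset shows why flipping rules to drop changes nothing until IPS mode is also enabled.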