General Discussion / Enabling IPS blocks traffic
« on: January 18, 2024, 12:20:36 am »
Greetings everyone,
I have installed OPNsense on my edge device (older Dell SFF - dual NIC). When I have the IPS enabled, it seems the signatures can update; however, eventually, without fail, my access to the web will be blocked or fail.
There is an error shown below; has anyone seen this before and knows the fix for it? I have tried this three different times, separated by 2 weeks, to ensure it is the IPS service that is causing this.
Errors:
+++
2023-12-22T15:11:52-06:00 Error suricata [100166] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp [98.168.31.145,98.210.71.205,98.24.213.184,98.29.204.31,98.36.85.132,98.38.105.185,98.57.245.167,98.63.3.30,98.96.164.184,99.111.119.180] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 872"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522871; rev:5381; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Informational, created_at 2008_12_01, updated_at 2023_12_21;)" from file /usr/local/etc/suricata/opnsense.rules/et_open.tor.rules at line 1044
2023-12-22T15:11:52-06:00 Error suricata [100166] <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp [98.168.31.145,98.210.71.205,98.24.213.184,98.29.204.31,98.36.85.132,98.38.105.185,98.57.245.167,98.63.3.30,98.96.164.184,99.111.119.180] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 872"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522871; rev:5381; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Informational, created_at 2008_12_01, updated_at 2023_12_21;)"
+++
Has anyone seen this before? Also, I noticed that when the IPS service is enabled, OPNsense tries to renew its DHCP public interface address for some strange reason, which also halts traffic because the process fails to return a new or re-issued IP address from my ISP.
Anyone encountered this problem before? I have also removed and reinstalled OPNsense with the same results.
Thanks,
John
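The two log lines in the post report the same signature (sid 2522871) once as unparseable and once as a duplicate, which usually points at the same rule having been written twice into the compiled rules file. The script below is an added example, not part of the post or of OPNsense/Suricata; it scans a rules file for sids that occur more than once and pulls the error code, sid, file and line number out of suricata error lines in the format shown above. The rules content, the 192.0.2.x addresses and the log lines are constructed sample data, and the file path `example.rules` is a placeholder.

```python
"""Find duplicate sids in a Suricata rules file and summarise suricata
error log lines. All sample data below is constructed, not taken from
the poster's system."""
import re
from collections import defaultdict

# Constructed rules file: two distinct rules plus a verbatim repeat of the
# first one, which is the condition that makes Suricata report
# SC_ERR_DUPLICATE_SIG. Commented-out rules are ignored, as Suricata does.
SAMPLE_RULES = """\
# comment line, ignored
alert tcp [192.0.2.10,192.0.2.11] any -> $HOME_NET any (msg:"EXAMPLE group 1"; sid:9000001; rev:3;)
alert tcp [192.0.2.12] any -> $HOME_NET any (msg:"EXAMPLE group 2"; sid:9000002; rev:1;)

alert tcp [192.0.2.10,192.0.2.11] any -> $HOME_NET any (msg:"EXAMPLE group 1"; sid:9000001; rev:3;)
#alert tcp any any -> any any (msg:"disabled"; sid:9000001; rev:1;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')


def iter_rules(text):
    """Yield (line_no, sid, rev, rule_text) for every active rule line.
    sid/rev are None when the rule lacks them (Suricata would reject it)."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        sid_m = SID_RE.search(line)
        rev_m = REV_RE.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        rev = int(rev_m.group(1)) if rev_m else None
        yield line_no, sid, rev, line


def find_duplicate_sids(text):
    """Return {sid: [line numbers]} for every sid that appears more than once."""
    seen = defaultdict(list)
    for line_no, sid, _rev, _rule in iter_rules(text):
        if sid is not None:
            seen[sid].append(line_no)
    return {sid: lines for sid, lines in seen.items() if len(lines) > 1}


# Log line shape taken from the post's error output: timestamp, "Error
# suricata [pid] <Error> -- [ERRCODE: NAME(num)] - message".
LOG_RE = re.compile(
    r'^(?P<ts>\S+) Error suricata \[(?P<pid>\d+)\] <Error> -- '
    r'\[ERRCODE: (?P<code>[A-Z0-9_]+)\((?P<num>\d+)\)\] - (?P<msg>.*)$')
# Only the "error parsing signature" variant carries a file/line location.
LOC_RE = re.compile(r'from file (?P<file>\S+) at line (?P<line>\d+)')


def parse_suricata_errors(lines):
    """Return one dict (code, sid, file, line) per line that matches LOG_RE;
    non-matching lines are skipped."""
    out = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group('msg')
        sid_m = SID_RE.search(msg)
        loc_m = LOC_RE.search(msg)
        out.append({
            'code': m.group('code'),
            'sid': int(sid_m.group(1)) if sid_m else None,
            'file': loc_m.group('file') if loc_m else None,
            'line': int(loc_m.group('line')) if loc_m else None,
        })
    return out


# Constructed log lines in the post's format (rule body shortened,
# placeholder file name).
SAMPLE_LOG = [
    '2023-12-22T15:11:52-06:00 Error suricata [100166] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp [192.0.2.10] any -> $HOME_NET any (msg:"EXAMPLE"; sid:9000001; rev:3;)" from file /usr/local/etc/suricata/opnsense.rules/example.rules at line 4',
    '2023-12-22T15:11:52-06:00 Error suricata [100166] <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp [192.0.2.10] any -> $HOME_NET any (msg:"EXAMPLE"; sid:9000001; rev:3;)"',
    'unrelated line that is not a suricata error',
]

if __name__ == '__main__':
    for sid, lines in find_duplicate_sids(SAMPLE_RULES).items():
        print(f'sid {sid} appears on lines {lines}')
    for err in parse_suricata_errors(SAMPLE_LOG):
        print(err)
```

To run it against a real install, read the contents of the rules file named in the error line (the post's case is `/usr/local/etc/suricata/opnsense.rules/et_open.tor.rules`) into `find_duplicate_sids` and feed the suricata error log into `parse_suricata_errors`; a sid listed on two line numbers is the concrete thing to look at when Suricata reports `SC_ERR_DUPLICATE_SIG`.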