Messages - Tenn-it

#1
Thanks for responding!

No vLANs in use.

I did go to the two physical interfaces (WAN and LAN) and neither has "Promiscuous" enabled. Should I have them that way even if I don't have vLANs?

When I checked overwrite, I do see the three boxes for CRC, TSO, LRO offloading (which are unchecked). There is also a drop down for "Enable vLAN hardware filtering"...if no vLANs do I set it to "Disable vLAN hardware filtering" or "default"?

Thanks again!!




#2
I've had a VM running OPNsense 25.1.10 (amd64) with Suricata running for about three months. Recently, after a little while, I start getting thousands of errors like: "netmap_transmit           xn0 full hwcur 362 hwtail 880 qlen 50". It ended up bringing the virtual machine to its knees until I reboot the VM.

The VM has 20GB of RAM.

Anyone have any ideas?
Thanks!


Startup log below:
<173>1 2025-07-13T15:09:17-04:00 nam-of-the-idsserver suricata 25156 - [meta sequenceId="1"] [100755] <Notice> -- This is Suricata version 7.0.10 RELEASE running in SYSTEM mode
<171>1 2025-07-13T15:09:28-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="2"] [100304] <Error> -- no terminating ";" found
<171>1 2025-07-13T15:09:28-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="3"] [100304] <Error> -- error parsing signature "alert tls $HOME_NET any -> any any (msg:"ET MALWARE Observed " from file /usr/local/etc/suricata/opnsense.rules/emerging-malware.rules at line 40944
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="4"] [100304] <Warning> -- flowbit 'ET.000webhostpost' is checked but not set. Checked in 2052143 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="5"] [100304] <Warning> -- flowbit 'ET.http.binary' is checked but not set. Checked in 2023741 and 4 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="6"] [100304] <Warning> -- flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017181 and 5 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="7"] [100304] <Warning> -- flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 9 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="8"] [100304] <Warning> -- flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="9"] [100304] <Warning> -- flowbit 'dcerpc.rpcnetlogon' is checked but not set. Checked in 2030870 and 6 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="10"] [100304] <Warning> -- flowbit 'ET.BonitaDefaultCreds' is checked but not set. Checked in 2036817 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="11"] [100304] <Warning> -- flowbit 'ET.ErlangOTPBanner' is checked but not set. Checked in 2061797 and 1 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="12"] [100304] <Warning> -- flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 4 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="13"] [100304] <Warning> -- flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2013036 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="14"] [100304] <Warning> -- flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="15"] [100304] <Warning> -- flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="16"] [100304] <Warning> -- flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="17"] [100304] <Warning> -- flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="18"] [100304] <Warning> -- flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="19"] [100304] <Warning> -- flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="20"] [100304] <Warning> -- flowbit 'et.MCOFF' is checked but not set. Checked in 2022303 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="21"] [100304] <Warning> -- flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="22"] [100304] <Warning> -- flowbit 'ET.armwget' is checked but not set. Checked in 2024242 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="23"] [100304] <Warning> -- flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="24"] [100304] <Warning> -- flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="25"] [100304] <Warning> -- flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="26"] [100304] <Warning> -- flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="27"] [100304] <Warning> -- flowbit 'ET.generictelegram' is checked but not set. Checked in 2045614 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="28"] [100304] <Warning> -- flowbit 'ET.BunnyLoader.Checkin' is checked but not set. Checked in 2048398 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="29"] [100304] <Warning> -- flowbit 'ET.WebDAVURL' is checked but not set. Checked in 2049320 and 2 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="30"] [100304] <Warning> -- flowbit 'ET.implantjs.syn' is checked but not set. Checked in 2060257 and 2 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="31"] [100304] <Warning> -- flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019823 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="32"] [100304] <Warning> -- flowbit 'ETPRO.RTF' is checked but not set. Checked in 2020700 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="33"] [100304] <Warning> -- flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2023313 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="34"] [100304] <Warning> -- flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="35"] [100304] <Warning> -- flowbit 'exe.no.referer' is checked but not set. Checked in 2020500 and 0 other sigs
<173>1 2025-07-13T15:10:01-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="36"] [100304] <Notice> -- Threads created -> W: 2 FM: 1 FR: 1   Engine started.




Errors below:



<13>1 2025-07-02T15:40:40-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="23"] <118>Root file system: zroot/ROOT/default
<13>1 2025-07-02T15:40:40-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="24"] <118>Wed Jul  2 15:40:40 EDT 2025
<13>1 2025-07-02T15:40:40-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="25"] <118>
<13>1 2025-07-02T15:40:40-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="26"] <118>*** nam-of-the-idsserver: OPNsense 25.1.10 (amd64) ***
<13>1 2025-07-02T15:40:40-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="27"] <118>
<13>1 2025-07-02T15:40:40-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="28"] <118> LAN (xn0)       -> v4: 192.168.0.2/xx
<13>1 2025-07-02T15:40:40-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="29"] <118> WAN (xn1)       -> v4: xx.xxx.xxx.xxx/xx
<13>1 2025-07-02T15:40:40-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="30"] <118>
<13>1 2025-07-02T15:41:25-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="33"] 285.766612 [1167] generic_netmap_attach     Emulated adapter for xn0 created (prev was NULL)
<13>1 2025-07-02T15:41:25-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="34"] 285.781603 [1072] generic_netmap_dtor       Emulated netmap adapter for xn0 destroyed
<13>1 2025-07-02T15:41:25-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="35"] 285.794488 [1167] generic_netmap_attach     Emulated adapter for xn0 created (prev was NULL)
<13>1 2025-07-02T15:41:25-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="36"] 285.809834 [1072] generic_netmap_dtor       Emulated netmap adapter for xn0 destroyed
<13>1 2025-07-02T15:41:25-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="37"] 285.844324 [1167] generic_netmap_attach     Emulated adapter for xn0 created (prev was NULL)
<13>1 2025-07-02T15:41:25-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="38"] 285.858629 [1072] generic_netmap_dtor       Emulated netmap adapter for xn0 destroyed
<13>1 2025-07-02T15:41:25-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="39"] <6>xn0: permanently promiscuous mode enabled
<13>1 2025-07-02T15:41:25-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="40"] 285.887130 [1167] generic_netmap_attach     Emulated adapter for xn0 created (prev was NULL)
<13>1 2025-07-02T15:41:26-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="41"] 286.192069 [ 319] generic_netmap_register   Emulated adapter for xn0 activated
<13>1 2025-07-02T15:52:57-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="1"] 976.888029 [4335] netmap_transmit           xn0 full hwcur 558 hwtail 132 qlen 425
<13>1 2025-07-02T15:52:57-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="2"] 976.902846 [4335] netmap_transmit           xn0 full hwcur 558 hwtail 132 qlen 425
<13>1 2025-07-02T15:53:44-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="3"] 024.214751 [4335] netmap_transmit           xn0 full hwcur 938 hwtail 412 qlen 525
<13>1 2025-07-02T15:53:44-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="4"] 024.227159 [4335] netmap_transmit           xn0 full hwcur 938 hwtail 412 qlen 525
<13>1 2025-07-02T16:18:34-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="1"] 514.010592 [4335] netmap_transmit           xn0 full hwcur 417 hwtail 968 qlen 472
<13>1 2025-07-02T16:18:34-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="2"] 514.025031 [4335] netmap_transmit           xn0 full hwcur 417 hwtail 968 qlen 472
<13>1 2025-07-02T16:18:35-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="3"] 515.271374 [4335] netmap_transmit           xn0 full hwcur 15 hwtail 564 qlen 474
<13>1 2025-07-02T16:18:35-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="4"] 515.285723 [4335] netmap_transmit           xn0 full hwcur 15 hwtail 564 qlen 474
<13>1 2025-07-02T16:18:36-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="5"] 516.835447 [4335] netmap_transmit           xn0 full hwcur 223 hwtail 622 qlen 624
<13>1 2025-07-02T16:18:36-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="6"] 516.844906 [4335] netmap_transmit           xn0 full hwcur 223 hwtail 622 qlen 624
<13>1 2025-07-02T16:18:37-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="7"] 517.103792 [4335] netmap_transmit           xn0 full hwcur 908 hwtail 433 qlen 474
<13>1 2025-07-02T16:18:52-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="8"] 532.421643 [4335] netmap_transmit           xn0 full hwcur 619 hwtail 128 qlen 490
<13>1 2025-07-02T16:18:52-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="9"] 532.434464 [4335] netmap_transmit           xn0 full hwcur 619 hwtail 128 qlen 490
<13>1 2025-07-02T16:18:54-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="10"] 533.966516 [4335] netmap_transmit           xn0 full hwcur 469 hwtail 51 qlen 417
<13>1 2025-07-02T16:18:54-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="11"] 533.981784 [4335] netmap_transmit           xn0 full hwcur 469 hwtail 51 qlen 417
<13>1 2025-07-02T16:18:55-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="12"] 535.687712 [4335] netmap_transmit           xn0 full hwcur 284 hwtail 826 qlen 481
<13>1 2025-07-02T16:18:55-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="13"] 535.702045 [4335] netmap_transmit           xn0 full hwcur 284 hwtail 826 qlen 481
<13>1 2025-07-02T16:19:03-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="14"] 542.972322 [4335] netmap_transmit           xn0 full hwcur 799 hwtail 313 qlen 485
<13>1 2025-07-02T16:19:03-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="15"] 542.983285 [4335] netmap_transmit           xn0 full hwcur 799 hwtail 313 qlen 485
<13>1 2025-07-02T16:19:05-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="16"] 545.451038 [4335] netmap_transmit           xn0 full hwcur 33 hwtail 558 qlen 498
<13>1 2025-07-02T16:19:05-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="17"] 545.464260 [4335] netmap_transmit           xn0 full hwcur 33 hwtail 558 qlen 498
<13>1 2025-07-02T16:19:08-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="18"] 548.026341 [4335] netmap_transmit           xn0 full hwcur 362 hwtail 880 qlen 505
<13>1 2025-07-02T16:19:08-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="19"] 548.042121 [4335] netmap_transmit           xn0 full hwcur 362 hwtail 880 qlen 505
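
Added example, not part of the original posts: a small Python triage script that counts the `netmap_transmit ... full` kernel messages quoted above per interface and per minute, and records the largest `qlen` seen. The sample lines are constructed from the formats shown in the posts; the hostname `fw` and the `burst_threshold` parameter are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the kernel lines quoted in the posts above;
# the hostname "fw" is a placeholder.
SAMPLE = """\
<13>1 2025-07-02T15:41:26-04:00 fw kernel - - [meta sequenceId="41"] 286.192069 [ 319] generic_netmap_register   Emulated adapter for xn0 activated
<13>1 2025-07-02T15:52:57-04:00 fw kernel - - [meta sequenceId="1"] 976.888029 [4335] netmap_transmit           xn0 full hwcur 558 hwtail 132 qlen 425
<13>1 2025-07-02T15:52:57-04:00 fw kernel - - [meta sequenceId="2"] 976.902846 [4335] netmap_transmit           xn0 full hwcur 558 hwtail 132 qlen 425
<13>1 2025-07-02T16:18:34-04:00 fw kernel - - [meta sequenceId="1"] 514.010592 [4335] netmap_transmit           xn0 full hwcur 417 hwtail 968 qlen 472
<13>1 2025-07-02T16:18:35-04:00 fw kernel - - [meta sequenceId="3"] 515.271374 [4335] netmap_transmit           xn0 full hwcur 15 hwtail 564 qlen 474
<13>1 2025-07-02T16:18:36-04:00 fw kernel - - [meta sequenceId="5"] 516.835447 [4335] netmap_transmit           xn0 full hwcur 223 hwtail 622 qlen 624
<13>1 2025-07-02T16:18:52-04:00 fw kernel - - [meta sequenceId="8"] 532.421643 [4335] netmap_transmit           xn0 full hwcur 619 hwtail 128 qlen 490
2025-06-07T09:55:48-04:00   Notice   kernel   548.746013 [4335] netmap_transmit em1 full hwcur 411 hwtail 411 qlen 1023
"""

# Matches both layouts seen on the page: the syslog export and the GUI log view.
EVENT = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}).*?"
    r"netmap_transmit\s+(?P<ifname>\S+)\s+full\s+hwcur\s+(?P<hwcur>\d+)\s+"
    r"hwtail\s+(?P<hwtail>\d+)\s+qlen\s+(?P<qlen>\d+)"
)

def parse_events(text):
    """Return one dict per 'netmap_transmit <if> full' line; skip everything else."""
    events = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "ifname": m["ifname"],
                           "hwcur": int(m["hwcur"]), "hwtail": int(m["hwtail"]),
                           "qlen": int(m["qlen"])})
    return events

def summarize(events, burst_threshold=3):
    """Totals and max qlen per interface, plus minutes with >= burst_threshold events."""
    per_minute, max_qlen = Counter(), {}
    for e in events:
        per_minute[(e["ifname"], e["ts"].replace(second=0))] += 1
        max_qlen[e["ifname"]] = max(max_qlen.get(e["ifname"], 0), e["qlen"])
    bursts = sorted((i, minute.isoformat(), n)
                    for (i, minute), n in per_minute.items() if n >= burst_threshold)
    return {"total": dict(Counter(e["ifname"] for e in events)),
            "max_qlen": max_qlen, "bursts": bursts}

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE)))
```
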
#3
Thanks so much!!
I know this is a dumb question but what if I don't use DHCPD?
#4
Thanks!
#5
I currently use OPNsense and have been for over a year. Previously I used pfSense. The OPNsense setup is a VM and works great.

Currently, the OPNsense VM serves as the internet gateway for our network. It also has two public facing IP addresses. One is the WAN and one is a virtual IP address.

The two public IP addresses are static IP addresses and both have ports forwarded to internal devices.

These are the fictitious addresses:
LAN = 192.168.1.50
WAN=12.345.67/24
WAN2 (virtual IP)= 12.345.68/24

I don't have a third public ip address available.

Currently I have this VM installed on two hosts with identical setups. I can start one and it works, I can then stop it and start the other and it works. I just want to have it so that if one dies, the other will take over and vice versa.

Is that possible?

Thanks!
#6
Last week, my OPNsense VM locked up tight as a drum. When I looked at the VM, errors similar to below were flying by:

2025-06-07T09:55:48-04:00   Notice   kernel   548.746013 [4335] netmap_transmit em1 full hwcur 411 hwtail 411 qlen 1023   
2025-06-07T09:55:48-04:00   Notice   kernel   547.903036 [4335] netmap_transmit em1 full hwcur 411 hwtail 411 qlen 1023   
2025-06-07T09:55:47-04:00   Notice   kernel   547.324230 [4335] netmap_transmit xem1 full hwcur 411 hwtail 411 qlen 1023

I rebooted the VM and all was well.

Yesterday it happened again.
I run Zenarmor on the LAN and Suricata on the WAN.


I've been using this same VM for almost a year and it has always worked great.

This info is on the dashboard


Versions
OPNsense 25.1.7_4-amd64
FreeBSD 14.2-RELEASE-p3
OpenSSL 3.0.16


Memory = 36.25%
Disk = 14%
Firewall states = 0.20%

Any ideas?

Thanks!

#7
Zenarmor (Sensei) / Zenarmor block google
February 23, 2025, 07:52:09 PM
I'm testing Zenarmor. AD DNS forwards DNS requests to OPNsense which is running Zenarmor. As soon as Zenarmor starts, no machines can resolve google.com (or www.google.com); you can't go there with a browser nor can you ping it. If I stop Zenarmor, google.com starts working again.

If I log into Zenarmor and go to live sessions, there is nothing under threats or blocks that shows it being blocked.