Messages

Hello everyone,

I'm encountering an issue with my OPNsense setup. During the execution of the script sensor_info.py located at /usr/local/opnsense/scripts/etpro_telemetry/, I am getting the following error:

Error
configd.py

[9012173e-136c-437f-a308-a85a12274648] Script action failed with Command '/usr/local/opnsense/scripts/etpro_telemetry/sensor_info.py ' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/actions/script_output.py", line 89, in execute subprocess.run(script_command, env=self.config_environment, shell=True, File "/usr/local/lib/python3.11/subprocess.py", line 571, in run raise CalledProcessError(retcode, process.args, subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/etpro_telemetry/sensor_info.py ' returned non-zero exit status 1.

Has anyone else encountered this issue or can point me in the right direction to resolve it?

Type: opnsense-business    
Version: 25.10_2    
Architecture: amd64    
Commit: 89445f333    
Repositories: OPNsense (Priority: 11)    
Updated on: Thu Oct 23 18:59:03 CEST 2025


Hi,

I'm encountering an error in OPNsense related to Suricata, and I'm unsure where to report it or how to resolve it.
The error message I'm seeing is as follows:

 [109203] <Error> -- error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO MALWARE TA399/Sidewinder StealerBot CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/MoFA/"; startswith; fast_pattern; pcre:"/^[a-f0-9]{8}(?:\x3fe\x3d.*p\x3d.*\xw\x3d)?/R"; http.header_names; content:!"|0d 0a|user-agent|0d 0a|"; nocase; reference:md5,b55f692ccc11496e2772705060f3d9d2; classtype:trojan-activity; sid:2864929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_and_Server, tls_state TLSDecrypt, created_at 2025_10_17, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag TA399, updated_at 2025_10_17, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name exfiltration_over_C2_channel;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-malware.rules at line 6545


also this error was logged too:

suricata
[109203] <Error> -- pcre2 compile of "/^[a-f0-9]{8}(?:\x3fe\x3d.*p\x3d.*\xw\x3d)?/R" failed at offset 35: digits missing after \x or in \x{} or \o{} or \N{U+}

This seems to be related to an issue with the parsing of a signature in the "emerging-malware.rules" file, specifically around the "Sidewinder StealerBot" CnC checkin detection.

Could anyone suggest where I should report this issue or if there's a specific fix I should apply? Is this a known problem with Suricata's signature parsing or OPNsense's Suricata implementation?

Thanks in advance for any help!

Nope its not working with a redirect rule.

Opnsense is using chrony plugin


My client which is running Ubuntu 25.10 is using by default Chrony with NTS.

If the 123/UDP redirect rule is active and my LAN client uses Chrony with NTS (Network Time Security), it won't work.

If the 123/UDP redirect rule is active and my LAN client uses Chrony without NTS, it works.

If the 123/UDP redirect rule is inactive and my LAN client uses Chrony with NTS, it works.


my setup

internet -> modem -> opnsense firewall -> router -> network devices



Output of my LAN client with Chrony and NTS and active 123/UDP redirect rule:

Code Select Expand

ubuntu@ubuntu:~$ sudo chronyc tracking
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000001 seconds fast of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 2.169 ppm fast
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised
ubuntu@ubuntu:~$ sudo systemctl status chronyd
● chrony.service - chrony, an NTP client/server
     Loaded: loaded (/usr/lib/systemd/system/chrony.service; enabled; preset: enabled)
     Active: active (running) since Sun 2025-10-19 14:10:23 CEST; 18min ago
 Invocation: 8fc8127e9e5749de904bac3d8035352c
       Docs: man:chronyd(8)
             man:chronyc(1)
             man:chrony.conf(5)
   Main PID: 9258 (chronyd-starter)
      Tasks: 3 (limit: 75408)
     Memory: 6.1M (peak: 7.3M)
        CPU: 221ms
     CGroup: /system.slice/chrony.service
             ├─9258 /bin/sh /usr/lib/systemd/scripts/chronyd-starter.sh -n -F 1
             ├─9270 /usr/sbin/chronyd -n -F 1
             └─9271 /usr/sbin/chronyd -n -F 1

Oct 19 14:10:23 ubuntu chronyd[9270]: Frequency 2.169 +/- 1.737 ppm read from /var/lib/chrony/chrony.drift
Oct 19 14:10:23 ubuntu chronyd[9270]: Loaded seccomp filter (level 1)
Oct 19 14:10:23 ubuntu chronyd[9270]: Added pool 1.ntp.ubuntu.com
Oct 19 14:10:23 ubuntu chronyd[9270]: Added source 192.168.178.1
Oct 19 14:10:23 ubuntu systemd[1]: Started chrony.service - chrony, an NTP client/server.
Oct 19 14:10:23 ubuntu chronyd[9270]: Added pool 2.ntp.ubuntu.com
Oct 19 14:10:23 ubuntu chronyd[9270]: Added pool 3.ntp.ubuntu.com
Oct 19 14:10:23 ubuntu chronyd[9270]: Added pool 4.ntp.ubuntu.com
Oct 19 14:10:23 ubuntu chronyd[9270]: Added pool ntp-bootstrap.ubuntu.com
Oct 19 14:10:39 ubuntu chronyd[9270]: Can't synchronise: no selectable sources (11 unreachable sources)


Hi everyone,

I'm trying to set up my network in a way that forces all NTP (Network Time Protocol) traffic to go through my OPNsense firewall so it can handle time synchronization via Chrony. Here's what I have so far:

I have Chrony installed and running on my OPNsense firewall.

Some of my devices on the network use Chrony as their NTP client with NTS.

I want to redirect all outgoing NTP requests from these devices to OPNsense, essentially forcing them to sync time through OPNsense.

I'm considering using NAT redirection and firewall rules similar to how DNS requests are handled, but I'm not sure if NTP traffic can be redirected in the same way.

Specifically, I have a few questions:

1. Is it possible to redirect NTP traffic (UDP port 123) to OPNsense using firewall rules and NAT?

2. Can OPNsense act as the sole time server for all devices in my network, and how would I set that up?

3. Since some of my devices use Chrony with NTS, will OPNsense be able to handle these requests, or do I need additional configuration?

Ideally, I'd like to accomplish this with something similar to the way DNS redirection works using firewall rules and NAT redirection to force all NTP traffic to go through OPNsense.

also my root user name is not root i was able to modify the username when setting up my system

I've created a github bug issue it can be found here: https://github.com/opnsense/core/issues/9246

I'm not very familiar with the codebase, but I don't see why adding OTP or other non-critical information to a user account should be restricted, especially when the username or other core fields aren't being altered. I understand that the root username itself should not be changed or deleted, but I believe users should still be able to modify other fields (like enabling OTP) without issues.

When attempting to enable OTP for my administrator account, I received an error indicating that the username cannot be changed, even though I didn't modify it only attempted to add OTP.

what about the business release?

Why is it happening? and how can i fix that?

System -> Firmware -> Mirror -> Deciso (HTTPS, NL, Commercial)
IPv6 -> disabled
Unbound DNS -> yes
Kea DHCP -> yes


System -> Firmware -> Run an audit -> Connectivity Check:

Code Select Expand

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 25.4.1 (amd64) at Sun Jun 22 14:06:02 CEST 2025
Strict TLS 1.3 and CRL checking is enabled.
Checking connectivity for host: opnsense-update.deciso.com -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=55 time=37.200 ms
1508 bytes from 89.149.211.205: icmp_seq=1 ttl=55 time=22.135 ms
1508 bytes from 89.149.211.205: icmp_seq=2 ttl=55 time=23.714 ms
1508 bytes from 89.149.211.205: icmp_seq=3 ttl=55 time=22.244 ms

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 22.135/26.323/37.200/6.311 ms
Checking connectivity for repository (IPv4): https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 875 packages processed.
All repositories are up to date.
Checking connectivity for host: opnsense-update.deciso.com -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4
Updating OPNsense repository catalogue...
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: opnsense-update.deciso.com
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G3
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS ECC CA G1
verify return:1
depth=0 CN = opnsense-update.deciso.com
verify return:1
DONE
***DONE***


Thanks for the suggestion. I actually already tried that using curl, but it didn't trigger anything in OPNsense.

Hey everyone,

I recently enabled Suricata IDS on my setup, and I'm running into a couple of issues that I'm not sure how to properly diagnose or fix.

First off, I'm not seeing any alerts, even though I suspect my network isn't totally clean.

I did enter the et_telemetry.token under Services > Intrusion Detection, and I can confirm Suricata is running.

However, just enabling it doesn't seem to make it actually do anything useful — or at least I'm not getting any alerts/logs that indicate it's catching threats.

Additionally, I'm seeing a bunch of flowbit-related warnings in the logs, like these:

Code Select Expand

2025-06-08T06:36:45 Notice suricata [100780] <Notice> -- Threads created -> W: 16 FM: 1 FR: 1   Engine started.
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023672 and 1 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.http.binary' is checked but not set. Checked in 2029335 and 1 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.DMTP_Protocol' is checked but not set. Checked in 2858384 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.HTA.Download' is checked but not set. Checked in 2816701 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.http.javaclient' is checked but not set. Checked in 2015657 and 0 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
2025-06-08T06:31:39 Warning suricata [100780] <Warning> -- flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
2025-06-08T06:30:32 Notice suricata [100780] <Notice> -- Syslog: facility local5, level Info, ident suricata
2025-06-08T06:30:31 Notice suricata [100460] <Notice> -- This is Suricata version 7.0.10 RELEASE running in SYSTEM mode

It looks like certain rules are being loaded that rely on other rules setting flowbits that aren't active?

So I have a few questions I hope someone can help me with:

How can I confirm that Suricata is actively inspecting traffic and generating alerts correctly?
Is there a step-by-step tutorial or test method (e.g. safe malicious payload or simulated attack) I can use?

Do I need to manually enable or add the rules that set these flowbits? Or is this normal?

Is there a known-good ruleset I should be using (e.g. Emerging Threats Open vs. Pro) that avoids this issue?

Would appreciate any help or pointers — just trying to make sure this is actually working and not just burning CPU for no reason 😅

Thanks in advance!