Messages - jfou1987

#1
Quote from: sopex8260 on March 15, 2026, 05:15:55 PM
Is Suricata processing encrypted traffic? I mean you are probably exceeding the memory limit of Suricata, but I have never seen it happen with encrypted traffic.

Maybe ... but I don't know how to handle this.
It happened on a simple HTTPS SwissTransfer, but the issue is also happening with a simple FTP passive transfer. Not encrypted.

#2
Thanks for your reply. Maybe I should specify my intention.
I tried to add an extra level of protection for the external traffic that goes into the LAN.
To be clear, I have a business licence for our DEC4240, and I've got an OPNWAF service for an internal tool, working on PHP/Laravel.
I know the WAF already achieves good protection.

I also have 2 other computers (isolated in a DMZ subnet) which can be contacted through an inbound NAT rule.

I had set up the IDS for some months, and after downloading some recommended rules, enabled some.
I discovered in the alert tab that there is a Zmap scan alert, about twice a day, to the WAF appliance.
I enabled IPS and changed the behaviour to block those scans.

That's why i enabled the WAN interface.

To be honest, the IDS/IPS is something complex to me. Maybe I don't need the IDS/IPS.
It's maybe overkill protection with both firewalling and the IPS on the same inbound path.
Maybe I just need the IPS for the inbound-to-outbound traffic?

I already read the provided manual, to set up OPNsense and to understand the particular concepts.
We don't use IPv6, either on WAN or LAN sides.

If you have something to clear my mind :-)
Thank you

#3
Hello, thanks for the reply. Of course, I started with IDS for a few months, only some Zmap alerts; that's why I enabled IPS.
There is no alert regarding this particular issue. That's why it's strange.

The AI told me it needs a bypass rule for large files, or to adapt stream reassembly, depth or memcap.
It also told me this is related to the Suricata engine, not to a rule.
But as far as I know, editing the YAML file is not persistent across a reboot.

Do you have any idea?

#4
Hello,

Sorry if this issue was already discussed, but I didn't find any related topics.
I activated IPS 2 weeks ago because I discovered some Zmap scans on my OPNWAF, and decided to block them.

From then on I discovered an issue. Now I'm sure it's related to IPS, because when I disable it, this issue goes away.

Last week, I started to download a 2.9 GB video file with SwissTransfer in Chrome (HTTPS) and the transfer stays at 99.9%. It never completes.
I suspected a file issue because I downloaded another video file minutes before, but only 10 MB.

Yesterday, for the second time, an automated FTP download script failed at the end of the download.
I can reproduce the error with the same file in FileZilla, on another computer, but behind the same OPNsense.

After doing some research I can now affirm that IPS is responsible for that. My findings told me there is something related to TCP session time/file size in the IPS packet analysis.

I tried to change the detection profile to high (recommended by AI).
I only monitor WAN interfaces, no promiscuous mode, and I disabled all hardware offloading.
Now i cannot find a workaround.

Do you have any idea for me?

#5
Hello Abdullah,

During the debugging process, to see what happens, I checked all the IPs I used to test the inbound access through GeoIP.
There were an Orange 5G, Proximus 5G, Proximus home VDSL, Colt pro VDSL and Proximus Explore pro fiber.
All those IPs were in your database (through the website) and correctly flagged BE.

But as I said, the txt file present in the OPNsense repository (there was also an MD5 file, so I'm aware there is an integrity verification) contains only a small amount of IPv4 addresses, but a bunch of IPv6.

Here's again the copy of the mentioned file: https://uploadnow.io/f/Qzn9R5G

I used the Python script to force downloading again, and the file was still the same.

I don't know why, when I created a new list in the OPNsense aliases, the content turned out OK.

#6
Hello Abdullah,

As others explained, it was concerning a bunch of IP addresses. And in my case, I was testing a lot of Belgian (verified) IP addresses from different providers.
I don't know if it was the OPNsense parsing method or the CSV file being corrupted. But there was a serious issue.
The file was not complete. As I said, for example in Belgium, the IP range was limited to 5.x.x.x.
We solved the issue by creating a new whitelist in our appliance.

#7
Quote from: Monviech (Cedrik) on January 21, 2026, 12:45:01 PM
Then go to "Firewall - Aliases" and create a new alias that contains Belgium.
After saving and apply, go to "Firewall - Diagnostics - Aliases" and check the contents of the alias you just created.

I just did it, and the problem was solved! Thank you for your help.

I think robvdw was right; there was an issue at IPinfo yesterday.

#8
Quote from: franco on January 20, 2026, 10:06:41 PM
I've asked IPinfo to take a look. Also make sure the maximum table entries value is not too small.


Cheers,
Franco

Of course, I'm only at 3%.

#9
Quote from: sopex8260 on January 20, 2026, 09:57:01 PM
Maxmind or IPinfo? Anyway, this is not an OPNsense issue :( It must be reported to the provider.

I already got in touch with Robert at Deciso about that specific issue.

I downloaded the Belgian whitelist; it contains almost only IPv6.
Only some IPv4, but as the list is in alphanumerical order, I can see nothing more after 5.x.x.x is listed ...

Take a look: https://uploadnow.io/f/Qzn9R5G

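
Posts #5 and #9 above describe the same symptom: the downloaded country list ships with an MD5 sidecar, yet its content was almost entirely IPv6 and the IPv4 entries stopped at 5.x.x.x. The script below is an added example (not code from the thread, from OPNsense, or from the GeoIP provider) of the sanity check a practitioner would run on such a list before trusting it in a firewall alias: verify the MD5 against the sidecar, count IPv4 versus IPv6 networks, and flag a list whose IPv4 share or highest IPv4 first octet is implausibly low. The sample list, its MD5, and the thresholds in `looks_truncated` are constructed assumptions for illustration; the real file format is assumed to be one network per line.

```python
import hashlib
import ipaddress
import sys

# Constructed sample data (not the real provider file): a few networks in the
# "one network per line" shape assumed here, plus an MD5 standing in for the
# sidecar file that ships next to the list.
SAMPLE_LIST = b"""5.20.0.0/16
5.23.0.0/16
2a02:a03f::/32
2a02:578::/32
2a02:1810::/32
"""
SAMPLE_MD5 = hashlib.md5(SAMPLE_LIST).hexdigest()


def verify_md5(data: bytes, expected_hex: str) -> bool:
    """Integrity check: the list must match the published MD5 before its contents are trusted."""
    return hashlib.md5(data).hexdigest() == expected_hex.strip().lower()


def summarise(data: bytes) -> dict:
    """Count IPv4 and IPv6 networks and record the highest IPv4 first octet seen.

    A country list that is almost all IPv6, or whose IPv4 entries never get past a
    low first octet, is truncated or mis-parsed rather than a real picture of that
    country's address space. Unparseable lines are collected instead of ignored.
    """
    v4, v6, invalid = 0, 0, []
    max_first_octet = -1
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            invalid.append(line)
            continue
        if net.version == 4:
            v4 += 1
            # packed[0] is the first octet as an int
            max_first_octet = max(max_first_octet, net.network_address.packed[0])
        else:
            v6 += 1
    return {"ipv4": v4, "ipv6": v6, "invalid": invalid,
            "max_ipv4_first_octet": max_first_octet}


def looks_truncated(summary: dict, min_ipv4_share: float = 0.25,
                    min_first_octet: int = 100) -> bool:
    """Heuristic (thresholds are assumptions, tune per country): flag a list that is
    mostly IPv6 or whose IPv4 space ends at a suspiciously low first octet."""
    total = summary["ipv4"] + summary["ipv6"]
    if total == 0:
        return True
    share = summary["ipv4"] / total
    return share < min_ipv4_share or summary["max_ipv4_first_octet"] < min_first_octet


def check_list(data: bytes, expected_md5: str) -> dict:
    """Run both checks and return a verdict the caller can act on (e.g. refuse to load
    the alias, or alert) without printing anything."""
    summary = summarise(data)
    summary["md5_ok"] = verify_md5(data, expected_md5)
    summary["suspect"] = (not summary["md5_ok"]) or looks_truncated(summary)
    return summary


def main(argv):
    # Usage: python geoip_check.py <list.txt> <list.md5>; with no args, the
    # constructed sample is checked instead.
    if len(argv) == 3:
        with open(argv[1], "rb") as f:
            data = f.read()
        with open(argv[2]) as f:
            expected = f.read().split()[0]
    else:
        data, expected = SAMPLE_LIST, SAMPLE_MD5
    result = check_list(data, expected)
    for key, value in result.items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main(sys.argv)
```

On the constructed sample the MD5 passes but `suspect` is true: the list is 40% IPv4 with nothing above 5.x.x.x, which is exactly the shape described in the thread. A failed MD5 and a truncated-looking list are reported separately so that a corrupted download and a provider-side generation problem can be told apart.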
#10
Hello, I'm on the 25.10.1_2 business version.
Today, a road warrior user told me he can't connect to the VPN server anymore.
I tried on cellular with the same issue.
I found the problem. It's GeoIP. I only give access to Belgian IPs (BE). When disabled, it works again.
The GeoIP database was updated about 15 minutes ago. In the alias IP list (diagnostic/alias) I cannot find any of my Belgian (verified) IP addresses.
I temporarily added a whitelist for my user to let him work. But he's behind a dynamic IP internet connection. I will add his new IP when it changes.
Does anyone know if the provider of the business GeoIP list has an issue today?

#11
Hello,

I hope my question wasn't already asked, but I didn't find any exact situation.

I have 3 ISPs connected, each monitored against a DNS IP (8.8.8.8/1.1.1.1/1.0.0.1).
Failover is working fine. But I'd like to receive an email when each connection goes down and when it goes up again.

The default gateway alert in the monit service settings only notifies me when one is going down. If another one is going down, I don't receive any information. Of course, in this case, one connection is still available to send out the e-mail.

Has anybody found a suitable option to monitor this crucial information?