Messages

1

Intrusion Detection and Prevention / Struggling with Suricata

« on: July 15, 2021, 12:09:47 pm »

I'm struggling with suricata quite a long time. I activated it today since long time ago again and I reckon that's not working properly. I'm sending all logs to pfelk and my kibana log is empty. If I check the Alerts Tab in Intrusion Detection --> Administration --> Alerts the last shown log entries are back from 2019.

My config looks like the following.

There are a lot of threads in this forum and I also checked the Wiki from opnsense. Could you please help me, where should I start?

Thank you for your help.

Regards Manuel

2

21.1 Production Series / Re: Zigzag CPU Load

« on: May 27, 2021, 08:59:27 am »

Hello
After updating to newest release 21.1.5 on 23.05. 12:00 the CPU Load looks now different. As mentioned by gpb python3.7 is using quite a lot of CPU time.

Code: [Select]

last pid: 16333;  load averages:  0.79,  0.89,  0.89                                                                                                                         up 3+20:47:14  08:57:55
49 processes:  1 running, 48 sleeping
CPU:  2.8% user,  0.0% nice,  7.0% system,  0.6% interrupt, 89.6% idle
Mem: 53M Active, 1518M Inact, 461M Wired, 217M Buf, 2095M Free
Swap: 2048M Total, 2048M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
17984 root          1  20    0    29M    20M select   2  35.3H   0.03% python3.7
88970 root          1  20    0  1048M  8424K select   2  10:52   0.14% openvpn
68332 root         11  20    0    39M  7824K nanslp   3   8:45   0.00% collectd
 8987 root          1  52    0  1037M  3332K wait     3   2:40   0.00% sh
90751 root          1  20    0    26M    11M select   2   1:53   0.04% python3.7
16747 root          1  20    0    21M    11M select   2   1:42   0.04% python3.7
90286 root          3  20    0    32M    11M kqread   2   1:33   0.08% syslog-ng
58694 root          1  52    0    54M    32M accept   0   1:29   0.97% python3.7

Greetings Manuel

3

21.1 Production Series / Re: Zigzag CPU Load

« on: May 26, 2021, 06:19:34 pm »

Hello gpb
Thank you for your answer and the link. This is it. 

Regards Manuel

4

21.1 Production Series / Re: Enable/Disable Alias or firewall rule with API

« on: May 23, 2021, 11:49:16 am »

Hello Astucky
Thank you for your answer. Will try this out.

Regards Manuel

5

21.1 Production Series / Zigzag CPU Load

« on: May 19, 2021, 11:59:59 am »

Hello
I have collectd running on my opnsense box which is a apu2e4 with 4 cores (AMD Embedded G series GX-412TC) and 4GB RAM. As you can see in my Grafana Graphics there is a zigzag of the CPU Usage. Normally the cpu load raises over 2 or 3 days continuously and then drops to 1%.

Does anybody know the reason for this or has made same observation?

Thank you very much for a hint.

Greetings Manuel

6

21.1 Production Series / Enable/Disable Alias or firewall rule with API

« on: May 14, 2021, 02:41:31 pm »

Hello
I managed to toggle a firewall alias to enable and disable through the api with postman. Unfortunately it seems, that after this change a firewall reload seems to be necessary. How can I do this through the api?

My goal is to enable/disable a firewall rule to block my kids devices completely from accessing the internet. For this reason I created a firewall alias with all ips of my kids devices and then I created a firewall rule using that alias as source.

I just want to enable/disable that rule or alias very quickly from my smartphone without accessing the web gui. Any advice is very welcome. 

Thank you for your help.

Greetings Manuel

7

19.1 Legacy Series / Re: Firewall rule for dedicated dmz network

« on: December 14, 2019, 12:24:01 pm »

Hello
Managed to create the following FW rules. It's now working :-)

Thank you for your help.

Manuel

8

19.1 Legacy Series / Firewall rule for dedicated dmz network

« on: December 13, 2019, 03:22:13 pm »

Hello
I'm trying to setup a separate dmz network (no dhcp). The goal is to have only Internet access from this network. No Access to LAN on this new network at all. How can I achieve this? I tried to configure the fw according to the opnsense how to "Setup a guest network" but I can't resolve host names at all and browse the internet.

What is wrong with my fw rules?

Thank you very much for your help.

Manuel

9

Intrusion Detection and Prevention / Re: IPS only shows allowed actions in alerts

« on: March 01, 2019, 07:49:03 am »

Hello together
I never managed to get IPS up and running on 18.7.9 and suricata 4.0.6. I still only see "Action allowed" in the Alert tab of  Intrusion Detection Administration whatever rules (abuse and some opnsense) I have activated. Hardware Offloading on NIC is disabled and WAN and even LAN interface is activated.

Any idea to get also some drop actions?

Thank you very much for your help.

Manuel

10

Intrusion Detection and Prevention / Re: IPS only shows allowed actions in alerts

« on: January 30, 2019, 08:35:29 am »

Hello xmichielx
Thank you very much for your answer. So only LAN instead of WAN should be selected in Settings --> interfaces  ? I currently only have WAN interface according to the opnsense Wiki selected.

I'll try this asap.

Greetings Manuel

11

Intrusion Detection and Prevention / IPS only shows allowed actions in alerts

« on: January 23, 2019, 09:25:36 am »

Hello
I'm still on 18.7.9 and Suricata 4.0.6. I followed the instructions on https://wiki.opnsense.org/manual/how-tos/ips-feodo.html and downloading all abuse.ch rules daily via cron. I also enabled them and changed Filter to drop. If I check my alerts I only can find log entries with action allowed. I can't find not one blocked action. Strange.

Does my IPS really do his job? How can I test it and force a blocked action?

Thank you very much for your help.

Greetings,
Manuel

12

18.7 Legacy Series / Re: Update to 18.7.10 broke my WAN Interface on apu2

« on: January 12, 2019, 01:00:01 pm »

Hello Franco
Yes, on my box IDS and IPS is enabled on WAN interface only.

Managed to update from 18.7 to 18.7.9 and WAN problems are gone. My internet connection to ISP is stable since some days.

Sorry that I can't assist you anymore but I couldn't find any error entries in dmesg or system.log when loosing IP address on WAN interface igb1.

Regards Manuel

13

18.7 Legacy Series / Re: Update to 18.7.10 broke my WAN Interface on apu2

« on: January 10, 2019, 12:26:50 pm »

Hello Franco
Thank you for your detailed answer. I'll try this this evening.

Really appreciate your help and work.

Greetings Manuel

14

18.7 Legacy Series / Re: Update to 18.7.10 broke my WAN Interface on apu2

« on: January 10, 2019, 10:35:04 am »

Hello Franco
Thank you very much for your explanation.

# opnsense-revert -r 18.7.9 opnsense

Didn't work for me and produced a

# Fetching opnsense.txz: .. failed

Maybe because of missing internet connection?

I still don't get the point how to upgrade from 18.7 to 18.7.9 now. Sorry about that.

Yes you're right, WAN DHCP does not keep its designated IP. That's the problem.

I also checked system.log after upgrading to 18.7.10 but couldn't see any hint why WAN is losing its IP address. Unfortunately I had to go back to 18.7 because I can't live without internet and I don't have another apu2 to play with.

Maybe someone else could provide more info out of log files to investigate this issue.

Thank you very much for your help I'm really a big big fan of opnsense! Very good work.

Greetings Manuel

15

18.7 Legacy Series / Re: Update to 18.7.10 broke my WAN Interface

« on: January 09, 2019, 09:42:08 pm »

Hello
Made a fresh new 18.7 installation this evening restored backup and WAN IP seems to be stable. How can I now update from 18.7 to 18.7.9. The GUI wants to upgrade directly to 18.7.10. I can't select 18.7.9.

I even tried on the shell with opnsense-upgrade -r 18.7.9 but even then it seems that it will go directly to 18.7.10.

Code: [Select]

root@OPNsense:~ # opnsense-update -r 18.7.9
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (101 candidates): 100%
Processing candidates (101 candidates): 100%
The following 85 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        py27-yaml: 3.13
        squid3: 3.5.28_1
        radvd1: 1.15

Installed packages to be UPGRADED:
        ...
        pcre: 8.42 -> 8.42_1
        os-dyndns: 1.8 -> 1.11
        opnsense-update: 18.7 -> 18.7.10
        opnsense-lang: 18.1.7 -> 18.7.8
        opnsense: 18.7 -> 18.7.10
        openvpn: 2.4.6_1 -> 2.4.6_3
        openssl: 1.0.2o_4,1 -> 1.0.2q,1
        openssh-portable: 7.7.p1_6,1 -> 7.9.p1_1,1
        openldap-sasl-client: 2.4.46 -> 2.4.47
        ntp: 4.2.8p11_2 -> 4.2.8p12_3
        ...

Thank you for your help.

Greetings Manuel