Messages - r4nd0m

#1
Zenarmor (Sensei) / Re: Sensei 1.6.1 is out
October 16, 2020, 11:37:52 AM
I noticed that mine had shut itself down due to high swap usage (as per the message) - considering that nothing else had changed but the new version, I was wondering what may have caused this, as it never shut itself down previously
#2
Zenarmor (Sensei) / Re: Updates and conflicting kernels
October 07, 2020, 10:58:21 AM
Quote from: mb on October 07, 2020, 01:29:29 AM
Hi @r4nd0m,

You can also update sensei from Sensei -> Status. You'll see a notification that a new release is ready.

Follow the on-screen instructions and you'll be done.

I am aware, but this will be offered regardless, and I assumed you worked with the team to issue the -netmap kernel - so any other upgrades offered will revert the kernel to the original one (via the UI), hence my flagging this
#3
Zenarmor (Sensei) / Re: Sinkhole for Ad Blocking
October 07, 2020, 01:04:43 AM
I was wondering the same especially as it would allow you also to show a block page if necessary
#4
Zenarmor (Sensei) / Updates and conflicting kernels
October 07, 2020, 01:00:24 AM
I did mention this before - I am offered upgrades, but obviously this will also push the "generic" kernel, which will lead to panics - is there an option to make the modified kernel supersede the "stock" kernel to avoid this?

edit: odd, seems like you need to scroll the image to see all the detail...

https://i.imgur.com/dnjGPN8.png
#5
Quote from: mb on September 19, 2020, 06:05:28 PM
@r4nd0m, thanks for the update.

found the issue ... looks like the package does not supersede the original package and will be pulled as an upgrade if upgrades are available, leading to the boot loop

I suggest this gets another version number, e.g. 20.7.2.1, so the upgrade won't be suggested back to the non-patched kernel

https://i.imgur.com/nk5WZSg.png
#6
ok, reinstalled the kernel again, then Sensei, and it's been stable so far - not sure what it was previously
#7
Quote from: heresjody on September 18, 2020, 02:18:41 PM
FreeBSD 12.1-RELEASE-p9-HBSD

so this is the fixed, correct kernel?

FreeBSD host.name.xyz 12.1-RELEASE-p9-HBSD FreeBSD 12.1-RELEASE-p9-HBSD  3b652d8ad0e(master) SMP  amd64
#8
what's the uname output of the "fixed" kernel?

I did install all available upgrades and ended up with a boot loop, so I selected the previous kernel and disabled Sensei 1.6 at boot for the moment while I figure out what I should be seeing ...

this is on ESX 6.7.0 (Build 9484548)
#9
Intrusion Detection and Prevention / Re: Log format
September 14, 2020, 06:06:13 PM
just for completeness, decided to grab the logs from /var/log/suricata/fast.log directly instead ...
#10
Intrusion Detection and Prevention / Log format
September 11, 2020, 10:59:45 PM
I am trying to understand where in OPNsense the syslog format is set for Suricata, as it differs from the default ...

this is how it should look:

10/05/10-10:08:59.667372  [**] [1:2009187:4] ET WEB_CLIENT ACTIVEX iDefense COMRaider ActiveX Control Arbitrary File Deletion [**] [Classification: Web Application Attack] [Priority: 3] {TCP} xx.xx.232.144:80 -> 192.168.1.4:56068

but it converts to Sep 11 21:55:58 infinus.duckdns.org suricata[22702]:

May 5 10:08:59 host.name.com suricata[{PID}]: [1:2009187:4] ET WEB_CLIENT ACTIVEX iDefense COMRaider ActiveX Control Arbitrary File Deletion [Classification: Web Application Attack] [Priority: 3] {TCP} xx.xx.232.144:80 -> 192.168.1.4:56068

where is this modified? I had a look at the different templates but can't find it, but I would want to change it to the default, as it interferes with my syslog receiver, which expects the default format ...

I would rather revert this than need to use syslog-ng and directly forward /var/log/suricata/fast.log - any hints?  ...
#11
Quote from: mb on September 09, 2020, 05:49:00 PM
Hi @r4nd0m,

Yes, we are currently filtering out vmx/vtnet interfaces, because they cause OS to crash in netmap mode.

Stay tuned for 1.6, which is planned to be released this week/early next week. We'll enable these interfaces again, and instead of filtering them out, you'll get a warning with a pointer to a netmap status page in case you're trying to use a problematic driver.

All these crash problems have been fixed in the test kernel, opnsense will be shortly shipping an official netmap kernel.

See here for the latest status: https://www.sunnyvalley.io/post/opnsense-kernel-netmap-status/

thanks for the heads-up, so this is currently not applicable then for 1.5.2_1? https://help.sunnyvalley.io/hc/en-us/articles/360053347013-Deployment-Modes - I only see 2 modes, Routed / Bridged ... Passive would be perfectly sufficient to test it out at the moment
#12
well, I have just tried installing it - resulting in a crash - so I replaced the kernel with the experimental kernel, which boots and wants me to install, but it only allows me to select vmx0

but here my interfaces:

LAN (vmx1)      -> v4: 192.168.x.x
WAN (pppoe0)   -> v4/PPPoE: x.x.x.x/32 (which is the vmx0 hardware interface)

so not sure why the interface mapping is incorrect? any ideas?