OPNsense Forum
Messages - michmoor

1
23.1 Legacy Series / Re: FRR - Severity Error
« on: June 30, 2023, 03:17:40 pm »
That's fair. It is summer holiday. Enjoy.
Talk to you later!

2
23.1 Legacy Series / Re: Slow response for some websites (one or more request are very slow)
« on: June 30, 2023, 04:34:31 am »
Can you provide the site?

3
23.1 Legacy Series / Re: FRR - Severity Error
« on: June 30, 2023, 04:32:47 am »
Hey
So I ended up finding the issue. On pfSense there is a checkbox to configure logging for each routing protocol (log neighbor changes).
That checkbox is missing in the OPNsense plugin.
The workaround is to go into the vtysh CLI and configure it there, but of course any reload of the plug-in wipes it out.
The long-term solution is to update the plugin.
I've opened a GitHub request but it has stalled.

4
Virtual private networks / IPsec logs why a tunnel fails
« on: June 26, 2023, 08:36:12 pm »
Let me start by saying all my IPsec Debug options are set to highest.

Problem: I noticed I do not receive any good logging as to why an IPsec tunnel is failing. I would expect to see PROPOSAL MISMATCH or NONE CHOSEN or its equivalent.
I have even purposely changed the IKE P1 details of one of my tunnels just to see if I'm getting that notification of why the tunnel is failing, and I am not.

My IPsec > Log File is set to Notice.

I am on OPNsense 23.1.10_1-amd64

5
23.1 Legacy Series / FRR - Severity Error
« on: June 24, 2023, 10:25:12 pm »
I have an existing GitHub ticket tracking this but I wanted to bring it to the forum as it may be a more appropriate place to troubleshoot.

Background: Moving from a pfSense to an OPNsense deployment. Currently in POC stage. Routing is done over an IPsec VTY with eBGP. Routing neighborships do come up and I am able to route across.

Problem: I am not getting any protocol adjacency messages in the log. So for example if a neighbor bounces I should get the following message in the logs:

bgpd[73781]: %ADJCHANGE: neighbor 10.6.106.2(790-OPNsensePOC.xxyy) in vrf default Down Peer closed the session

This is useful for me as this is how i build my alerting system off of syslog.

I even switched to OSPF just to see if maybe there was something wrong in my BGP config, but even there all ospfd messages are with severity Error.

Not only do those messages not appear, I noticed today that all bgpd/ospfd messages are set at severity level Error. Just really strange stuff. All notifications related to routing are at the default and this isn't a logging issue per se.
This was never seen in pfSense. Comparing .conf files between both OSs shows they are the same.

Don't mind sharing the config here.

Building configuration...

Current configuration:
!
frr version 7.5.1
frr defaults traditional
hostname OPNsense
log syslog notifications
!
router bgp 65001
 bgp router-id 192.168.50.254
 no bgp ebgp-requires-policy
 no bgp default ipv4-unicast
 bgp graceful-restart
 no bgp network import-check
 neighbor 172.28.0.5 remote-as 65002
 !
 address-family ipv4 unicast
  redistribute connected
  neighbor 172.28.0.5 activate
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
!
line vty
!
end

6
Intrusion Detection and Prevention / Re: Suricata Not Finding Anything
« on: June 23, 2023, 08:59:58 pm »
Because it's so infrequent and unreliable there is no way to tell if Suricata is really working or not.
Are there other things it's missing and refusing to alert on?
In my case, alerts aren't being generated when I create traffic that should trigger, especially when it triggers on other firewalls running Suricata.

7
Intrusion Detection and Prevention / Re: Suricata Not Finding Anything
« on: June 23, 2023, 05:33:14 pm »
I've seen in past forum posts that people have had success changing the pattern matcher.
Right now changing the pattern matcher still doesn't produce alerts.
There is something not right with the Suricata package. ET SCAN rules always generate an alert on the WAN side. Yet...blank logs?

8
Intrusion Detection and Prevention / Re: IPS not alerting
« on: June 23, 2023, 05:20:01 pm »
Changing the pattern matcher doesn't work.
I've used so far:
Aho-Corasick
Aho-Corasick, "Ken Steele"
HyperScan

There is absolutely no way the ET SCAN rule is not triggering on the WAN. Impossible.
I am even triggering LAN-side alerts using the following from bash: curl -A "BlackSun" www.google.com
This always triggers on pfSense or when I span a port to my Security Onion instance.

As has been mentioned in a past post, there is something wrong with the Suricata package here. The fact it's not picking up on any flow on known rules that trigger alerts indicates an issue with the implementation.

9
Intrusion Detection and Prevention / Re: IPS not alerting
« on: June 23, 2023, 06:38:22 am »
I see some past forum posts where people changed from HyperScan to something else. Will change and update the forum with the results.

10
Intrusion Detection and Prevention / IPS not alerting
« on: June 23, 2023, 03:53:29 am »
Coming from a pfSense box running Suricata I know which rules would generate alerts on my network and which won't. Very consistent behavior.

Moving to OPNsense I enabled the ruleset for UserAgents. The expectation is that when I run the following command within my Linux terminal it will generate an alert: curl -A "BlackSun" google.com
This is not occurring.
What I have done so far:
Enabled IPS mode
Enabled Suricata on my WAN interface
Using advanced mode, I placed my WAN address as part of the home network
Created a Policy which included my UserAgent rules, which is enabled and set for Alert,Drop.

Additionally, because this is running on my WAN I enabled the SCAN rule set as I know I am being harassed on the interface. This is all for testing purposes to make sure Suricata is functioning and will be turned off in the future.
Why are alerts not generating? That's the mystery.
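
A check a practitioner would want after the curl test above, added here as an example and not code from the poster, OPNsense or Suricata: read eve.json and separate "Suricata never saw the HTTP flow" (an interface, HOME_NET or capture problem) from "it saw the flow but no rule fired" (a policy or rule problem). The eve.json records in SAMPLE_EVE are constructed for the example; the signature name and sid in them are placeholders, not the real ET rule. On OPNsense the live file is assumed to be /var/log/suricata/eve.json.

```python
"""Check Suricata eve.json for a user-agent test such as: curl -A "BlackSun" google.com

Added example for this thread; it is not code from the poster, OPNsense or
Suricata. SAMPLE_EVE is constructed, and its signature name / sid are
placeholders, not a claim about the real ET USER_AGENTS rule.
"""
import json


def check_user_agent_test(eve_lines, user_agent):
    """Scan eve.json lines and report what Suricata did with a given User-Agent.

    Returns the number of 'http' events carrying that user agent, the 'alert'
    events carrying it, and a verdict that separates 'flow never seen' from
    'flow seen but no rule fired'.
    """
    http_events = 0
    alerts = []
    for raw in eve_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            # eve.json is appended live; a half-written last line is normal
            continue
        ua = ev.get("http", {}).get("http_user_agent")
        if ua != user_agent:
            continue
        if ev.get("event_type") == "http":
            http_events += 1
        elif ev.get("event_type") == "alert":
            a = ev.get("alert", {})
            alerts.append({
                "sid": a.get("signature_id"),
                "signature": a.get("signature"),
                "action": a.get("action"),
                "src_ip": ev.get("src_ip"),
                "dest_ip": ev.get("dest_ip"),
            })
    if alerts:
        verdict = "alert_fired"
    elif http_events:
        verdict = "flow_seen_no_alert"   # rule/policy problem, not capture
    else:
        verdict = "flow_not_seen"        # interface / HOME_NET / capture problem
    return {"http_events": http_events, "alerts": alerts, "verdict": verdict}


# Constructed sample records (shape follows eve.json; all values are made up).
SAMPLE_EVE = [
    json.dumps({
        "timestamp": "2023-06-23T03:40:01.000000+0000", "event_type": "http",
        "src_ip": "192.168.50.10", "dest_ip": "203.0.113.5", "proto": "TCP",
        "http": {"hostname": "google.com", "url": "/", "http_user_agent": "BlackSun",
                 "http_method": "GET", "protocol": "HTTP/1.1", "status": 301},
    }),
    json.dumps({
        "timestamp": "2023-06-23T03:40:01.000100+0000", "event_type": "alert",
        "src_ip": "192.168.50.10", "dest_ip": "203.0.113.5", "proto": "TCP",
        "alert": {"action": "allowed", "signature_id": 9000001,  # placeholder sid
                  "signature": "EXAMPLE Suspicious User-Agent (BlackSun)",
                  "category": "A Network Trojan was detected", "severity": 1},
        "http": {"hostname": "google.com", "url": "/", "http_user_agent": "BlackSun"},
    }),
    json.dumps({"timestamp": "2023-06-23T03:40:02.000000+0000", "event_type": "flow",
                "src_ip": "192.168.50.10", "dest_ip": "203.0.113.5", "proto": "TCP"}),
    '{"timestamp": "2023-06-23T03:40:0',   # torn trailing line, must be skipped
]

if __name__ == "__main__":
    # Against a live box (path is an assumption):
    #   with open("/var/log/suricata/eve.json") as f:
    #       print(check_user_agent_test(f, "BlackSun"))
    print(check_user_agent_test(SAMPLE_EVE, "BlackSun"))
```

If the verdict is flow_not_seen even though the curl was sent through the firewall, the problem sits before the rules: the interface Suricata listens on, the home network setting, or the curl not actually crossing that interface. Only a flow_seen_no_alert result points at the policy or rule set.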

11
23.1 Legacy Series / Re: FRR logs missing neighbors going down
« on: June 23, 2023, 03:49:25 am »
I was changing log levels as part of testing to see if the logs produced in pfSense would be/should be the same in OPNsense.
So for example on a BGP neighbor bounce I should see the following in the logs:

<30>Jun 19 22:12:41 bgpd[73781]: %ADJCHANGE: neighbor 10.6.106.2(790-OPNsenseFW.moore.home) in vrf default Down Peer closed the session

No matter what log level I use I can't seem to find that log. Comparing frr.conf files between OPNsense and my working pfSense box, the configurations for logging are similar.

12
Zenarmor (Sensei) / Re: ZenArmor - backend questions
« on: June 22, 2023, 04:36:19 pm »
Thanks Sy. Much appreciated.
Will be reaching out to the Zen team for those IPs now.

13
23.1 Legacy Series / Re: FRR logs missing neighbors going down
« on: June 22, 2023, 04:34:56 pm »
Yes, the logging level has been changed to Emergency I believe, and bouncing a neighbor doesn't produce any usable logs.
My question is, how should one monitor routing if there isn't any good logging for it?

14
23.1 Legacy Series / FRR logs missing neighbors going down
« on: June 22, 2023, 03:19:13 am »
I am running BGP and I typically send all syslogs to my collector where I will parse the logs to generate alerts.
I noticed that BGP flaps are not producing any alerts in the logs.
For example, on my other system running pfSense here is the message I receive:

<30>Jun 19 22:12:41 bgpd[73781]: %ADJCHANGE: neighbor 10.6.106.2(OPNsenseFW.moore.home) in vrf default Down Peer closed the session

I am expecting to see a similar message on OPNsense but noticed that type of log is not being generated at all.
Does anyone know how to get this type of log to be created, or if it's being created?
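
The syslog-driven alerting described in this post and in the "FRR - Severity Error" thread above, written out as an added example (not code from the poster, pfSense, OPNsense or FRR): match the bgpd %ADJCHANGE line quoted in the post, decode the syslog PRI so the facility and severity are visible alongside the event, and flag peers that keep going Down. The lines in SAMPLE_LOG are constructed; the first mirrors the pfSense line from the post, the others are made up. The FRR knob that produces these messages is, to my knowledge, `bgp log-neighbor-changes` under `router bgp` in frr.conf; it does not appear in the configuration pasted in the "FRR - Severity Error" post.

```python
"""Pull BGP adjacency changes out of FRR syslog lines and decode the syslog PRI.

Added example for this thread; not code from the poster, pfSense, OPNsense or
FRR. Only the bgpd %ADJCHANGE format quoted in the post is matched. SAMPLE_LOG
is constructed: the first line mirrors the post, the rest are made up.
"""
import re

# syslog PRI = facility * 8 + severity (RFC 3164 / RFC 5424)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")

# bgpd[PID]: %ADJCHANGE: neighbor <peer>(<description>) in vrf <vrf> Up|Down [reason]
ADJCHANGE_RE = re.compile(
    r"bgpd\[(?P<pid>\d+)\]: %ADJCHANGE: neighbor "
    r"(?P<peer>\S+?)(?:\((?P<desc>[^)]*)\))? in vrf (?P<vrf>\S+) "
    r"(?P<state>Up|Down)(?: (?P<reason>.*))?$"
)


def parse_adjchange(line):
    """Return a dict for a bgpd %ADJCHANGE line, or None for anything else."""
    line = line.rstrip()
    facility = severity = None
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group("pri"))
        facility, severity = pri // 8, SEVERITIES[pri % 8]
        line = line[m.end():]
    a = ADJCHANGE_RE.search(line)
    if not a:
        return None
    return {
        "peer": a["peer"], "desc": a["desc"], "vrf": a["vrf"],
        "state": a["state"], "reason": a["reason"],
        "facility": facility, "severity": severity,
    }


def adjacency_alerts(lines, only_down=False):
    """Events worth forwarding to the collector; optionally only Down transitions."""
    out = []
    for line in lines:
        ev = parse_adjchange(line)
        if ev and (ev["state"] == "Down" or not only_down):
            out.append(ev)
    return out


def flapping_peers(lines, max_downs=1):
    """(vrf, peer) pairs that went Down more than max_downs times in the given lines."""
    downs = {}
    for ev in adjacency_alerts(lines, only_down=True):
        key = (ev["vrf"], ev["peer"])
        downs[key] = downs.get(key, 0) + 1
    return sorted(k for k, n in downs.items() if n > max_downs)


# Constructed sample. PRI <30> = facility 3 (daemon), severity 6 (info).
SAMPLE_LOG = [
    "<30>Jun 19 22:12:41 bgpd[73781]: %ADJCHANGE: neighbor 10.6.106.2(790-OPNsenseFW.moore.home) in vrf default Down Peer closed the session",
    "<30>Jun 19 22:12:55 bgpd[73781]: %ADJCHANGE: neighbor 10.6.106.2(790-OPNsenseFW.moore.home) in vrf default Up",
    "<30>Jun 19 22:13:10 bgpd[73781]: %ADJCHANGE: neighbor 10.6.106.2(790-OPNsenseFW.moore.home) in vrf default Down BGP Notification send",
    "<30>Jun 19 22:13:12 bgpd[73781]: %ADJCHANGE: neighbor 172.28.0.5 in vrf default Up",
    "<27>Jun 19 22:13:20 zebra[73770]: unrelated daemon line",   # no %ADJCHANGE, ignored
]

if __name__ == "__main__":
    for ev in adjacency_alerts(SAMPLE_LOG):
        print(ev)
    print("flapping:", flapping_peers(SAMPLE_LOG))
```

Decoding the PRI is what makes the severity complaint in the other thread measurable: the pfSense line arrives as `<30>` (daemon.info), so a collector filter written for that will silently drop the same event if another box emits it as daemon.err, which is exactly the kind of mismatch to check before concluding the message is missing.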

15
Zenarmor (Sensei) / ZenArmor - backend questions
« on: June 22, 2023, 02:53:41 am »
Hello all,
Still exploring Zen and I have two questions.
1. I started with MongoDB but I want to switch to another DB as I want more retention than 2 days' worth of reporting. Is there a way to keep all my policies and switch databases?

2. It's easy to test if apps or URLs are being blocked, but for malware activity or for advanced security blocking botnet CnC, how do we test that's working? What is it even looking for? Are there IPs we can try to access to see if Zen is blocking?

3. Through OPNsense the dashboard isn't as flexible as the portal. Is the online portal the best way to use Zen? Will that change soon, as I prefer to keep cloud management off the table for now?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved