Topics

1

20.7 Production Series / [Solved, RFC needed?] NGINX as IMAP reverse proxy

« on: October 25, 2020, 01:21:34 pm »

i got nginx at 80% as reverse proxy for dovecot running. 80% because i don't get the external ip of the client transferred to the mailserver.

if i enable proxy protocol, the connection will not be accepted. Does anybody have an idea? Eventually i was searching false, but google did not reply that much on imap on reverse proxy

all i would need is having the external ip in the logs of dovecot.

Thx,
Ruggerio

2

20.7 Production Series / Suricata - Engine?

« on: August 03, 2020, 04:14:29 pm »

Hi,

When testing 20.7 from iso, i always used Aho Ken Steele, no problems with memory.

Now, in 20.7 Production, memory goes up nearly 70% for suricata and the system is swapping. This was not the case before. I changed for now to "reduced memory implementation", but still lots of memory used and swap.

thx!
Ruggerio

3

20.7 Production Series / Postfix not logging

« on: July 31, 2020, 11:06:01 am »

Hey,

Since upgrading to 20.7, Postfix shows no more logs.

Cheers,
Roger

4

20.7 Production Series / Squid/C-ICAP Error

« on: April 08, 2020, 08:14:04 am »

Since the upgrade, C-ICAP shows the following error:

Wed Apr 8 08:06:51 2020, 24221/803493376, ci_simple_file_new: Can not open temporary filename in directory:/var/tmp/

Shouldn't this be /tmp?

Comment: changed this in /usr/local/etc/c-icap/c-icap.conf from /var/tmp to /tmp and now it works.

Perhaps this has something to do, that i set a separate temp-directory in settings.

5

20.7 Production Series / [SOLVED] Postfix not logging

« on: April 02, 2020, 02:08:20 pm »

The postfix-logs are also after a few reboots empty (in GUI and shell).

6

19.7 Legacy Series / Postfix: Mails duplicating several times

« on: December 07, 2019, 07:43:52 pm »

Since the last update of postfix, i get some (not all) Mails duplicated or even multiplicated.  Somebody else having this issue?

The message-id btw. is always the same, on each messsage.

7

Intrusion Detection and Prevention / Suricata 5: Errors in Rules

« on: November 03, 2019, 08:51:13 am »

After having Suricata 5 now on dev, i switched over for more testing (and not kidnapping the old thread). After the 1st night, i saw the following error in the logs:

suricata[18490]: [100221] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients/doc/yxnwvvy5wrni8vr0ofa4_9xshl2gx-804312145|/"; http_uri; depth:54; isdataat:!1,relative; content:"tapclicktalk.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_10_10; reference:url, urlhaus.abuse.ch/url/243231/; classtype:trojan-activity;sid:81106331; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 7246

and following:
    suricata[18490]: [100221] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Invalid hex code in content - /clients/doc/yxnwvvy5wrni8vr0ofa4_9xshl2gx-804312145|/, hex /. Invalidating signature.

Wow, so suricata 5 recognized it, but will not do anything with it. Is this an error in the ruleset of urlhaus.ch?

btw. i disabled proxy, also for comparison of downloads on my apuc4. With the usual performance fiddling, i got a downloadrate of 270mb/s, using aho-corasick. Never got that before, neither only on proxy, nor only mit ips (yes, ips enabled) - also a big wow!

8

Intrusion Detection and Prevention / IPS and DHCP

« on: September 16, 2019, 07:52:08 am »

Hello,

I still cannot geht IP's via DHCP on VLAN's, if IPS is enabled. Did i miss sometihing, or is for VLAN's a "special" configuration needed, which i missed?

I disabled all the things on the interface, vlan filtering is on standard. Promicuous mode is disabled.

Thx!

9

Intrusion Detection and Prevention / Suricata strange behaviour

« on: August 26, 2019, 06:58:40 am »

Since 19.7., i can no longer inspect more than one physical interface. My box has 3 active nics (wan, lan, dmz) which i'd like to inspect.

I already reset my box and restored, but i did not help. Whenever i activate IPS-Mode with wan only, it works. As soon as i also choose dmz and lan, it doesn't

I just tested with eicar. With wan only, i get the blocked message, adding dmz and lan, it just downloads *sigh*. And the logs do not tell me anything at all. Do i have the possibilty to set suricata in debug mode?

10

Intrusion Detection and Prevention / [solved, eventual bug]on 19.7.2: still no alerts in alert tab (no pp... on WAN!)

« on: August 20, 2019, 12:12:17 pm »

i still have nearly no warnings in alert tab, except i force it to. do others get alerted in suricata?

I know, there are a lot of threads about this, in each release. i thought i created one within the IDP section.

Config:
IDP, no IDS
no promiscuos mode
only monitoring physical
installed ALL available Rulesets which came by default (no telemetry, snort...)

11

19.7 Legacy Series / maltrail: login impossible after changing password

« on: August 16, 2019, 07:17:40 am »

After changing the sha-256 hash to my password in maltrail, i cannot login any further as admin.

The new password is correct hashed in /usr/local/share/maltrail/maltrail.conf. But nevertheless, wrong username/password is the reply.

12

19.7 Legacy Series / 100% load after install of Sensei on pcengines apu4

« on: August 09, 2019, 02:20:30 pm »

after installing sensei, i get a 100% load, on my apu4, which gets unresponsive.

how can i get the logs for further investigations?

13

Intrusion Detection and Prevention / opnips in conjunction to opnsense

« on: July 23, 2019, 07:55:35 am »

Hello,

I know, i am in the wrong forum, but @opnidp no chance on answer.

I installed opnidp as separate idp from my firewall, using a TAP-device. Unfortunately, i am completely unexperienced in that matter.

Even if it's a tap-device, i think my networks have to be aware of this. And as it isn't an inline idp, it makes no sense, placing it as default route.

Could anybody help me with the architecture? Where does the device, which has the ips need to be connected? To the WAN-Port, in front of the firewall?

How would you do this? Thanks for any proposals or ideas. As it is still WIP for me, i appreciate any information.

14

19.7 Legacy Series / [solved] Squid not starting

« on: June 12, 2019, 07:31:03 pm »

Since update to OPNsense 19.7.b_104-amd64, Squid does no longer start.

Errors:
SSL certificate database /var/squid/ssl_crtd is corrupted. Please rebuild
kid1| FATAL: The /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 10MB helpers are crashing too rapidly, need help!

Coming directly from 19.1.9.

15

Intrusion Detection and Prevention / 100% Load when scanning huge downloads

« on: May 17, 2019, 09:14:10 am »

Hi,

i have a apu2c4 (4 gb RAM) running opnsense with suricata in ips-mode. All physical interfaces are select (vlans are not selected.

While normal surfing, nothing exceptional happens on the cpu-load. But whilst e.g. updating my system or downloading a whole dvd, the load of the cpu jumps up to 100% and as a result, the rttd on the gateway goes up to 700 ms...

I've already used the whole bunch of optimizations, but i have no further idea, how to get rid of this.

If i stop suricata, no problems with load.

Hast anybody else the same effect?

Thx!