Topics

1

19.7 Production Series / Postfix: Mails duplicating several times

« on: December 07, 2019, 07:43:52 pm »

Since the last update of postfix, i get some (not all) Mails duplicated or even multiplicated.  Somebody else having this issue?

The message-id btw. is always the same, on each messsage.

2

Intrusion Detection and Prevention / Suricata 5: Errors in Rules

« on: November 03, 2019, 08:51:13 am »

After having Suricata 5 now on dev, i switched over for more testing (and not kidnapping the old thread). After the 1st night, i saw the following error in the logs:

suricata[18490]: [100221] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients/doc/yxnwvvy5wrni8vr0ofa4_9xshl2gx-804312145|/"; http_uri; depth:54; isdataat:!1,relative; content:"tapclicktalk.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_10_10; reference:url, urlhaus.abuse.ch/url/243231/; classtype:trojan-activity;sid:81106331; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 7246

and following:
    suricata[18490]: [100221] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Invalid hex code in content - /clients/doc/yxnwvvy5wrni8vr0ofa4_9xshl2gx-804312145|/, hex /. Invalidating signature.

Wow, so suricata 5 recognized it, but will not do anything with it. Is this an error in the ruleset of urlhaus.ch?

btw. i disabled proxy, also for comparison of downloads on my apuc4. With the usual performance fiddling, i got a downloadrate of 270mb/s, using aho-corasick. Never got that before, neither only on proxy, nor only mit ips (yes, ips enabled) - also a big wow!

3

Intrusion Detection and Prevention / IPS and DHCP

« on: September 16, 2019, 07:52:08 am »

Hello,

I still cannot geht IP's via DHCP on VLAN's, if IPS is enabled. Did i miss sometihing, or is for VLAN's a "special" configuration needed, which i missed?

I disabled all the things on the interface, vlan filtering is on standard. Promicuous mode is disabled.

Thx!

4

Intrusion Detection and Prevention / Suricata strange behaviour

« on: August 26, 2019, 06:58:40 am »

Since 19.7., i can no longer inspect more than one physical interface. My box has 3 active nics (wan, lan, dmz) which i'd like to inspect.

I already reset my box and restored, but i did not help. Whenever i activate IPS-Mode with wan only, it works. As soon as i also choose dmz and lan, it doesn't

I just tested with eicar. With wan only, i get the blocked message, adding dmz and lan, it just downloads *sigh*. And the logs do not tell me anything at all. Do i have the possibilty to set suricata in debug mode?

5

Intrusion Detection and Prevention / [solved, eventual bug]on 19.7.2: still no alerts in alert tab (no pp... on WAN!)

« on: August 20, 2019, 12:12:17 pm »

i still have nearly no warnings in alert tab, except i force it to. do others get alerted in suricata?

I know, there are a lot of threads about this, in each release. i thought i created one within the IDP section.

Config:
IDP, no IDS
no promiscuos mode
only monitoring physical
installed ALL available Rulesets which came by default (no telemetry, snort...)

6

19.7 Production Series / maltrail: login impossible after changing password

« on: August 16, 2019, 07:17:40 am »

After changing the sha-256 hash to my password in maltrail, i cannot login any further as admin.

The new password is correct hashed in /usr/local/share/maltrail/maltrail.conf. But nevertheless, wrong username/password is the reply.

7

19.7 Production Series / 100% load after install of Sensei on pcengines apu4

« on: August 09, 2019, 02:20:30 pm »

after installing sensei, i get a 100% load, on my apu4, which gets unresponsive.

how can i get the logs for further investigations?

8

Intrusion Detection and Prevention / opnips in conjunction to opnsense

« on: July 23, 2019, 07:55:35 am »

Hello,

I know, i am in the wrong forum, but @opnidp no chance on answer.

I installed opnidp as separate idp from my firewall, using a TAP-device. Unfortunately, i am completely unexperienced in that matter.

Even if it's a tap-device, i think my networks have to be aware of this. And as it isn't an inline idp, it makes no sense, placing it as default route.

Could anybody help me with the architecture? Where does the device, which has the ips need to be connected? To the WAN-Port, in front of the firewall?

How would you do this? Thanks for any proposals or ideas. As it is still WIP for me, i appreciate any information.

9

19.7 Production Series / [solved] Squid not starting

« on: June 12, 2019, 07:31:03 pm »

Since update to OPNsense 19.7.b_104-amd64, Squid does no longer start.

Errors:
SSL certificate database /var/squid/ssl_crtd is corrupted. Please rebuild
kid1| FATAL: The /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 10MB helpers are crashing too rapidly, need help!

Coming directly from 19.1.9.

10

Intrusion Detection and Prevention / 100% Load when scanning huge downloads

« on: May 17, 2019, 09:14:10 am »

Hi,

i have a apu2c4 (4 gb RAM) running opnsense with suricata in ips-mode. All physical interfaces are select (vlans are not selected.

While normal surfing, nothing exceptional happens on the cpu-load. But whilst e.g. updating my system or downloading a whole dvd, the load of the cpu jumps up to 100% and as a result, the rttd on the gateway goes up to 700 ms...

I've already used the whole bunch of optimizations, but i have no further idea, how to get rid of this.

If i stop suricata, no problems with load.

Hast anybody else the same effect?

Thx!

11

19.1 Legacy Series / Freeradius broken since 19.1.6

« on: April 11, 2019, 09:29:39 pm »

Hi,

After updating to 19.1.6, i got lots of errors with ubuntu clients, using wpa2/eap/mschapv2 using freeradius. Auth is LDAP.

21:25:50 2019 : Auth: (38) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [username/<via Auth-Type = eap>] (from client Radius-Clients LAN 1 port 0 via TLS tunnel)

erm...i do not user nt/lm passwords...where does this come from?

12

Web Proxy Filtering and Caching / Squid wrong response on filtered Page through https

« on: March 21, 2019, 09:06:11 am »

Hi,

I filter pages (example http://1000gratisproben.com) through shallalist. Using http, i get the message "access denied" within the browser. Using https, i get a certificate-error within the browser.

Squidlogs show tcp denied, in both cases. For https i get a strange string before, could be the certificate or whatever.

Why do i get a certificate error, using transaprent proxy? Using proxy direct, non-transparent gives me in both cases "access denied" in the browser.

Roger

13

Web Proxy Filtering and Caching / [SOLVED] wpad only without https?

« on: March 16, 2019, 05:20:01 pm »

Hi,

i try to setup wpad.dat für my proxy. unfortunately, it seems that it's just possible for mobile clients to get a wpad.dat by http, not by https.

So, one need to change the firewallgui to http *shiver* to get this working. would it be possilbe to have port 80 and 443 for the webfrontend? this makes management by https and wpad by http possible.

Roger

14

Web Proxy Filtering and Caching / Ports used by Squid 3128/3129

« on: March 13, 2019, 01:45:34 pm »

Hi,

Can anybody tell me, on which port SNI is called? Is it still 3128 for non-https, or is it on Port 3129 for ssl? I wanted to disable 3129, as i don't do ssl-inspection, but its needed for sni, correct?

Also, i have all NAT- and Firewallrules für transparent proxy, but i still get often drops to 127.0.0.1:3129, i have no explanation for this.

15

19.1 Legacy Series / Bug in German translation

« on: March 13, 2019, 01:38:38 pm »

Seems there is a small bug in translation of /Proxy/Manage/PAC/Rule:

Match type "if" is translated as "Schnittstelle" which means interface. Could it be, that the meaning was "Wenn"
? As Unless is not translated, it would say, leave also if untranslated.

Roger