OPNsense Forum

Topics - bmail

1
20.1 Legacy Series / [solved] Flowd error
« on: March 03, 2020, 05:08:53 pm »
Hello,

Since an accidental power shutdown, I've had an issue with flowd_aggregate.py.

flowd starts and Insight gives me data, but I'm flooded with this kind of error:

# clog /var/log/system.log | grep flowd

/flowd_aggregate.py: flowparser failed to unpack proto_flags_tos (unpack requires a buffer of 4 bytes)
/flowd_aggregate.py: flowparser failed to unpack octets (unpack requires a buffer of 8 bytes)
/flowd_aggregate.py: flowparser failed to unpack if_indices (unpack requires a buffer of 8 bytes)
/flowd_aggregate.py: flowparser failed to unpack as_info (unpack requires a buffer of 12 bytes)
/flowd_aggregate.py: flowparser failed to unpack flow_engine_info (unpack requires a buffer of 12 bytes)
/flowd_aggregate.py: flowparser failed to unpack recv_time (unpack requires a buffer of 8 bytes)
/flowd_aggregate.py: flowparser failed to unpack octets (unpack requires a buffer of 8 bytes)
/flowd_aggregate.py: flowparser failed to unpack if_indices (unpack requires a buffer of 8 bytes)
/flowd_aggregate.py: flowparser failed to unpack as_info (unpack requires a buffer of 12 bytes)
/flowd_aggregate.py: flowparser failed to unpack flow_engine_info (unpack requires a buffer of 12 bytes)
/flowd_aggregate.py: flowparser failed to unpack tag (unpack requires a buffer of 4 bytes)
/flowd_aggregate.py: flowparser failed to unpack recv_time (unpack requires a buffer of 8 bytes)

I tried "repair netflow data" in the settings menu: no change, still the same errors.

If I try "reset netflow data", will I lose everything?

A gentle reboot did not help ...

Have you got any ideas?

Thanks a lot!
bmail

Edit:
Solved by accepting the loss of Insight data with a "reset data". Data probably corrupted ...
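
Added example, not part of bmail's post and not OPNsense's flowd code: the text "unpack requires a buffer of N bytes" is what Python's struct.unpack raises when it is handed fewer bytes than its format needs, which is exactly what a log file cut off mid-record by a power loss produces. The record layout below (tag, recv_time, octets) is constructed for illustration and is not flowd's real on-disk format; the sample bytes are constructed as well. It contrasts a parser that fails field by field, the way the log above shows, with one that stops at the last complete record and reports the leftover bytes.

```python
import struct

# Constructed record layout, for illustration only: this is NOT flowd's real
# on-disk format. Each record: tag (u32), recv_time (u64), octets (u64).
FIELDS = [("tag", ">I"), ("recv_time", ">Q"), ("octets", ">Q")]
RECORD_SIZE = sum(struct.calcsize(fmt) for _, fmt in FIELDS)  # 20 bytes


def pack_record(tag, recv_time, octets):
    """Build one record in the constructed layout above."""
    return b"".join(struct.pack(fmt, v)
                    for (_, fmt), v in zip(FIELDS, (tag, recv_time, octets)))


def naive_parse(data):
    """Unpack field by field without checking how much data is left, the way a
    parser runs into struct.error on a file that was cut short. Returns the
    records read before the failure plus a log-style error message, if any."""
    records, errors, off = [], [], 0
    while off < len(data):
        rec = {}
        for name, fmt in FIELDS:
            size = struct.calcsize(fmt)
            try:
                (rec[name],) = struct.unpack(fmt, data[off:off + size])
            except struct.error as exc:  # e.g. "unpack requires a buffer of 8 bytes"
                errors.append("flowparser failed to unpack %s (%s)" % (name, exc))
                return records, errors
            off += size
        records.append(rec)
    return records, errors


def safe_parse(data):
    """Only unpack records that are completely present. Returns the records and
    the number of trailing bytes that did not form a whole record."""
    records, off = [], 0
    while off + RECORD_SIZE <= len(data):
        rec = {}
        for name, fmt in FIELDS:
            size = struct.calcsize(fmt)
            (rec[name],) = struct.unpack(fmt, data[off:off + size])
            off += size
        records.append(rec)
    return records, len(data) - off


def truncate_to_complete_records(data):
    """Drop a partial trailing record so the data parses cleanly again; whatever
    was in the incomplete record is lost either way."""
    return data[:len(data) - (len(data) % RECORD_SIZE)]


# Constructed sample: two complete records followed by a third cut off after
# 7 bytes, simulating a log that was being written when the power went out.
SAMPLE = (pack_record(1, 1583251200, 512)
          + pack_record(2, 1583251260, 1024)
          + struct.pack(">I", 3) + b"\x00\x00\x00")

if __name__ == "__main__":
    recs, errs = naive_parse(SAMPLE)
    print(len(recs), "records before failure;", errs)
    recs, trailing = safe_parse(SAMPLE)
    print(len(recs), "complete records,", trailing, "trailing bytes ignored")
```

The recovery the post ends up with is the only one available: the bytes of the incomplete trailing record are gone, and either truncating to the last complete record or resetting the data lets the parser run cleanly again. A parser that bounds-checks before each unpack also turns the flood of per-field errors into one "N trailing bytes ignored" message.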


2
20.1 Legacy Series / [Resolved] ClamAV: how to flush database
« on: February 13, 2020, 11:27:03 am »
Hello,

Since today's download of a ClamAV third-party database (http://ftp.swin.edu.au/sanesecurity/jurlbl.ndb), ClamAV does not want to start. This database seems not to be in good health ...

root@DBSecure:~ # /usr/local/etc/rc.d/clamav-clamd start
Starting clamav_clamd.
LibClamAV Error: Empty database file
LibClamAV Error: Can't load /var/db/clamav/jurlbla.ndb: Malformed database
LibClamAV Error: cli_loaddbdir(): error loading database /var/db/clamav/jurlbla.ndb
Thu Feb 13 11:00:21 2020 -> !Malformed database
/usr/local/etc/rc.d/clamav-clamd: WARNING: failed to start clamav_clamd

I tried to deactivate it in the list of additional signatures and restart ClamAV: it doesn't work.
Probably normal, as that concerns the download and refresh of the database, not the loading of it in ClamAV.

Do you know how I can purge the database in order to restart ClamAV without this problematic third-party database?

Just erase /var/db/clamav/jurlbla.ndb?

Thanks a lot for any ideas!
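
Added example, not from the post and not OPNsense's or ClamAV's own code: a stage-then-install check that refuses to move a downloaded third-party .ndb file into the live database directory when it is empty or obviously malformed, so an unhealthy download cannot stop clamd from starting. The .ndb field layout checked here (name, target type, offset, hex signature) is an approximation for illustration, the sample signatures, file names and temporary directory are constructed, and the validator is a sanity check, not a replacement for letting clamscan or clamd load the file.

```python
import os
import re
import shutil
import tempfile

# Approximate shape of a ClamAV .ndb (extended signature) line:
#   MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
# The hex signature may contain ClamAV wildcard syntax; this pattern only
# rejects obviously non-hex garbage and does not fully validate signatures.
HEX_SIG = re.compile(r"^[0-9A-Fa-f?*{}()|\-\[\]]+$")


def validate_ndb(text):
    """Return (ok, reason) for the text of a downloaded .ndb file.
    An empty file is rejected up front; that is the case LibClamAV reports as
    'Empty database file' / 'Malformed database' only at load time."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    if not lines:
        return False, "empty database file"
    for n, line in enumerate(lines, 1):
        fields = line.split(":")
        if len(fields) < 4:
            return False, "line %d: expected at least 4 colon-separated fields" % n
        name, target, offset, sig = fields[:4]
        if not name:
            return False, "line %d: empty signature name" % n
        if not target.isdigit():
            return False, "line %d: target type %r is not an integer" % (n, target)
        if not offset:
            return False, "line %d: empty offset" % n
        if not HEX_SIG.match(sig):
            return False, "line %d: hex signature contains non-hex data" % n
    return True, "%d signature line(s)" % len(lines)


def install_if_valid(downloaded_path, dest_path):
    """Move a freshly downloaded database into place only if it validates.
    On failure the download stays where it is and any previously installed
    copy at dest_path is untouched, so clamd keeps starting."""
    with open(downloaded_path, "r", errors="replace") as fh:
        ok, reason = validate_ndb(fh.read())
    if ok:
        shutil.move(downloaded_path, dest_path)
    return ok, reason


def run_demo():
    """Exercise install_if_valid with an empty download and then a constructed
    well-formed one, in a throwaway directory.
    Returns (ok_empty, dest_exists_after_empty, ok_good, dest_exists_after_good)."""
    workdir = tempfile.mkdtemp()
    try:
        staged = os.path.join(workdir, "jurlbla.ndb.download")
        dest = os.path.join(workdir, "jurlbla.ndb")
        with open(staged, "w") as fh:  # empty download, as in the post
            fh.write("")
        ok_empty, _ = install_if_valid(staged, dest)
        exists_empty = os.path.exists(dest)
        with open(staged, "w") as fh:  # constructed, well-formed sample lines
            fh.write("Sanesecurity.Test.1:3:*:68656c6c6f\n"
                     "Sanesecurity.Test.2:0:*:7777{2-4}2e6578616d706c65:1\n")
        ok_good, _ = install_if_valid(staged, dest)
        exists_good = os.path.exists(dest)
        return ok_empty, exists_empty, ok_good, exists_good
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

Removing or disabling a broken file such as /var/db/clamav/jurlbla.ndb gets the service back, but the durable fix is to never overwrite a good signature file with an unvalidated download in the first place.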





3
General Discussion / Network question
« on: January 10, 2020, 07:58:36 pm »
Hello,

Not directly related to OPNsense, but a strange behaviour on my network.
Perhaps someone could help me understand what the issue is:

I use OPNsense with 3 interfaces (LAN, WAN, and WLAN). WLAN is a wired interface connected to the WAN port of an Asus wifi router.
The wifi router is configured as a router (not AP) for wifi devices (Android phones, for example), with DHCP.

So: WLAN (opnsense): 10.1.2.100
WAN of wifi router: 10.1.2.99 with default gateway 10.1.2.100
LAN of wifi router: 10.1.55.100/24
WIFI devices with DHCP: 10.1.55.6x/24

Wifi devices have access to the internet via OPNsense, but sometimes I see weird log entries on OPNsense:

Action: block
interface: WLAN
Source: 10.1.55.6x
Destination: very often a Google IP (216.58.2018.100 for example)

For the WLAN interface, I have some rules such as:
Accept   WLAN net   *   This Firewall   53 (DNS)      *   *
Accept   WLAN net   *   *               443 (HTTPS)   *   *
and so on....

And the last:
Block    *          *   *               *             *   *

I can't understand why WLAN receives and blocks (naturally) packets from wifi devices (10.1.55.6x). WLAN should not see them.

If somebody can explain this to me ...

Thanks a lot in advance.

4
19.7 Legacy Series / [Solved] GeoIP
« on: September 14, 2019, 06:34:58 pm »
Hello,

I use 19.7.4 and Maltrail.

Could somebody explain to me how the GeoIP database is updated?

I have been using (since OPNsense 18.1) GeoIP with an alias and a rule on the inbound WAN interface in first position. Now I am trying Maltrail, and I notice lots of "malicious traffic" coming from China and Russia... However, nothing personal, but my GeoIP alias and firewall rule are supposed to block these countries.

I wonder if my firewall rule is really applied ... or if these IPs were recently assigned to these countries and my GeoIP database is not really updated.

Is the GeoIP database updated by the cron task "update and reload firewall aliases"? I've already got this cron task.
Is it related to the GeoLite Legacy databases being discontinued on January 2?

Thanks a lot for any advice.
Bertrand

5
19.1 Legacy Series / [solved] OpenSSL or LibreSSL
« on: April 23, 2019, 10:28:16 am »
Hello,

Small and perhaps silly question:

Is it possible and safe to switch from OpenSSL to LibreSSL for the firmware cryptography flavour (firmware > settings)?

Present release: 19.1.6 running with OpenSSL

Purpose: to get closer to the work of the OpenBSD team.

Thanks a lot for your advice


6
Intrusion Detection and Prevention / New message from rule-updater.py ?
« on: February 05, 2019, 08:04:41 pm »
Hello,

Using OPNsense 19.1 with Suricata 4.1.2_1, I noticed a new message in the log (on the dashboard):
Lots (roughly 45 for the same date and hour) of ...

Feb 5 18:18:45    rule-updater.py: version response for https://rules.emergingthreats.net/open/suricata-4.0/version.txt : 9115

With version.txt incrementing each day.

It seems to be correctly downloading and installing new versions of the rules, but do you know why rule-updater.py logs so many identical messages?

Thanks a lot for teaching me ...

7
18.7 Legacy Series / Difference between alias type
« on: November 28, 2018, 12:08:20 pm »
Hello,

Could someone explain to me the difference between the types "URL (IPs)" and "URL Table (IPs)" when creating a new alias for the firewall?

Thanks a lot!
Have a good day.

8
Web Proxy Filtering and Caching / [Solved] URL blacklist from https://ransomwaretracker.abuse.ch
« on: November 27, 2018, 03:10:30 pm »
Hello,

Did someone succeed in downloading and using this list with squid?

https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt

This list is downloadable with a browser but, when I create an external ACL with it, it does not work:

Warning: empty ACL: acl remoteblacklist_URL.Ransomware dstdomain "/usr/local/etc/squid/acl/URL.ransomware"

Permissions are the same as for other remote ACLs, which work fine.
Is it because squid expects domains and not URLs?

Thanks for any advice!
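
Added example, not from the post and not squid's or OPNsense's own code: squid's dstdomain ACL type matches on the destination hostname, so a feed of full URLs has to be reduced to hostnames before it is usable in that ACL. The function below splits a URL list into hostnames for a dstdomain ACL and IP literals for a dst ACL, discarding scheme, credentials, port and path. The sample feed lines are constructed (they are not real feed data) and the output file names are an assumption.

```python
import ipaddress
from urllib.parse import urlsplit


def url_list_to_squid_acls(text):
    """Split a URL blocklist (one entry per line, '#' comments) into two sorted
    lists: hostnames for a squid 'dstdomain' ACL and IP literals for a 'dst' ACL.
    Scheme, credentials, port and path are discarded; hostnames are lowercased."""
    domains, ips = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "://" not in line:  # bare host or host/path entries
            line = "http://" + line
        try:
            host = urlsplit(line).hostname  # lowercased, without port or userinfo
        except ValueError:  # e.g. an unbalanced IPv6 bracket; skip the entry
            continue
        if not host:
            continue
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host)
    return sorted(domains), sorted(ips)


def render_acl_files(text, basename="URL.ransomware"):
    """Return {filename: contents} for the two ACL files squid should load.
    The file names are an assumption for this example."""
    domains, ips = url_list_to_squid_acls(text)
    return {
        basename + ".domains": "\n".join(domains) + ("\n" if domains else ""),
        basename + ".ips": "\n".join(ips) + ("\n" if ips else ""),
    }


# Constructed sample in the style of a URL blocklist (not real feed data).
SAMPLE = """# Ransomware Tracker URL blocklist (constructed sample)
# one URL per line
http://Example.COM/gate.php
https://example.com:8443/other/path
http://user:pw@cdn.example.net/x.exe
http://198.51.100.7/payload.exe
sub.evil.example/landing
"""

if __name__ == "__main__":
    for name, body in render_acl_files(SAMPLE).items():
        print("==", name)
        print(body, end="")
```

Load the two files with `acl ransomware_dom dstdomain "/usr/local/etc/squid/acl/URL.ransomware.domains"` and `acl ransomware_ip dst "/usr/local/etc/squid/acl/URL.ransomware.ips"` (paths assumed). A dstdomain entry without a leading dot matches only that exact host; prefix entries with a dot to cover subdomains too, keeping in mind that a host-level block is coarser than the specific URL the feed flagged.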

9
Intrusion Detection and Prevention / Download rules from abuse.ch
« on: November 15, 2018, 08:08:35 pm »
Hello,

Since 18.7.7, I've noticed that Suricata doesn't download rules coming from abuse.ch.

For example:
rule-updater.py: download failed for https://feodotracker.abuse.ch/blocklist/?download=suricata
rule-updater.py: download failed for https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist.rules
rule-updater.py: download failed for https://sslbl.abuse.ch/blacklist/sslipblacklist.rules
rule-updater.py: download failed for https://sslbl.abuse.ch/blacklist/sslblacklist.rules

In the rules section, we can see that no new download has been completed for some days:

abuse.ch/Dyre SSL IPBL               2018/11/09 10:18    drop
abuse.ch/Feodo Tracker               2018/11/06 22:18    drop
abuse.ch/SSL Fingerprint Blacklist   2018/11/09 10:18    drop
abuse.ch/SSL IP Blacklist            2018/11/09 10:18    drop

Do you have the same issue with 18.7.7 and Suricata 4.0.6?

Thanks for any ideas!
Regards

10
Intrusion Detection and Prevention / Suricata user defined rules
« on: October 12, 2018, 10:22:15 am »
Hello,

I just noticed that user-defined rules are no longer applied ...
I also use squid, and in order to filter a website by its SSL fingerprint, I put the website in the "SSL no bump sites" list in the squid config.

After this, I use the SSL fingerprint of this website to create a new "user defined" rule (with a "reject" argument) in the Suricata config section.

This one is no longer applied ... I can access this website.

I use:
OPNsense 18.7.4-amd64
FreeBSD 11.1-RELEASE-p14
OpenSSL 1.0.2p 14 Aug 2018

And Hyperscan as "pattern matcher". But "default" doesn't work anymore.

Did someone notice this?

Thanks a lot for any idea.
Best regards

11
Web Proxy Filtering and Caching / Clear some squid config
« on: May 26, 2018, 10:56:10 am »
Hello,

Did you experience this issue with 18.1.8?

I definitely can't clear the ACL config I put in the squid configuration: the individual close cross next to each element doesn't work, and the global "clear / remove" cross leads me to a pop-up asking if I'm sure I want to deselect or remove all items.
Clicking "yes" closes this pop-up, but it doesn't work.

configd log after this action: configd.py: [0d623e91-5a65-4a98-902b-5774751148bf] request proxy status

Where can I look for the reason?

Thanks a lot for any help !
bertrand

12
18.1 Legacy Series / [SOLVED] SSL certificate and suricata rules
« on: May 22, 2018, 01:29:59 pm »
Hello,

I think I need help to understand how OPNsense processes this...

I use squid with HTTPS inspection, so I created a self-signed authority inside OPNsense (called internal-ca).
When a user visits an HTTPS web page, every site shows a certificate provided by my organisation, with, of course, a unique SHA1 fingerprint. I think this is normal. But ...
I try to block some sites using "user defined rules" with Suricata. I give the fingerprint of the website I want to block, but no success ... the website isn't blocked by Suricata.

Suricata works on the WAN interface only. If it works on the WAN + LAN interfaces, there is no more access to the OPNsense GUI because of a rule:

   SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt
Alert sid   31484

Is there a way to use a drop action based on SSL fingerprint if we want to use SSL inspection with Squid?

Thanks a lot for any advice.
Bertrand

13
French - Français / [RESOLVED] Blocking a site via its SSL certificate with Suricata
« on: May 17, 2018, 07:15:17 pm »
Hello,

It's more or less all in the title ...
I was using this Suricata feature to block facebook, and since version 18.1.7 it no longer works...

I'm a bit confused by this malfunction because when I display the details of facebook's certificate in a browser, it says it was issued by the certificate authority I created in OPNsense. Strange, isn't it?

I use squid with SSL inspection, with this same CA.

I must be missing an important concept...

Thanks for any insights you may have.
Bertrand

Resolved, see:
https://forum.opnsense.org/index.php?topic=8740.0

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved