Topics

1

Zenarmor (Sensei) / Resetting elasticsearch index

« on: April 17, 2022, 07:37:53 am »

Hi,
Im running an external elasticsearch index for zenarmor, I had to reset/remove the whole index because reporting from zenarmor was not working anymore.

Now I have reporting partly working again except for a few parts (cant see blocks for example)

The error I get when opening the reporting page for block is:

Code: [Select]

{
  "error": {
    "root_cause": [
      {
        "type": "index_not_found_exception",
        "reason": "no such index",
        "resource.type": "index_or_alias",
        "resource.id": "alert_all",
        "index_uuid": "_na_",
        "index": "alert_all"
      }
    ],
    "type": "index_not_found_exception",
    "reason": "no such index",
    "resource.type": "index_or_alias",
    "resource.id": "alert_all",
    "index_uuid": "_na_",
    "index": "alert_all"
  },
  "status": 404
}
Is there a way to force the recreation of the whole index in a remote elasticsearch setup ? (i tried uninstalling zenarmor and reinstalling but did not recreate the whole index).

Thanks!

2

Zenarmor (Sensei) / zenarmor disk full

« on: February 22, 2022, 06:44:15 pm »

Hi, since about 2 days I get the error from zenarmor about disk being full. It also stopped logging to my remote elasticsearch. I see the temp dir is full

/usr/local/sensei/output/active/temp [ufs] (45M/48M)

How do I clean that out ?

3

21.7 Legacy Series / opnsense transparant bridge

« on: January 22, 2022, 08:57:17 pm »

Hi,
Im trying to set up opnsense in bridge mode, followed the instruction on: https://docs.opnsense.org/manual/how-tos/transparent_bridge.html

Bridging works, but I get a lot of denies on "default deny rule" while I set an "allow any" on all interfaces (lan, wan and bridge) .. how can I check why the default deny rule gets hit ?

4

21.7 Legacy Series / importing HAproxy config

« on: August 22, 2021, 10:31:15 am »

Hi, I reinstalled opnsense and reconfigured manually. Can I import the HAproxy of my old opnsense to my new ?

5

21.7 Legacy Series / wireguard with opnsense in bridge

« on: August 14, 2021, 07:33:21 pm »

Hello,

Been trying to get mullvad wireguard to work in opnsense in bridge mode, I got the tunnel up but im not able to push traffic through the tunnel. Im wondering if it is possible in bridge mode ?

6

Zenarmor (Sensei) / exclude IP from sensei

« on: July 31, 2021, 05:03:51 pm »

Hi,

Sensei is using 100% cpu and is capping my throughput, is it possible to exclude an IP in sensei so sensei does not scan the traffic at all ?
Have added the IP to the exempted network/ip list but sensei is still scanning.

7

Zenarmor (Sensei) / blocking websites not working 100% for me

« on: July 10, 2021, 03:45:49 pm »

Hi,

I am using sensei to block access to websites, while testing it seems to work, however, after being blocked I go to the URL bar again and just press enter and im allowed through to the website.. This happens when the page switches over from http to https, but it also happens when just pressing enter a few times in a row..

Also, will it be possible to redirect to a block page on https traffic ?
Thanks!

8

Zenarmor (Sensei) / Can i use sensei to see which IP is uploading / downloading ?

« on: July 03, 2021, 07:37:52 pm »

Hi,

Is it possible to use sensei to check / report on which IP is uploading or downloading  ? I dont have alot of devices on my network, still one of my devices has been uploading data constantly, its about 20 to 25gb a day.. Last friday when i was at work, and did not do anything on my own home network, still I saw 40gb of data going out in the status screen of sensei..

How can i find out which device it is ?

Thanks!

9

21.1 Legacy Series / Trying to set up mysterium node

« on: June 28, 2021, 09:53:34 pm »

Hello,

im trying to set up a mysterium node in a DMZ on opensense. Mysterium is a dVPN service running wireguard server in it. From the outside im able to forward traffic to the mysterium node and can see it connect to the node, but im having problems getting traffic back out from the node. The wireguard set up in the mysterium node sets up its own subnet 172.18.0.0/16 as "allowed subnet". I dont know how to allow this traffic to pass out. My DMZ has subnet 10.42.246.0/24 im not sure if this is the problem ?

I tried entering the subnet range 172.18.0.0 in an alias an allow it through using a rule with the alias set a source but the default rule keeps blocking the traffic. Tried all kinds of nat rules but still being blocked..

10

Zenarmor (Sensei) / sensei - error loading reports

« on: March 18, 2021, 07:44:18 pm »

Hi,

I have an elasticsearch instance running and am connecting to it from sensei (version 1.8 ). When trying to view reports I get the following error:

Code: [Select]

{
  "error": {
    "root_cause": [
      {
        "type": "circuit_breaking_exception",
        "reason": "[parent] Data too large, data for [] would be [1039763720/991.5mb], which is larger than the limit of [1020054732/972.7mb], real usage: [1039763184/991.5mb], new bytes reserved: [536/536b], usages [request=0/0b, fielddata=142807/139.4kb, in_flight_requests=536/536b, model_inference=0/0b, accounting=59793368/57mb]",
        "bytes_wanted": 1039763720,
        "bytes_limit": 1020054732,
        "durability": "PERMANENT"
      }
    ],
    "type": "circuit_breaking_exception",
    "reason": "[parent] Data too large, data for [] would be [1039763720/991.5mb], which is larger than the limit of [1020054732/972.7mb], real usage: [1039763184/991.5mb], new bytes reserved: [536/536b], usages [request=0/0b, fielddata=142807/139.4kb, in_flight_requests=536/536b, model_inference=0/0b, accounting=59793368/57mb]",
    "bytes_wanted": 1039763720,
    "bytes_limit": 1020054732,
    "durability": "PERMANENT"
  },
  "status": 429
}
I am building up logging for about 365 days and am about 90 days in.. could the ammount of kept logs be too large ?

11

Zenarmor (Sensei) / Sensei policy settings

« on: February 13, 2021, 08:48:55 am »

Hi,

I found a new option available in the policy window:
"Please specify for whom this policy applies and when it becomes in effect"  It has my interface IGB1, it is not selected. What does this option do ? If it is unchecked, does it mean the policy is not applied/not working ?

Also, im not able to change the default policy anymore, i want to add an IP address exclusion but it is no longer allowed ?

12

Zenarmor (Sensei) / sensei remote elasticsearch

« on: October 07, 2020, 09:54:36 pm »

Hi,
I have a question about sensei, I have configured sensei with a remote elasticsearch location. Now browsing the live session explorer it is filled with sessions from the firewall going to the elasticsearch server.. Is there a way to choose to ignore this connection to the elastic server so it wont show up in live explorer ?

Also not related to sensei but maybe someone knows, I read about SSL/TLS and user authentication, im not really clear on the license... is this functionality included in the basic license of elasticsearch ?

Thanks!

13

20.7 Legacy Series / reset ntopng

« on: September 26, 2020, 04:00:21 pm »

Hi, I forgot my ntopng password, how can I reset it (reinstalling didnt work) ?

14

Intrusion Detection and Prevention / Suricata not working ? How to check ?

« on: September 20, 2020, 10:32:12 am »

Hi, I seem to have some issues with suricata. Currently im on the latest opnsense with netmap kernel also have sensei installed on it.

Suricata seems to generate alerts, I see some scan attempts on my open ports on the WAN side, but I also have a few rules enabled where I would expect suricata to alert and block the connection. In the emerging-info rules there is a rule enabled for a visit to http://www.whatismyip.com. Visiting this website should be blocked and alerted by suricata but there is no alert .. Regarding this, I only have suricata enabled on my WAN interface ... since I also have sensei enabled, if I also enabled suricata on my LAN the suricata service seems to crash.

How/where/what log can I check to see if suricata is doing anything ?
Thanks!

15

20.1 Legacy Series / cannot get traffic shaper to work properly

« on: March 21, 2020, 10:53:47 pm »

Hi, Im trying to configure the traffic shaper on opnsense. On the shaper settings I created:

1 upstream pipe 40mb
1 downstream pipe 180mb

1 normal upstream queue - weight 1 (used for normal upstream traffic)
1 normal downstream queue - weight 1 (used for normal downstream traffic)
1 higher prio upstream queue - weight 10 (used for higher prio upstream traffic)
1 higher prio downstream queue - weight 10 (used for higher prio downstream traffic)

1 rule with tcp/ack proto (sequence 1) - connected to higher prio upstream queue with weight 10, left settings default (src/dst any)
1 rule for download (sequence 2) - connected to normal downstream queue all settings default
1 rule for upstream (sequence 3) - connected to normal upstream queue also all settings left default

Tried a speed test and my max download is now 40mb, how do I make it use the downstream pipe (switched it around aswell, setting upstream to downstream but the download speed remains 40mb) ?

Thanks!