Topics - fxsaddict

1
24.1 Legacy Series / I lost internet after a shutdown
« on: February 13, 2024, 12:47:06 pm »
I have a Protectli i7, RAM 16G, 480 SSD, 6 ports, coreboot.
Due to some difficulties, I did a fresh installation with OPNsense 24.1.1-amd64, FreeBSD 13.2-RELEASE-p9, OpenSSL 3.0.13.
Sometimes I turn off the device. After a restart, the firewall loses internet. I have to run the wizard, setting the correct static address for WAN, then do a second wizard pass with DHCP. The WAN takes the correct IP address from the Swisscom router. And then everything is OK. The maneuver is reproducible after a shutdown.

2
Zenarmor (Sensei) / unable to reinstall zenarmor
« on: May 29, 2023, 09:52:35 am »
When I upgraded previously from 23.1.7, the firewall went down.
I had to reinitialise everything.
Everything works but Zenarmor.
I upgraded to 23.1.8.
I had to reinstall Zenarmor.
I checked "agree terms of service".
I see:
cpu model: intel(R) core(TM)i7-8550 cpu @ 1.80ghz
cpu score 676572
physical memory size: 16gb
congratulations! your hadware looks great.
But the bar didn't progress and nothing happens (1h).
I reinstalled Zenarmor but no change.
Protectli f6w dd 500g
Active subscription for almost 3 y.
What should I do?

3
Intrusion Detection and Prevention / [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102), etc.
« on: October 24, 2022, 12:53:51 pm »
[ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102), [ERRCODE: SC_ERR_INVALID_SIGNATURE(39),  [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]

I want to have Suricata inspect the WAN interface and Zenarmor inspect LAN, DMZ and WiFi. CrowdSec also runs.
Is snortrules-snapshot-29151.tar.gz compatible with the version of Suricata provided by OPNsense 22.7.6? (I have a paid Snort subscription and snort_vrt.oinkcode is OK.)
The firewall is behind a router provided by the ISP. Should I use advanced mode (settings page)? If yes, what should I put in home networks? Leave blank? IP of the WAN interface? IP of LAN, DMZ, WiFi?
Thanks for help.
Regards

Code:

2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?\.jsf/R"; content:!"JSESSIONID="; flowbits:set,glassfish_unauth_attempt; metadata:policy max-detect-ips drop, service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20159; rev:9;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 3546
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:2;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 1122
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt"; flow:to_server,established; content:"user_name="; fast_pattern:only; http_uri; urilen:4; content:"/cgi"; nocase; http_uri; pcre:"/[?&]user_name=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2020-5722; classtype:web-application-attack; sid:53858; rev:2;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 202
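
One way to triage rule-load errors like those in the log above, as an added example that is not part of the original post: it pairs each rejected signature with the reason line that follows it and pulls out the sid, rule file and line number. `SAMPLE_LOG` is constructed from the post's log format with the rule bodies shortened, and `parse_rule_errors` is a name introduced here.

```python
import re

# Constructed sample: same format, sids, file and line numbers as the log in
# the post above, with the rule bodies shortened to a few options.
SAMPLE_LOG = r'''
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; pcre:"/^(Frame)?\.jsf/R"; sid:20159; rev:9;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 3546
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; content:"uid="; http_raw_cookie; sid:46825; rev:2;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 1122
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt"; urilen:4; sid:53858; rev:2;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 202
'''

ENTRY_RE = re.compile(r"\[ERRCODE: (SC_ERR_\w+)\(\d+\)\] - (.*)$")
SIG_RE = re.compile(r'error parsing signature "(.*)" from file (\S+) at line (\d+)')
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_rule_errors(log_text):
    """Return one record per rejected rule, with the parser's reason if shown.

    Assumption: as in the post's excerpt, the reason line directly follows
    the "error parsing signature" line it belongs to.
    """
    records = []
    for line in log_text.splitlines():
        entry = ENTRY_RE.search(line)
        if not entry:
            continue
        code, message = entry.groups()
        sig = SIG_RE.match(message)
        if sig:
            rule, path, lineno = sig.groups()
            sid = SID_RE.search(rule)
            records.append({"sid": int(sid.group(1)) if sid else None,
                            "file": path.rsplit("/", 1)[-1],
                            "line": int(lineno), "code": None, "reason": None})
        elif records and records[-1]["reason"] is None:
            records[-1]["code"], records[-1]["reason"] = code, message
    return records


if __name__ == "__main__":
    for rec in parse_rule_errors(SAMPLE_LOG):
        print(f'sid {str(rec["sid"]):>6}  {rec["file"]}:{rec["line"]}  '
              f'{rec["code"] or "-"}  {rec["reason"] or "(no reason line in excerpt)"}')
```

Grouping the records by `reason` shows whether a handful of unsupported keywords account for most of the rejected rules.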
