Topics - secdoc

#1
Has anyone experienced an issue where ICMP is being sent to the loopback address in high volumes?

Here are example logs:
<134>1 2024-08-14T11:56:43+00:00 xxxx.acme.tech filterlog 12611 - [meta sequenceId="7416432"] 66,,,1232f88e5fac29a32501e3f051020cac,lo0,match,pass,out,4,0x0,,64,1281,0,none,1,icmp,596,127.0.0.1,127.0.0.1,datalength=576

When looking at the logs there is a rather large volume of traffic to the loopback from the loopback which does not make sense.


Any thoughts or ideas why this would be happening?

Appliance Specs:

Versions:
OPNsense 24.7.1-amd64
FreeBSD 14.1-RELEASE-p3
OpenSSL 3.0.14
CPU:
12th Gen Intel(R) Core(TM) i5-1240P
Memory:
32GB

Installed Modules:
os-acme-client
os-clamav
os-crowdsec
os-dmidecode
os-etpro-telemetry
os-git-backup
os-haproxy    
os-intrusion-detection-content-et-open
os-intrusion-detection-content-et-pro    
os-intrusion-detection-content-pt-open
os-intrusion-detection-content-snort-vrt
os-iperf
os-maltrail
os-sensei
os-sensei-agent
os-sensei-updater
os-sunnyvalley
os-theme-cicada
os-theme-rebellion
os-vnstat
#2
**Question**
Has there been any change in the blacklist updates in the past week?

**Support**
It seems that Maltrail on OPNsense was fine up to 8/7/2024 as far as overall visibility, but after that time it has progressively diminished to the point that there are no hits at all as of today...


8/7/2024
![image](https://github.com/user-attachments/assets/f2fc31ed-e9a9-4144-af59-41e02625484a)
8/12/2024
![image](https://github.com/user-attachments/assets/d37af22a-0073-4823-92e9-5d858997b82f)
overall activity by date (maltrail calendar view)
![image](https://github.com/user-attachments/assets/600f42fa-fae4-45a0-9933-703320c1805e)

Error Log: https://github.com/stamparm/maltrail/issues/19272
#3
Is there a way to create custom rules for IDS in 24.7?

I am specifically wanting to create an alert for GRE.

# Alert on GRE traffic to a specific IP
alert ip any any -> {IP ADDRESS} any (msg:"GRE traffic to specific IP"; ip_proto:47; sid:1000002; rev:1;)

# Alert on high-volume GRE traffic
alert ip any any -> any any (msg:"High volume GRE traffic"; ip_proto:47; threshold: type both, track by_src, count 1000, seconds 60; sid:1000003; rev:1;)


The current user defined option does not cut it...



#4
For all those that are planning and/or dealing with updating to the latest release: there are changes to the log output for Filter and Suricata logs (syslog output) as compared to the previous versions:

Old and New Logging Formats for FilterLog and Suricata

FilterLog: Old Format: <134>Jul 16 06:36:52 xxxx.acme.tech filterlog[40156]: 85,,,9f96d956119c25145fc2ce221237f3a5,bridge0,match,pass,out,4,0x0,,64,63281,0,DF,17,udp,52,10.13.37.156,8.8.8.8,36444,53,32

New Format: <134>1 2024-08-05T12:05:54+00:00 xxxx.acme.tech filterlog 54802 - [meta sequenceId="2763892"] 85,,,9f96d956119c25145fc2ce221237f3a5,bridge0,match,pass,out,4,0x0,,63,11771,0,DF,6,tcp,60,10.13.37.156,193.0.6.135,43802,43,0,S,1404651214,,64240,,mss;sackOK;TS;nop;wscale

Suricata: Old Format: <173>Jul 26 13:17:32 xxxx.acme.tech suricata[48264]: [1:2017928:4] ET POLICY check.torproject.org IP lookup/Tor Usage check over TLS with SNI [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 192.168.200.69:1247 -> 116.202.120.181:443

New Format: <173>1 2024-08-05T23:17:15+00:00 xxxx.acme.tech suricata 23296 - [meta sequenceId="1335381"] [1:2024364:4] ET SCAN Possible Nmap User-Agent Observed [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.2.141:56840 -> 192.168.88.2:80

Key Changes:

Date Format: The old format used a more condensed representation (e.g., "Jul 26 13:17:32"), while the new format adopts the ISO 8601 standard (e.g., "2024-08-05T23:17:15+00:00"), including timezone information.
Meta Sequence ID: The new format introduces a [meta sequenceId="XXXXXXX"] field, which can be useful for tracking log sequence and detecting missing logs.
Structure: The overall structure of the log entries has been modified to align with more standardized logging practices, potentially improving compatibility with log analysis tools.

While many may already be aware, they may have noticed potential impacts to logging and SIEM solutions. If you use Graylog, I have created a GitHub repository that has Grok patterns to deal with the updated formatting.

If you need a quick work around, here is the link:
https://github.com/secdoc/OPNsense-24.7-Graylog-Grok-Patterns/tree/main
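As an added example (not OPNsense code, and separate from the Grok repository linked above), the following Python parses filterlog lines in both the old BSD syslog header format and the new RFC 5424 header format shown in this post, then runs two checks over them: it flags the loopback-to-loopback ICMP entries asked about in post #1, and it reports gaps in the new meta sequenceId field, which is the missing-log detection this post mentions. The first two sample lines are the ones quoted in these posts; the last two are constructed here to produce a sequenceId gap. The field order for the IPv4 filterlog body is taken from the sample lines, and the year assumed for old-format timestamps (which carry none) is a parameter.

```python
"""Parse OPNsense filterlog syslog lines in the pre-24.7 BSD syslog format and
the 24.7 RFC 5424 format, then run two checks: loopback-to-loopback ICMP (the
traffic asked about in post #1) and gaps in the RFC 5424 meta sequenceId
(the missing-log detection post #4 mentions). Example added to this page;
it is not OPNsense code, and the Graylog repository linked above is separate."""
import ipaddress
import re
from datetime import datetime, timezone

# Old header: <PRI>Mon DD HH:MM:SS host app[pid]: body
OLD_HDR = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<app>[^\s\[:]+)\[(?P<pid>\d+)\]: (?P<body>.*)$')
# New header: <PRI>1 ISO8601 host app pid msgid structured-data body
NEW_HDR = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<body>.*)$')
SEQ_RE = re.compile(r'sequenceId="(\d+)"')

# Leading fields of the comma-separated filterlog body for IPv4 entries
# (field order as in the sample lines on this page).
FIELDS = ('rulenr', 'subrulenr', 'anchor', 'label', 'iface', 'reason',
          'action', 'dir', 'ipver', 'tos', 'ecn', 'ttl', 'id', 'offset',
          'flags', 'proto_id', 'proto', 'length', 'src', 'dst')


def parse_line(line, assume_year=2024):
    """Return a dict for one IPv4 filterlog line, or None for anything else."""
    m = NEW_HDR.match(line)
    if m:
        fmt = 'rfc5424'
        ts = datetime.fromisoformat(m.group('ts'))   # zone offset included
        seq_m = SEQ_RE.search(m.group('sd'))
        seq = int(seq_m.group(1)) if seq_m else None
    else:
        m = OLD_HDR.match(line)
        if not m:
            return None
        fmt = 'bsd'
        # BSD syslog stamps carry neither year nor zone; the caller supplies
        # the year (assumption) and UTC is assumed for the zone.
        ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S').replace(
            year=assume_year, tzinfo=timezone.utc)
        seq = None
    if m.group('app') != 'filterlog':
        return None                       # suricata lines share the header
    fields = m.group('body').split(',')
    if len(fields) < len(FIELDS) or fields[8] != '4':
        return None                       # IPv6 layout differs; not handled
    rec = dict(zip(FIELDS, fields))
    rec.update(format=fmt, ts=ts, host=m.group('host'), seq=seq)
    return rec


def is_loopback_icmp(rec):
    """True when an ICMP entry has loopback on both ends (127.0.0.0/8 or ::1)."""
    return (rec['proto'] == 'icmp'
            and ipaddress.ip_address(rec['src']).is_loopback
            and ipaddress.ip_address(rec['dst']).is_loopback)


def sequence_gaps(records):
    """(first_missing, next_seen) for every jump in the meta sequenceId."""
    seqs = sorted(r['seq'] for r in records if r['seq'] is not None)
    return [(a + 1, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]


def analyse(lines, assume_year=2024):
    """Parse lines and return a summary of both checks."""
    recs = [r for r in (parse_line(l, assume_year) for l in lines) if r]
    return {'parsed': len(recs),
            'loopback_icmp': [r for r in recs if is_loopback_icmp(r)],
            'gaps': sequence_gaps(recs)}


# Lines 1 and 2 are the old-format and ICMP samples quoted in the posts above;
# lines 3 and 4 are constructed here to show a sequenceId gap (7416434 absent).
SAMPLE_LINES = [
    '<134>Jul 16 06:36:52 xxxx.acme.tech filterlog[40156]: 85,,,9f96d956119c25145fc2ce221237f3a5,'
    'bridge0,match,pass,out,4,0x0,,64,63281,0,DF,17,udp,52,10.13.37.156,8.8.8.8,36444,53,32',
    '<134>1 2024-08-14T11:56:43+00:00 xxxx.acme.tech filterlog 12611 - [meta sequenceId="7416432"] '
    '66,,,1232f88e5fac29a32501e3f051020cac,lo0,match,pass,out,4,0x0,,64,1281,0,none,1,icmp,596,'
    '127.0.0.1,127.0.0.1,datalength=576',
    '<134>1 2024-08-14T11:56:44+00:00 xxxx.acme.tech filterlog 12611 - [meta sequenceId="7416433"] '
    '85,,,9f96d956119c25145fc2ce221237f3a5,bridge0,match,pass,out,4,0x0,,64,63282,0,DF,17,udp,52,'
    '10.13.37.156,8.8.8.8,36445,53,32',
    '<134>1 2024-08-14T11:56:45+00:00 xxxx.acme.tech filterlog 12611 - [meta sequenceId="7416435"] '
    '90,,,0000000000000000000000000000dead,igc0,match,block,in,4,0x0,,64,4444,0,none,6,tcp,60,'
    '198.51.100.7,203.0.113.9,51000,22,0,S,1,,64240,,mss',
]

if __name__ == '__main__':
    result = analyse(SAMPLE_LINES)
    print('parsed:', result['parsed'])
    for r in result['loopback_icmp']:
        print('loopback ICMP on', r['iface'], r['src'], '->', r['dst'], 'seq', r['seq'])
    for first_missing, next_seen in result['gaps']:
        print('sequence gap: missing', first_missing, 'up to', next_seen - 1)
```

Running it over the samples reports one loopback ICMP entry on lo0 and one gap (7416434 missing). A SIEM ingesting the new format can apply the same two checks: a sustained count of lo0 ICMP records is worth graphing on its own, and a sequenceId gap distinguishes "nothing matched" from "lines were lost in transit", which the old format could not tell apart.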
#5
General Discussion / Monitoring packet loss/Qos issues
February 10, 2024, 09:27:31 PM
Is there a way to monitor other interfaces/VLANs for packet loss? I have been troubleshooting QoS related issues and seeing high packet loss in video conferencing apps such as Zoom and cannot narrow down where it is. I have been able to rule out the ISP and the FW itself as dropping, but do not know if it could be in the switching infrastructure or cabling, and I am not seeing anything specific like the health quality monitoring for the WAN gateway...

Any thoughts or ideas would be greatly appreciated...
#6
24.1, 24.4 Legacy Series / Business Edition 24.1 Release?
February 10, 2024, 03:07:01 AM
When will the Business Edition 24.1 be released?
#7
System Info:
OPNsense 24.1.1-amd64
FreeBSD 13.2-RELEASE-p9
OpenSSL 3.0.13
CPU - Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz (4 cores, 8 threads)
Memory - 32GB

After updating, my CPU temps have gone through the roof. Before they averaged 60-65C with spikes to 78-80C, but now each core is averaging 78-85C and spiking up to 92C. Anyone else experiencing high temps?
#8
I am looking for some feedback, possible ideas around how to figure out what may be going on with my throughput between the OPNsense FW and the internet. My current service provider is ATT Fiber Internet, which means I have to have the BGW320 ONT as the gateway and I have IP Passthrough enabled. My subscribed rate is 5Gbps synchronous; up until about the beginning of November I was averaging 4.5-5Gbps with no real issues. After that I started to get sweeping performance issues, and as such I have speedtest and iperf running every 5sec to get metrics. The below shows the overall stats:

Download
1263.2 Mbit/s (current)
3033.3 Mbit/s (average)
4710.9 Mbit/s (maximum)
11.1 Mbit/s (minimum)

Upload
1613.2 Mbit/s (current)
3267.0 Mbit/s (average)
4707.9 Mbit/s (maximum)
7.5 Mbit/s (minimum)


This is the iperf3 now through ATT:

secdoc@maul:~$ iperf3 -c *.*.*.*
Connecting to host *.*.*.*, port 5201
[  5] local 192.168.2.101 port 36846 connected to *.*.*.* port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   218 MBytes  1.83 Gbits/sec   43   2.31 MBytes       
[  5]   1.00-2.00   sec   262 MBytes  2.20 Gbits/sec   83   2.50 MBytes       
[  5]   2.00-3.00   sec   248 MBytes  2.08 Gbits/sec    0   2.58 MBytes       
[  5]   3.00-4.00   sec   215 MBytes  1.80 Gbits/sec    0   2.64 MBytes       
[  5]   4.00-5.00   sec   220 MBytes  1.85 Gbits/sec    0   2.70 MBytes       
[  5]   5.00-6.00   sec   148 MBytes  1.24 Gbits/sec  1331   1.39 MBytes       
[  5]   6.00-7.00   sec   351 MBytes  2.95 Gbits/sec    0   1.57 MBytes       
[  5]   7.00-8.00   sec   322 MBytes  2.71 Gbits/sec    7   1.71 MBytes       
[  5]   8.00-9.00   sec   341 MBytes  2.86 Gbits/sec    0   1.84 MBytes       
[  5]   9.00-10.00  sec   330 MBytes  2.77 Gbits/sec    0   1.97 MBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  2.59 GBytes  2.23 Gbits/sec  1464             sender
[  5]   0.00-10.04  sec  2.59 GBytes  2.22 Gbits/sec                  receiver


So I have the following setup for OPNSense:

Versions    OPNsense 23.7.10_1-amd64
CPU type    Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz (4 cores, 8 threads)
Memory - 32594 MB
2 - 10Gbase-SR <full-duplex,rxpause,txpause>
4 - 2.5Gbps Intel NICs

I can run an iperf internally, I get 9.0-9.8Gbps on my network, here is an example:

secdoc@maul:~$ iperf3 -c 192.168.2.10
Connecting to host 192.168.2.10, port 5201
[  5] local 192.168.2.101 port 54084 connected to 192.168.2.10 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  1.09 GBytes  9.36 Gbits/sec    0   1.91 MBytes       
[  5]   1.00-2.00   sec  1.09 GBytes  9.38 Gbits/sec   18   1.91 MBytes       
[  5]   2.00-3.00   sec  1.09 GBytes  9.33 Gbits/sec    5   1.91 MBytes       
[  5]   3.00-4.00   sec  1.06 GBytes  9.10 Gbits/sec    0   1.91 MBytes       
[  5]   4.00-5.00   sec  1.03 GBytes  8.85 Gbits/sec    0   1.91 MBytes       
[  5]   5.00-6.00   sec  1.08 GBytes  9.31 Gbits/sec    7   1.91 MBytes       
[  5]   6.00-7.00   sec  1.09 GBytes  9.36 Gbits/sec    0   1.91 MBytes       
[  5]   7.00-8.00   sec  1.09 GBytes  9.37 Gbits/sec    0   1.92 MBytes       
[  5]   8.00-9.00   sec  1.09 GBytes  9.34 Gbits/sec    0   1.93 MBytes       
[  5]   9.00-10.00  sec  1.09 GBytes  9.34 Gbits/sec    8   1.94 MBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  10.8 GBytes  9.28 Gbits/sec   38             sender
[  5]   0.00-10.05  sec  10.8 GBytes  9.23 Gbits/sec                  receiver


Now I am consistently 1-2Gbps. If I run a speedtest from the BGW320, It is roughly 4.8-5Gbps.

So my question would be: is there potentially something that changed with the last set of patches, or do you think (which is where I am leaning) they are doing some sort of policy shaping of my traffic, and now ATT is messing with me because I am trying to maintain consistent performance?

Any thoughts or possible troubleshooting thoughts would be greatly appreciated.
#9
Currently having an issue getting synchronous speeds. Running OPNsense 23.1.6-amd64 with NIDS and ZenArmor. I get expected speeds down (which is limited to 2.5Gbps NICs on the current firewall, but will be replacing with new). I consistently get 2.3 Gbps down but only 500-600 Mbps up. I have run tests with and without IDS/Zenarmor and get the same results. Any thoughts on what would be limiting throughput up? I run tests at the provider edge and get roughly 5/5 Gbps, so I know the bottleneck is somewhere on my side.


Initially thought the issue might be a half-duplex issue on the WAN interface, but that is not the case:
igc0: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   description: WAN (wan)
   options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
   ether 00:90:27:e8:33:1f
   inet xx.xx.xx.109 netmask 0xfffffe00 broadcast xx.xx.xx.255
   media: Ethernet autoselect (2500Base-T <full-duplex>)
   status: active
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>