OPNsense
Messages - notspam

1
Intrusion Detection and Prevention / Re: IPS PPPoE Interface
« on: November 28, 2024, 12:08:42 pm »
Vote +1
for fixing the demand in FreeBSD of getting PPPoE with IPS functionality.
Thanks for all efforts.

2
Intrusion Detection and Prevention / Re: Duplicate/invalid rules
« on: October 21, 2024, 10:03:27 pm »
- clean install of 24.7
- update to 24.7.6
- install all the plugins like Suricata
- enable rules
- save
- download and install
- activate the service as IPS
- perhaps I pressed the "download and install" button again hours later

result:
- dozens of duplicate entries
- unstable IPS service

=> how can I fix this?
=> how is the misbehaviour fixed in future releases?

Thanks for your help and your hard work @ opnsense


3
Intrusion Detection and Prevention / Re: 24 7.6: ips error in configd.py
« on: October 21, 2024, 09:53:11 pm »
How to fix these duplicated entries?

2024-10-21T19:49:31   Error   suricata   [100756] <Error> -- error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL CHAT ICQ access"; flow:to_server,established; http.header; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:2100541; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_20;)" from file /usr/local/etc/suricata/opnsense.rules/et_open.emerging-chat.rules at line 190   

2024-10-21T19:49:31   Error   suricata   [100756] <Error> -- Duplicate signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL CHAT ICQ access"; flow:to_server,established; http.header; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:2100541; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_20;)"
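The "Duplicate signature" error quoted above is what Suricata reports when a rule with the same sid is loaded a second time. As an added example (not code from this thread or from OPNsense), a small Python check that walks a directory of *.rules files and lists every sid defined more than once; it runs here against a constructed temporary copy rather than /usr/local/etc/suricata/opnsense.rules, and it skips commented-out rules since Suricata does not load them:

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Tuple

# Suricata identifies a rule by its sid (plus gid, which is 1 unless set explicitly).
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def find_duplicate_sids(rules_dir: str) -> Dict[int, List[Tuple[str, int]]]:
    """Return {sid: [(file, line_no), ...]} for every sid that appears in more than
    one active rule across the *.rules files in rules_dir. Lines starting with '#'
    are disabled rules and are skipped, as Suricata does not load them."""
    seen: Dict[int, List[Tuple[str, int]]] = defaultdict(list)
    for path in sorted(Path(rules_dir).glob("*.rules")):
        with path.open(encoding="utf-8", errors="replace") as fh:
            for line_no, line in enumerate(fh, start=1):
                stripped = line.strip()
                if not stripped or stripped.startswith("#"):
                    continue
                match = SID_RE.search(stripped)
                if match:
                    seen[int(match.group(1))].append((path.name, line_no))
    return {sid: locs for sid, locs in seen.items() if len(locs) > 1}

# Constructed sample input: the ICQ rule from the forum log (metadata trimmed) written
# twice into one file, plus a disabled copy and an unrelated rule that must not be flagged.
ICQ_RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL CHAT ICQ access"; '
            'flow:to_server,established; http.header; content:"User-Agent|3A|ICQ"; '
            'classtype:policy-violation; sid:2100541; rev:14;)')
SAMPLE_RULES = {
    "et_open.emerging-chat.rules": [ICQ_RULE, "# " + ICQ_RULE, ICQ_RULE],
    "local.rules": ['alert tcp any any -> any 22 (msg:"constructed rule"; sid:9000001; rev:1;)'],
}

def write_sample_rules() -> str:
    """Write the constructed sample into a fresh temporary directory and return its path."""
    rules_dir = tempfile.mkdtemp(prefix="opnsense-rules-")
    for name, lines in SAMPLE_RULES.items():
        Path(rules_dir, name).write_text("\n".join(lines) + "\n", encoding="utf-8")
    return rules_dir

if __name__ == "__main__":
    for sid, locs in find_duplicate_sids(write_sample_rules()).items():
        where = ", ".join(f"{name}:{line_no}" for name, line_no in locs)
        print(f"sid {sid} is defined {len(locs)} times: {where}")
```

Pointing find_duplicate_sids at the firewall's own /usr/local/etc/suricata/opnsense.rules directory shows which generated files carry the repeated sids before the service is restarted.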

4
General Discussion / Re: Enabling IPS blocks traffic
« on: October 21, 2024, 01:13:51 am »
I have the same problem.
OPNsense 24.7.6 as a fresh install of 24.7 and update to 24.7.6.
Then install IPS.
I can see the duplicated entries in the web interface.

I posted it to the IPS section here:
https://forum.opnsense.org/index.php?topic=43524.0

5
Intrusion Detection and Prevention / Re: 24 7.6: ips error in configd.py
« on: October 21, 2024, 01:08:54 am »
The problem might be duplicate signature entries.
The question is: how to fix it?


   [100878] <Error> -- Duplicate signature "alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed"; flow:established,to_client; tls.certs; content:"|31 0b 30 09 06 03 55 04 06 13 02|US|31 11 30 0f 06 03 55 04 08 13 08|Illinois|31 13 30 11 06 03 55 04 07 13 0a|Naperville|31 09 30 07 06 03 55 04 09 13 00 31 0d 30 0b 06 03 55 04 11 13 04|"; fast_pattern; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037378; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, malware_family Sliver, malware_family Havoc, performance_impact Low, signature_severity Major, updated_at 2024_01_03;)"

6
Intrusion Detection and Prevention / 24 7.6: ips error in configd.py
« on: October 20, 2024, 02:06:24 pm »
Hello all,
does someone here know the solution for this behaviour?
After a while the IPS service is down.
In the event log I found:

Error   configd.py   Timeout (120) executing : ids list rulemetadata

After the IPS update check there is a traceback in log:

Error   configctl   error in configd communication Traceback (most recent call last): File "/usr/local/sbin/configctl", line 65, in exec_config_cmd line = sock.recv(65536).decode() ^^^^^^^^^^^^^^^^ TimeoutError: timed out

Starting the service manually brings IPS back running.
Could someone give me a hint?
Thanks in advance.
________
Manual restart is working, but there is an event in the log:
Error   configd.py   [2043d2f8-7089-4509-bd8f-3920fc2e6bac] returned exit status 1

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved