OPNsense
Messages - ruggerio

106
Intrusion Detection and Prevention / Re: Suricata 5 Beta - Can We Upload to OPNSense
« on: August 26, 2019, 07:35:49 am »
Btw, wouldn't it perhaps make sense to plan Suricata 5 for 20.1?

107
Intrusion Detection and Prevention / Re: Suricata 5 Beta - Can We Upload to OPNSense
« on: August 26, 2019, 07:29:17 am »
I am quite sure it's Suricata itself, as I stepped down to 4.1 and still have problems with logging. I will now "upgrade" again to Suricata 5 and continue testing.

108
Intrusion Detection and Prevention / Suricata strange behaviour
« on: August 26, 2019, 06:58:40 am »
Since 19.7, I can no longer inspect more than one physical interface. My box has 3 active NICs (WAN, LAN, DMZ) which I'd like to inspect.

I already reset my box and restored, but it did not help. Whenever I activate IPS mode with WAN only, it works. As soon as I also choose DMZ and LAN, it doesn't.

I just tested with EICAR. With WAN only, I get the blocked message; adding DMZ and LAN, it just downloads *sigh*. And the logs do not tell me anything at all. Do I have the possibility to set Suricata in debug mode?

109
Development and Code Review / Re: Wireguard in opnsense
« on: August 23, 2019, 09:54:38 am »
@tre4bax: I use only the default interface, which is made by the service itself. On it, I have a rule allowing all traffic.

Important: In NAT, you will have to change to hybrid, as you will also have to NAT outgoing traffic, if using NAT. You will have to enter a manual rule for your WireGuard network there.

If you assigned WireGuard to a separate network interface, I am not sure if this works properly.

110
Intrusion Detection and Prevention / Re: Suricata giving strange messages when enabling
« on: August 23, 2019, 07:56:33 am »
Did not try it out, thought it would be enough to put this in suricata.yaml within the stats section:

stats.decoder-events-prefix: true


Tested it, doesn't work. Sorry. Checked the mentioned ticket on Redmine, which also says nothing about this. Just the code on GitHub mentions that it's ignored if not true.

Code:
const char *prefix = NULL;

if (ConfGet("stats.decoder-events-prefix", &prefix) != 1) {
    prefix = "decoder";
    SCLogWarning(SC_WARN_DEFAULT_WILL_CHANGE, "in 5.0 the default "
            "for decoder event stats will go from "
            "'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. "
            "See ticket #2225. To suppress this message, "
            "set stats.decoder-events-prefix in the yaml.");
}
stats_decoder_events_prefix = prefix;

111
Intrusion Detection and Prevention / Re: Suricata giving strange messages when enabling
« on: August 22, 2019, 07:01:53 am »
That's just a warning, as of Suricata 5, things go a little bit differently. The warning also says how you can suppress this warning.


112
Intrusion Detection and Prevention / [solved, eventual bug]on 19.7.2: still no alerts in alert tab (no pp... on WAN!)
« on: August 20, 2019, 12:12:17 pm »
I still have nearly no warnings in the alert tab, except when I force it to. Do others get alerted in Suricata?

I know there are a lot of threads about this, in each release. I thought I created one within the IDP section.

Config:
IDP, no IDS
no promiscuous mode
only monitoring physical
installed ALL available rulesets which came by default (no telemetry, snort...)

113
19.7 Legacy Series / Re: block all traffic between VLANs
« on: August 20, 2019, 11:50:58 am »
As they are separate "NICs", I would say no. It depends on the rules you set. Normally, the ruleset of the VLANs is empty, which means all blocked (default).

Most do a target any/any rule per VLAN.

114
19.7 Legacy Series / Re: Issues installing 19.7 on APU2D4
« on: August 20, 2019, 09:58:36 am »
Had the same issue, changed the USB stick for installation. Worked for me.

115
19.7 Legacy Series / Re: Backing up config to Nextcloud
« on: August 19, 2019, 02:30:42 pm »
I just read the docs now, as for me it has worked since it was implemented.

In the docs, they create an access token, but you don't need it for the backup on Nextcloud. You can just use a regular user and his password (easiest way, but not the most secure, hacking the password offends your whole firewall config).

Or, if using an existing user, you can create the password token and copy it over as login credentials for the user on which it's been created. Using this, your password of the user itself is "secured".

But: No need of any DAV at all for your backup. The error will occur, as OPNsense cannot log in to your Nextcloud server.



116
19.7 Legacy Series / [SOLVED] Re: maltrail: login impossible after changing password
« on: August 16, 2019, 07:41:55 am »
Had to reboot the sense, password then had been accepted.

117
19.7 Legacy Series / maltrail: login impossible after changing password
« on: August 16, 2019, 07:17:40 am »
After changing the SHA-256 hash to my password in Maltrail, I cannot log in any further as admin.

The new password is correctly hashed in /usr/local/share/maltrail/maltrail.conf. But nevertheless, wrong username/password is the reply.

118
19.7 Legacy Series / Re: 100% load after install of Sensei on pcengines apu4
« on: August 10, 2019, 07:02:51 am »
I think you are right. It stalls after the launch of Elasticsearch.

119
19.7 Legacy Series / 100% load after install of Sensei on pcengines apu4
« on: August 09, 2019, 02:20:30 pm »
After installing Sensei, I get a 100% load on my APU4, which gets unresponsive.

How can I get the logs for further investigations?

120
Intrusion Detection and Prevention / Re: Problem with access between LAN and LAN_VLAN with IPS
« on: August 07, 2019, 04:14:18 pm »
Your crossed answer was the right one. Disable promiscuous mode and the VLAN interfaces.

Check then, usually it's been checked on the physical interface, nonetheless it will show up with your VLAN. My config works like this.
