Messages

16

21.7 Production Series / Re: OPNSense Upgrade 21.7

« on: July 29, 2021, 10:01:37 am »

I remember that the first update installed kernel and packages. The package proably failed due to missing pyhton module and configd was not able to start. The system rebooted.

It ended up like I described before and all packages where marked as missing. Shouldn't all single packages be reinstalled as well?

Can I provide any logfiles to help? Will check .upgrade.log.

17

21.7 Production Series / Re: OPNSense Upgrade 21.7

« on: July 28, 2021, 11:11:00 pm »

Okay, I got this def*cked.

- Removed check on:  Console menu    Password protect the console menu
- Was able to access console again.
- run pkg update
- run opnsense-update -u
- dont reboot
- run opnsense-update to install all packages that where missing

Nightmare Now everything works fine again.

Still shows "OPNsense 21.1.9_1-amd64" but uname -a shows 21.7.

EDIT:
Update for packages is normal?
packages   21.1.9_1   21.7   upgrade   OPNsense

This gives some configd errors again, but runs through and then everything went on normal.


Thanks to everyone.

18

21.7 Production Series / Re: OPNSense Upgrade 21.7

« on: July 28, 2021, 10:44:26 pm »

Twitter user had a similar issue and suggested that the following fixed it:

# opnsense-update -u


Cheers,
Franco

Sadly I'm not able to access OPNSense via Console or SSH. Any tips how to restore the access?

Is there anything like with linux to boot with init=/bin/sh

19

21.7 Production Series / OPNSense Upgrade 21.7

« on: July 28, 2021, 06:06:56 pm »

Hello,
my setup seems to be broke after the update.

Updated via console and it is leaving me with a 10 minute reboot. configd does not start as some pyhton library is missing. I'm not able to ssh or login on console via root or my user account. It say login incorrect or access denied.

I can login via web, but I'm not able to see logs or running the update again. The dashboard stays empty and the widgets throw an error.

Warning: Invalid argument supplied for foreach() in /usr/local/www/widgets/widgets/smart_status.widget.php on line 48

Is there any way to recover from it? The missing python library seems to be jinja2.

Report is sent via WebUI, maybe someone can see the full log, as I cant.

Any chances to modify the boot parameter to be logged in as root without pw prompt?

Cheers

20

21.7 Production Series / Re: Unable to upgrade from OPNsense 21.1.9_1-amd64 to 21.7

« on: July 28, 2021, 04:40:22 pm »

So my OPNSense seems to be little broken.

Startup takes 10 minutes. configd does not start due to missing pyhton library.

SSH gives me "Access denied" for all users + root.

EDIT: Problem report sent. Maybe franco can see more from his side, as I'm not able to access opnsense logs anymore. However internet access is restored, but can view logs or access via ssh.

21

Intrusion Detection and Prevention / Re: Suricata keeps crashing after last update

« on: June 27, 2021, 01:13:16 pm »

Development Stream?

22

21.1 Legacy Series / Re: 21.1.7: Suricata alert log not working

« on: June 20, 2021, 12:35:40 pm »

I can reprocude this as well.

Without patch:
- Go to alerts
- Change Page or count from 7 to X
- Alerts completly disappear even when changing back to 7

With patch:
- changing count from 7 does not have any effect
- changing page works


Question beside that, why 7? Any chance to default this to something usefull?

23

21.1 Legacy Series / Re: 21.1.7: Updates tab is hanging

« on: June 18, 2021, 01:14:33 pm »

Everything was working fine, except these log entries during the update:

Code: [Select]

Checking integrity... done (1 conflicting)
  - php73-phalcon4-4.1.2 conflicts with php73-phalcon-3.4.5 on /usr/local/etc/php/ext-30-phalcon.ini

Code: [Select]

Starting configd.

Fatal error: Uncaught Error: Class 'Phalcon\Validation\Validator' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Base/Constraints/BaseConstraint.php:37
Stack trace:
#0 [internal function]: unknown()
#1 [internal function]: Phalcon\Loader->autoLoad('OPNsense\\Base\\C...')
#2 [internal function]: spl_autoload_call('OPNsense\\Base\\C...')
#3 /usr/local/opnsense/mvc/script/run_migrations.php(50): ReflectionClass->__construct('OPNsense\\Base\\C...')
#4 {main}
  thrown in /usr/local/opnsense/mvc/app/models/OPNsense/Base/Constraints/BaseConstraint.php on line 37

24

Web Proxy Filtering and Caching / Re: Let's Encrypt and SSL Content Filtering

« on: June 16, 2021, 11:08:47 am »

Next question. Does Opnsense have a plugin which will push an internal certificate to connected devices when the network doesn't have group policies or active directory?

Let me rephrase the above question... Has anyone used Captive Portal to push a self-signed cert to a guest machine, when there is no GPO/AD?

No, this does not work. You can't push certificates to a client, that you don't have access.

25

Web Proxy Filtering and Caching / Re: Squid SSL Inspection and Windows Updates

« on: June 15, 2021, 03:06:55 pm »

Hello,
I know this is a little old topic started by me but I got the time to set this up and got it working!

You've to add this to squid bump, make sure to include the leading "." It will include the domain itself and all subdomains:

Code: [Select]

.microsoft.com.akadns.net
.windowsupdate.com
.microsoft.com

The URLs listed in Squid Wiki are to much, I reduced this. However you can do it more granular. (https://wiki.squid-cache.org/ConfigExamples/Caching/WindowsUpdates)

Additionally (Thx AndyX90) you have to import the following certificates:
Microsoft Root Certificate Authority 2011 - ROOT
Microsoft Update Secure Server CA 2.1 - INTERMEDIATE
Microsoft ECC Product Root Certificate Authority 2018 - ROOT
Microsoft ECC Content Distribution Secure Server CA 2.1 - INTERMEDIATE

You have to import every certificate that throws the following error in Cache Log:
kid1| ERROR: negotiating TLS on FD 49: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)   

Good luck

26

21.1 Legacy Series / Re: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing

« on: April 14, 2021, 12:01:33 pm »

I thought WAN has to be part of that, but is not logging/alerting. However it worked that way in the past.

I tried it with LAN only, results in the same behavior. However WAN was reachable so I was able to stop suricata via wireguard vpn

Nothing fancy here -.-:

Code: [Select]

27 Apr 14 11:53:24 OPNsense suricata[28570]: [100221] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.otf' is checked but not set. Checked in 35719 and 0 other sigs
 28 Apr 14 11:53:26 OPNsense suricata[28570]: [101286] <Notice> -- opened netmap:igb1/R from igb1: 0x662f9cde000
 29 Apr 14 11:53:27 OPNsense suricata[28570]: [101286] <Notice> -- opened netmap:igb1^ from igb1^: 0x662f9cde300
 30 Apr 14 11:53:27 OPNsense suricata[28570]: [101296] <Notice> -- opened netmap:igb1^ from igb1^: 0x66323dcf000
 31 Apr 14 11:53:27 OPNsense suricata[28570]: [101296] <Notice> -- opened netmap:igb1/T from igb1: 0x66323dcf300
 32 Apr 14 11:53:27 OPNsense suricata[28570]: [100221] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
 33 Apr 14 11:57:37 OPNsense suricata[28570]: [100221] <Notice> -- Signal Received.  Stopping engine.
 34 Apr 14 11:58:38 OPNsense suricata[28570]: [100221] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "W#01-igb1". Killing engine


Code: [Select]

187 igb1: link state changed to UP
188 igb1_vlan2: link state changed to UP
189 igb1_vlan3: link state changed to UP
190 igb0: link state changed to UP
191 pflog0: promiscuous mode enabled
192 pflog0: promiscuous mode disabled
193 pflog0: promiscuous mode enabled
194 pflog0: promiscuous mode disabled
195 pflog0: promiscuous mode enabled
196 pflog0: promiscuous mode disabled
197 pflog0: promiscuous mode enabled
198 tun0: link state changed to UP
199 tun0: changing name to 'wg0'
200 pflog0: promiscuous mode disabled
201 pflog0: promiscuous mode enabled
202 pflog0: promiscuous mode disabled
203 pflog0: promiscuous mode enabled
204 pid 43540 (syslogd), jid 0, uid 0: exited on signal 11 (core dumped)
205 pflog0: promiscuous mode disabled
206 pflog0: promiscuous mode enabled
207 pflog0: promiscuous mode disabled
208 pflog0: promiscuous mode enabled
209 [HBSD SEGVGUARD] [/usr/local/sbin/syslogd (5818)] Suspension expired.
210  -> pid: 5818 ppid: 47253 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
211 pflog0: promiscuous mode disabled


Could this be releated to "net.bpf.zerocopy_enable=1" ?

EDIT: Even with Debug Logging enabled, it looks good.

Code: [Select]

Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- CPUs/cores online: 4
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Adding interface igb1 from config file
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Adding interface igb1^ from config file
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- 'default' server has 'request-body-minimal-inspect-size' set to 33713 and 'request-body-inspect-window' set to 4276 after randomization.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- 'default' server has 'response-body-minimal-inspect-size' set to 39729 and 'response-body-inspect-window' set to 16683 after randomization.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- SMB stream depth: 0
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Modbus request flood protection level: 500
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Modbus stream depth: 0
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Protocol detection and parser disabled for enip protocol.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Protocol detection and parser disabled for DNP3.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Found an MTU of 1500 for 'igb1'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Found an MTU of 1500 for 'igb1'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Found an MTU of 1500 for 'igb1'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Found an MTU of 1500 for 'igb1'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- preallocated 1000 hosts of size 104
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- host memory usage: 366144 bytes, maximum: 33554432
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Core dump size is unlimited.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Netmap: Setting IPS mode
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- preallocated 65535 defrag trackers of size 128
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- defrag memory usage: 9961344 bytes, maximum: 33554432
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- flow size 288, memcap allows for 466033 flows. Per hash row in perfect conditions 7
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "prealloc-sessions": 2048 (per thread)
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "memcap": 67108864
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "midstream" session pickups: disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "async-oneside": disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "checksum-validation": enabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream."inline": enabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "bypass": disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "max-synack-queued": 5
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "memcap": 268435456
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "depth": 1048576
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "toserver-chunk-size": 2660
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "toclient-chunk-size": 2480
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly.raw: enabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "segment-prealloc": 2048
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- eve-log output device (regular) initialized: eve.json
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- enabling 'eve-log' module 'alert'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- enabling 'eve-log' module 'anomaly'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- enabling 'eve-log' module 'drop'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- stats output device (regular) initialized: stats.log
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Syslog output initialized
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Delayed detect disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- pattern matchers: MPM: hs, SPM: hs
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- toclient-groups 1024
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- toserver-groups 1024
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- grouping: udp-whitelist (default) 53, 135, 5060
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- prefilter engines: MPM
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_uri
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_raw_uri
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_request_line
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_client_body
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_response_line
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_header_names
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_header_names
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_accept
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_accept_enc
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_accept_lang
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_referer
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_connection
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_content_len
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_content_len
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_content_type
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_content_type
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http.server
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http.location
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_protocol
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_protocol
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_start
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_start
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_raw_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_raw_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_method
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_cookie
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_cookie
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_host
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_raw_host
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http2_header_name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http2_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for dnp3_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tls.sni
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tls.cert_issuer
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tls.cert_serial
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tls.cert_fingerprint
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ja3.hash
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ja3s.hash
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for dce_stub_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for dce_stub_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for smb_named_pipe
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.proto
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.proto
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh_software
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh_software
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.hassh
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.hassh.server
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.hassh.string
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.hassh.server.string
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for krb5_cname
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for krb5_sname
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.method
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.uri
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.protocol
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.protocol
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.method
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.stat_msg
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.request_line
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.response_line
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for rfb.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for snmp.community
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for snmp.community
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.clientid
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.username
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.password
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.willtopic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.willmessage
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.publish.topic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.publish.message
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.subscribe.topic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.unsubscribe.topic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for icmpv4.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tcp.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for udp.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for icmpv6.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ipv4.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ipv6.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- IP reputation disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/OPNsense.rules
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- No rules loaded from OPNsense.rules.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/botcc.rules
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/emerging-exploit.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/compromised.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.browser-chrome.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.browser-firefox.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.browser-ie.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.exploit-kit.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.exploit.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- No rules loaded from snort_vrt.exploit.rules.
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.scan.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- No rules loaded from snort_vrt.scan.rules.
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:55839; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 100
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.os-linux.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.os-mobile.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.os-windows.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Info> -- 14 rule files processed. 3949 rules successfully loaded, 1 rules failed
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Info> -- Threshold config parsed: 0 rule(s) found
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tcp-packet
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tcp-stream
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for udp-packet
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for other-ip
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Info> -- 3949 signatures processed. 202 are IP-only rules, 389 are inspecting packet payload, 1365 inspect application layer, 0 are decoder event only
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- building signature grouping structure, stage 1: preprocessing rules... complete
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.CVE20157547.primer' is checked but not set. Checked in 2022547 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2024192 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2025195 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017557 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017772 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.HB.Request.SI' is checked but not set. Checked in 2018378 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017790 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.ttf' is checked but not set. Checked in 35523 and 17 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.mht' is checked but not set. Checked in 49799 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.exe' is checked but not set. Checked in 18405 and 183 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.pdf' is checked but not set. Checked in 26539 and 3 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.emf' is checked but not set. Checked in 38773 and 3 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.swf' is checked but not set. Checked in 33272 and 2 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.jar' is checked but not set. Checked in 25302 and 6 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.cws' is checked but not set. Checked in 24670 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.zip' is checked but not set. Checked in 24669 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.jpeg' is checked but not set. Checked in 21510 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.elf' is checked but not set. Checked in 37435 and 3 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.lnk' is checked but not set. Checked in 45624 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.dat' is checked but not set. Checked in 40393 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.rtf' is checked but not set. Checked in 37277 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.application' is checked but not set. Checked in 36712 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.xls' is checked but not set. Checked in 35984 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.otf' is checked but not set. Checked in 35719 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- TCP toserver: 173 port groups, 83 unique SGH's, 90 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- TCP toclient: 52 port groups, 19 unique SGH's, 33 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- UDP toserver: 39 port groups, 20 unique SGH's, 19 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- UDP toclient: 9 port groups, 5 unique SGH's, 4 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- OTHER toserver: 2 proto groups, 1 unique SGH's, 1 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- OTHER toclient: 2 proto groups, 0 unique SGH's, 2 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Unique rule groups: 128
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toserver TCP packet": 26
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toclient TCP packet": 8
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toserver TCP stream": 65
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toclient TCP stream": 16
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toserver UDP packet": 20
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toclient UDP packet": 5
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "other IP packet": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_uri (http)": 13
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_raw_uri (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_request_line (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_client_body (http)": 6
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_header (http)": 8
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient http_header (http)": 8
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_content_type (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient http_content_type (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_start (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient http_start (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_user_agent (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient http_stat_code (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver tls.sni (tls)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver dce_stub_data (smb)": 2
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient dce_stub_data (smb)": 2
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver dce_stub_data (dcerpc)": 2
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver file_data (smtp)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient file_data (http)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver file_data (smb)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient file_data (smb)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver file_data (http2)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient file_data (http2)": 10
Apr 14 12:59:33 OPNsense suricata[38494]: [100355] <Perf> -- Using 1 threads for interface igb1
Apr 14 12:59:33 OPNsense suricata[38494]: [100355] <Info> -- Going to use 1 thread(s)
Apr 14 12:59:33 OPNsense suricata[38494]: [100390] <Notice> -- opened netmap:igb1/R from igb1: 0x4e4d53fc000
Apr 14 12:59:34 OPNsense suricata[38494]: [100390] <Notice> -- opened netmap:igb1^ from igb1^: 0x4e4d53fc300
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Perf> -- Using 1 threads for interface igb1^
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Info> -- Going to use 1 thread(s)
Apr 14 12:59:34 OPNsense suricata[38494]: [100406] <Notice> -- opened netmap:igb1^ from igb1^: 0x4e4ea7fc000
Apr 14 12:59:34 OPNsense suricata[38494]: [100406] <Notice> -- opened netmap:igb1/T from igb1: 0x4e4ea7fc300
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Config> -- using 1 flow manager threads
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Config> -- using 1 flow recycler threads
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Notice> -- Signal Received.  Stopping engine.
Apr 14 12:59:55 OPNsense suricata[38494]: [100402] <Perf> -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Info> -- time elapsed 21.392s
Apr 14 12:59:55 OPNsense suricata[38494]: [100414] <Perf> -- 52 flows processed
Apr 14 12:59:55 OPNsense suricata[38494]: [100390] <Perf> -- (W#01-igb1) Kernel: Packets 359, dropped 0, bytes 42618
Apr 14 12:59:55 OPNsense suricata[38494]: [100406] <Perf> -- (W#01-igb1^) Kernel: Packets 726, dropped 0, bytes 692065
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Info> -- Alerts: 0
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- ippair memory usage: 382144 bytes, maximum: 16777216
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- host memory usage: 366144 bytes, maximum: 33554432
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Info> -- cleaning up signature grouping structure... complete
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Notice> -- Stats for 'igb1':  pkts: 359, drop: 0 (0.00%), invalid chksum: 0
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Notice> -- Stats for 'igb1^':  pkts: 726, drop: 0 (0.00%), invalid chksum: 0
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- Cleaning up Hyperscan global scratch
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- Clearing Hyperscan database cache


27

21.1 Legacy Series / Re: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing

« on: April 14, 2021, 01:11:08 am »

Thank you franco.

So I can't find out what the issue here. I loose the connection pretty perfect after 3 minutes of uptime. Nothing in the logs, nothing in suricata log. Suricata is running like 2 minutes+ then roughly 30 seconds after system is up.

Shutting down the system via "short press of power button" takes like 1-2 minutes, then I'm able to ping the system again before full shutdown (as suricata shutdown seems close to system shutdown).

5 x Intel i211AT (2 plugged in)
2 x VLANs (not mapped in suricata of course)

Code: [Select]

2021-04-14T01:03:14 suricata[59758] [100259] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "W#01-igb1". Killing engine
2021-04-14T01:02:13 suricata[59758] [100259] <Notice> -- Signal Received. Stopping engine.
2021-04-14T00:59:57 suricata[59758] [100259] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
2021-04-14T00:59:57 suricata[59758] [100336] <Notice> -- opened netmap:pppoe0/T from pppoe0: 0x753e7ffc300
2021-04-14T00:59:57 suricata[59758] [100336] <Notice> -- opened netmap:pppoe0^ from pppoe0^: 0x753e7ffc000
2021-04-14T00:59:57 suricata[59758] [100329] <Notice> -- opened netmap:pppoe0^ from pppoe0^: 0x753d2db1300
2021-04-14T00:59:57 suricata[59758] [100329] <Notice> -- opened netmap:pppoe0/R from pppoe0: 0x753d2db1000
2021-04-14T00:59:57 suricata[59758] [100327] <Notice> -- opened netmap:igb1/T from igb1: 0x753933fc300
2021-04-14T00:59:57 suricata[59758] [100327] <Notice> -- opened netmap:igb1^ from igb1^: 0x753933fc000
2021-04-14T00:59:57 suricata[59758] [100316] <Notice> -- opened netmap:igb1^ from igb1^: 0x7537e3d3300
2021-04-14T00:59:56 suricata[59758] [100316] <Notice> -- opened netmap:igb1/R from igb1: 0x7537e3d3000
system.log

Code: [Select]

Apr 14 00:59:55 OPNsense kernel: pflog0: promiscuous mode disabled
Apr 14 00:59:55 OPNsense kernel: pflog0: promiscuous mode enabled
Apr 14 00:59:55 OPNsense kernel: OK
Apr 14 00:59:56 OPNsense kernel: igb1: permanently promiscuous mode enabled
Apr 14 00:59:56 OPNsense kernel: igb1: link state changed to DOWN
Apr 14 00:59:56 OPNsense kernel: igb1_vlan2: link state changed to DOWN
Apr 14 00:59:56 OPNsense kernel: igb1_vlan3: link state changed to DOWN
Apr 14 00:59:57 OPNsense opnsense-devel[61802]: /usr/local/etc/rc.linkup: Hotplug event detected for XXXXXX(lan) but ignoring since interface is configured with static IP (XXXXXXX ::)
Apr 14 00:59:57 OPNsense opnsense-devel[25342]: /usr/local/etc/rc.linkup: Hotplug event detected for XXXXXX(opt3) but ignoring since interface is configured with static IP (XXXXXXX ::)
Apr 14 00:59:57 OPNsense kernel: 797.304698 [1130] generic_netmap_attach     Emulated adapter for pppoe0 created (prev was NULL)
Apr 14 00:59:57 OPNsense kernel: 797.313687 [1035] generic_netmap_dtor       Emulated netmap adapter for pppoe0 destroyed
Apr 14 00:59:57 OPNsense kernel: pppoe0: permanently promiscuous mode enabled
Apr 14 00:59:57 OPNsense kernel: 797.324028 [1130] generic_netmap_attach     Emulated adapter for pppoe0 created (prev was NULL)
Apr 14 00:59:57 OPNsense kernel: 797.333117 [ 320] generic_netmap_register   Emulated adapter for pppoe0 activated
Apr 14 00:59:57 OPNsense opnsense-devel[61189]: /usr/local/etc/rc.linkup: Hotplug event detected for XXXXXXX(opt6) but ignoring since interface is configured with static IP (XXXXXXXX ::)
Apr 14 00:59:57 OPNsense kernel: SHA256 12 23 34 56 78 AA BB CC DD EE FF AA EE AA EE
Apr 14 01:00:01 OPNsense kernel: igb1: link state changed to UP
Apr 14 01:00:01 OPNsense kernel: igb1_vlan2: link state changed to UP
Apr 14 01:00:01 OPNsense kernel: igb1_vlan3: link state changed to UP
Apr 14 01:00:01 OPNsense opnsense-devel[40612]: /usr/local/etc/rc.linkup: Hotplug event detected for XXXXXX(lan) but ignoring since interface is configured with static IP (XXXXXXX ::)
Apr 14 01:00:01 OPNsense opnsense-devel[16932]: /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1'
Apr 14 01:00:01 OPNsense opnsense-devel[16932]: /usr/local/etc/rc.newwanip: On (IP address: XXXXXX) (interface: XXXXX[lan]) (real interface: igb1).
Apr 14 01:00:01 OPNsense opnsense-devel[16932]: plugins_configure hosts ()


28

21.1 Legacy Series / Re: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing

« on: April 11, 2021, 06:15:39 pm »

Can't get this to run. Maybe a problem with compiling on a small system.

@franco
When will be the next push/recompile for the dev version so I can investigate further?

Beside that I submitted Hyperscan 5.4.0 to FreeBSD Ports.

https://www.freshports.org/devel/hyperscan/

29

21.1 Legacy Series / Re: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing

« on: April 02, 2021, 03:50:24 pm »

So after hours of compiling, it does not work for me. Suricata kills all my network connections. Nothing fancy in the logs:

Code: [Select]

Apr  2 15:21:43 OPNsense suricata[31904]: [100315] <Notice> -- opened netmap:igb1/R from igb1: 0x3a3abb1a000
Apr  2 15:21:43 OPNsense suricata[31904]: [100315] <Notice> -- opened netmap:igb1^ from igb1^: 0x3a3abb1a300
Apr  2 15:21:43 OPNsense suricata[31904]: [101293] <Notice> -- opened netmap:igb1^ from igb1^: 0x3a3c247b000
Apr  2 15:21:44 OPNsense suricata[31904]: [101293] <Notice> -- opened netmap:igb1/T from igb1: 0x3a3c247b300
Apr  2 15:21:44 OPNsense suricata[31904]: [101296] <Notice> -- opened netmap:pppoe0/R from pppoe0: 0x3a3ecd66000
Apr  2 15:21:44 OPNsense suricata[31904]: [101296] <Notice> -- opened netmap:pppoe0^ from pppoe0^: 0x3a3ecd66300
Apr  2 15:21:44 OPNsense suricata[31904]: [101328] <Notice> -- opened netmap:pppoe0^ from pppoe0^: 0x3a401dfc000
Apr  2 15:21:44 OPNsense suricata[31904]: [101328] <Notice> -- opened netmap:pppoe0/T from pppoe0: 0x3a401dfc300
Apr  2 15:21:44 OPNsense suricata[31904]: [100851] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
Apr  2 15:22:58 OPNsense suricata[31904]: [100851] <Notice> -- rule reload starting
Apr  2 15:23:00 OPNsense suricata[31904]: [100851] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
Apr  2 15:23:00 OPNsense suricata[31904]: [100851] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:55839; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 100

I was able to connect on startup and kill suricata quickly.

Additionally I contributed to FreeBSD updating Hyperscan to 5.4.0.

30

21.1 Legacy Series / Re: Suricata 6.0 with 21.1.4 does not start | Hyperscan missing

« on: April 01, 2021, 07:49:52 pm »

No worries I like bleeding edge so I've to live with that and help to find the bugs before others do

Was really suprised noone posted this yet.

Will give feedback in a minute.

EDIT: I think this will take some hours...i3-5020 is not the fastest compiling rust.