OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of XeroX »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - XeroX

Pages: 1 2 [3] 4 5 6
31
Web Proxy Filtering and Caching / Re: Squid SSL Inspection and Windows Updates
« on: June 15, 2021, 03:06:55 pm »
Hello,
I know this is a little old topic started by me but I got the time to set this up and got it working!

You've to add this to squid bump, make sure to include the leading "." It will include the domain itself and all subdomains:
Code: [Select]
.microsoft.com.akadns.net
.windowsupdate.com
.microsoft.com

The URLs listed in Squid Wiki are to much, I reduced this. However you can do it more granular. (https://wiki.squid-cache.org/ConfigExamples/Caching/WindowsUpdates)

Additionally (Thx AndyX90) you have to import the following certificates:
Microsoft Root Certificate Authority 2011 - ROOT
Microsoft Update Secure Server CA 2.1 - INTERMEDIATE
Microsoft ECC Product Root Certificate Authority 2018 - ROOT
Microsoft ECC Content Distribution Secure Server CA 2.1 - INTERMEDIATE

You have to import every certificate that throws the following error in Cache Log:
kid1| ERROR: negotiating TLS on FD 49: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)   

Good luck ;)

32
21.1 Legacy Series / Re: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« on: April 14, 2021, 12:01:33 pm »
I thought WAN has to be part of that, but is not logging/alerting. However it worked that way in the past.

I tried it with LAN only, results in the same behavior. However WAN was reachable so I was able to stop suricata via wireguard vpn :)

Nothing fancy here -.-:
Code: [Select]
27 Apr 14 11:53:24 OPNsense suricata[28570]: [100221] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.otf' is checked but not set. Checked in 35719 and 0 other sigs
 28 Apr 14 11:53:26 OPNsense suricata[28570]: [101286] <Notice> -- opened netmap:igb1/R from igb1: 0x662f9cde000
 29 Apr 14 11:53:27 OPNsense suricata[28570]: [101286] <Notice> -- opened netmap:igb1^ from igb1^: 0x662f9cde300
 30 Apr 14 11:53:27 OPNsense suricata[28570]: [101296] <Notice> -- opened netmap:igb1^ from igb1^: 0x66323dcf000
 31 Apr 14 11:53:27 OPNsense suricata[28570]: [101296] <Notice> -- opened netmap:igb1/T from igb1: 0x66323dcf300
 32 Apr 14 11:53:27 OPNsense suricata[28570]: [100221] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
 33 Apr 14 11:57:37 OPNsense suricata[28570]: [100221] <Notice> -- Signal Received.  Stopping engine.
 34 Apr 14 11:58:38 OPNsense suricata[28570]: [100221] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "W#01-igb1". Killing engine

Code: [Select]
187 igb1: link state changed to UP
188 igb1_vlan2: link state changed to UP
189 igb1_vlan3: link state changed to UP
190 igb0: link state changed to UP
191 pflog0: promiscuous mode enabled
192 pflog0: promiscuous mode disabled
193 pflog0: promiscuous mode enabled
194 pflog0: promiscuous mode disabled
195 pflog0: promiscuous mode enabled
196 pflog0: promiscuous mode disabled
197 pflog0: promiscuous mode enabled
198 tun0: link state changed to UP
199 tun0: changing name to 'wg0'
200 pflog0: promiscuous mode disabled
201 pflog0: promiscuous mode enabled
202 pflog0: promiscuous mode disabled
203 pflog0: promiscuous mode enabled
204 pid 43540 (syslogd), jid 0, uid 0: exited on signal 11 (core dumped)
205 pflog0: promiscuous mode disabled
206 pflog0: promiscuous mode enabled
207 pflog0: promiscuous mode disabled
208 pflog0: promiscuous mode enabled
209 [HBSD SEGVGUARD] [/usr/local/sbin/syslogd (5818)] Suspension expired.
210  -> pid: 5818 ppid: 47253 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
211 pflog0: promiscuous mode disabled


Could this be releated to "net.bpf.zerocopy_enable=1" ?

EDIT: Even with Debug Logging enabled, it looks good.

Code: [Select]
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- CPUs/cores online: 4
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Adding interface igb1 from config file
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Adding interface igb1^ from config file
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- 'default' server has 'request-body-minimal-inspect-size' set to 33713 and 'request-body-inspect-window' set to 4276 after randomization.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- 'default' server has 'response-body-minimal-inspect-size' set to 39729 and 'response-body-inspect-window' set to 16683 after randomization.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- SMB stream depth: 0
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Modbus request flood protection level: 500
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Modbus stream depth: 0
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Protocol detection and parser disabled for enip protocol.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Protocol detection and parser disabled for DNP3.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Found an MTU of 1500 for 'igb1'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Found an MTU of 1500 for 'igb1'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Found an MTU of 1500 for 'igb1'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Found an MTU of 1500 for 'igb1'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- preallocated 1000 hosts of size 104
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- host memory usage: 366144 bytes, maximum: 33554432
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Core dump size is unlimited.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Netmap: Setting IPS mode
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- preallocated 65535 defrag trackers of size 128
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- defrag memory usage: 9961344 bytes, maximum: 33554432
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- flow size 288, memcap allows for 466033 flows. Per hash row in perfect conditions 7
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "prealloc-sessions": 2048 (per thread)
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "memcap": 67108864
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "midstream" session pickups: disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "async-oneside": disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "checksum-validation": enabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream."inline": enabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "bypass": disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "max-synack-queued": 5
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "memcap": 268435456
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "depth": 1048576
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "toserver-chunk-size": 2660
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "toclient-chunk-size": 2480
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly.raw: enabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "segment-prealloc": 2048
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- eve-log output device (regular) initialized: eve.json
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- enabling 'eve-log' module 'alert'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- enabling 'eve-log' module 'anomaly'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- enabling 'eve-log' module 'drop'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- stats output device (regular) initialized: stats.log
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Syslog output initialized
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Delayed detect disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- pattern matchers: MPM: hs, SPM: hs
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- toclient-groups 1024
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- toserver-groups 1024
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- grouping: udp-whitelist (default) 53, 135, 5060
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- prefilter engines: MPM
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_uri
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_raw_uri
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_request_line
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_client_body
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_response_line
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_header_names
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_header_names
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_accept
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_accept_enc
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_accept_lang
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_referer
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_connection
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_content_len
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_content_len
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_content_type
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_content_type
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http.server
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http.location
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_protocol
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_protocol
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_start
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_start
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_raw_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_raw_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_method
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_cookie
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_cookie
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_host
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_raw_host
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http2_header_name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http2_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for dnp3_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tls.sni
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tls.cert_issuer
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tls.cert_serial
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tls.cert_fingerprint
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ja3.hash
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ja3s.hash
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for dce_stub_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for dce_stub_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for smb_named_pipe
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.proto
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.proto
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh_software
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh_software
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.hassh
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.hassh.server
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.hassh.string
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.hassh.server.string
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for krb5_cname
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for krb5_sname
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.method
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.uri
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.protocol
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.protocol
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.method
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.stat_msg
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.request_line
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.response_line
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for rfb.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for snmp.community
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for snmp.community
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.clientid
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.username
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.password
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.willtopic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.willmessage
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.publish.topic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.publish.message
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.subscribe.topic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.unsubscribe.topic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for icmpv4.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tcp.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for udp.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for icmpv6.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ipv4.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ipv6.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- IP reputation disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/OPNsense.rules
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- No rules loaded from OPNsense.rules.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/botcc.rules
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/emerging-exploit.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/compromised.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.browser-chrome.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.browser-firefox.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.browser-ie.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.exploit-kit.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.exploit.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- No rules loaded from snort_vrt.exploit.rules.
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.scan.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- No rules loaded from snort_vrt.scan.rules.
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:55839; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 100
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.os-linux.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.os-mobile.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.os-windows.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Info> -- 14 rule files processed. 3949 rules successfully loaded, 1 rules failed
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Info> -- Threshold config parsed: 0 rule(s) found
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tcp-packet
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tcp-stream
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for udp-packet
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for other-ip
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Info> -- 3949 signatures processed. 202 are IP-only rules, 389 are inspecting packet payload, 1365 inspect application layer, 0 are decoder event only
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- building signature grouping structure, stage 1: preprocessing rules... complete
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.CVE20157547.primer' is checked but not set. Checked in 2022547 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2024192 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2025195 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017557 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017772 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.HB.Request.SI' is checked but not set. Checked in 2018378 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017790 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.ttf' is checked but not set. Checked in 35523 and 17 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.mht' is checked but not set. Checked in 49799 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.exe' is checked but not set. Checked in 18405 and 183 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.pdf' is checked but not set. Checked in 26539 and 3 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.emf' is checked but not set. Checked in 38773 and 3 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.swf' is checked but not set. Checked in 33272 and 2 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.jar' is checked but not set. Checked in 25302 and 6 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.cws' is checked but not set. Checked in 24670 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.zip' is checked but not set. Checked in 24669 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.jpeg' is checked but not set. Checked in 21510 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.elf' is checked but not set. Checked in 37435 and 3 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.lnk' is checked but not set. Checked in 45624 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.dat' is checked but not set. Checked in 40393 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.rtf' is checked but not set. Checked in 37277 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.application' is checked but not set. Checked in 36712 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.xls' is checked but not set. Checked in 35984 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.otf' is checked but not set. Checked in 35719 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- TCP toserver: 173 port groups, 83 unique SGH's, 90 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- TCP toclient: 52 port groups, 19 unique SGH's, 33 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- UDP toserver: 39 port groups, 20 unique SGH's, 19 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- UDP toclient: 9 port groups, 5 unique SGH's, 4 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- OTHER toserver: 2 proto groups, 1 unique SGH's, 1 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- OTHER toclient: 2 proto groups, 0 unique SGH's, 2 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Unique rule groups: 128
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toserver TCP packet": 26
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toclient TCP packet": 8
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toserver TCP stream": 65
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toclient TCP stream": 16
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toserver UDP packet": 20
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toclient UDP packet": 5
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "other IP packet": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_uri (http)": 13
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_raw_uri (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_request_line (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_client_body (http)": 6
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_header (http)": 8
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient http_header (http)": 8
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_content_type (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient http_content_type (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_start (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient http_start (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_user_agent (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient http_stat_code (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver tls.sni (tls)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver dce_stub_data (smb)": 2
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient dce_stub_data (smb)": 2
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver dce_stub_data (dcerpc)": 2
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver file_data (smtp)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient file_data (http)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver file_data (smb)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient file_data (smb)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver file_data (http2)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient file_data (http2)": 10
Apr 14 12:59:33 OPNsense suricata[38494]: [100355] <Perf> -- Using 1 threads for interface igb1
Apr 14 12:59:33 OPNsense suricata[38494]: [100355] <Info> -- Going to use 1 thread(s)
Apr 14 12:59:33 OPNsense suricata[38494]: [100390] <Notice> -- opened netmap:igb1/R from igb1: 0x4e4d53fc000
Apr 14 12:59:34 OPNsense suricata[38494]: [100390] <Notice> -- opened netmap:igb1^ from igb1^: 0x4e4d53fc300
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Perf> -- Using 1 threads for interface igb1^
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Info> -- Going to use 1 thread(s)
Apr 14 12:59:34 OPNsense suricata[38494]: [100406] <Notice> -- opened netmap:igb1^ from igb1^: 0x4e4ea7fc000
Apr 14 12:59:34 OPNsense suricata[38494]: [100406] <Notice> -- opened netmap:igb1/T from igb1: 0x4e4ea7fc300
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Config> -- using 1 flow manager threads
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Config> -- using 1 flow recycler threads
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Notice> -- Signal Received.  Stopping engine.
Apr 14 12:59:55 OPNsense suricata[38494]: [100402] <Perf> -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Info> -- time elapsed 21.392s
Apr 14 12:59:55 OPNsense suricata[38494]: [100414] <Perf> -- 52 flows processed
Apr 14 12:59:55 OPNsense suricata[38494]: [100390] <Perf> -- (W#01-igb1) Kernel: Packets 359, dropped 0, bytes 42618
Apr 14 12:59:55 OPNsense suricata[38494]: [100406] <Perf> -- (W#01-igb1^) Kernel: Packets 726, dropped 0, bytes 692065
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Info> -- Alerts: 0
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- ippair memory usage: 382144 bytes, maximum: 16777216
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- host memory usage: 366144 bytes, maximum: 33554432
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Info> -- cleaning up signature grouping structure... complete
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Notice> -- Stats for 'igb1':  pkts: 359, drop: 0 (0.00%), invalid chksum: 0
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Notice> -- Stats for 'igb1^':  pkts: 726, drop: 0 (0.00%), invalid chksum: 0
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- Cleaning up Hyperscan global scratch
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- Clearing Hyperscan database cache

33
21.1 Legacy Series / Re: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« on: April 14, 2021, 01:11:08 am »
Thank you franco.

So I can't find out what the issue here. I loose the connection pretty perfect after 3 minutes of uptime. Nothing in the logs, nothing in suricata log. Suricata is running like 2 minutes+ then roughly 30 seconds after system is up.

Shutting down the system via "short press of power button" takes like 1-2 minutes, then I'm able to ping the system again before full shutdown (as suricata shutdown seems close to system shutdown).

5 x Intel i211AT (2 plugged in)
2 x VLANs (not mapped in suricata of course)

Code: [Select]
2021-04-14T01:03:14 suricata[59758] [100259] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "W#01-igb1". Killing engine
2021-04-14T01:02:13 suricata[59758] [100259] <Notice> -- Signal Received. Stopping engine.
2021-04-14T00:59:57 suricata[59758] [100259] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
2021-04-14T00:59:57 suricata[59758] [100336] <Notice> -- opened netmap:pppoe0/T from pppoe0: 0x753e7ffc300
2021-04-14T00:59:57 suricata[59758] [100336] <Notice> -- opened netmap:pppoe0^ from pppoe0^: 0x753e7ffc000
2021-04-14T00:59:57 suricata[59758] [100329] <Notice> -- opened netmap:pppoe0^ from pppoe0^: 0x753d2db1300
2021-04-14T00:59:57 suricata[59758] [100329] <Notice> -- opened netmap:pppoe0/R from pppoe0: 0x753d2db1000
2021-04-14T00:59:57 suricata[59758] [100327] <Notice> -- opened netmap:igb1/T from igb1: 0x753933fc300
2021-04-14T00:59:57 suricata[59758] [100327] <Notice> -- opened netmap:igb1^ from igb1^: 0x753933fc000
2021-04-14T00:59:57 suricata[59758] [100316] <Notice> -- opened netmap:igb1^ from igb1^: 0x7537e3d3300
2021-04-14T00:59:56 suricata[59758] [100316] <Notice> -- opened netmap:igb1/R from igb1: 0x7537e3d3000
system.log
Code: [Select]
Apr 14 00:59:55 OPNsense kernel: pflog0: promiscuous mode disabled
Apr 14 00:59:55 OPNsense kernel: pflog0: promiscuous mode enabled
Apr 14 00:59:55 OPNsense kernel: OK
Apr 14 00:59:56 OPNsense kernel: igb1: permanently promiscuous mode enabled
Apr 14 00:59:56 OPNsense kernel: igb1: link state changed to DOWN
Apr 14 00:59:56 OPNsense kernel: igb1_vlan2: link state changed to DOWN
Apr 14 00:59:56 OPNsense kernel: igb1_vlan3: link state changed to DOWN
Apr 14 00:59:57 OPNsense opnsense-devel[61802]: /usr/local/etc/rc.linkup: Hotplug event detected for XXXXXX(lan) but ignoring since interface is configured with static IP (XXXXXXX ::)
Apr 14 00:59:57 OPNsense opnsense-devel[25342]: /usr/local/etc/rc.linkup: Hotplug event detected for XXXXXX(opt3) but ignoring since interface is configured with static IP (XXXXXXX ::)
Apr 14 00:59:57 OPNsense kernel: 797.304698 [1130] generic_netmap_attach     Emulated adapter for pppoe0 created (prev was NULL)
Apr 14 00:59:57 OPNsense kernel: 797.313687 [1035] generic_netmap_dtor       Emulated netmap adapter for pppoe0 destroyed
Apr 14 00:59:57 OPNsense kernel: pppoe0: permanently promiscuous mode enabled
Apr 14 00:59:57 OPNsense kernel: 797.324028 [1130] generic_netmap_attach     Emulated adapter for pppoe0 created (prev was NULL)
Apr 14 00:59:57 OPNsense kernel: 797.333117 [ 320] generic_netmap_register   Emulated adapter for pppoe0 activated
Apr 14 00:59:57 OPNsense opnsense-devel[61189]: /usr/local/etc/rc.linkup: Hotplug event detected for XXXXXXX(opt6) but ignoring since interface is configured with static IP (XXXXXXXX ::)
Apr 14 00:59:57 OPNsense kernel: SHA256 12 23 34 56 78 AA BB CC DD EE FF AA EE AA EE
Apr 14 01:00:01 OPNsense kernel: igb1: link state changed to UP
Apr 14 01:00:01 OPNsense kernel: igb1_vlan2: link state changed to UP
Apr 14 01:00:01 OPNsense kernel: igb1_vlan3: link state changed to UP
Apr 14 01:00:01 OPNsense opnsense-devel[40612]: /usr/local/etc/rc.linkup: Hotplug event detected for XXXXXX(lan) but ignoring since interface is configured with static IP (XXXXXXX ::)
Apr 14 01:00:01 OPNsense opnsense-devel[16932]: /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1'
Apr 14 01:00:01 OPNsense opnsense-devel[16932]: /usr/local/etc/rc.newwanip: On (IP address: XXXXXX) (interface: XXXXX[lan]) (real interface: igb1).
Apr 14 01:00:01 OPNsense opnsense-devel[16932]: plugins_configure hosts ()

34
21.1 Legacy Series / Re: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« on: April 11, 2021, 06:15:39 pm »
Can't get this to run. Maybe a problem with compiling on a small system.

@franco
When will be the next push/recompile for the dev version so I can investigate further?

Beside that I submitted Hyperscan 5.4.0 to FreeBSD Ports.

https://www.freshports.org/devel/hyperscan/

35
21.1 Legacy Series / Re: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« on: April 02, 2021, 03:50:24 pm »
So after hours of compiling, it does not work for me. Suricata kills all my network connections. Nothing fancy in the logs:
Code: [Select]
Apr  2 15:21:43 OPNsense suricata[31904]: [100315] <Notice> -- opened netmap:igb1/R from igb1: 0x3a3abb1a000
Apr  2 15:21:43 OPNsense suricata[31904]: [100315] <Notice> -- opened netmap:igb1^ from igb1^: 0x3a3abb1a300
Apr  2 15:21:43 OPNsense suricata[31904]: [101293] <Notice> -- opened netmap:igb1^ from igb1^: 0x3a3c247b000
Apr  2 15:21:44 OPNsense suricata[31904]: [101293] <Notice> -- opened netmap:igb1/T from igb1: 0x3a3c247b300
Apr  2 15:21:44 OPNsense suricata[31904]: [101296] <Notice> -- opened netmap:pppoe0/R from pppoe0: 0x3a3ecd66000
Apr  2 15:21:44 OPNsense suricata[31904]: [101296] <Notice> -- opened netmap:pppoe0^ from pppoe0^: 0x3a3ecd66300
Apr  2 15:21:44 OPNsense suricata[31904]: [101328] <Notice> -- opened netmap:pppoe0^ from pppoe0^: 0x3a401dfc000
Apr  2 15:21:44 OPNsense suricata[31904]: [101328] <Notice> -- opened netmap:pppoe0/T from pppoe0: 0x3a401dfc300
Apr  2 15:21:44 OPNsense suricata[31904]: [100851] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
Apr  2 15:22:58 OPNsense suricata[31904]: [100851] <Notice> -- rule reload starting
Apr  2 15:23:00 OPNsense suricata[31904]: [100851] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
Apr  2 15:23:00 OPNsense suricata[31904]: [100851] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:55839; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 100

I was able to connect on startup and kill suricata quickly.

Additionally I contributed to FreeBSD updating Hyperscan to 5.4.0.

36
21.1 Legacy Series / Re: Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« on: April 01, 2021, 07:49:52 pm »
No worries :) I like bleeding edge so I've to live with that and help to find the bugs before others do :P

Was really suprised noone posted this yet.

Will give feedback in a minute.

EDIT: I think this will take some hours...i3-5020 is not the fastest compiling rust.

37
21.1 Legacy Series / Re: Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« on: April 01, 2021, 07:44:57 pm »
Currently recompilng suricata-devel. Hyperscan is not ticked in default. Hyperscan itself is installed.

Proof:
Code: [Select]
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed

38
21.1 Legacy Series / [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« on: April 01, 2021, 07:35:01 pm »
Hello,
thanks for the update to 21.1.4 and Suricata 6.x on Devel.

Suricata does not want to start after the update.

The log shows:
Code: [Select]
2021-04-01T18:34:09 root[7389] /usr/local/etc/rc.d/suricata: WARNING: failed to start suricata
Manual start shows:
Code: [Select]
1/4/2021 -- 19:31:36 - <Info> - Including configuration file installed_rules.yaml.
1/4/2021 -- 19:31:36 - <Info> - Configuration node 'rule-files' redefined.
1/4/2021 -- 19:31:36 - <Info> - Including configuration file custom.yaml.
./suricata: WARNING: failed to start suricata
Code: [Select]
OPNsense 21.7.a_314-amd64
FreeBSD 12.1-RELEASE-p15-HBSD
LibreSSL 3.2.5
Trying to investigate further or does it simply require a reinstall?

EDIT: Looks like Hyperscan support is missing with this build.


Code: [Select]
Apr  1 17:33:38 OPNsense suricata[72140]: [100255] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 17:33:38 OPNsense suricata[72140]: [100255] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 17:37:16 OPNsense suricata[40561]: [100128] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 17:37:16 OPNsense suricata[40561]: [100128] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 17:44:59 OPNsense suricata[95863]: [100343] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 17:44:59 OPNsense suricata[95863]: [100343] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 18:34:09 OPNsense suricata[77466]: [100851] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 18:34:09 OPNsense suricata[77466]: [100851] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:31:36 OPNsense suricata[78420]: [100843] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:31:36 OPNsense suricata[78420]: [100843] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:37:02 OPNsense suricata[18973]: [100835] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:37:02 OPNsense suricata[18973]: [100835] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:37:54 OPNsense suricata[92966]: [100386] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:37:54 OPNsense suricata[92966]: [100386] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:38:12 OPNsense suricata[10120]: [100298] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:38:12 OPNsense suricata[10120]: [100298] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.

Recompiling /usr/ports/opnsense/suricata-devel

39
Development and Code Review / Re: How to update MAC vendor db?
« on: January 27, 2021, 04:17:33 pm »
Thank you <3


40
Development and Code Review / Re: How to update MAC vendor db?
« on: January 22, 2021, 01:57:52 pm »
Its done :) Thank you franco.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=249382

Hope we can enjoy this in an upcoming future release.

41
Development and Code Review / Re: How to update MAC vendor db?
« on: January 21, 2021, 12:47:32 pm »
Hello Franco,
thanks for your patince and staying on that topic!

I'll keep track of this aswell :) (as you may have noticed) :D

42
Development and Code Review / Re: How to update MAC vendor db?
« on: January 21, 2021, 01:05:25 am »
Quote from: franco on September 23, 2020, 01:40:35 pm
More discussion here. I'm not sure where this stands in FreeBSD as there is some kerfuffle about Python version support.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=249382


Cheers,
Franco

There seems to be a patch now and waiting for maintainer approval?

43
20.7 Legacy Series / Re: 20.7.7 Upgrade Broke Gateway Status and looking to fix it
« on: December 24, 2020, 01:16:23 pm »
I've the same issue. Gateway is always down, dpinger doesn't want to start.

OPNsense 21.1.a_272-amd64
FreeBSD 12.1-RELEASE-p11-HBSD
LibreSSL 3.1.5

44
Development and Code Review / Re: How to update MAC vendor db?
« on: December 09, 2020, 12:23:17 pm »
Any updates on this?

45
20.7 Legacy Series / Re: Safe to delete?
« on: October 23, 2020, 11:07:21 am »
Quote from: franco on October 23, 2020, 07:33:04 am
No.


Cheers,
Franco

Thank you, so I/we can safely ignore these messages.

Pages: 1 2 [3] 4 5 6
OPNsense is an OSS project © Deciso B.V. 2015 - 2022 All rights reserved
  • SMF 2.0.18 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2