Topic: 18.7.10 and Suricata (Read 4347 times)
JohnDoe17
Newbie
Posts: 40
Karma: 5
18.7.10 and Suricata
« on: January 21, 2019, 10:35:05 pm »
Hello.
Are there known issues with Suricata and OPNsense 18.7.10_3? I just upgraded from 18.7.7, and Suricata doesn't seem like it's working any more. Before the upgrade I would see a fair number of alerts from day to day (mostly informational), but after the upgrade I haven't gotten any! Seems hard to believe.
I have OPNsense configured to use it on a number of internal interfaces, but not WAN. And I have chosen Hyperscan as the matching engine. (I did try the default engine too, but that didn't seem to make a difference.)
I'm using http://testmyids.com to try to stimulate an alert. This has worked in the past, but nothing happens after the upgrade.
Any ideas?
P.S. I really love OPNsense. I've been using it for a couple of years, and I recommend it to others. Thanks for the great work!
franco
Administrator
Hero Member
Posts: 17659
Karma: 1611
Re: 18.7.10 and Suricata
« Reply #1 on: January 22, 2019, 08:02:23 am »
Hi,
Suricata 4.1.2 could have issues. We're not sure at this point.
Can you try to revert Suricata, i.e.
# opnsense-revert -r 18.7.9 suricata
And restart the service manually.
Cheers,
Franco
MakesSense
Newbie
Posts: 17
Karma: 2
Re: 18.7.10 and Suricata
« Reply #2 on: January 22, 2019, 12:28:38 pm »
For me it was the same, almost all alerts disappeared when I upgraded to Suricata 4.1.2. I found that the OISF/suricata rules disappeared when I upgraded. That rule set makes a lot of noise, especially if you have the STREAM rules enabled, but many of them I find very useful.
Some rules didn't load properly with 4.1.2 when I downloaded them manually, so I added my own STREAM rules based on the rules in that rules set.
The OISF/suricata rules can be found here:
https://github.com/OISF/suricata/tree/master/rules
« Last Edit: January 22, 2019, 03:46:36 pm by MakesSense »
JohnDoe17
Newbie
Posts: 40
Karma: 5
Re: 18.7.10 and Suricata
« Reply #3 on: January 23, 2019, 05:49:28 pm »
Well, after reverting, I seem to be getting alerts again. And the rules lists are downloading again.
Thanks, Franco.
I assume if this gets sorted out in the future, when I upgrade to 19.1.x, the reverted version will upgrade at that time too?
myksto
Full Member
Posts: 106
Karma: 6
Re: 18.7.10 and Suricata
« Reply #4 on: January 25, 2019, 09:08:27 am »
I too noted the same issue.
When I restarted the suricata service I saw these errors in the logs:
Jan 25 08:56:13 suricata[56125]: [101214] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "</html>" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.feodotracker.rules at line 148
Jan 25 08:56:13 suricata[56125]: [101214] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "<html lang="en">" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.feodotracker.rules at line 2
Jan 25 08:56:13 suricata[56125]: [101214] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "<!doctype html>" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.feodotracker.rules at line 1
Jan 25 08:56:13 suricata: [100116] <Notice> -- This is Suricata version 4.1.2 RELEASE
No alerts are stored.
After the revert to version 4.0.6 alerts are shown again even though the above errors appear the same (maybe it's another kind of problem that has nothing to do with the new version of Suricata).
There is some problem with the new version of Suricata.
Best regards,
Michele.
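As an added example (not code from this thread or from the OPNsense project), a small Python check that parses the Suricata log lines quoted above and flags rule files whose rejected "signatures" are HTML tags, which is what you see when a rule download returned a web page instead of a rules file. The sample log lines are constructed from the errors in this thread; the regexes and function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the three parse errors quoted in the thread plus the
# version notice, as they appear in the OPNsense system log.
SAMPLE_LOG = """\
Jan 25 08:56:13 suricata[56125]: [101214] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "</html>" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.feodotracker.rules at line 148
Jan 25 08:56:13 suricata[56125]: [101214] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "<html lang="en">" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.feodotracker.rules at line 2
Jan 25 08:56:13 suricata[56125]: [101214] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "<!doctype html>" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.feodotracker.rules at line 1
Jan 25 08:56:13 suricata: [100116] <Notice> -- This is Suricata version 4.1.2 RELEASE
"""

# Matches Suricata's invalid-signature error; the signature text may itself
# contain quotes, so the greedy group stops at the last '" from file'.
SIG_ERR = re.compile(
    r'SC_ERR_INVALID_SIGNATURE\(\d+\)\] - error parsing signature '
    r'"(?P<sig>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$'
)
# A rejected "rule" that starts with an HTML tag means the feed served a page.
HTML_LIKE = re.compile(r'^\s*<(!doctype|/?html|head|body)\b', re.IGNORECASE)


def parse_signature_errors(log_text):
    """Return (file, line, signature) for every invalid-signature error."""
    found = []
    for raw in log_text.splitlines():
        m = SIG_ERR.search(raw)
        if m:
            found.append((m.group("file"), int(m.group("line")), m.group("sig")))
    return found


def suspicious_rule_files(log_text):
    """Map rule file -> sorted bad line numbers, keeping only files whose
    rejected signatures look like HTML rather than an ordinary rule typo."""
    by_file = defaultdict(list)
    for path, line, sig in parse_signature_errors(log_text):
        if HTML_LIKE.match(sig):
            by_file[path].append(line)
    return {path: sorted(lines) for path, lines in by_file.items()}


if __name__ == "__main__":
    for path, lines in suspicious_rule_files(SAMPLE_LOG).items():
        print(f"{path}: HTML content at rule lines {lines}; re-download this feed")
```

Run it against /var/log/suricata.log (or the system log) instead of SAMPLE_LOG to find which downloaded rule sets need to be refreshed before trusting that the sensor is alerting.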