Topic: Enabling IPS blocks traffic (Read 683 times)
justjohnin84 « on: January 18, 2024, 12:20:36 am »
Greetings everyone,
I have installed OPNsense on my edge device (older Dell SFF - dual NIC). When I have the IPS enabled, it seems the signatures can update; however, eventually, without fail, my access to the web will be blocked or fail.
There is an error shown below. Has anyone seen this before and know the fix for it? I have tried this three different times, separated by 2 weeks, to ensure it is the IPS service that is causing this.
Errors:
+++
2023-12-22T15:11:52-06:00 Error suricata [100166] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp [98.168.31.145,98.210.71.205,98.24.213.184,98.29.204.31,98.36.85.132,98.38.105.185,98.57.245.167,98.63.3.30,98.96.164.184,99.111.119.180] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 872"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522871; rev:5381; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Informational, created_at 2008_12_01, updated_at 2023_12_21;)" from file /usr/local/etc/suricata/opnsense.rules/et_open.tor.rules at line 1044
2023-12-22T15:11:52-06:00 Error suricata [100166] <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp [98.168.31.145,98.210.71.205,98.24.213.184,98.29.204.31,98.36.85.132,98.38.105.185,98.57.245.167,98.63.3.30,98.96.164.184,99.111.119.180] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 872"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522871; rev:5381; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Informational, created_at 2008_12_01, updated_at 2023_12_21;)"
+++
Has anyone seen this before? Also, I noticed that when the IPS service is enabled, OPNsense tries to renew its DHCP public interface address for some strange reason, which also will halt traffic because the process fails to return a new or re-issued IP address from my ISP.
Anyone encountered this problem before? I have also removed and reinstalled OPNsense with the same results.
Thanks,
John
notspam « Reply #1 on: October 21, 2024, 01:13:51 am »
Re: Enabling IPS blocks traffic
I have the same problem.
OPNsense 24.7.6, as a fresh install of 24.7 and update to 24.7.6.
Then install IPS.
I can see the duplicated entries in the web interface.
I posted it to the IPS section here:
https://forum.opnsense.org/index.php?topic=43524.0
« Last Edit: October 21, 2024, 01:15:55 am by notspam »
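A check for the `SC_ERR_DUPLICATE_SIG` error quoted in the first post and the duplicated entries mentioned in the reply, as an added example that is not part of either post or of OPNsense: it lists every `sid` defined by more than one enabled rule across a set of rule files. It assumes one rule per line and that the duplicate is a second enabled rule with the same `sid`; the sample rules, addresses and sids are constructed, and the function names are hypothetical.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# Constructed sample rule files (name -> text); not taken from the thread.
SAMPLE_RULES = {
    "et_open.tor.rules": (
        'alert tcp [192.0.2.1,192.0.2.2] any -> $HOME_NET any '
        '(msg:"constructed rule A"; sid:1000001; rev:3;)\n'
        '# alert tcp any any -> any any (msg:"disabled"; sid:1000001; rev:3;)\n'
        'alert tcp any any -> $HOME_NET any (msg:"constructed B"; sid:1000002; rev:1;)\n'
    ),
    "local.rules": (
        'alert tcp [192.0.2.1,192.0.2.2] any -> $HOME_NET any '
        '(msg:"constructed copy of A"; sid:1000001; rev:3;)\n'
        'drop udp any any -> any 53 (msg:"constructed C"; sid:1000003; rev:2;)\n'
    ),
}
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')  # quoted option values
SID_RE = re.compile(r"[;(]\s*sid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"[;(]\s*rev\s*:\s*(\d+)\s*;")

def parse_rules(files):
    """Yield (sid, rev, file, line_no) for each enabled rule, one rule per line."""
    for name, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # blank line or disabled rule
            opts = QUOTED_RE.sub('""', line)  # ignore "sid:" inside quoted strings
            sid = SID_RE.search(opts)
            if sid:
                rev = REV_RE.search(opts)
                yield int(sid.group(1)), int(rev.group(1)) if rev else 0, name, line_no

def find_duplicate_sids(files):
    """Return {sid: [(file, line_no, rev), ...]} for sids defined more than once."""
    seen = defaultdict(list)
    for sid, rev, name, line_no in parse_rules(files):
        seen[sid].append((name, line_no, rev))
    return {sid: locs for sid, locs in seen.items() if len(locs) > 1}

def load_rule_dir(path):
    return {p.name: p.read_text(errors="replace") for p in sorted(Path(path).glob("*.rules"))}

if __name__ == "__main__":
    files = load_rule_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RULES
    for sid, locs in sorted(find_duplicate_sids(files).items()):
        print(f"sid {sid} is defined {len(locs)} times:")
        for name, line_no, rev in locs:
            print(f"  {name}:{line_no} (rev {rev})")
```

Run with the rules directory from the log line (`/usr/local/etc/suricata/opnsense.rules`) as the only argument to scan the installed rule files instead of the sample.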