Topic: 24 7.6: ips error in configd.py (Read 338 times)
notspam, on October 20, 2024, 02:06:24 pm:
Hello all,
does someone here know the solution for this behaviour?
After a while the IPS service is down.
In the event log I found:
Error configd.py Timeout (120) executing : ids list rulemetadata
After the IPS update check there is a traceback in the log:
Error configctl error in configd communication
Traceback (most recent call last):
  File "/usr/local/sbin/configctl", line 65, in exec_config_cmd
    line = sock.recv(65536).decode()
           ^^^^^^^^^^^^^^^^
TimeoutError: timed out
Starting the service manually brings the IPS back running.
Could someone give me a hint?
Thanks in advance.
________
Manual restart is working, but there is an event in the log:
Error configd.py [2043d2f8-7089-4509-bd8f-3920fc2e6bac] returned exit status 1
« Last Edit: October 20, 2024, 11:52:44 pm by notspam »
Logged
notspam, Reply #1 on October 21, 2024, 01:08:54 am:
The problem might be duplicate signature entries.
The question is how to fix it?
[100878] <Error> -- Duplicate signature "alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed"; flow:established,to_client; tls.certs; content:"|31 0b 30 09 06 03 55 04 06 13 02|US|31 11 30 0f 06 03 55 04 08 13 08|Illinois|31 13 30 11 06 03 55 04 07 13 0a|Naperville|31 09 30 07 06 03 55 04 09 13 00 31 0d 30 0b 06 03 55 04 11 13 04|"; fast_pattern; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037378; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, malware_family Sliver, malware_family Havoc, performance_impact Low, signature_severity Major, updated_at 2024_01_03;)"
Logged
notspam, Reply #2 on October 21, 2024, 09:53:11 pm:
How to fix these duplicated entries?
2024-10-21T19:49:31 Error suricata [100756] <Error> -- error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL CHAT ICQ access"; flow:to_server,established; http.header; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:2100541; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_20;)" from file /usr/local/etc/suricata/opnsense.rules/et_open.emerging-chat.rules at line 190
2024-10-21T19:49:31 Error suricata [100756] <Error> -- Duplicate signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL CHAT ICQ access"; flow:to_server,established; http.header; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:2100541; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_20;)"
Logged
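Added example, not part of the thread and not OPNsense or Suricata code: a Python check that lists every gid/sid pair occurring in more than one enabled rule across a set of rule files, which is the condition the "Duplicate signature" errors above report. The file names and sample rules are constructed, and matching on gid plus sid (gid defaulting to 1) is an assumption about how Suricata identifies a signature.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')   # quoted option values (msg, content, pcre)
OPT = {k: re.compile(r"[(;]\s*%s\s*:\s*(\d+)\s*;" % k) for k in ("sid", "gid", "rev")}

# Constructed sample: two hypothetical rule files that both carry sid 2100541.
ICQ = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL CHAT ICQ access"; '
       'flow:to_server,established; http.header; content:"User-Agent|3A|ICQ"; '
       'classtype:policy-violation; sid:2100541; rev:14;)')
SAMPLE = {
    "first.rules": ICQ + '\n#alert tcp any any -> any any (msg:"off"; sid:2100541; rev:1;)\n',
    "second.rules": 'alert tcp any any -> any any (msg:"x; sid:999; y"; sid:1000001; rev:1;)\n'
                    + ICQ + "\n",
}

def parse_rules(name, text):
    """Yield (gid, sid, rev, file, line) for every enabled rule in text."""
    pending, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            start = no
        if line.endswith("\\"):            # rule continues on the next line
            pending += line[:-1] + " "
            continue
        pending, rule = "", pending + line
        if not rule or rule.startswith("#"):   # blank, comment or disabled rule
            continue
        bare = QUOTED.sub('""', rule)      # keep "sid:" inside strings from matching
        found = {k: rx.search(bare) for k, rx in OPT.items()}
        if found["sid"]:
            num = lambda k, d: int(found[k].group(1)) if found[k] else d
            yield num("gid", 1), num("sid", 0), num("rev", 0), name, start

def find_duplicates(files):
    """files maps name -> text; return {(gid, sid): [(file, line, rev), ...]} for repeats."""
    seen = defaultdict(list)
    for name, text in files.items():
        for gid, sid, rev, fname, no in parse_rules(name, text):
            seen[(gid, sid)].append((fname, no, rev))
    return {key: hits for key, hits in seen.items() if len(hits) > 1}

if __name__ == "__main__":
    # With a directory argument, scan its *.rules files; otherwise use the sample.
    files = ({p.name: p.read_text(errors="replace") for p in sorted(Path(sys.argv[1]).glob("*.rules"))}
             if len(sys.argv) > 1 else SAMPLE)
    for (gid, sid), hits in sorted(find_duplicates(files).items()):
        print(f"gid {gid} sid {sid}:")
        for fname, no, rev in hits:
            print(f"  {fname}:{no} rev {rev}")
```

Pass a rules directory as the only argument to scan its *.rules files, for example the /usr/local/etc/suricata/opnsense.rules directory named in the log above.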
someone, Reply #3 on November 01, 2024, 03:58:24 am:
Would have to look at config file line 65.
Just a thought: was it an auto update that didn't make a connection?
Logged
jonny5, Reply #4 on November 22, 2024, 07:27:34 am:
I have also noticed/seen the same error.
It seems the rule build/move time period has expanded, but I also think the log line "timeout" hits before 120 seconds have passed.
Logged