Topic: Problem starting IPS because of bad rules from urlhaus (Read 2424 times)
bitzap
« on: September 21, 2020, 03:29:02 pm »
Hi all,
I just want to inform you that in the current (21.9.2020 15:00 CEST) abuse.ch/URLhaus rules there is a bug which prevents the IPS from starting:
[100151] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (510560)"; flow:established,from_client; content:"GET"; http_method; conte" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 73508
OPNsense 20.7.2-amd64
FreeBSD 12.1-RELEASE-p8-HBSD
OpenSSL 1.1.1g 21 Apr 2020
CPU Type AMD G-T40N Processor (2 cores)
mimugmail
« Reply #1 on: September 21, 2020, 04:12:42 pm »
Just ping them via Twitter or support contact, they can fix it really fast.
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
bitzap
« Reply #2 on: September 23, 2020, 04:25:25 pm »
I found the problem in my setup.
In the past 10 days there was a huge amount of new submissions to urlhaus, which results in a big increase of rules (from 30000 to 160000)
https://urlhaus.abuse.ch/statistics/
My hardware (APU 2G RAM) was probably too poor in performance to load all rules in a reasonable time.
Helle
« Reply #3 on: September 29, 2020, 02:01:04 pm »
I have an APU2D4 with 4 gigs of RAM and cannot start Suricata unless I disable abuse.ch/URLhaus.
Have reloaded that rule several times over a couple of days and when launching Suricata, my memory load goes up around 95% and after a long time Suricata is down. Have tried both Aho and Hyperscan but it is no longer possible to load URLhaus. Maybe if I disable some or all other rules but they are not optional.
This used to work in the past and I do not know if it is only a matter of the list having grown or if the new Suricata 5 is playing a role.
Maybe it is possible to stop some services during the 25 minutes Suricata takes to load the rules, and when Suricata is launched and the memory load goes down a bit, the stopped services could be started?
That is not a good workaround since reloading rules should be non-interactive and scheduled.
Logged
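A pre-flight check for the two conditions raised in this thread, a signature that fails to parse and a rule count that has outgrown the hardware, as an added example that is not part of any post above or of OPNsense. It is a structural check only (one rule per line assumed), not Suricata's parser; `preflight`, `SAMPLE` and the 50000 budget are assumptions.

```python
import sys

# Rule actions Suricata accepts at the start of an active rule line.
ACTIONS = ("alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth")

def open_quote(text):
    """True if a double-quoted string is still open at the end of the line."""
    in_quote = escaped = False
    for ch in text:
        if escaped:
            escaped = False  # the character after a backslash is literal
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
    return in_quote

def line_problem(rule):
    """Return why a rule line is structurally incomplete, or None if it looks whole."""
    if rule.split(None, 1)[0] not in ACTIONS:
        return "unknown action"
    if open_quote(rule):
        return "unterminated quoted string"
    if not rule.endswith(")") or not rule[:-1].rstrip().endswith(";"):
        return "option block not closed with ;)"
    return None

def preflight(lines, max_rules):
    """Count active rules and collect (line number, reason) for broken ones."""
    active, bad = 0, []
    for lineno, raw in enumerate(lines, 1):
        rule = raw.strip()
        if not rule or rule.startswith("#"):
            continue  # blank line or commented-out rule
        active += 1
        if (reason := line_problem(rule)):
            bad.append((lineno, reason))
    return {"active": active, "bad": bad, "over_budget": active > max_rules}

# Constructed sample lines, not taken from the real URLhaus feed.
SAMPLE = [
    "# constructed sample ruleset",
    'drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed sample 1"; content:"GET"; http_method; sid:1000001; rev:1;)',
    'drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed sample 2"; flow:established,from_client; content:"GET"; http_method; conte',
    'alert http any any -> any any (msg:"constructed sample 3; sid:1000003; rev:1;)',
]

if __name__ == "__main__":
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    print(preflight(src, max_rules=50000))  # 50000 is an assumed budget, tune per box
```

Pointed at the downloaded rule file before a scheduled reload, a non-empty `bad` list or `over_budget` being true is the signal to keep the previous ruleset instead of restarting the IPS.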