Error reconfiguring IDS: error installing ids rules ()

Started by geo, May 17, 2021, 10:38:08 PM

Hello,

I'm getting this error "Error reconfiguring IDS: error installing ids rules ()" when trying to enable IDS/IPS and I'm not sure how to further diagnose/fix it.

I'm using an APU2 with 4G RAM that's running the current OPNsense 21.1.5-amd64 release. For DNS I'm using Unbound, strictly with DNS over TLS forwarded to Cloudflare and Quad9 servers.

I looked through https://forum.opnsense.org/index.php?topic=18424.0 for suggestions but nothing helped. I have disabled IDS/IPS for the time being and would appreciate any help to further troubleshoot this.

I've included part of my configd.log around the time when the error is thrown:

May 17 16:03:42 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/reference.config
May 17 16:03:42 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/rule-updater.config
May 17 16:03:42 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/rule-policies.config
May 17 16:03:42 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/rules.config
May 17 16:03:42 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/suricata.yaml
May 17 16:04:07 homehost configd.py[16836]: [3742f419-3143-4020-90a8-a89480ac2a68] Show log
May 17 16:07:34 homehost configd.py[16836]: [5d79ee33-c54d-4edc-84ef-f970a68e7c1b] Show log
May 17 16:08:39 homehost configd.py[16836]: [fc6ee590-4d91-4ea8-8bf6-6f4a129bec38] request suricata rule metadata
May 17 16:10:15 homehost configd.py[16836]: [a08ef3c4-1f9c-4e05-8d29-495bdf8af6dd] get suricata daemon status
May 17 16:10:15 homehost configd.py[16836]: [7580e51f-a640-4bad-8c10-52d4bb994ee0] request suricata rule metadata
May 17 16:10:15 homehost configd.py[16836]: [51f49706-2a98-4d2e-b153-059d94e77756] request suricata rule metadata
May 17 16:10:16 homehost configd.py[16836]: [bdaaf3bc-f785-40d1-83fd-ea59b8e977e4] request suricata rule metadata
May 17 16:10:50 homehost configd.py[16836]: [5586026c-9b3a-454d-a6b5-080feefd7a32] request suricata rule metadata
May 17 16:10:50 homehost configd.py[16836]: [c5761b53-b036-4b47-9da8-8e1f030558c5] request suricata rule metadata
May 17 16:10:50 homehost configd.py[16836]: [43c5523c-39ff-4dea-9212-2856e4bdd568] get suricata daemon status
May 17 16:10:50 homehost configd.py[16836]: [bfa03c84-a58a-4d8e-bd2d-109230f72e4e] trigger config changed event
May 17 16:10:50 homehost configd.py[16836]: [bee27c63-d4c5-4d71-bbd1-156aa4a75859] generate template OPNsense/IDS
May 17 16:10:51 homehost configd.py[16836]: generate template container OPNsense/IDS
May 17 16:10:52 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/rules/OPNsense.rules
May 17 16:10:52 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/classification.config
May 17 16:10:52 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/custom.yaml
May 17 16:10:52 homehost configd.py[16836]:  OPNsense/IDS generated //etc/newsyslog.conf.d/suricata
May 17 16:10:52 homehost configd.py[16836]:  OPNsense/IDS generated //etc/rc.conf.d/suricata
May 17 16:10:52 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/reference.config
May 17 16:10:52 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/rule-updater.config
May 17 16:10:52 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/rule-policies.config
May 17 16:10:52 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/rules.config
May 17 16:10:52 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/suricata.yaml
May 17 16:10:52 homehost configd.py[16836]: [8653a10b-0f6f-4aca-bbb9-64168e034a21] request suricata rule metadata
May 17 16:12:26 homehost configd.py[16836]: [c5394681-a080-40ab-b0d9-914142f983d4] get suricata daemon status
May 17 16:12:26 homehost configd.py[16836]: [12449fc6-2262-4176-9684-8ad0e4b4e68f] request suricata rule metadata
May 17 16:12:27 homehost configd.py[16836]: [c7af7ec0-9f6f-4733-a9ba-23de866015dc] request suricata rule metadata
May 17 16:12:27 homehost configd.py[16836]: [4871c442-9862-4b83-ac37-0ab9706ed360] get suricata daemon status
May 17 16:12:27 homehost configd.py[16836]: [3029c861-351e-4314-8811-67c6ee80b7bd] trigger config changed event
May 17 16:12:27 homehost configd.py[16836]: [0d47f230-1780-4105-9978-d996e2876dde] generate template OPNsense/IDS
May 17 16:12:27 homehost configd.py[16836]: generate template container OPNsense/IDS
May 17 16:12:29 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/rules/OPNsense.rules
May 17 16:12:29 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/classification.config
May 17 16:12:29 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/custom.yaml
May 17 16:12:29 homehost configd.py[16836]:  OPNsense/IDS generated //etc/newsyslog.conf.d/suricata
May 17 16:12:29 homehost configd.py[16836]:  OPNsense/IDS generated //etc/rc.conf.d/suricata
May 17 16:12:29 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/reference.config
May 17 16:12:29 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/rule-updater.config
May 17 16:12:29 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/rule-policies.config
May 17 16:12:29 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/rules.config
May 17 16:12:29 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/suricata.yaml
May 17 16:12:29 homehost configd.py[16836]: [f147ee96-5734-43de-aec1-3e8288450c70] install suricata rules
May 17 16:14:31 homehost configd.py[16836]: [a0df7db3-864a-4925-a678-3bdb8c5e5993] request suricata rule metadata
May 17 16:14:39 homehost configd.py[16836]: [85a64293-5a57-40ec-9f97-11347379ce4f] get suricata daemon status
homehost configd.py[4550]: [eea30bd2-a3c3-4c8c-be0b-90adf871a830] Retrieve upgrade progress status

From the System Log it seems to point to a timeout error:
2021-05-17T16:14:31 sudo[80583] admin : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/cat configd.log
2021-05-17T16:14:31 configd[18782] Timeout (120) executing : ids install rules
I've also noticed in dmesg repeated messages about promiscuous mode being enabled/disabled and about igb1, but I'm not sure what to make of it.

igb0: link state changed to UP
igb1: link state changed to UP
intsmb0: <AMD FCH SMBus Controller> at device 20.0 on pci0
smbus0: <System Management Bus> on intsmb0
lo0: link state changed to UP
aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS> on motherboard
amdtemp0: <AMD CPU On-Die Thermal Sensors> on hostb5
igb1: link state changed to DOWN
vlan0: changing name to 'igb1_vlan10'
igb0: link state changed to DOWN
igb1: link state changed to UP
igb1_vlan10: link state changed to UP
igb0: link state changed to UP
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
igb1: permanently promiscuous mode enabled
igb1: link state changed to DOWN
igb1_vlan10: link state changed to DOWN
igb1: link state changed to UP
igb1_vlan10: link state changed to UP
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
igb1: link state changed to DOWN
igb1_vlan10: link state changed to DOWN
igb1: link state changed to UP
igb1_vlan10: link state changed to UP
igb1: link state changed to DOWN
igb1_vlan10: link state changed to DOWN
igb1: link state changed to UP
igb1_vlan10: link state changed to UP
igb1: link state changed to DOWN
igb1_vlan10: link state changed to DOWN
igb1: link state changed to UP
igb1_vlan10: link state changed to UP
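
One way to triage this from the logs alone (an added example, not code from the thread or from OPNsense): pair the "install suricata rules" entry in configd.log with the next configd event and with the "Timeout (120) executing : ids install rules" line from the System Log, and report how long the rule install actually ran. The sample lines are copied from the post above; the year 2021 is assumed for the configd.log lines, which carry no year.

```python
import re
from datetime import datetime

# Sample configd.log lines taken from the post (syslog format, no year).
CONFIGD_LOG = """\
May 17 16:12:27 homehost configd.py[16836]: [0d47f230-1780-4105-9978-d996e2876dde] generate template OPNsense/IDS
May 17 16:12:29 homehost configd.py[16836]:  OPNsense/IDS generated //usr/local/etc/suricata/suricata.yaml
May 17 16:12:29 homehost configd.py[16836]: [f147ee96-5734-43de-aec1-3e8288450c70] install suricata rules
May 17 16:14:31 homehost configd.py[16836]: [a0df7db3-864a-4925-a678-3bdb8c5e5993] request suricata rule metadata
"""

# Sample System Log line taken from the post (ISO timestamp, year included).
SYSTEM_LOG = """\
2021-05-17T16:14:31 configd[18782] Timeout (120) executing : ids install rules
"""

# Timestamp, host, process, optional [uuid], then the action text.
CONFIGD_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ configd\.py\[\d+\]: +(?:\[[0-9a-f-]+\] )?(.*)$")
TIMEOUT_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) configd\[\d+\] Timeout \((\d+)\) executing : (.*)$")

def parse_configd(text, year):
    """Return [(datetime, action)] for every configd.log line that matches."""
    events = []
    for line in text.splitlines():
        m = CONFIGD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2).strip()))
    return events

def parse_timeouts(text):
    """Return [(datetime, limit_seconds, action)] for configd timeout lines."""
    out = []
    for line in text.splitlines():
        m = TIMEOUT_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group(1)), int(m.group(2)), m.group(3)))
    return out

def find_rule_install_timeouts(configd_text, system_text, year=2021):
    """For each 'install suricata rules' start, measure time to the next configd
    event and check whether an 'ids install rules' timeout fell in that window."""
    events = parse_configd(configd_text, year)
    timeouts = [t for t in parse_timeouts(system_text) if t[2] == "ids install rules"]
    findings = []
    for i, (ts, msg) in enumerate(events):
        if msg != "install suricata rules":
            continue
        nxt = events[i + 1][0] if i + 1 < len(events) else None
        elapsed = (nxt - ts).total_seconds() if nxt else None
        hit = [t for t in timeouts if ts <= t[0] and (nxt is None or t[0] <= nxt)]
        findings.append({"started": ts.isoformat(), "seconds_until_next_event": elapsed,
                         "timed_out": bool(hit), "timeout_limit": hit[0][1] if hit else None})
    return findings
```

On the lines from the post this reports a 122-second gap after the install started against a 120-second configd limit, which is what the "error installing ids rules ()" message with an empty detail string reflects.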
Does not look like anyone knows how to fix this.
From the logs I see a message that appears to say the rule reload completed, so maybe it's just a timeout issue,
but I have not had any alerts when running on WAN, so I'm not sure it's working.

It's funny you say this because I am having the exact same behavior using WAN. I was having alerts generated initially when I enabled IDS for the first time, but after a few days of trying to choose between different "hyperscan" and other options, it stopped giving alerts completely. The reason I started looking in the forum is that I get absolutely no alerts for any kind of traffic now.