OPNsense Forum » English Forums » Web Proxy Filtering and Caching (Moderator: fabian) » Urgent Prod system - OPNWAF + SURICATA Logs went full and Everything is blocked
Topic: Urgent Prod system - OPNWAF + SURICATA Logs went full and Everything is blocked
Wuensch-AG-Adm (Newbie, Posts: 18, Karma: 0)
Urgent Prod system - OPNWAF + SURICATA Logs went full and Everything is blocked
on: November 22, 2024, 08:55:49 am
Dear OPNSense community,
We have a Business license, which normally means receiving a stable version after every update / upgrade, but that is not the case. Last upgrade: from 24.4.3 to version 24.10_7 (amd).
os-OPNWAF version 1.6, os-crowdsec 1.0.8_1, and Intrusion Detection is activated.
After the upgrade the logs from Suricata went full (and the disk too) -> Resource limit succeeded Service RootFs
Topology:
We have a bridge; the firewall is in our DMZ behind the first hop, where there is another router/firewall. The OPNsense is there for its WAF / proxy functions (OPNWAF / Suricata / CrowdSec).
We have some Nextcloud instances and we are securing the traffic to Nextcloud with OPNsense.
Since the last upgrade the logs have filled up with Suricata. I've deleted some logs; they were bigger than 100 GB.
Now the firewall is simply blocking the traffic from the Nextcloud to everything, even though I've made some rules like Nextcloud to everything on any port.
All the services are green.
I cannot explain what is happening, but for a Business license, I think this version has a bug!
I've restarted already; nothing is working and I don't know where to begin with this kind of stuff. In OPNWAF the logs don't show any problem. It seems to be a problem with the firewall!
example:
__timestamp__ 2024-11-22T08:31:43
ack 3809070810
action [block]
anchorname
datalen 0
dir [in]
dst XX.X.XXX.XXX (OPNSense Firewall/PROXY)
dstport 48012
ecn
id 4409
interface bridge0
interface_name BRG
ipflags DF
ipversion 4
label Default deny / state violation rule
length 52
offset 0
protoname tcp
protonum 6
reason match
rid 02f4bab031b57d1e30553ce08e0ec131
rulenr 4
seq
src XX.X.XXX.XXX (Nextcloud)
srcport 443
subrulenr
tcpflags A
tcpopts
tos 0x0
ttl 64
urp 506
The worst is that I've changed nothing. Everything went wrong after the upgrade to version 24.10_7.
Could you please help me?
Thank you in advance!
Regards,
Joel.
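Read as a defender, the block entry in the post is telling: an ACK-only packet from the Nextcloud host's port 443 hit pf's "Default deny / state violation rule", meaning the firewall held no state for a connection that was already in progress. The Python below is an added example, not part of Joel's post or of OPNsense; it parses the field/value dump format shown above and counts such mid-stream blocks per flow, so they can be separated from ordinary unsolicited SYNs. The addresses are constructed placeholders for the redacted XX.X.XXX.XXX values.

```python
# Added example (not from the post or OPNsense): triage the pf filterlog dump
# format shown above and flag blocks caused by missing state, not by a deny rule.
from collections import Counter

# Constructed sample: 192.0.2.10 / 198.51.100.5 stand in for the redacted OPNsense
# and Nextcloud addresses. Entry 1 mirrors the post (ACK-only packet from port 443
# on the state-violation rule); entry 2 is a plain unsolicited SYN for comparison.
SAMPLE_LOG = """\
action [block]
dst 192.0.2.10
dstport 48012
interface bridge0
label Default deny / state violation rule
protoname tcp
src 198.51.100.5
srcport 443
tcpflags A

action [block]
dst 192.0.2.10
dstport 22
interface bridge0
label Default deny / state violation rule
protoname tcp
src 203.0.113.7
srcport 51000
tcpflags S
"""

def parse_entries(text):
    """Split the dump ("field value" per line, blank line between entries) into
    dicts; a field with no value (e.g. 'seq' in the post) becomes ''."""
    entries = []
    for block in text.strip().split("\n\n"):
        fields = (line.partition(" ") for line in block.splitlines() if line.strip())
        entries.append({key: value.strip() for key, _, value in fields})
    return entries

def is_state_loss(e):
    """TCP block on the state rule with no SYN set: pf saw a mid-stream packet it
    holds no state for (asymmetric/bridged path or a state table reset)."""
    return (e.get("action") == "[block]" and "state violation" in e.get("label", "")
            and e.get("protoname") == "tcp" and "S" not in e.get("tcpflags", ""))

def summarize(text):
    """Count state-loss blocks per (interface, 'src:port -> dst:port')."""
    counts = Counter()
    for e in parse_entries(text):
        if is_state_loss(e):
            counts[(e["interface"], f"{e['src']}:{e['srcport']} -> {e['dst']}:{e['dstport']}")] += 1
    return counts
```

A flow that shows up repeatedly here while the matching pass rule exists points at state handling on the bridge rather than at the rule set.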
Wuensch-AG-Adm (Newbie, Posts: 18, Karma: 0)
Re: Urgent Prod system - OPNWAF + SURICATA Logs went full and Everything is blocked
Reply #1 on: November 22, 2024, 10:26:32 am
Dear OPNSense community,
I've found that the disk was full. The OPNsense wasn't really available anymore for the rest of the network. I've received some e-mail alerts that the processor of the appliance was overloaded. The appliance was bought this year; it's a Deciso 3842 AMD EPYC 8GB 256GB M.2.
The communication between our cluster and backup NAS was broken. Problems cascaded from one to the next.
I think something went wrong after the upgrade to version 24.10_7; Suricata is indeed integrated in OPNsense. I've deleted the old log, but we still have a problem with the IDS: a flooding of the following message.
bridge0^: error reading netmap data via polling: No buffer space available
Now it would be really interesting to know why this has changed between the versions of the OPNsense system.
Regards,
Joel.
PS: I've already set up the IDS log to be much smaller, but that's not the solution.
Wuensch-AG-Adm (Newbie, Posts: 18, Karma: 0)
Re: Urgent Prod system - OPNWAF + SURICATA Logs went full and Everything is blocked
Reply #2 on: November 22, 2024, 10:57:34 am
Update:
In Intrusion Detection I have to choose the WAN interface, even though I use only a bridge.
Is this a bug or a design problem?
Now the log has gone silent.
Can someone explain this to me? And I repeat, there was nothing like that before the upgrade.