Windows Updates

Started by elektroinside, January 12, 2018, 04:01:31 PM

As it turns out, not all dropped packets are logged.
I have modified suricata.yaml to log all of them.

Setting these sids to 'Alert' fixed my Windows Updates issues:

2023818
2020573

@Franco: may I suggest to revise this part of the suricata config? It will avoid a lot of confusions...
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

Hey elektroinside,

Thanks for the heads-up! This one should do it? :)

https://github.com/opnsense/core/commit/573612d48


Cheers,
Franco

I don't know... yet :)
Hopefully, it's enough, I'll let you know in a few days, probably enough time to generate lots of packets :)

I am seeing some dropped packets right now, don't remember seeing them before, so it might work :)

Thank you Franco!


I also implemented this change.
Can't tell if the change does anything since I also saw blocks before the change.
I take it that eve.json is the IDS alerts list.

elektroinside - I figured the updates problems were rules. Glad you found it. I didn't see it because I do not have those rulesets enabled.

Figured it had something to do with alerting (the fact that I can't see what is blocked and what is not, from previous experiences with suricata). Also, without this change in the config file, you couldn't see it anyway, even if you had the rule, as it was not logged (dropped silently).

Anyway, it's all good now :-) Thank you both!

Quote from: franco on January 20, 2018, 08:45:31 PM
Hey elektroinside,

Thanks for the heads-up! This one should do it? :)

https://github.com/opnsense/core/commit/573612d48


Cheers,
Franco

And maybe (rather, surely) from now on it is a lot easier to find the culprit rule(s) or ruleset(s) crippling any other network service.
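To make that last point concrete, here is an added example (my own, not code from the thread or from the OPNsense project) that reads eve.json once drops are being logged and ranks the sids whose matches were dropped, so the rules to switch to alert can be found without guessing. The sample lines, IP addresses and rule names are constructed; the field names are assumed to follow Suricata's EVE alert output.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (not captured from anyone's firewall).
# Field names follow Suricata's EVE alert output: one JSON object per line, the
# matched rule in alert.signature_id and the verdict in alert.action.
# The last line is deliberately truncated to mimic reading a file mid-write.
SAMPLE_EVE = r"""
{"timestamp":"2018-01-20T20:45:31+0200","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"action":"blocked","signature_id":2023818,"rev":2,"signature":"constructed rule A"}}
{"timestamp":"2018-01-20T20:45:32+0200","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.6","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":2020573,"rev":1,"signature":"constructed rule B"}}
{"timestamp":"2018-01-20T20:45:33+0200","event_type":"alert","src_ip":"192.0.2.11","dest_ip":"203.0.113.9","dest_port":53,"proto":"UDP","alert":{"action":"allowed","signature_id":2100498,"rev":7,"signature":"constructed rule C"}}
{"timestamp":"2018-01-20T20:45:34+0200","event_type":"flow","src_ip":"192.0.2.11","dest_ip":"203.0.113.9"}
{"timestamp":"2018-01-20T20:45:35+0200","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"action":"blocked","signature_id":2023818,"rev":2,"signature":"constructed rule A"}}
{"timestamp":"2018-01-20T20:45:36+0200","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"action":"blocked","sig
"""

def blocked_sids(eve_text, src_ip=None):
    """Summarise, per rule sid, the alerts Suricata dropped (optionally for one client)."""
    summary = defaultdict(lambda: {"count": 0, "signature": "", "dest_ips": set()})
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated line, e.g. read while Suricata was still writing it
        # Only alert records name a rule; "drop" records (with drop alerts enabled)
        # carry the same alert object, so accept both and skip flow/dns/etc.
        if rec.get("event_type") not in ("alert", "drop"):
            continue
        alert = rec.get("alert") or {}
        if alert.get("action") != "blocked":
            continue  # an alert that was allowed did not break anything
        if src_ip is not None and rec.get("src_ip") != src_ip:
            continue
        sid = alert.get("signature_id")
        if sid is None:
            continue
        entry = summary[sid]
        entry["count"] += 1
        entry["signature"] = alert.get("signature", "")
        entry["dest_ips"].add(rec.get("dest_ip"))
    return dict(summary)

def top_blocking_sids(eve_text, src_ip=None):
    """Sids to review (switch to alert or disable), most frequently dropping first."""
    summary = blocked_sids(eve_text, src_ip)
    return sorted(summary, key=lambda sid: (-summary[sid]["count"], sid))

if __name__ == "__main__":
    for sid, info in sorted(blocked_sids(SAMPLE_EVE).items()):
        print(sid, info["count"], info["signature"], sorted(info["dest_ips"]))
```

Run it against the real file with `blocked_sids(open("/var/log/suricata/eve.json").read(), src_ip="<client>")` to see which sids are dropping one host's traffic.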