OpenBSD Packages and Ports: Installation and upgrading of packages and ports on OpenBSD.
Suricata stops running
Problem:
Suricata starts and works, but after a few minutes it crashes/stops working. I have tried Suricata on my OpenBSD laptop (OpenBSD 7.1); there it runs for days with no problem and works.

Solutions tried:
a) As in pkg_readme
b) Remove -D
c) Trying the configuration from the laptop on 7.1 on my 7.0 firewall, edited to correct the firewall's em0 interface (same problem)

History: Firekeep (firewall), OpenBSD 7.0

Output from top:
Code:
  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
54322 _suricat  10    0  593M  591M sleep/1   nanoslp   1:01  3.22% suricata

Code:
Firekeep# cat /var/run/rc.d/suricata
daemon_class=daemon
daemon_flags=-i em0
daemon_logger=
daemon_rtable=0
daemon_timeout=30
daemon_user=root
pexp=/usr/local/bin/suricata -D -i em0

Code:
Firekeep# rcctl start suricata
suricata(timeout)
Firekeep# rcctl check suricata
suricata(ok)
Firekeep# top
Firekeep# rcctl check suricata
suricata(failed)
Firekeep#

Code:
cat /var/run/rc.d/suricata
daemon_class=daemon
daemon_flags=-i iwm0
daemon_logger=
daemon_rtable=0
daemon_timeout=30
daemon_user=root
pexp=/usr/local/bin/suricata -D -i iwm0
rc_reload_signal=HUP
rc_stop_signal=TERM

Code:
cat /etc/rc.d/suricata
#!/bin/ksh

daemon="/usr/local/bin/suricata -D"

. /etc/rc.d/rc.subr

rc_pre() {
	/usr/bin/install -d -o _suricata -g _suricata -m 0750 /var/run/suricata
}

rc_cmd $1

Last edited by psypro; 17th April 2022 at 10:43 AM.
I gave up OpenBSD 7.0
Everything worked with OpenBSD 7.1. Just following the instructions from pkg_readme in 7.1 did the trick.
Among the 1000s of IPs that pass through the firewall, Suricata in just a few seconds gave me reason to look into what this is... someone sneaking past my local DNS, or some malware?
Code:
04/17/2022-18:55:03.365699 [**] [1:2028380:2] ET JA3 Hash - Possible Malware - Neutrino [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.0.30:45262 -> 34.247.141.30:443
04/17/2022-18:55:04.085811 [**] [1:2028380:2] ET JA3 Hash - Possible Malware - Neutrino [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.0.30:34750 -> 3.248.141.252:443
04/17/2022-18:55:13.228591 [**] [1:2028380:2] ET JA3 Hash - Possible Malware - Neutrino [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.0.30:45274 -> 34.247.141.30:443
04/17/2022-18:55:16.268874 [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.42:35457 -> 45.57.16.141:443
04/17/2022-18:55:32.558398 [**] [1:2028380:2] ET JA3 Hash - Possible Malware - Neutrino [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.0.30:35356 -> 54.74.94.149:443
For example, here's the first log entry:
Code:
04/17/2022-18:55:03.365699 [**] [1:2028380:2] ET JA3 Hash - Possible Malware - Neutrino [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.0.30:45262 -> 34.247.141.30:443
This is a review YOU must conduct, so that YOU can determine if further research is needed or not for YOUR network. Otherwise, why are you bothering to run IDS software at all? |
Thank you
Yes, it is a learning opportunity and I have learned from your prime analysis. I basically use a finished firewall from the ISP or OPNsense. But during the holidays I tried to put together an OpenBSD firewall. So finally I have got NAT, pf, and now also Suricata. I have tried for several years to get Suricata to run, so I am very, very happy that Suricata runs straight out of the box on the 7.1 snapshots (with a few changes as stated in the pkg readme).
You should notice that I did not classify the record I suggested you examine as "safe" nor did I classify the report as a "false-positive" report. This could certainly be safe traffic, or it could be unsafe traffic.
Anything can be sent to TCP port number 443. Not just HTTPS traffic. Zombie/'bot command-and-control traffic is often masked to have an appearance like ordinary, normal traffic. Your responsibility, as Lord and Master of your own network, is to learn whether or not this report was a false-positive. And, if it was a false-positive, why it was a false-positive and flagged for your review.

Last edited by jggimi; 17th April 2022 at 06:06 PM. Reason: clarity
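The review jggimi describes starts with reading the fast.log lines psypro posted as structured records rather than as text: which rule fired, from which local host, to which remote destinations, and how often. The following is an added example (not code from the thread or from the Suricata project) that parses the fast.log format into fields and groups the alerts per rule and per local source host. The five log lines are the ones quoted above, embedded here as constructed sample input; the local network `192.168.0.0/24` is an assumption taken from the addresses in those lines.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the five fast.log lines quoted in the thread above.
SAMPLE_FAST_LOG = """\
04/17/2022-18:55:03.365699 [**] [1:2028380:2] ET JA3 Hash - Possible Malware - Neutrino [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.0.30:45262 -> 34.247.141.30:443
04/17/2022-18:55:04.085811 [**] [1:2028380:2] ET JA3 Hash - Possible Malware - Neutrino [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.0.30:34750 -> 3.248.141.252:443
04/17/2022-18:55:13.228591 [**] [1:2028380:2] ET JA3 Hash - Possible Malware - Neutrino [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.0.30:45274 -> 34.247.141.30:443
04/17/2022-18:55:16.268874 [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.42:35457 -> 45.57.16.141:443
04/17/2022-18:55:32.558398 [**] [1:2028380:2] ET JA3 Hash - Possible Malware - Neutrino [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.0.30:35356 -> 54.74.94.149:443
"""

# One fast.log line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {proto} src:sport -> dst:dport.  \s+ tolerates the single or
# double spaces that different copies of the log may contain.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one fast.log line into a dict; return None for lines that do not match."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def parse_fast_log(text):
    """Parse every matching line of a fast.log blob, skipping anything unparseable."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def triage(alerts, local_nets=("192.168.0.0/24",)):
    """Group alerts by (sid, msg), then by local host -> sorted list of remote ip:port.

    local_nets is an assumption about which side of each flow is "ours"; the
    remote side keeps its port so repeated contacts to one server stand out.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]

    def is_local(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    summary = {}
    for a in alerts:
        entry = summary.setdefault((a["sid"], a["msg"]),
                                   {"count": 0, "by_source": defaultdict(set)})
        entry["count"] += 1
        if is_local(a["src"]):
            host, remote = a["src"], f'{a["dst"]}:{a["dport"]}'
        else:  # inbound: the local side is the destination
            host, remote = a["dst"], f'{a["src"]}:{a["sport"]}'
        entry["by_source"][host].add(remote)

    # Freeze sets into sorted lists so the result is deterministic and printable.
    for entry in summary.values():
        entry["by_source"] = {h: sorted(r) for h, r in entry["by_source"].items()}
    return summary


if __name__ == "__main__":
    for (sid, msg), entry in triage(parse_fast_log(SAMPLE_FAST_LOG)).items():
        print(f"sid {sid} x{entry['count']}: {msg}")
        for host, remotes in entry["by_source"].items():
            print(f"  {host} -> {', '.join(remotes)}")
```

Run against the posted lines, the grouping shows one local host (192.168.0.30) triggering the JA3 rule four times towards three distinct remote servers, and a separate host producing a single stream-decoder alert. That is the starting point for the check jggimi asks for: the JA3 rule only matches a TLS Client Hello fingerprint, which unrelated programs can share, so the next step is to find which process on 192.168.0.30 opened those connections and whether the destinations are ones it legitimately talks to.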