Installation restoration to a different machine

Got my new PC done for IPFire and wanted to move the old installation to the new PC. I thought it would be the easiest solution to create a backup ISO and install it onto the new machine. Did that and the setup worked fine, but afterwards I still have several troubles:

I did several restarts of the PC with no effect.

1. DHCP + Proxy Server

After I had reassigned the interfaces to their networks there were no error messages anymore, but the services didn’t work. This is what I did to get them working again:

  1. uncheck the checkboxes / deactivate the services in the web UI, then save and restart the service
  2. check the checkboxes / activate the services in the web UI again, then save and restart the service

2. Cache manager

The checkbox was unchecked (earlier it was checked).

3. "Uhrzeit dem lokalen Netzwerk zur Verfügung stellen"

This option was unchecked (earlier it was checked).

4. GeoIP list

The list is empty, but it was configured before.

5. System log option

“latest” is missing (there is just “older” and “newer”, but no “latest” to jump to the last page).

6. Unbound

I’m getting lots of info log entries that I didn’t get before. Here is an extract after the last restart:

```text
10:37:34 unbound: [12891:0] info: service stopped (unbound 1.9.5).
10:37:34 unbound: [12891:0] info: server stats for thread 0: 61 queries, 24 answers from cache, 37 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 unbound: [12891:0] info: server stats for thread 0: requestlist max 1 avg 0.0810811 exceeded 0 jostled 0
10:37:34 unbound: [12891:0] info: average recursion processing time 0.051813 sec
10:37:34 unbound: [12891:0] info: histogram of recursion processing times
10:37:34 unbound: [12891:0] info: [25%]=0.009216 median[50%]=0.0418702 [75%]=0.0835584
10:37:34 unbound: [12891:0] info: lower(secs) upper(secs) recursions
10:37:34 unbound: [12891:0] info: 0.000000 0.000001 9
10:37:34 unbound: [12891:0] info: 0.008192 0.016384 2
10:37:34 unbound: [12891:0] info: 0.016384 0.032768 5
10:37:34 unbound: [12891:0] info: 0.032768 0.065536 9
10:37:34 unbound: [12891:0] info: 0.065536 0.131072 10
10:37:34 unbound: [12891:0] info: 0.131072 0.262144 1
10:37:34 unbound: [12891:0] info: 0.262144 0.524288 1
10:37:34 unbound: [12891:0] info: server stats for thread 1: 46 queries, 13 answers from cache, 33 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 unbound: [12891:0] info: server stats for thread 1: requestlist max 1 avg 0.0909091 exceeded 0 jostled 0
10:37:34 unbound: [12891:0] info: average recursion processing time 1.206269 sec
10:37:34 unbound: [12891:0] info: histogram of recursion processing times
10:37:34 unbound: [12891:0] info: [25%]=0.0239909 median[50%]=0.049152 [75%]=0.106496
10:37:34 unbound: [12891:0] info: lower(secs) upper(secs) recursions
10:37:34 unbound: [12891:0] info: 0.000000 0.000001 4
10:37:34 unbound: [12891:0] info: 0.008192 0.016384 1
10:37:34 unbound: [12891:0] info: 0.016384 0.032768 7
10:37:34 unbound: [12891:0] info: 0.032768 0.065536 9
10:37:34 unbound: [12891:0] info: 0.065536 0.131072 6
10:37:34 unbound: [12891:0] info: 0.131072 0.262144 2
10:37:34 unbound: [12891:0] info: 0.262144 0.524288 1
10:37:34 unbound: [12891:0] info: 4.000000 8.000000 1
10:37:34 unbound: [12891:0] info: 8.000000 16.000000 1
10:37:34 unbound: [12891:0] info: 16.000000 32.000000 1
10:37:34 unbound: [12891:0] info: server stats for thread 2: 36 queries, 20 answers from cache, 16 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 unbound: [12891:0] info: server stats for thread 2: requestlist max 2 avg 0.6875 exceeded 0 jostled 0
10:37:34 unbound: [12891:0] info: average recursion processing time 6.676204 sec
10:37:34 unbound: [12891:0] info: histogram of recursion processing times
10:37:34 unbound: [12891:0] info: [25%]=1e-06 median[50%]=4 [75%]=16
10:37:34 unbound: [12891:0] info: lower(secs) upper(secs) recursions
10:37:34 unbound: [12891:0] info: 0.000000 0.000001 4
10:37:34 unbound: [12891:0] info: 0.065536 0.131072 3
10:37:34 unbound: [12891:0] info: 2.000000 4.000000 1
10:37:34 unbound: [12891:0] info: 4.000000 8.000000 3
10:37:34 unbound: [12891:0] info: 8.000000 16.000000 1
10:37:34 unbound: [12891:0] info: 16.000000 32.000000 4
10:37:34 unbound: [12891:0] info: server stats for thread 3: 26 queries, 15 answers from cache, 11 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 unbound: [12891:0] info: server stats for thread 3: requestlist max 2 avg 0.454545 exceeded 0 jostled 0
10:37:34 unbound: [12891:0] info: average recursion processing time 3.665904 sec
10:37:34 unbound: [12891:0] info: histogram of recursion processing times
10:37:34 unbound: [12891:0] info: [25%]=9.16667e-07 median[50%]=0.0600747 [75%]=0.16384
10:37:34 unbound: [12891:0] info: lower(secs) upper(secs) recursions
10:37:34 unbound: [12891:0] info: 0.000000 0.000001 3
10:37:34 unbound: [12891:0] info: 0.032768 0.065536 3
10:37:34 unbound: [12891:0] info: 0.065536 0.131072 2
10:37:34 unbound: [12891:0] info: 0.131072 0.262144 1
10:37:34 unbound: [12891:0] info: 16.000000 32.000000 2
10:37:34 unbound: [12891:0] info: server stats for thread 4: 25 queries, 16 answers from cache, 9 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 unbound: [12891:0] info: server stats for thread 4: requestlist max 1 avg 0.111111 exceeded 0 jostled 0
10:37:34 unbound: [12891:0] info: average recursion processing time 0.039016 sec
10:37:34 unbound: [12891:0] info: histogram of recursion processing times
10:37:34 unbound: [12891:0] info: [25%]=4.5e-07 median[50%]=9e-07 [75%]=0.057344
10:37:34 unbound: [12891:0] info: lower(secs) upper(secs) recursions
10:37:34 unbound: [12891:0] info: 0.000000 0.000001 5
10:37:34 unbound: [12891:0] info: 0.016384 0.032768 1
10:37:34 unbound: [12891:0] info: 0.032768 0.065536 1
10:37:34 unbound: [12891:0] info: 0.065536 0.131072 1
10:37:34 unbound: [12891:0] info: 0.131072 0.262144 1
10:37:34 unbound: [12891:0] info: server stats for thread 5: 26 queries, 16 answers from cache, 10 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 unbound: [12891:0] info: server stats for thread 5: requestlist max 1 avg 0.1 exceeded 0 jostled 0
10:37:34 unbound: [12891:0] info: average recursion processing time 0.012444 sec
10:37:34 unbound: [12891:0] info: histogram of recursion processing times
10:37:34 unbound: [12891:0] info: [25%]=3.57143e-07 median[50%]=7.14286e-07 [75%]=0.024576
10:37:34 unbound: [12891:0] info: lower(secs) upper(secs) recursions
10:37:34 unbound: [12891:0] info: 0.000000 0.000001 7
10:37:34 unbound: [12891:0] info: 0.016384 0.032768 1
10:37:34 unbound: [12891:0] info: 0.032768 0.065536 2
10:37:34 unbound: [12891:0] info: server stats for thread 6: 23 queries, 20 answers from cache, 3 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 unbound: [12891:0] info: server stats for thread 6: requestlist max 0 avg 0 exceeded 0 jostled 0
10:37:34 unbound: [12891:0] info: average recursion processing time 0.000000 sec
10:37:34 unbound: [12891:0] info: histogram of recursion processing times
10:37:34 unbound: [12891:0] info: [25%]=0 median[50%]=0 [75%]=0
10:37:34 unbound: [12891:0] info: lower(secs) upper(secs) recursions
10:37:34 unbound: [12891:0] info: 0.000000 0.000001 3
10:37:34 unbound: [12891:0] info: server stats for thread 7: 21 queries, 14 answers from cache, 7 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 unbound: [12891:0] info: server stats for thread 7: requestlist max 1 avg 0.142857 exceeded 0 jostled 0
10:37:34 unbound: [12891:0] info: average recursion processing time 0.048243 sec
10:37:34 unbound: [12891:0] info: histogram of recursion processing times
10:37:34 unbound: [12891:0] info: [25%]=5.83333e-07 median[50%]=0.012288 [75%]=0.147456
10:37:34 unbound: [12891:0] info: lower(secs) upper(secs) recursions
10:37:34 unbound: [12891:0] info: 0.000000 0.000001 3
10:37:34 unbound: [12891:0] info: 0.008192 0.016384 1
10:37:34 unbound: [12891:0] info: 0.016384 0.032768 1
10:37:34 unbound: [12891:0] info: 0.131072 0.262144 2
10:37:34 unbound: [12891:0] info: server stats for thread 8: 40 queries, 26 answers from cache, 14 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 unbound: [12891:0] info: server stats for thread 8: requestlist max 0 avg 0 exceeded 0 jostled 0
10:37:34 unbound: [12891:0] info: average recursion processing time 0.019508 sec
10:37:34 unbound: [12891:0] info: histogram of recursion processing times
10:37:34 unbound: [12891:0] info: [25%]=5e-07 median[50%]=1e-06 [75%]=0.03072
10:37:34 unbound: [12891:0] info: lower(secs) upper(secs) recursions
10:37:34 unbound: [12891:0] info: 0.000000 0.000001 7
10:37:34 unbound: [12891:0] info: 0.016384 0.032768 4
10:37:34 unbound: [12891:0] info: 0.032768 0.065536 2
10:37:34 unbound: [12891:0] info: 0.065536 0.131072 1
10:37:34 unbound: [12891:0] info: server stats for thread 9: 24 queries, 14 answers from cache, 10 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 unbound: [12891:0] info: server stats for thread 9: requestlist max 1 avg 0.6 exceeded 0 jostled 0
10:37:34 unbound: [12891:0] info: average recursion processing time 8.511465 sec
10:37:34 unbound: [12891:0] info: histogram of recursion processing times
10:37:34 unbound: [12891:0] info: [25%]=0.012288 median[50%]=0.131072 [75%]=22
10:37:34 unbound: [12891:0] info: lower(secs) upper(secs) recursions
10:37:34 unbound: [12891:0] info: 0.000000 0.000001 2
10:37:34 unbound: [12891:0] info: 0.008192 0.016384 1
10:37:34 unbound: [12891:0] info: 0.065536 0.131072 2
10:37:34 unbound: [12891:0] info: 8.000000 16.000000 1
10:37:34 unbound: [12891:0] info: 16.000000 32.000000 4
10:37:34 unbound: [12891:0] info: server stats for thread 10: 30 queries, 15 answers from cache, 15 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 unbound: [12891:0] info: server stats for thread 10: requestlist max 1 avg 0.266667 exceeded 0 jostled 0
10:37:34 unbound: [12891:0] info: average recursion processing time 5.682560 sec
10:37:34 unbound: [12891:0] info: histogram of recursion processing times
10:37:34 unbound: [12891:0] info: [25%]=7.5e-07 median[50%]=0.057344 [75%]=17
10:37:34 unbound: [12891:0] info: lower(secs) upper(secs) recursions
10:37:34 unbound: [12891:0] info: 0.000000 0.000001 5
10:37:34 unbound: [12891:0] info: 0.016384 0.032768 1
10:37:34 unbound: [12891:0] info: 0.032768 0.065536 2
10:37:34 unbound: [12891:0] info: 0.065536 0.131072 2
10:37:34 unbound: [12891:0] info: 8.000000 16.000000 1
10:37:34 unbound: [12891:0] info: 16.000000 32.000000 4
10:37:34 unbound: [12891:0] info: server stats for thread 11: 33 queries, 18 answers from cache, 15 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 unbound: [12891:0] info: server stats for thread 11: requestlist max 1 avg 0.2 exceeded 0 jostled 0
10:37:34 unbound: [12891:0] info: average recursion processing time 0.562806 sec
10:37:34 unbound: [12891:0] info: histogram of recursion processing times
10:37:34 unbound: [12891:0] info: [25%]=7.5e-07 median[50%]=0.0300373 [75%]=0.147456
10:37:34 unbound: [12891:0] info: lower(secs) upper(secs) recursions
10:37:34 unbound: [12891:0] info: 0.000000 0.000001 5
10:37:34 unbound: [12891:0] info: 0.016384 0.032768 3
10:37:34 unbound: [12891:0] info: 0.032768 0.065536 3
10:37:34 unbound: [12891:0] info: 0.131072 0.262144 2
10:37:34 unbound: [12891:0] info: 1.000000 2.000000 1
10:37:34 unbound: [12891:0] info: 4.000000 8.000000 1
10:38:54 unbound: [2007:0] notice: init module 0: validator
10:38:54 unbound: [2007:0] notice: init module 1: iterator
10:38:54 unbound: [2007:0] info: start of service (unbound 1.9.5).
10:42:51 unbound: [2007:5] info: generate keytag query _ta-4a5c-4f66. NULL IN
```

7. IPS

I haven’t had these error log entries before. Here is an extract after the last restart:

```text
10:42:52 suricata: This is Suricata version 4.1.5 RELEASE
10:42:52 suricata: [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
10:42:52 suricata: all 12 packet processing threads, 2 management threads initialized, engine started.
10:42:52 suricata: rule reload starting
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /var/lib/suricata/community.rules at line 2544
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /var/lib/suricata/community.rules at line 2594
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /var/lib/suricata/community.rules at line 2631
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /var/lib/suricata/community.rules at line 2684
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /var/lib/suricata/community.rules at line 2819
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /var/lib/suricata/community.rules at line 2820
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)" from file /var/lib/suricata/community.rules at line 2835
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /var/lib/suricata/community.rules at line 2911
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:2;)" from file /var/lib/suricata/community.rules at line 2915
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)" from file /var/lib/suricata/community.rules at line 3109
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)" from file /var/lib/suricata/community.rules at line 3110
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)" from file /var/lib/suricata/community.rules at line 3180
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)" from file /var/lib/suricata/community.rules at line 3185
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562;
10:42:52 suricata: [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 2,=,0,1,relative,little,bitmask 0x8000
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,0,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:1; content:"/"; within:len; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:43004; rev:5;)" from file /var/lib/suricata/community.rules at line 3522
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /var/lib/suricata/community.rules at line 3584
10:42:52 suricata: [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 2,=,1,1,relative,little,bitmask 0x8000
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,1,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:2; content:"/"; within:len; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:49090; rev:1;)" from file /var/lib/suricata/community.rules at line 3861
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt"; flow:to_server,established; content:"/vpns/"; fast_pattern:only; content:"NSC_USER:"; http_raw_header; content:"../"; within:10; http_raw_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027; classtype:web-application-attack; sid:52620; rev:1;)" from file /var/lib/suricata/community.rules at line 3927
10:42:54 suricata: rule reload complete
10:42:54 suricata: Signature(s) loaded, Detect thread(s) activated.
```

8. IPTables

Also I’m getting iptables errors on startup for all my custom rules. I can’t find any log for that in the web UI!

9. DNSSEC

“DNSSEC wurde deaktiviert” wasn’t shown before.

10. Setup menu missing strings

All in all much worse than expected :roll_eyes: and it looks like it’s not a good idea to do what I just did.

11. NTPD

Looks like it’s not working anymore as well:

```text
10:43:09 ntpd[3335]: ntpd 4.2.8p13@1.3847-o Sat Dec 14 09:26:31 UTC 2019 (1): Starting
10:43:09 ntpd[3335]: Command line: /usr/bin/ntpd -Ap /var/run/ntpd.pid
10:43:09 ntpd[3337]: proto: precision = 0.261 usec (-22)
10:43:09 ntpd[3337]: basedate set to 2019-12-02
10:43:09 ntpd[3337]: gps base set to 2019-12-08 (week 2083)
10:43:09 ntpd[3337]: Listen and drop on 0 v6wildcard [::]:123
10:43:09 ntpd[3337]: Listen and drop on 1 v4wildcard 0.0.0.0:123
10:43:09 ntpd[3337]: Listen normally on 2 lo 127.0.0.1:123
10:43:09 ntpd[3337]: Listen normally on 3 red0 192.168.0.100:123
10:43:09 ntpd[3337]: Listen normally on 4 blue0 172.25.0.254:123
10:43:09 ntpd[3337]: Listen normally on 5 green0 172.24.0.254:123
10:43:09 ntpd[3337]: Listening on routing socket on fd #22 for interface updates
10:43:09 ntpd[3337]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
10:43:09 ntpd[3337]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
10:48:30 ntpd[3337]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
```
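As an added example (not from the original post, and not IPFire or Suricata code), a small Python parser for the IPS log format quoted under point 7: it pairs each "error parsing signature" entry with the reason Suricata printed on the line before it and lists sid, file and line, so an admin can see exactly which community rules are not loaded after a restart. The sample log lines are constructed, shortened versions of the entries above.

```python
"""Summarise which Suricata rules failed to load from an IPFire IPS log.

Added example, not part of the original forum post and not IPFire or
Suricata code. It reads log lines in the shape shown in the post, pairs
each 'error parsing signature' entry with the reason Suricata printed on
the line before it, and lists sid, file and line of every rule that is
NOT loaded (and therefore not protecting the network) after the restart.
"""
import re
from collections import Counter

# "[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - <message>"
ERRCODE_RE = re.compile(r"\[ERRCODE: (?P<code>[A-Z_]+)\((?P<num>\d+)\)\] - (?P<msg>.*)$")
# Trailing '" from file <path> at line <n>' of a parse-failure message.
FILE_RE = re.compile(r'" from file (?P<file>\S+) at line (?P<line>\d+)$')
SID_RE = re.compile(r"\bsid:(?P<sid>\d+);")
MSG_RE = re.compile(r'msg:"(?P<msg>[^"]*)"')
PARSE_PREFIX = 'error parsing signature "'

# Constructed sample: shortened versions of the entries quoted in the post.
SAMPLE_LOG = [
    "10:42:52 suricata: This is Suricata version 4.1.5 RELEASE",
    "10:42:52 suricata: [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are "
    "enabled but no loggers are active",
    "10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature "
    "combines packet specific matches (like dsize, flags, ttl) with stream / "
    "state matching by matching on app layer proto (like using http_* keywords).",
    '10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing '
    'signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 '
    '(msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; '
    'flow:to_server,established; dsize:267<>276; sid:25675; rev:7;)" '
    "from file /var/lib/suricata/community.rules at line 2544",
    "10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous "
    "keyword has a fast_pattern:only; set. Can't have relative keywords around "
    "a fast_pattern only content",
    '10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing '
    'signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response '
    '- potential malware download"; flow:to_client,established; sid:26470; '
    'rev:2;)" from file /var/lib/suricata/community.rules at line 2594',
    "10:42:52 suricata: [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, "
    "string 2,=,0,1,relative,little,bitmask 0x8000",
    '10:42:52 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing '
    'signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba '
    'is_known_pipe arbitrary module load code execution attempt"; '
    'flow:to_server,established; reference:cve,2017-7494; sid:43004; rev:5;)" '
    "from file /var/lib/suricata/community.rules at line 3522",
    "10:42:54 suricata: rule reload complete",
]


def parse_ips_log(lines):
    """Return one dict per rule Suricata refused to load.

    Suricata logs the reason first and the "error parsing signature" line
    second, so the most recent SC_ERR_* reason is attached to the next
    parse failure. Warnings (SC_WARN_*) are not treated as reasons.
    """
    failures = []
    pending_reason = None
    for raw in lines:
        m = ERRCODE_RE.search(raw)
        if not m:
            continue  # version banner, "rule reload complete", etc.
        code, msg = m.group("code"), m.group("msg")
        if not msg.startswith(PARSE_PREFIX):
            if code.startswith("SC_ERR_"):
                pending_reason = msg.strip()
            continue
        rule = msg[len(PARSE_PREFIX):]
        loc = FILE_RE.search(rule)
        if loc:
            rule = rule[:loc.start()]  # drop the '" from file ...' suffix
        sid = SID_RE.search(rule)
        name = MSG_RE.search(rule)
        failures.append({
            "sid": int(sid.group("sid")) if sid else None,
            "msg": name.group("msg") if name else "",
            "file": loc.group("file") if loc else None,
            "line": int(loc.group("line")) if loc else None,
            "reason": pending_reason,
        })
        pending_reason = None
    return failures


def reasons_histogram(failures):
    """Count how many rules failed for each reason (None = no reason seen)."""
    return Counter(f["reason"] for f in failures)


if __name__ == "__main__":
    found = parse_ips_log(SAMPLE_LOG)
    for f in found:
        print(f"sid {f['sid']} ({f['msg']}) at {f['file']}:{f['line']}")
        print(f"    reason: {f['reason']}")
    for reason, n in reasons_histogram(found).items():
        print(f"{n} x {reason}")
```

Feed it the real log (for example the IPS log extract copied from the web UI) instead of SAMPLE_LOG to get the full list of sids that the running Suricata 4.1.5 silently skipped.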

Hi Terry,

that sounds bad… :slightly_frowning_face:
Just to clarify, have you also created a backup of your config files, with or without log files?

Not yet, but I still have the original SSD untouched. But the PC configuration of that installation is already gone, so I can only boot the original SSD from another PC.

Okay, that’s quite good :smile:

If I understand it correctly, have you changed some pieces of hardware or the entire system?
Are you planning to move completely to another system, or is it just for a while until you have the hardware?

It’s a totally new PC. The old PC has been disassembled so that I can sell the components. I didn’t want to use the old SSD anymore since I have an unused small Crucial M4 32GB mSATA. I also could just copy the SSD because the old one is larger (40GB).

Okay, these are the results which I figured out from the Backup wiki page.

First of all, that’s possibly a cause of the errors. Can you verify the password and IP option?

And the second one: I’m not completely sure, but I think that’s exactly the cause of the errors:


If I understand it right, the ISO backup option was designed for the case that a single hardware failure is present and not for replacing the entire system. I don’t know exactly, but I can imagine that drivers and other stuff are present in the ISO file and it tries to load them but cannot find them. Do you have a different network card manufacturer etc…? This option is not clearly explained for me; it is the sentence "…in order to install the complete system again including your settings…" that confuses me.
In other words: in my opinion the only clean solution to this problem is to mount the ISO, grab the config files, make a fresh new installation of the system and at the last step import the backup again.


Oops, but I did that :sweat_smile:.

That’s actually the case. It still tried to load some Realtek NIC stuff that’s not there anymore (no Realtek NIC present).

Yep, I will do that tomorrow and try it again. Looks like I was too reckless and thought it makes no difference to install a full backup installation instead of doing a fresh install and restoring the backup.

I just inserted the original SSD and also see the iptables error messages at boot :roll_eyes:

I did a clean install and restored my configuration manually by just using the web UI. The errors still exist, so it’s not related to the backup.