So I was connected via SSH looking at suricata rules when I noticed the wui and web proxy stopped responding. I rebooted and later restarted the firewall to no avail.
After restarting I can still ssh into the firewall. Browsing via proxy is not possible, the wui is not reachable. Browsing without proxy works.
Anything I can do?
Edit: So basically the firewall seems to work, dhcp works, browsing works. Browsing via the proxy does not work.
I’m glad I enabled ssh in the wui before it stopped.
The WUI doesn’t load however and I have no clue what to test or do next.
There are lots of these messages in the log. Don’t know if that has anything to do with this.
ipfireAppliance suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘file.elf’ is checked but not set. Checked in 26531 and 39 other sigs
And there are messages like this:
suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can’t have relative keywords around a fast_pattern only content
Mar 17 22:16:40 ipfireAppliance suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature “drop tcp $EXTERNAL_NET $HTTP_PORTS → $HOME_NET any (msg:“MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download”; flow:to_client,established; content:”-2013.zip|0D 0A|“; fast_pattern:only; content:”-2013.zip|0D 0A|“; http_header; content:”-“; within:1; distance:-14; http_header; file_data; content:”-2013.exe"; content:“-”; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,VirusTotal; classtype:trojan-activity; sid:26470; rev:2;)" from file /var/lib/suricata/subscripted-malware-other.rules at line 2943
I cannot find errors that point to not starting WUI or proxy or failures with them.
But then, I don’t know exactly what to look for.
Thanks for the reply.
Just removed the interfaces and assigned them again. Network restarted, got no errors afaik. Didn’t help, still no WUI.
I think it is best if I re-install and restore a backup.
I have a (fairly new) mini appliance. I downloaded the latest stable and “dd-ed” that to a USB-stick. Can I just insert that USB in one of the ports and then restart to trigger a fresh install?
(Got it pre-installed, so never had to do this before).
Yes, that’s the way to go. I wonder what happened. Before doing that, make sure you have the backup. Also make sure the firmware boots from the USB first.
Keep the same name. The easiest way to get them out is to plug in an external usb key (it should be mounted automatically under the /media/usbkey directory) and copy those files using the cp command. Something like:
Not too late. The firewall is booting now. Will check
The usb-stick doesn’t mount automatically. But it doesn’t matter, the files in /var/ipfire/backup are the same I had on my laptop. (I made a backup when the WUI was still working.)
When the setup for the new install started I got a very distorted screen, but I managed to make the right choice. Then I got a complaint about a videomode and the process stopped. Later I could choose video mode “0” but got a blank screen as well. I am using a very old laptop for this (x60) and I think I have to try with my other one.
[root@ipfireAppliance httpd]# cat error_log
[Sun Mar 12 00:01:00.964192 2023] [mpm_event:notice] [pid 6702:tid 133193506959552] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1t configured -- resuming normal operations
[Sun Mar 12 00:01:00.964436 2023] [core:notice] [pid 6702:tid 133193506959552] AH00094: Command line: '/usr/sbin/httpd'
given is experimental at /srv/web/ipfire/cgi-bin/services.cgi line 145.
when is experimental at /srv/web/ipfire/cgi-bin/services.cgi line 146.
given is experimental at /srv/web/ipfire/cgi-bin/services.cgi line 145.
when is experimental at /srv/web/ipfire/cgi-bin/services.cgi line 146.
Invalid header block at offset unknown at /var/ipfire/ids-functions.pl line 550.
and then a lot of " Invalid header" lines.
Then
27012; rev:459; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Threatvi: checksum error at /var/ipfire/ids-functions.pl line 550.
Invalid header block at offset unknown at /var/ipfire/ids-functions.pl line 550.
And again " Invalid header" lines.
then:
27012; rev:459; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Threatvi: checksum error at /var/ipfire/ids-functions.pl line 550.
[Fri Mar 17 21:54:53.695434 2023] [mpm_event:notice] [pid 6702:tid 133193506959552] AH00491: caught SIGTERM, shutting down
[Fri Mar 17 21:58:43.710841 2023] [mpm_event:notice] [pid 6750:tid 128086071464128] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1t configured -- resuming normal operations
[Fri Mar 17 21:58:43.712101 2023] [core:notice] [pid 6750:tid 128086071464128] AH00094: Command line: '/usr/sbin/httpd'
given is experimental at /srv/web/ipfire/cgi-bin/services.cgi line 145.
when is experimental at /srv/web/ipfire/cgi-bin/services.cgi line 146.
[Fri Mar 17 22:17:00.760583 2023] [mpm_event:notice] [pid 6738:tid 130057702023360] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1t configured -- resuming normal operations
[Fri Mar 17 22:17:00.762084 2023] [core:notice] [pid 6738:tid 130057702023360] AH00094: Command line: '/usr/sbin/httpd'
[Sat Mar 18 14:31:25.725858 2023] [mpm_event:notice] [pid 6740:tid 132741370392768] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1t configured -- resuming normal operations
[Sat Mar 18 14:31:25.727479 2023] [core:notice] [pid 6740:tid 132741370392768] AH00094: Command line: '/usr/sbin/httpd'
[Sat Mar 18 16:01:23.425898 2023] [cgid:error] [pid 6740:tid 132741370392768] AH01239: cgid daemon process died, restarting
[Sat Mar 18 16:01:23.647523 2023] [mpm_event:notice] [pid 6740:tid 132741370392768] AH00491: caught SIGTERM, shutting down
[Sat Mar 18 16:14:04.702288 2023] [mpm_event:notice] [pid 6681:tid 134089352024256] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1t configured -- resuming normal operations
[Sat Mar 18 16:14:04.703976 2023] [core:notice] [pid 6681:tid 134089352024256] AH00094: Command line: '/usr/sbin/httpd'
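As an added illustration (not part of the thread, and not IPFire's own code): a small Python parser for the Apache error_log format quoted above. It turns the AH00489/AH00491 notices into a restart timeline, flags a "resuming normal operations" that has no preceding "caught SIGTERM" (an unlogged stop, the kind of gap described in this thread), and skips the CGI stderr noise such as the "given is experimental" lines. The sample lines are constructed in the same format as the log above.

```python
import re
from datetime import datetime

# Constructed sample in the same format as the httpd error_log quoted in the thread
SAMPLE_LOG = """\
[Fri Mar 17 21:54:53.695434 2023] [mpm_event:notice] [pid 6702:tid 133193506959552] AH00491: caught SIGTERM, shutting down
[Fri Mar 17 21:58:43.710841 2023] [mpm_event:notice] [pid 6750:tid 128086071464128] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1t configured -- resuming normal operations
[Fri Mar 17 22:17:00.760583 2023] [mpm_event:notice] [pid 6738:tid 130057702023360] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1t configured -- resuming normal operations
[Sat Mar 18 16:01:23.425898 2023] [cgid:error] [pid 6740:tid 132741370392768] AH01239: cgid daemon process died, restarting
[Sat Mar 18 16:01:23.647523 2023] [mpm_event:notice] [pid 6740:tid 132741370392768] AH00491: caught SIGTERM, shutting down
given is experimental at /srv/web/ipfire/cgi-bin/services.cgi line 145.
"""

# [Day Mon DD HH:MM:SS.usec YYYY] [module:level] [pid N:tid N] AHnnnnn: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\.\d+ (?P<year>\d{4})\] "
    r"\[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] \[pid (?P<pid>\d+):tid \d+\] "
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # CGI stderr output (no timestamp header) is not an httpd event
    ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "level": m["level"], "pid": int(m["pid"]), "code": m["code"], "msg": m["msg"]}

def httpd_timeline(text):
    """Return (timestamp, finding) tuples: measured downtime between a logged
    SIGTERM and the next resume, resumes with no logged shutdown, and error-level lines."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    findings, last_stop, running = [], None, False
    for e in events:
        if e["code"] == "AH00491":            # clean shutdown was logged
            last_stop, running = e, False
        elif e["code"] == "AH00489":          # new httpd process came up
            if running:                       # previous process never logged a stop
                findings.append((e["ts"], "resume without prior shutdown (unlogged stop, pid %d)" % e["pid"]))
            elif last_stop:
                gap = (e["ts"] - last_stop["ts"]).total_seconds()
                findings.append((e["ts"], "restart after %.0fs downtime" % gap))
            running = True
        elif e["level"] == "error":
            findings.append((e["ts"], "%s %s" % (e["code"], e["msg"])))
    return findings
```

On a live box run it over /var/log/httpd/error_log; an "unlogged stop" finding next to a restart is a pointer to the time window to search in the system log and messages.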
Wait, I thought you had a mini appliance from lightning wire lab (basically an apu2 machine)? If that’s the case you need to connect to the machine with a null modem cable and use a serial emulator program. Is this what you are doing?
Ah, that’s exactly the screen I get.
I did choose to install, will try console options next. Might be a bit later this evening, duty calls. Will try to install asap.
The logfiles don’t give much info afaik. They both have a gap in time and seem not to have logged the event.
Anyway, will try to do a fresh install and report back.
You have been a life-saver so far, thank you very much!