Opnsense reporting only "Unknown Behavior" in console Remediation Metrics
I'm trying to understand why my cs-firewall bouncer on my opnsense is not reporting correctly to the console. When I look at the detail of "Unknown Behavior" I can see "Attacker's intent cannot be detected with your remediation component (bouncer) configuration." but I've found pretty much nothing in the docs regarding this kind of problem. I see a lot of prevented attacks but it looks like the classification or category data of why it's been blocked doesn't work. Does someone have any idea where I should look? My bouncer config looks good as far as I can tell.
Thanks!
19 Replies
I will check with the team, but the fix was in the latest binaries of CrowdSec and the firewall remediation; the issue is we are waiting for opnsense to update their packages
Awesome, thanks for the quick reply, I thought it was a config on my side!
Does anyone know how often opnsense updates their plugins?
monthly afaik
@Willpower Just got an update on opnsense, cannot try it right now because a reboot is required. Maybe this version will fix the unknown behavior in the console! https://github.com/opnsense/plugins/commit/90c0b228b892cb4b3628c087281ca5fadc5e5fc0
I saw this yesterday and it didn’t fix it :/
Damn, @iiamloz do you have any suggestion on what I can check to see where this is coming from? Is it a widespread problem or do only specific users have it?
I saw there was another crowdsec plugin update but it didn’t seem to resolve it either :/
what about for you @Arsenick ?
So the firewall remediation that everyone had was causing malformed metrics, the update should have resolved this version
0.31
or higher
can you check the package version is at least this?
os-crowdsec is 1.0.10
crowdsec-firewall-bouncer is 0.0.32_2
crowdsec is 1.6.8_2
And what exactly are you seeing and where?
Discord notifications are correct and showing the correct data. When viewing alerts on the site they show the correct scenario, but the Remediation Metrics on the website all show unknown behavior when looking at the graph at app.crowdsec.net/remediation-metrics. This seems to happen for any detections that happen on the opnsense firewall. For detections that happen on the nginx bouncer, those show the correct attack type in the remediation metrics tab
ahh okay, most likely it's because of PF and I don't think there were many options to get this data from it, I can ping the team but I missed this in the first response
Gotcha. Thanks for looking into it! It’s also worth noting I’m not running the lapi on opnsense. Lapi is running on a different machine on docker
yeah it wouldn't matter about the LAPI, it's simply that the remediation can't really interact with PF to get those data points.

I'm updating it right miaw, should be able to confirm soon
I still have only "Unknown Behavior" reported in the console but I got a lot more prevented attacks shown there since the update so I guess it fixed something 😛

FYI still only have unknown behavior reported, @Loz if I understand correctly, this is a limitation of pf and won't be fixed ?