• pfSense Suricata Crashes on Malformed Block List Entry

    0 Votes
    19 Posts
    3k Views
    bmeeks

    @bitslammer said in pfSense Suricata Crashes on Malformed Block List Entry:

    @bmeeks I'm guessing the rules that I enabled have grown over time so I'll try to trim them. Oddly this doesn't happen every time, which you'd kind of expect. It's a Netgate 3100 so it looks like I need to look at some other options since this isn't upgradeable. Thanks for the quick reply and happy holidays.

    Several memory parameters have new increased minimums in Suricata 7.x. You are probably seeing the impact of those on the SG-3100. Same issue exists for SG-1100 users, too. 4GB is the new minimum, and even that might get cramped with lots of rules (more than 15,000).

    If I were spec'ing a box today for someone who wanted to run IDS/IPS (and most folks want to run pfBlockerNG with DNSBL, too), then I would set 8 GB as a new minimum RAM requirement. The new default ZFS install will also chew up much more RAM than the old UFS setup.

    Edit: also looking once again at your log snippet post, I see it seemed to be updating the rules as I see a "rule reload" message. RAM usage will increase during rule swaps, especially if "live rule swap" is enabled.

  • Telegraf Plugin - Suricata - Influxdb2

    0 Votes
    1 Posts
    192 Views
    No one has replied
  • Suricata Inline on LAGG interface

    0 Votes
    4 Posts
    1k Views

    @gwaitsi I don’t think we ever tried it. Our LAGG was to abstract the interfaces to facilitate HA replacement but that’s no longer a thing…HA can have different hardware now. So no more LAGG.

    When we tried inline many years ago we found it broke Remote Desktop over time, no idea why. At the time one NIC was Realtek which isn’t ideal. But, haven’t been in a situation to experiment much again.

  • Is it possible to limit scanning on the WAN interface to a single port?

    0 Votes
    3 Posts
    363 Views

    @SteveITS

    re: scanning on both interfaces...

    Well, I suppose if I can limit it then the firewall on the Windows box that it's port-forwarding to would take care of it, but in a perfect world I would prefer to have Suricata scanning the one port on my WAN that I have open.

    I've thought about putting that box on its own VLAN; I believe I can do that. I'm just not advanced/savvy enough to where I can whittle it all down to what's needed and what isn't.

  • 0 Votes
    1 Posts
    165 Views
    No one has replied
  • Snort intermittent Crash and snort Daemon stopped.

    0 Votes
    6 Posts
    884 Views
    bmeeks

    @feins said in Snort intermittent Crash and snort Daemon stopped.:

    @bmeeks

    I never create any rules myself; all the rules are from the Snort LAN categories.
    The only thing I did was disable the rules from alerts that caused my application to be blocked.

    Here is the rule from the syntax 12558.

    alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.is-a-teacher .com Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|is-a-teacher|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,help.dyn.com/list-of-dyn-dns-pro-remote-access-domain-names/; classtype:bad-unknown; sid:2042426; rev:2; metadata:attack_target Client_and_Server, created_at 2022_12_08, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_12_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1568, mitre_technique_name Dynamic_Resolution;)

    I'm working on a Suricata issue at the moment, so give me a little time to reconfigure my test VM for Snort and I will test this rule. It appears to be coming from the ET-INFO category. Looking over it, I don't see any problem with the syntax.

  • 0 Votes
    5 Posts
    1k Views
    DaddyGo

    @bmeeks said in Starting suricata, failing netmap, on "oversized" HW (multiple processors/cores + RAM):

    I suspect a reboot will be required

    Yeah I thought so too, since it's still just in test mode, it's often restarted without consequence...

  • Emerging Threats Open rules file download failed. Bad MD5 checksum.

    0 Votes
    8 Posts
    2k Views

    @bmeeks
    Thanks! I had a 100M /tmp tmpfs and ran exactly into this issue.
    After increasing /tmp to 400M it worked!

  • Alert rule triggering Drop rule?

    0 Votes
    40 Posts
    8k Views

    Here we go again, with three different IPs all showing up as Alerts in the Alerts tab (as they should):

    [screenshot of the Alerts tab]

    But also showing up in the Blocked IPs tab (which they shouldn't):

    [screenshot of the Blocked IPs tab]

  • Since upgrade to PFS 2.7.2 i can not stop Snort interface anymore.

    0 Votes
    2 Posts
    261 Views

    After a halt of the router for a few minutes and a restart, Snort interface enable/disable seems to work again.
    A reboot earlier did not help to fix the problem.
    A poweroff for a few minutes did.

  • Suricata 7.0.0 being killed by kernel in 23.09.

    0 Votes
    11 Posts
    2k Views

    @Maltz hmmm, I will try that and monitor.

  • LAN and VLAN

    0 Votes
    5 Posts
    674 Views

    @bmeeks
    I see that there is an update out now. I just installed it a few minutes ago. I will update if I run into that same issue again.

  • Large 1.7 G "snort.core"

    0 Votes
    2 Posts
    379 Views
    bmeeks

    Yes, that snort.core file can safely be deleted. That is a memory dump produced by a crash (looks like back on December 7th).

  • Snort / PfBlocker-NG vs Subscription to Talos

    0 Votes
    3 Posts
    469 Views

    @michmoor

    Thank you for the reply. So now I need to experiment with the rule-sets to see why my pfSense box does not block the same sites as the Z4...

  • Suricata 7 cannot detect app-layer traffic in Inline mode

    0 Votes
    1 Posts
    264 Views
    No one has replied
  • SID Mgmt change drop to block (white listing instead of blacklisting)

    0 Votes
    7 Posts
    976 Views

    @bmeeks said in SID Mgmt change drop to block (white listing instead of blacklisting):

    Yes, it's a bit of typing or copy-paste, but that's part of the drudgery of what an IDS/IPS admin does. Once done, it's done.

    And that's what I ended up doing, listing all the 50+ ET rules lists, except the three I wanted to keep as Alert only. Which, in order to keep track of what I did, I commented out and kept in the file.

    But once done, it's done isn't really true is it? Things change, and you constantly need to adjust, typically by disabling or suppressing rules that are false positives. Mostly individual rules, but it could possibly be an entire list.

    I think all changes I have ended up making are in the direction from Drop to Alert. Not the other way around... Starting out from some reasonable level based on e.g. Snort Policy (where I use Balanced) and some ideas about what other rules lists to disable or keep as Alert.

    And this is part of what is so good with the lists, also the suppress list, in that they are so simple to read, and can easily be copied over to other tools like excel. They give you a good overview of what it is you have done.

    And then we have the usability aspect, and being practical or efficient. It's either:
    emerging-3coresec.rules
    emerging-activex.rules
    emerging-adware_pup.rules
    ... and so on for each list ...

    Or simply writing:
    emerging

    And then all the emerging threats rules are affected, and changed to Drop for example.

    Then the next simple step would be to have a few of them reverted back to Alert, by creating a list for that, as suggested.

  • Failed to block Proxies/VPN app :(

    0 Votes
    3 Posts
    361 Views

    Remember, blocking applications at the network level might have unintended consequences, and false positives are possible. Make sure to thoroughly test and monitor your network after implementing these rules. Additionally, keep in mind that determined users can find ways to bypass such restrictions. Consider implementing a comprehensive security strategy that includes education, user policies, and other layers of security to address different aspects of network security.

  • Suricata interfaces halting in legacy mode

    0 Votes
    6 Posts
    914 Views
    bmeeks

    @ajohnson353 said in Suricata interfaces halting in legacy mode:

    Hello! I am also seeing Suricata crash after updating to CE 2.7.1. Last error before the crash is "[167966 - W#06] 2023-11-29 22:44:22 Error: spm-hs: Hyperscan returned fatal error -1." Restarting only brings it back for a few minutes.

    That issue is being discussed in this thread: https://forum.netgate.com/topic/184101/suricata-process-dying-due-to-hyperscan-problem. Please post comments or questions over there to keep the discussion in a single thread.

  • Disabling snort after a few minutes version 4.1.6_13

    0 Votes
    20 Posts
    2k Views
    JonathanLee

    @bmeeks Thanks for sharing.

    I worked in IT for 15 combined years, even held some government clearances at one time at DOJ, SSA, and TNET. The amount of 16 hour shifts I did early on in my life limited many core social friendships. I quit once the company I worked for would not give me a regular schedule when my kid started Kindergarten. I just assumed I would get one after the many years. So I put my three weeks in. It was sad after 13 years there and many 16s, even 10 years without a holiday, the last thing I was told by the new manager... get Jon the @#@# out of here, take him home. No goodbyes, no card, after they even deleted half a week off my last check. Very toxic work environment. I went back to school even in my old age; I was able to share and spread knowledge with a younger generation. All the scary situations I was in, it was just sad.

    Anyway looking forward I can't wait to learn C soon.

  • Snort 3.1.75.0 is available to download now.

    0 Votes
    6 Posts
    977 Views
    JonathanLee

    @michmoor I bet Bill will do it once he wants a good puzzle. Maybe if we donate $50.00...

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.