Suricata won't stay on

Danshi

I've been running suricata on pfsense for over a year now. I recently updated suricata and it doesn't stay on.

To troubleshoot, I've:

• Increased the memory in every category at least double or quad in some cases under Flow/Stream
• Uninstalled and reinstalled Suricata (starts for a sec then stops after)
• Enabled JA3 fingerprint option (unrelated error I was getting and this solved that)
• Have rm /var/run/suricata_re0.XXXXXX.pid several times (it starts for a sec then stops after)

The last few lines of error I'm getting out of the suricata.log are:

27/9/2021 -- 22:06:12 - <Info> -- Using 2 live device(s).
27/9/2021 -- 22:06:12 - <Notice> -- re0.77 -- using 1 netmap ring pair
27/9/2021 -- 22:06:12 - <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:re0.77/R failed: Invalid argument

Have posted on Reddit here as others are having the same or similar issues as well: https://www.reddit.com/r/PFSENSE/comments/ps9jqx/comment/hdtfnuc/?utm_source=share&utm_medium=web2x&context=3

Trying to avoid the complete reinstall of pfsense w/ loading config file. I've seen several people do this on other forums to no avail.

SteveITS

What version of pfSense?
What hardware?
Is there anything in the system log when it crashes?
re0 is Realtek... I've seen many a post here over the years complaining about Realtek drivers in FreeBSD.

Danshi

@steveits Another option is to revert to the last version of Suricata but I haven't found a way to do that.

2.5.2-RELEASE (amd64)
FreeBSD 12.2-STABLE

suricata 6.0.3_2

CPU: Intel(R) Core(TM) i3-4170 CPU @ 3.70GHz (3691.53-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
cpu0: <ACPI CPU> on acpi0

Sep 27 22:05:38 SuricataStartup 60817 Suricata START for 77(34185_re0.77)...
Sep 27 22:06:12 kernel 372.086030 [1130] generic_netmap_attach Emulated adapter for re0.77 created (prev was NULL)
Sep 27 22:06:12 kernel 372.086044 [1035] generic_netmap_dtor Emulated netmap adapter for re0.77 destroyed
Sep 27 22:06:12 kernel 372.086060 [1130] generic_netmap_attach Emulated adapter for re0.77 created (prev was NULL)
Sep 27 22:06:12 kernel 372.086068 [1035] generic_netmap_dtor Emulated netmap adapter for re0.77 destroyed
Sep 27 22:06:12 kernel 372.086078 [1130] generic_netmap_attach Emulated adapter for re0.77 created (prev was NULL)
Sep 27 22:06:12 kernel 372.086086 [1035] generic_netmap_dtor Emulated netmap adapter for re0.77 destroyed
Sep 27 23:00:00 php 34946 [pfBlockerNG] Starting cron process.
Sep 27 23:00:00 php 34946 [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
Sep 28 00:00:00 php 78512 [pfBlockerNG] Starting cron process.
Sep 28 00:00:00 php 78512 [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
Sep 28 00:29:05 SuricataStartup 61447 Suricata START for 77(34185_re0.77)...

Cool_Corona

@danshi Inline or Legacy mode??

Danshi

@cool_corona In line for over a year. Never have done legacy.

bmeeks

The new multi-ring host stack code looks like it is trying to open more than one ring for the netmap pipe using the VLAN ID in the interface name. That's not going to work as that is not a valid netmap device name. You will need to switch to Legacy Mode Blocking for now, or else go to the INTERFACE SETTINGS tab and down in the section where you configure the blocking mode set the Threads parameter to 1 and save the change. Report back here how that works for you.

I'll have to think about how to handle this in the GUI code. Netmap Inline IPS Mode does not really use VLANs anyway because the IDs are not passed by netmap. Will probably either make use of VLANs unsupported in Inline IPS Mode, or else modify the Suricata instance to run on the parent interface only (which is what it actually does anyway, with VLAN interfaces).

Danshi

@bmeeks Putting the thread count to 1 did not work. However, placing it in legacy mode fixed it, however.

I suppose I will just keep trying to re-place it back into in-line mode when new updates come out for suricata and/or pfsense.

Thank you for your help!

bmeeks

@danshi said in Suricata won't stay on:

@bmeeks Putting the thread count to 1 did not work. However, placing it in legacy mode fixed it, however.

I suppose I will just keep trying to re-place it back into in-line mode when new updates come out for suricata and/or pfsense.

Thank you for your help!

I've submitted an update for the GUI package, but it may be a few days (or even more) before it gets merged. I suspect the Netgate team is busy these days readying the pfSense+ 21.09 release.

The fix will automatically run VLAN Suricata interfaces on the VLAN's parent interface.

Danshi

@bmeeks I updated to Suricata 6.0.3_3 and it allowed me to swap back to in-line mode.

bmeeks

@danshi said in Suricata won't stay on:

@bmeeks I updated to Suricata 6.0.3_3 and it allowed me to swap back to in-line mode.

Good deal! Thanks for the feedback. I changed the code so that for VLANs it runs the Suricata instance on the parent interface. That means, though, there is no reason to run a Suricata instance on every VLAN. Run it on just one, and because it will actually monitor the parent, it will see all traffic on the interface (including all of the defined VLANs).

Danshi

@bmeeks I sounded the all clear too early. Pfsense still kept crashing afterwards with in-line mode (took a restart to realize). Swapped both VLANs to legacy again.

I do not understand what you mean about Suricata running on one VLAN. But here is what I'm doing:

I have 4 VLANs, I'm running Suricata on 2 VLANs. So:

• WAN: Nothing
• LAN: Nothing
• VLAN1: Surciata legacy mode
• VLAN2: Suricata legacy mode
• VLAN3: Nothing
• VLAN4: Nothing

bmeeks

@danshi said in Suricata won't stay on:

@bmeeks I sounded the all clear too early. Pfsense still kept crashing afterwards with in-line mode (took a restart to realize). Swapped both VLANs to legacy again.

I do not understand what you mean about Suricata running on one VLAN. But here is what I'm doing:

I have 4 VLANs, I'm running Suricata on 2 VLANs. So:

• WAN: Nothing
• LAN: Nothing
• VLAN1: Surciata legacy mode
• VLAN2: Suricata legacy mode
• VLAN3: Nothing
• VLAN4: Nothing

Don't run Suricata on the VLANs at all. Run it on the parent interface. So what interface are those VLANs defined on? If it's the LAN physical interface, then that's the interface you want to run Suricata on. If OPT1, then run it on OPT1.

Danshi

@bmeeks That suggestion won't work with my use case. Two of those VLANs are my work and IoT VLANs and block and generate too many alerts. I ran into issues not be able to do my job fully as I work from home; I moved it to just my VLANS with my personal devices on it. Therefore I can't run it on the parent.

It has worked before for over a year, something changed with an update for pfsense or suricata as I have not changed any hardware or drivers.

Danshi

@bmeeks Forgot to mention that even having it enabled on 1 VLAN currently with inline mode is causing it to crash. Have to do legacy even with just 1 enabled.

SteveITS

@danshi said in Suricata won't stay on:

I moved it to just my VLANS with my personal devices on it. Therefore I can't run it on the parent

You missed that "[He] changed the code so that for VLANs it runs the Suricata instance on the parent interface."

Run it once on the parent (instead of twice), and add the subnets you don't want scanned to a Pass List. (and assign the pass list to Suricata on the parent, and restart Suricata).

Danshi

@steveits @bmeeks

Okay, didn't know I could do a pass list. Just taught myself via clicking around how to set up an alias, and add those CIDR IP address ranges from those two VLANs I want skipped to suricata.

Thanks so much!