suricata (core dumped) after GeoLite2-Country database update
-
@Euman said in suricata (core dumped) after GeoLite2-Country database update:
Oct 13 06:03:38 server suricata[53718]: [100258] <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_ix351141.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_ix351141.pid. Aborting!
And the line above is what happens when the Suricata binary crashes. It will leave a stale PID file in /var/run/, and the presence of that stale file will prevent Suricata from starting again on that interface until the PID file is deleted. Stop all Suricata interfaces, then check the /var/run/ subdirectory for any Suricata PID files (they will have "suricata" in the filename). Delete all such files and then try starting Suricata again from the GUI tab.
-
Suricata seems broken; RAM tests are inconclusive, or show no issues.
Furthermore, I specifically turned off "auto update" for Suricata some time ago, but at 6am every few days it's updating on its own.
Going further, if the (PID) file is telling the system there is an instance running and there isn't, then shouldn't that be checked?
I have read that many people with various equipment/hardware have had this issue with Suricata and updates to that. They have moved over to Snort because of it. I'd rather not move to Snort, so I'll look into a script that fires at 6:04 to restart the Suricata service. I appreciate your input @bmeeks, thank you!
-
-
@Euman said in suricata (core dumped) after GeoLite2-Country database update:
Furthermore, I specifically turned off "auto update" for Suricata some time ago, but at 6am every few days it's updating on its own.
If it is still auto-updating and you disabled that feature, then possibly you have a second "zombie" Suricata process still running on your system. Those types of zombie processes will not respond to anything you do in the GUI.
To see if that is the case, run the following command from a direct shell prompt on the firewall (obtained either directly on the console or via an SSH connection -- do NOT run the command from the DIAGNOSTICS menu in the GUI):
ps -aux | grep suricata
You should see exactly one running process for each Suricata instance you have configured (that is, one instance per configured Suricata interface). If you see any duplicates, that is going to be your issue. Easiest thing to do at that point is stop all Suricata processes using the GUI icons on the Suricata INTERFACES tab.
Return to your shell session and run the command above once more. Note the PID of any remaining Suricata processes, then run this command to kill them:
kill -9 <pid>
Return to the GUI and start your Suricata interfaces again. See if things behave.
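The duplicate-process and stale-PID-file checks described in the post above, as an added example that is not from the thread or from the pfSense package. It works on text so it runs offline against the constructed `ps -aux` sample below; the pfSense command-line layout assumed in that sample (`-i <iface>` and `--pidfile /var/run/suricata_<iface><id>.pid`) and the extra `em1` PID file are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense package): audit Suricata
# process state the way the post above does by hand. One process per
# configured interface is expected; a second one on the same interface is the
# "zombie" case, and a PID file whose PID is not running is the stale-PID case.

# Constructed 'ps -aux' sample. Assumes pfSense starts each instance with
# '-i <iface>' and '--pidfile /var/run/suricata_<iface><id>.pid'.
SAMPLE_PS='root 53718 0.0 12.1 1000 2000 - Ss 06:00 0:10.00 /usr/local/bin/suricata -i ix3 -D --pidfile /var/run/suricata_ix351141.pid
root 53900 0.0 12.1 1000 2000 - Ss 06:04 0:01.00 /usr/local/bin/suricata -i ix3 -D --pidfile /var/run/suricata_ix351141.pid
root 41222 0.0 12.1 1000 2000 - Ss 06:00 0:10.00 /usr/local/bin/suricata -i igb0 -D --pidfile /var/run/suricata_igb012345.pid'

# Constructed "<pidfile> <pid>" lines; on a firewall generate them with
#   for f in /var/run/suricata_*.pid; do echo "$f $(cat "$f")"; done
SAMPLE_PIDFILES='/var/run/suricata_ix351141.pid 53718
/var/run/suricata_igb012345.pid 41222
/var/run/suricata_em112233.pid 99999'

# Print every interface that has more than one suricata process.
# Reads ps -aux text on stdin; the grep line from the thread is never matched
# because only lines whose command is the suricata binary are considered.
duplicate_instances() {
    awk '
        /\/suricata / {
            for (i = 1; i <= NF; i++) if ($i == "-i") count[$(i + 1)]++
        }
        END { for (ifc in count) if (count[ifc] > 1) print ifc }
    '
}

# Print each PID file whose recorded PID is not a running suricata process.
# $1 = ps -aux text; stdin = "<pidfile> <pid>" lines.
stale_pidfiles() {
    running=$(printf '%s\n' "$1" | awk '/\/suricata / { print $2 }')
    while read -r pidfile pid; do
        [ -n "$pid" ] || continue
        case " $(printf '%s ' $running)" in
            *" $pid "*) ;;                    # PID is alive: file is valid
            *) printf '%s\n' "$pidfile" ;;    # nothing runs under it: stale
        esac
    done
}

# Stand-alone demo on the constructed data.
echo "interfaces with duplicate processes:"
printf '%s\n' "$SAMPLE_PS" | duplicate_instances
echo "stale PID files:"
printf '%s\n' "$SAMPLE_PIDFILES" | stale_pidfiles "$SAMPLE_PS"
```

On a live firewall, replace the two samples with the real `ps -aux` output and the PID-file listing; an interface reported by the first check is the duplicate the post tells you to kill, and a file reported by the second is the stale PID file to remove.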
-
I will check this ASAP, but I had a thought about the "zombie" process. Wouldn't that cause the /var/log/suricata/ logs to have a (PID) instance for the interface with multiple files or duplicate data in the interface's log file? Which it doesn't at this time.
-
@Euman said in suricata (core dumped) after GeoLite2-Country database update:
I will check this ASAP, but I had a thought about the "zombie" process. Wouldn't that cause the /var/log/suricata/ logs to have a (PID) instance for the interface with multiple files or duplicate data in the interface's log file? Which it doesn't at this time.
Not necessarily. The zombie process will likely be trying to use a now non-existent file handle.
I do not have a pfSense Plus test setup, so I can only test using a CE image. I've not seen this previously, but will test again to verify.
Are you actually using GeoIP rules? There are none offered in the stock rules archives provided in the pfSense package. You would need to be writing your own custom GeoIP rules or else using a third-party package via the "Extra Rules" option on the GLOBAL SETTINGS tab. Simply downloading the GeoIP database without having corresponding GeoIP text rules does nothing.
-
@bmeeks said "Are you actually using GeoIP rules?"
Yes, I wrote a set of rules to use with GeoIP
I wanted to capture all inbound activity from countries not of US origin.
drop ip any any -> any any (msg:"GeoIP Country A-Blocked"; flow: to_server; geoip:src,AF,AX,AL,DZ,AS,AD,AO,AI,AQ,AG,AR,AM,AW,AU,AT,AZ; sid: 9990025; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country B-Blocked"; flow: to_server; geoip:src,BS,BH,BD,BB,BY,BE,BZ,BJ,BM,BT,BO,BQ,BA,BW,BV,BR,IO,BN,BG,BF,BI; sid: 9990026; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country C-Blocked"; flow: to_server; geoip:src,KH,CM,CA,CV,KY,CF,TD,CL,CN,CX,CC,CO,KM,CG,CD,CK,CR,CI,HR,CU,CW,CY,CZ; sid: 9990027; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country D-Blocked"; flow: to_server; geoip:src,DK,DJ,DM,DO; sid: 9990028; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country E-Blocked"; flow: to_server; geoip:src,EC,EG,SV,GQ,ER,EE,ET; sid: 9990029; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country F-Blocked"; flow: to_server; geoip:src,FK,FO,FJ,FI,FR,GF,PF,TF; sid: 9990030; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country G-Blocked"; flow: to_server; geoip:src,GA,GM,GE,DE,GH,GI,GR,GL,GD,GP,GU,GT,GG,GN,GW,GY; sid: 9990031; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country H-Blocked"; flow: to_server; geoip:src,HT,HM,VA,HN,HK,HU; sid: 9990032; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country I-Blocked"; flow: to_server; geoip:src,IS,IN,ID,IR,IQ,IE,IM,IL,IT; sid: 9990033; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country J-Blocked"; flow: to_server; geoip:src,JM,JP,JE,JO; sid: 9990034; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country K-Blocked"; flow: to_server; geoip:src,KZ,KE,KI,KP,KR,KW,KG; sid: 9990035; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country L-Blocked"; flow: to_server; geoip:src,LA,LV,LB,LS,LR,LY,LI,LT,LU; sid: 9990036; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country M-Blocked"; flow: to_server; geoip:src,MO,MK,MG,MW,MY,MV,ML,MT,MH,MQ,MR,MU,YT,MX,FM,MD,MC,MN,ME,MS,MA,MZ,MM; sid: 9990037; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country N-Blocked"; flow: to_server; geoip:src,NA,NR,NP,NL,NC,NZ,NI,NE,NG,NU,NF,MP,NO; sid: 9990038; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country O-Blocked"; flow: to_server; geoip:src,OM; sid: 9990039; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country P-Blocked"; flow: to_server; geoip:src,PK,PW,PS,PA,PG,PY,PE,PH,PN,PL,PT,PR; sid: 9990040; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country Q-Blocked"; flow: to_server; geoip:src,QA; sid: 9990041; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country R-Blocked"; flow: to_server; geoip:src,RE,RO,RU,RW; sid: 9990042; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country S-Blocked"; flow: to_server; geoip:src,BL,SH,KN,LC,MF,PM,VC,WS,SM,ST,SA,SN,RS,SC,SL,SG,SX,SK,SI,SB,SO,ZA,GS,ES,LK,SD,SR,SJ,SZ,SE,CH,SY; sid: 9990043; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country T-Blocked"; flow: to_server; geoip:src,TW,TJ,TZ,TH,TL,TG,TK,TO,TT,TN,TR,TM,TC,TV; sid: 9990044; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country U-Blocked"; flow: to_server; geoip:src,UG,GB,UA,AE,UM,UY,UZ; sid: 9990045; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country V-Blocked"; flow: to_server; geoip:src,VU,VE,VN,VG,VI; sid: 9990046; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country W-Blocked"; flow: to_server; geoip:src,WF,EH,YE; sid: 9990047; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country Y-Blocked"; flow: to_server; geoip:src,YE; sid: 9990048; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country Z-Blocked"; flow: to_server; geoip:src,ZM,ZW; sid: 9990049; rev: 1;)
-
@Euman said in suricata (core dumped) after GeoLite2-Country database update:
@bmeeks said "Are you actually using GeoIP rules?"
Yes, I wrote a set of rules to use with GeoIP
I wanted to capture all inbound activity from countries not of US origin.
drop ip any any -> any any (msg:"GeoIP Country A-Blocked"; flow: to_server; geoip:src,AF,AX,AL,DZ,AS,AD,AO,AI,AQ,AG,AR,AM,AW,AU,AT,AZ; sid: 9990025; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country B-Blocked"; flow: to_server; geoip:src,BS,BH,BD,BB,BY,BE,BZ,BJ,BM,BT,BO,BQ,BA,BW,BV,BR,IO,BN,BG,BF,BI; sid: 9990026; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country C-Blocked"; flow: to_server; geoip:src,KH,CM,CA,CV,KY,CF,TD,CL,CN,CX,CC,CO,KM,CG,CD,CK,CR,CI,HR,CU,CW,CY,CZ; sid: 9990027; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country D-Blocked"; flow: to_server; geoip:src,DK,DJ,DM,DO; sid: 9990028; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country E-Blocked"; flow: to_server; geoip:src,EC,EG,SV,GQ,ER,EE,ET; sid: 9990029; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country F-Blocked"; flow: to_server; geoip:src,FK,FO,FJ,FI,FR,GF,PF,TF; sid: 9990030; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country G-Blocked"; flow: to_server; geoip:src,GA,GM,GE,DE,GH,GI,GR,GL,GD,GP,GU,GT,GG,GN,GW,GY; sid: 9990031; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country H-Blocked"; flow: to_server; geoip:src,HT,HM,VA,HN,HK,HU; sid: 9990032; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country I-Blocked"; flow: to_server; geoip:src,IS,IN,ID,IR,IQ,IE,IM,IL,IT; sid: 9990033; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country J-Blocked"; flow: to_server; geoip:src,JM,JP,JE,JO; sid: 9990034; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country K-Blocked"; flow: to_server; geoip:src,KZ,KE,KI,KP,KR,KW,KG; sid: 9990035; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country L-Blocked"; flow: to_server; geoip:src,LA,LV,LB,LS,LR,LY,LI,LT,LU; sid: 9990036; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country M-Blocked"; flow: to_server; geoip:src,MO,MK,MG,MW,MY,MV,ML,MT,MH,MQ,MR,MU,YT,MX,FM,MD,MC,MN,ME,MS,MA,MZ,MM; sid: 9990037; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country N-Blocked"; flow: to_server; geoip:src,NA,NR,NP,NL,NC,NZ,NI,NE,NG,NU,NF,MP,NO; sid: 9990038; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country O-Blocked"; flow: to_server; geoip:src,OM; sid: 9990039; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country P-Blocked"; flow: to_server; geoip:src,PK,PW,PS,PA,PG,PY,PE,PH,PN,PL,PT,PR; sid: 9990040; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country Q-Blocked"; flow: to_server; geoip:src,QA; sid: 9990041; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country R-Blocked"; flow: to_server; geoip:src,RE,RO,RU,RW; sid: 9990042; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country S-Blocked"; flow: to_server; geoip:src,BL,SH,KN,LC,MF,PM,VC,WS,SM,ST,SA,SN,RS,SC,SL,SG,SX,SK,SI,SB,SO,ZA,GS,ES,LK,SD,SR,SJ,SZ,SE,CH,SY; sid: 9990043; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country T-Blocked"; flow: to_server; geoip:src,TW,TJ,TZ,TH,TL,TG,TK,TO,TT,TN,TR,TM,TC,TV; sid: 9990044; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country U-Blocked"; flow: to_server; geoip:src,UG,GB,UA,AE,UM,UY,UZ; sid: 9990045; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country V-Blocked"; flow: to_server; geoip:src,VU,VE,VN,VG,VI; sid: 9990046; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country W-Blocked"; flow: to_server; geoip:src,WF,EH,YE; sid: 9990047; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country Y-Blocked"; flow: to_server; geoip:src,YE; sid: 9990048; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country Z-Blocked"; flow: to_server; geoip:src,ZM,ZW; sid: 9990049; rev: 1;)
Okay. Just checking because I've encountered some confusion among users in the past, mostly with the Snort OpenAppID rules but also with GeoIP in Suricata.
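A lint pass for a GeoIP rule file in the format posted above, as an added example that is neither from the thread nor from the pfSense package. It flags country codes that are not two upper-case letters, repeated sids, and a code already covered by an earlier rule (the posted set lists YE in both the W and Y rules, which is harmless but redundant); the three-rule sample is constructed and its codes are shortened.

```shell
#!/bin/sh
# Added example (not from the thread): lint a GeoIP rule file in the format
# posted above before Suricata loads it. Reports country codes that are not
# two upper-case letters, duplicate sids (Suricata requires sids to be
# unique), and codes already matched by an earlier rule (harmless, but the
# later entry is redundant and usually a copy-paste slip).

# Constructed three-rule sample with the codes shortened; on a firewall use
#   lint_geoip_rules < /path/to/your/geoip.rules
RULES='drop ip any any -> any any (msg:"GeoIP Country W-Blocked"; flow: to_server; geoip:src,WF,EH,YE; sid: 9990047; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country Y-Blocked"; flow: to_server; geoip:src,YE; sid: 9990048; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country Z-Blocked"; flow: to_server; geoip:src,ZM,zw; sid: 9990048; rev: 1;)'

# One finding per output line; no output means the rules passed. Reads stdin.
lint_geoip_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        {
            # sid must be unique across the file
            if (match($0, /sid:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH); sub(/sid:[ \t]*/, "", sid)
                if (sid in sid_line)
                    print "line " NR ": duplicate sid " sid " (also line " sid_line[sid] ")"
                else
                    sid_line[sid] = NR
            }
            # geoip:<direction>,<CC>,<CC>,...  with ISO 3166-1 alpha-2 codes
            if (match($0, /geoip:[^;]*/)) {
                n = split(substr($0, RSTART + 6, RLENGTH - 6), part, ",")
                for (i = 2; i <= n; i++) {
                    cc = part[i]
                    if (cc !~ /^[A-Z][A-Z]$/)
                        print "line " NR ": malformed country code \"" cc "\""
                    else if (cc in cc_line)
                        print "line " NR ": " cc " already matched by line " cc_line[cc]
                    else
                        cc_line[cc] = NR
                }
            }
        }
    '
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$RULES" | lint_geoip_rules
```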
-
I just enabled the GeoIP Database update option in a Suricata 6.0.13 install on a test virtual machine. Here are the system log entries (in reverse order, most recent entry listed first):
Oct 17 12:06:02 php-fpm 380 /suricata/suricata_global.php: Configuration Change: admin@192.168.233.1 (Local Database): Installed cron job for /usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/suricata/suricata_geoipupdate.php
Oct 17 12:06:02 php-fpm 380 [Suricata] Cleaning up temp files after GeoLite2-Country database update.
Oct 17 12:06:02 php-fpm 380 [Suricata] GeoLite2-Country database update completed.
Oct 17 12:06:02 php-fpm 380 [Suricata] Moving new database to /usr/local/share/suricata/GeoLite2/GeoLite2-Country.mmdb...
Oct 17 12:06:02 php-fpm 380 [Suricata] Extracting new GeoLite2-Country database from the archive...
Oct 17 12:06:02 php-fpm 380 [Suricata] New GeoLite2-Country IP database gzip archive successfully downloaded.
Oct 17 12:06:02 php-fpm 380 [Suricata] Downloading new GeoLite2-Country IP database...
Oct 17 12:06:02 php-fpm 380 [Suricata] A new GeoLite2-Country IP database is available.
Oct 17 12:06:01 php-fpm 380 [Suricata] Checking for updated MaxMind GeoLite2 IP database file...
Oct 17 12:06:01 check_reload_status 409 Syncing firewall
Oct 17 12:06:01 php-fpm 380 /suricata/suricata_global.php: Configuration Change: admin@192.168.233.1 (Local Database): Suricata pkg: modified global settings.
You can see in the bottom entry above where I enabled the GeoIP database download. Then next up (reading from bottom of log snippet above) you can see pfSense connecting to MaxMind and pulling down the latest database. It then set up the cron task to perform the daily update check.
I'm going to let the test VM run a bit to see how things shake out.
-
Feel free to use those rules I posted. They've helped me in collecting data on worldwide scanners, bots and malicious actors.
August through September I had nearly 24,000 IPs, most of them compared with VirusTotal data points higher than a rating of 5. I do hope your VM will allow you to see if the Suricata issue is prevalent there and I'm not missing something here.
-
@Euman said in suricata (core dumped) after GeoLite2-Country database update:
Feel free to use those rules I posted. They've helped me in collecting data on worldwide scanners, bots and malicious actors.
August through September I had nearly 24,000 IPs, most of them compared with VirusTotal data points higher than a rating of 5. I do hope your VM will allow you to see if the Suricata issue is prevalent there and I'm not missing something here.
I copied all of your rules into my test VM. I have it set for Legacy Mode Blocking with the "Block on DROPs Only" option checked. I can try Inline IPS Mode later, but I can't really see how the blocking mode would have any impact on the issue with updating the rules.
-
Following up with the results of my "more than 24-hour" test.
I could not reproduce a crash in my test system. I saw the rules all update themselves overnight (per the logs) and both Suricata instances in the virtual machine were still running normally when I checked them today.
This was tested with Suricata 6.0.13 on pfSense CE 2.7.0 using a VMware Workstation virtual machine.
The default update interval for the GeoLite2-Country database is once per month on the 8th day of the month. That is not user-configurable unless you manually edit the pfSense cron tasks in config.xml, and that's not recommended. I used that update interval based on data at the time from MaxMind advising the GeoLite2 free database only updates once per month. I forget now the day of the month, but it was a day or two before my choice of the 8th day.
-
I think this is the issue and am waiting for results:
I had "Live Swap" enabled
Enable "Live Swap" reload of rules after downloading an update. Default is Not Checked. When enabled, Suricata will perform a live load of the new rules following an update instead of a hard restart. If issues are encountered with live load, uncheck this option to perform a hard restart of all Suricata instances following an update.
-
@Euman said in suricata (core dumped) after GeoLite2-Country database update:
I think this is the issue and am waiting for results:
I had "Live Swap" enabled
Enable "Live Swap" reload of rules after downloading an update. Default is Not Checked. When enabled, Suricata will perform a live load of the new rules following an update instead of a hard restart. If issues are encountered with live load, uncheck this option to perform a hard restart of all Suricata instances following an update.
While everything is possible, I'm not sure how this setting would contribute to a Signal 10 Bus Error. Maybe there is an outside chance the extra RAM use when this feature is enabled causes the use of a particularly problematic physical chip address ???