Netgate Discussion Forum
    suricata (core dumped) after GeoLite2-Country database update

    bmeeks @Euman

      @Euman said in suricata (core dumped) after GeoLite2-Country database update:

      Furthermore, I specifically turned off "auto update" for Suricata some time ago, but at 6am every few days it's updating on its own.

      If it is still auto-updating and you disabled that feature, then possibly you have a second "zombie" Suricata process still running on your system. Those types of zombie processes will not respond to anything you do in the GUI.

      To see if that is the case, run the following command from a direct shell prompt on the firewall (obtained either directly on the console or via an SSH connection -- do NOT run the command from the DIAGNOSTICS menu in the GUI):

      ps -aux | grep suricata
      

      You should see exactly one running process for each Suricata instance you have configured (that is, one instance per configured Suricata interface). If you see any duplicates, that is going to be your issue. Easiest thing to do at that point is stop all Suricata processes using the GUI icons on the Suricata INTERFACES tab.

      Return to your shell session and run the command above once more. Note the PID of any remaining Suricata processes, then run this command to kill them:

      kill -9 <pid>
      

      Return to the GUI and start your Suricata interfaces again. See if things behave.

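The duplicate-process check described in the post above, as an added example that is not code from the thread or from the pfSense package: it parses `ps -aux` style output, groups Suricata processes by the interface passed with `-i`, and reports any interface that has more than one process bound to it. The ps lines are constructed sample output; the exact command line pfSense uses to launch Suricata is an assumption here (only the `-i <iface>` flag is taken as real Suricata syntax).

```shell
#!/bin/sh
# Added example: spot interfaces with more than one Suricata process (the "zombie" case).
# SAMPLE_PS is CONSTRUCTED output in `ps -aux` column layout
# (USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND); the command-line shape
# "suricata -i <iface> ..." is an assumption, not pfSense's actual invocation.
SAMPLE_PS='root 12345 0.0 8.1 1234567 654321 - Ss 12:01 0:05.00 /usr/local/bin/suricata -i em0 -D -c /usr/local/etc/suricata/suricata_em0/suricata.yaml
root 23456 0.0 8.1 1234567 654321 - Ss 12:01 0:05.00 /usr/local/bin/suricata -i em1 -D -c /usr/local/etc/suricata/suricata_em1/suricata.yaml
root 34567 0.0 8.1 1234567 654321 - Ss 11:30 0:05.00 /usr/local/bin/suricata -i em1 -D -c /usr/local/etc/suricata/suricata_em1/suricata.yaml
root 45678 0.0 0.0 12345 1234 0 S+ 12:06 0:00.00 grep suricata'

# Print "<iface> <pid>" for every real Suricata process read from stdin.
# The grep line is skipped because its COMMAND column ($11) is "grep", not a suricata binary.
suricata_processes() {
    awk '$11 ~ /suricata$/ {
        for (i = 12; i <= NF; i++) if ($i == "-i") { print $(i + 1), $2; break }
    }'
}

# Interface names that carry more than one process, one per line.
duplicate_interfaces() {
    suricata_processes | awk '{ print $1 }' | sort | uniq -d
}

# All PIDs bound to the interface given as $1, in ps order.
pids_for_interface() {
    suricata_processes | awk -v want="$1" '$1 == want { print $2 }'
}

# Stand-alone run over the constructed sample. On a firewall, replace the printf with:
#   ps -aux | duplicate_interfaces
printf '%s\n' "$SAMPLE_PS" | duplicate_interfaces | while read -r iface; do
    echo "interface $iface has more than one Suricata process:"
    printf '%s\n' "$SAMPLE_PS" | pids_for_interface "$iface"
done
```

With the sample input the script names `em1` and lists PIDs 23456 and 34567; on a real system you would compare that list against the PID files the GUI-managed instances wrote before deciding which process is the stray one.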
      Euman

        I will check this ASAP, but I had a thought about the "zombie" process. Wouldn't that cause the /var/log/suricata/ logs to have a (PID) instance for the interface, with multiple files or duplicate data in the interface's log file? Which it doesn't at this time.

        bmeeks @Euman

          @Euman said in suricata (core dumped) after GeoLite2-Country database update:

          I will check this ASAP, but I had a thought about the "zombie" process. Wouldn't that cause the /var/log/suricata/ logs to have a (PID) instance for the interface, with multiple files or duplicate data in the interface's log file? Which it doesn't at this time.

          Not necessarily. The zombie process will likely be trying to use a now non-existent file handle.

          I do not have a pfSense Plus test setup, so I can only test using a CE image. I've not seen this previously, but will test again to verify.

          Are you actually using GeoIP rules? There are none offered in the stock rules archives provided in the pfSense package. You would need to be writing your own custom GeoIP rules or else using a third-party package via the "Extra Rules" option on the GLOBAL SETTINGS tab. Simply downloading the GeoIP database without having corresponding GeoIP text rules does nothing.

          Euman

            @bmeeks said "Are you actually using GeoIP rules?"

            Yes, I wrote a set of rules to use with GeoIP.
            I wanted to capture all inbound activity from countries not of US origin.

            drop ip any any -> any any (msg:"GeoIP Country A-Blocked"; flow: to_server; geoip:src,AF,AX,AL,DZ,AS,AD,AO,AI,AQ,AG,AR,AM,AW,AU,AT,AZ; sid: 9990025; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country B-Blocked"; flow: to_server; geoip:src,BS,BH,BD,BB,BY,BE,BZ,BJ,BM,BT,BO,BQ,BA,BW,BV,BR,IO,BN,BG,BF,BI; sid: 9990026; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country C-Blocked"; flow: to_server; geoip:src,KH,CM,CA,CV,KY,CF,TD,CL,CN,CX,CC,CO,KM,CG,CD,CK,CR,CI,HR,CU,CW,CY,CZ; sid: 9990027; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country D-Blocked"; flow: to_server; geoip:src,DK,DJ,DM,DO; sid: 9990028; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country E-Blocked"; flow: to_server; geoip:src,EC,EG,SV,GQ,ER,EE,ET; sid: 9990029; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country F-Blocked"; flow: to_server; geoip:src,FK,FO,FJ,FI,FR,GF,PF,TF; sid: 9990030; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country G-Blocked"; flow: to_server; geoip:src,GA,GM,GE,DE,GH,GI,GR,GL,GD,GP,GU,GT,GG,GN,GW,GY; sid: 9990031; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country H-Blocked"; flow: to_server; geoip:src,HT,HM,VA,HN,HK,HU; sid: 9990032; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country I-Blocked"; flow: to_server; geoip:src,IS,IN,ID,IR,IQ,IE,IM,IL,IT; sid: 9990033; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country J-Blocked"; flow: to_server; geoip:src,JM,JP,JE,JO; sid: 9990034; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country K-Blocked"; flow: to_server; geoip:src,KZ,KE,KI,KP,KR,KW,KG; sid: 9990035; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country L-Blocked"; flow: to_server; geoip:src,LA,LV,LB,LS,LR,LY,LI,LT,LU; sid: 9990036; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country M-Blocked"; flow: to_server; geoip:src,MO,MK,MG,MW,MY,MV,ML,MT,MH,MQ,MR,MU,YT,MX,FM,MD,MC,MN,ME,MS,MA,MZ,MM; sid: 9990037; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country N-Blocked"; flow: to_server; geoip:src,NA,NR,NP,NL,NC,NZ,NI,NE,NG,NU,NF,MP,NO; sid: 9990038; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country O-Blocked"; flow: to_server; geoip:src,OM; sid: 9990039; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country P-Blocked"; flow: to_server; geoip:src,PK,PW,PS,PA,PG,PY,PE,PH,PN,PL,PT,PR; sid: 9990040; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country Q-Blocked"; flow: to_server; geoip:src,QA; sid: 9990041; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country R-Blocked"; flow: to_server; geoip:src,RE,RO,RU,RW; sid: 9990042; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country S-Blocked"; flow: to_server; geoip:src,BL,SH,KN,LC,MF,PM,VC,WS,SM,ST,SA,SN,RS,SC,SL,SG,SX,SK,SI,SB,SO,ZA,GS,ES,LK,SD,SR,SJ,SZ,SE,CH,SY; sid: 9990043; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country T-Blocked"; flow: to_server; geoip:src,TW,TJ,TZ,TH,TL,TG,TK,TO,TT,TN,TR,TM,TC,TV; sid: 9990044; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country U-Blocked"; flow: to_server; geoip:src,UG,GB,UA,AE,UM,UY,UZ; sid: 9990045; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country V-Blocked"; flow: to_server; geoip:src,VU,VE,VN,VG,VI; sid: 9990046; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country W-Blocked"; flow: to_server; geoip:src,WF,EH,YE; sid: 9990047; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country Y-Blocked"; flow: to_server; geoip:src,YE; sid: 9990048; rev: 1;)
            drop ip any any -> any any (msg:"GeoIP Country Z-Blocked"; flow: to_server; geoip:src,ZM,ZW; sid: 9990049; rev: 1;)

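A hygiene check for a GeoIP rule set like the one posted above, added here as an example that is not code from the thread or from the pfSense package: it pulls the `sid` and the `geoip:src,...` country list out of each rule and reports sids that are reused and country codes that appear in more than one rule. Two of the posted rules serve as sample input (YE is listed in both the W and Y rules); the third line is a constructed rule that deliberately reuses a sid to exercise the check.

```shell
#!/bin/sh
# Added example: find reused sids and country codes listed twice in a GeoIP rule set.
# First two lines are rules from the post above; the third is CONSTRUCTED with a reused sid.
RULES='drop ip any any -> any any (msg:"GeoIP Country W-Blocked"; flow: to_server; geoip:src,WF,EH,YE; sid: 9990047; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country Y-Blocked"; flow: to_server; geoip:src,YE; sid: 9990048; rev: 1;)
drop ip any any -> any any (msg:"GeoIP Country Z-Blocked"; flow: to_server; geoip:src,ZM,ZW; sid: 9990048; rev: 1;)'

# One sid per rule line read from stdin.
rule_sids() {
    sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\);.*/\1/p'
}

# Every country code from the geoip:src,... lists, one per line.
rule_countries() {
    sed -n 's/.*geoip:src,\([A-Z,]*\);.*/\1/p' | tr ',' '\n'
}

# sids used by more than one rule (Suricata complains about these at load time).
duplicate_sids() {
    rule_sids | sort | uniq -d
}

# Country codes that appear in more than one rule (redundant, but harmless to Suricata).
duplicate_countries() {
    rule_countries | sort | uniq -d
}

# Stand-alone run over the sample. On a firewall, feed the custom rules file instead:
#   duplicate_sids < /path/to/custom.rules
printf '%s\n' "$RULES" | duplicate_sids | sed 's/^/reused sid: /'
printf '%s\n' "$RULES" | duplicate_countries | sed 's/^/country listed in more than one rule: /'
```

Run against the full posted set, the country check reports only YE; the sid check reports nothing because the posted rules use a unique sid each, so the reused 9990048 above comes purely from the constructed third line.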
            bmeeks @Euman

              @Euman said in suricata (core dumped) after GeoLite2-Country database update:

              @bmeeks said "Are you actually using GeoIP rules?"

              Yes, I wrote a set of rules to use with GeoIP.
              I wanted to capture all inbound activity from countries not of US origin.


              Okay. Just checking because I've encountered some confusion among users in the past, mostly with the Snort OpenAppID rules but also with GeoIP in Suricata.

              bmeeks

                I just enabled the GeoIP Database update option in a Suricata 6.0.13 install on a test virtual machine. Here are the system log entries (in reverse order, most recent entry listed first):

                Oct 17 12:06:02	php-fpm	380	/suricata/suricata_global.php: Configuration Change: admin@192.168.233.1 (Local Database): Installed cron job for /usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/suricata/suricata_geoipupdate.php
                Oct 17 12:06:02	php-fpm	380	[Suricata] Cleaning up temp files after GeoLite2-Country database update.
                Oct 17 12:06:02	php-fpm	380	[Suricata] GeoLite2-Country database update completed.
                Oct 17 12:06:02	php-fpm	380	[Suricata] Moving new database to /usr/local/share/suricata/GeoLite2/GeoLite2-Country.mmdb...
                Oct 17 12:06:02	php-fpm	380	[Suricata] Extracting new GeoLite2-Country database from the archive...
                Oct 17 12:06:02	php-fpm	380	[Suricata] New GeoLite2-Country IP database gzip archive successfully downloaded.
                Oct 17 12:06:02	php-fpm	380	[Suricata] Downloading new GeoLite2-Country IP database...
                Oct 17 12:06:02	php-fpm	380	[Suricata] A new GeoLite2-Country IP database is available.
                Oct 17 12:06:01	php-fpm	380	[Suricata] Checking for updated MaxMind GeoLite2 IP database file...
                Oct 17 12:06:01	check_reload_status	409	Syncing firewall
                Oct 17 12:06:01	php-fpm	380	/suricata/suricata_global.php: Configuration Change: admin@192.168.233.1 (Local Database): Suricata pkg: modified global settings.
                

                You can see in the bottom entry above where I enabled the GeoIP database download. Then next up (reading from bottom of log snippet above) you can see pfSense connecting to MaxMind and pulling down the latest database. It then set up the cron task to perform the daily update check.

                I'm going to let the test VM run a bit to see how things shake out.

                Euman

                  Feel free to use those rules I posted. They've helped me in collecting data on worldwide scanners, bots and malicious actors.
                  August through September I had nearly 24,000 IPs, most of them compared with VirusTotal data points higher than a rating of 5.

                  I do hope your VM will allow you to see if the Suricata issue is prevalent there and I'm not missing something here.

                  bmeeks @Euman

                    @Euman said in suricata (core dumped) after GeoLite2-Country database update:

                    Feel free to use those rules I posted. They've helped me in collecting data on worldwide scanners, bots and malicious actors.
                    August through September I had nearly 24,000 IPs, most of them compared with VirusTotal data points higher than a rating of 5.

                    I do hope your VM will allow you to see if the Suricata issue is prevalent there and I'm not missing something here.

                    I copied all of your rules into my test VM. I have it set for Legacy Mode Blocking with the "Block on DROPs Only" option checked. I can try Inline IPS Mode later, but I can't really see how the blocking mode would have any impact on the issue with updating the rules.

                    bmeeks

                      Following up with the results of my "more than 24-hour" test.

                      I could not reproduce a crash in my test system. I saw the rules all update themselves overnight (per the logs) and both Suricata instances in the virtual machine were still running normally when I checked them today.

                      This was tested with Suricata 6.0.13 on pfSense CE 2.7.0 using a VMware Workstation virtual machine.

                      The default update interval for the GeoLite2-Country database is once per month on the 8th day of the month. That is not user-configurable unless you manually edit the pfSense cron tasks in config.xml, and that's not recommended. I used that update interval based on data at the time from MaxMind advising the GeoLite2 free database only updates once per month. I forget now the day of the month, but it was a day or two before my choice of the 8th day.

                      Euman

                        I think this is the issue and am waiting for results:

                        I had "Live Swap" enabled

                        Enable "Live Swap" reload of rules after downloading an update. Default is Not Checked. When enabled, Suricata will perform a live load of the new rules following an update instead of a hard restart. If issues are encountered with live load, uncheck this option to perform a hard restart of all Suricata instances following an update.

                        bmeeks @Euman

                          @Euman said in suricata (core dumped) after GeoLite2-Country database update:

                          I think this is the issue and am waiting for results:

                          I had "Live Swap" enabled

                          Enable "Live Swap" reload of rules after downloading an update. Default is Not Checked. When enabled, Suricata will perform a live load of the new rules following an update instead of a hard restart. If issues are encountered with live load, uncheck this option to perform a hard restart of all Suricata instances following an update.

                          While everything is possible, I'm not sure how this setting would contribute to a Signal 10 Bus Error. Maybe there is an outside chance that the extra RAM use when this feature is enabled causes the use of a particularly problematic physical chip address?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.