Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata interfaces halting in legacy mode

    Scheduled Pinned Locked Moved
    IDS/IPS
    3
    6
    470
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sgnoc
      last edited by

      I'm running a netgate XG-7100 running 23.09 and Suricata 7.0.2 (althought this was seemingly happening on the previous version, I had just not get identified the error in logs).

      I have 2 interfaces of several that I have monitoring on Suricata with different rulesets with legacy mode blocking enabled. Two interfaces have been halting for no reason I have been able to identify. I finally saw in the suricata.log file for the two interfaces, both are the same error, just one as W#03 and the other as W#01.

      [103343 - W#03] 2023-11-22 23:22:55 Error: spm-hs: Hyperscan returned fatal error -1.

      I tried updating to the most recent Suricata version when it came out, and have also tried deleting suricata, all of the suricata configs and then reloading everything from scratch, with no luck. The interface stays up and does block IPs for 5 to 10 minutes before crashing on one interface, and zero blocks on the other interface, but both go down at exactly the same second.

      Other similar interfaces are seemingly not affected and continue to run. I have been running this configuration for over a year without trouble, until recently. I don't have an exact timeline when I noticed the interfaces were halting, but it is relatively recent.

      Any information or troubleshooting I might be able to do to try and narrow down why this is occurring?

      1 Reply Last reply Reply Quote 0
      • S
        sgnoc
        last edited by sgnoc

        @bmeeks Is this perhaps related to https://forum.netgate.com/topic/184112/important-snort-and-suricata-package-announcement-probable-bug-in-legacy-blocking-module/4

        I didn't think it was, since I don't see anything showing a singal 11 fault anywhere, just the "Error: spm-hs: Hyperscan returned fatal error -1."

        Thanks!

        --- Edit ---

        Sorry! I just read where it is not related to the hyperscan issue. Odd none of this showed in searches before I posted. I'll try and continue reading for a solution if there is one. Thanks for all of your efforts on these packeges!

        1 Reply Last reply Reply Quote 0
        • S
          sgnoc
          last edited by

          Sorry all, this appears to be the same as:
          https://forum.netgate.com/topic/184101/suricata-process-dying-due-to-hyperscan-problem/32?_=1700714079537

          I just checked and even though I updated to Suricata 7.0.2, it still shows hyperscan 5.4.0, which appears to be where the bug lies. I'm not sure why previous searches didn't show these results, so apologies for the duplicate post on the same issue. I'll follow the other topic going forward.

          bmeeksB 1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks @sgnoc
            last edited by bmeeks

            @sgnoc said in Suricata interfaces halting in legacy mode:

            Sorry all, this appears to be the same as:
            https://forum.netgate.com/topic/184101/suricata-process-dying-due-to-hyperscan-problem/32?_=1700714079537

            I just checked and even though I updated to Suricata 7.0.2, it still shows hyperscan 5.4.0, which appears to be where the bug lies. I'm not sure why previous searches didn't show these results, so apologies for the duplicate post on the same issue. I'll follow the other topic going forward.

            The library has not been updated yet. For starters, I have not yet been able to reproduce this error on my testing systems. And in some email conversations I've had with the upstream Suricata developer team, they indicated that 5.40 should be fine. It is 5.4.1 that has a problem. 5.4.0 and 5.4.2 should be okay.

            But until I can reliably reproduce the error during testing, I can't know if I've fixed it with any particular change. Therefore I'm reluctant to just start throwing changes at the package or its libraries hoping for the best. That could make it much worse.

            1 Reply Last reply Reply Quote 0
            • A
              ajohnson353
              last edited by

              Hello! I am also seeing Suricata crash after updating to CE 2.7.1. Last error before the crash is "[167966 - W#06] 2023-11-29 22:44:22 Error: spm-hs: Hyperscan returned fatal error -1." Restarting only brings it back for a few minutes.

              bmeeksB 1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks @ajohnson353
                last edited by

                @ajohnson353 said in Suricata interfaces halting in legacy mode:

                Hello! I am also seeing Suricata crash after updating to CE 2.7.1. Last error before the crash is "[167966 - W#06] 2023-11-29 22:44:22 Error: spm-hs: Hyperscan returned fatal error -1." Restarting only brings it back for a few minutes.

                That issue is being discussed in this thread: https://forum.netgate.com/topic/184101/suricata-process-dying-due-to-hyperscan-problem. Please post comments or questions over there to keep the discussion in a single thread.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post