Netgate Discussion Forum

    Suricata - interface show the service as stopped after sometime.

    IDS/IPS
      tchadrack
      last edited by tchadrack

      I enabled Suricata on 2 interfaces, LAN (internal) and WAN (internet). Under WAN it is blocking, and under LAN it is just giving alerts, without blocking anything. I am using legacy mode, because my interface doesn't support that mode, according to pfSense. I tried to enable Suricata on just one interface, but the same thing keeps happening.

      It is working perfectly; but after some time (several hours), under the "Services / Suricata / Interfaces" page, the "Suricata status" keeps showing as offline (not running).

      I used the shell over SSH and realized that the Suricata process is still running and working "normally" (ps aux | grep suricata).

      But the suricata.pid files under /var/run keep disappearing from that directory after some time. That is the reason the web interface shows the service as offline.

      What am I missing here? Is there some misconfiguration? Or is there some kind of script that is deleting those files?

      pfSense version:
      2.7.2-RELEASE (amd64)
      Version information updated at Sun Jan 19 17:46:53 -03 2025

      Suricata version: suricata-7.0.8

        bmeeks
        last edited by bmeeks

        Look at the suricata.log for the affected interface under LOGS VIEW in the Suricata package GUI. That should show something that may give a clue as to what's happening. Also check the pfSense system log to see what is logged there.

        If the PID file is disappearing, then the processes are being terminated gracefully for some reason. If crashing, typically the PID file gets left behind in /var/run, and that prevents a subsequent startup in the GUI and logs an error about the existing PID file.

        Are you sure you were seeing a fully running Suricata PID line, or perhaps just the result of your grep search command? It's odd to see processes running but no matching PID file in /var/run. You may have a zombie Suricata process running. Try killing all instances of Suricata at the shell prompt as follows:

        kill -9 <PID>
        

        where <PID> is the Process ID of any running Suricata process. After that, restart Suricata using the icons in the GUI on the INTERFACES tab of the Suricata package.

        It could be that your Suricata instance is updating its rules and then failing during the restart. You should find a clue why in either the suricata.log mentioned above or in the pfSense system log.

        Post back any messages you find to this thread.

          tchadrack @bmeeks
          last edited by tchadrack

          @bmeeks OK. Suricata crashed again. According to the logs, it was during the update.

          This is the final piece of suricata.log:

          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http)": 6
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 10
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 1
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 6
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 10
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 1
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 6
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept (http)": 8
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept (http2)": 8
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept_enc (http)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept_enc (http2)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept_lang (http)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept_lang (http2)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_referer (http)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_referer (http2)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_connection (http)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_connection (http2)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_connection (http)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_connection (http2)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_content_len (http)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_content_len (http2)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_content_len (http)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_content_len (http2)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_content_type (http)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_content_type (http2)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_content_type (http)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_content_type (http2)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http.server (http)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http.server (http2)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http.location (http)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http.location (http2)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_start (http)": 6
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_start (http)": 6
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_method (http)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_method (http2)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_cookie (http)": 8
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_cookie (http)": 8
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_cookie (http2)": 8
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_cookie (http2)": 8
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_user_agent (http)": 15
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_user_agent (http2)": 15
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_host (http)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_host (http)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_host (http2)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_host (http2)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_host (http)": 1
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_host (http2)": 1
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_stat_code (http)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_stat_code (http2)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver dns_query (dns)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver dns_query (dns)": 1
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 1
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.cert_issuer (tls)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient tls.cert_issuer (tls)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.cert_subject (tls)": 3
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient tls.cert_subject (tls)": 3
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient tls.cert_serial (tls)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.cert_serial (tls)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient tls.cert_fingerprint (tls)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.cert_fingerprint (tls)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient tls.certs (tls)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.certs (tls)": 2
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver dce_stub_data (smb)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient dce_stub_data (smb)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver dce_stub_data (dcerpc)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient dce_stub_data (dcerpc)": 4
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver ssh.proto (ssh)": 1
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient ssh.proto (ssh)": 1
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (nfs)": 73
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (nfs)": 73
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (smb)": 73
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (smb)": 73
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (ftp)": 73
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (ftp)": 73
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 73
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 73
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (http)": 73
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (http)": 73
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (http2)": 73
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (http2)": 73
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (smtp)": 73
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: Pkt MPM "icmpv6.hdr": 1
          [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: Pkt MPM "ipv6.hdr": 1
          [101363 - Suricata-Main] 2025-01-20 18:47:26 Info: runmodes: Using 1 live device(s).
          [291538 - RX#01-pppoe0] 2025-01-20 18:47:26 Info: pcap: pppoe0: running in 'auto' checksum mode. Detection of interface state will require 1000 packets
          [291538 - RX#01-pppoe0] 2025-01-20 18:47:26 Info: pcap: pppoe0: snaplen set to 1518
          [101363 - Suricata-Main] 2025-01-20 18:47:26 Notice: threads: Threads created -> RX: 1 W: 2 FM: 1 FR: 1   Engine started.
          [291538 - RX#01-pppoe0] 2025-01-20 18:47:30 Info: checksum: No packets with invalid checksum, assuming checksum offloading is NOT used
          

          Notice that the log shows Suricata restarting, because Suricata is indeed running, regardless of being shown as down.

          Now, this is system.log showing the time Suricata got shut down. It was during the update process:

          8:46:07	php-cgi	57307	[Suricata] ABUSE.ch SSL Blacklist rules were updated...
          Jan 20 18:46:08	php-cgi	57307	[Suricata] Updating rules configuration for: LAN ...
          Jan 20 18:46:10	php-cgi	57307	[Suricata] Enabling any flowbit-required rules for: LAN...
          Jan 20 18:46:10	php-cgi	57307	[Suricata] Building new sid-msg.map file for LAN...
          Jan 20 18:46:10	php-cgi	57307	[Suricata] Suricata STOP for LAN(re0)...
          Jan 20 18:46:25	php-cgi	57307	[Suricata] Suricata START for LAN(re0)...
          Jan 20 18:46:25	php-cgi	57307	[Suricata] Suricata has restarted with your new set of rules for LAN...
          Jan 20 18:46:25	php-cgi	57307	[Suricata] Updating rules configuration for: WANVIVOFIBRA ...
          Jan 20 18:46:26	php-cgi	57307	[Suricata] Enabling any flowbit-required rules for: WANVIVOFIBRA...
          Jan 20 18:46:27	php-cgi	57307	[Suricata] Building new sid-msg.map file for WANVIVOFIBRA...
          **Jan 20 18:46:27	php-cgi	57307	[Suricata] Suricata STOP for WAN(pppoe0)...**
          Jan 20 18:46:33	kernel		pppoe0: promiscuous mode disabled
          **Jan 20 18:46:42	php-cgi	57307	[Suricata] Suricata START for WAN(pppoe0)...**
          Jan 20 18:46:42	php-cgi	57307	[Suricata] Suricata has restarted with your new set of rules for WANVIVOFIBRA...
          Jan 20 18:46:42	php-cgi	57307	[Suricata] The Rules update has finished.
          Jan 20 18:47:26	kernel		pppoe0: promiscuous mode enabled
          

          It got stopped at 18:46:27 and restarted at 18:46:42.

          The Suricata / Interfaces page shows Suricata as down.

          But it is running; this is the result of ps aux | grep suricata:

          [2.7.2-RELEASE][admin@****.********..lan]/var/run: ps aux | grep surica
          root    66156   0.0  4.7  572652  289280  -  SNs  18:46       1:02.37 /usr/local/bin/suricata -i re0 -D
          root    99211   0.0  6.0  583408  368304  -  SNs  18:46       1:08.29 /usr/local/bin/suricata -i pppoe0
          root    75098   0.0  0.0   12752    2144  0  S+   20:27       0:00.00 grep surica
          

          And this is the content of /var/run:

          [2.7.2-RELEASE][admin@******.*********.lan]/var/run: ls
          bandwidthd.pid
          check_reload_status
          cp_prunedb_*******_celular.pid
          cron.pid
          devd.pid
          devd.pipe
          devd.seqpacket.pipe
          dmesg.boot
          dnsbl.pid
          dpinger_WANVIVOFIBRA_PPPOE~************~***********.pid
          dpinger_WANVIVOFIBRA_PPPOE~************~***********.sock
          expire_accounts.pid
          filter_reload_status
          filterdns.pid
          filterlog.pid
          ipsec_keepalive.pid
          kea
          ld-elf.so.hints
          ld-elf32.so.hints
          log
          logpriv
          nginx-*******_celular-CaptivePortal.pid
          nginx-webConfigurator.pid
          nginx.pid
          ntopng.pid
          ntpd.pid
          openvpn_server2.pid
          pfSense-upgrade-GUI.pid
          pfSense_version
          pfSense_version.rc
          php-fpm.pid
          php-fpm.socket
          ping_hosts.pid
          pppoe_wan.pid
          radiusd.pid
          sshd.pid
          syslog.pid
          unbound.pid
          update_alias_url_data.pid
          updaterrd.sh.pid
          utmp
          utx.active
          vnstat
          

          Notice that the Suricata PID file is not here. That is the reason why the Suricata / Interfaces page shows them as down.

            bmeeks @tchadrack
            last edited by bmeeks

            @tchadrack said in Suricata - interface show the service as stopped after sometime.:

            Notice that the Suricata PID file is not here. That is the reason why the Suricata / Interfaces page shows them as down.

            Yes, that is why the GUI interface code thinks it is not running. It checks for the presence of a PID file named with the UUID of the interface.

            I have no idea why the PID files would be missing, though. They are created by the Suricata binary as part of its startup procedure. The GUI code has nothing to do with that. It simply checks they are present to determine which icon to display -- Suricata "running" or "stopped".

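            A small reconciliation check for the mismatch bmeeks describes above (GUI status read from a PID file versus the process actually running), written as an added example for this thread and not code from the pfSense Suricata package. It assumes PID files are named suricata_<iface><uuid>.pid under the given directory (an assumption); the ps listing and PID files are constructed to mirror the one posted in the thread.

```shell
#!/bin/sh
# Reconcile the pfSense GUI's view of Suricata (a PID file per interface under
# /var/run) with the process table, so "shown as stopped but still running"
# and "crashed but PID file left behind" become distinguishable states.
# Constructed example; the PID-file naming suricata_<iface><uuid>.pid is an
# assumption about the package, not taken from its code.

# Constructed `ps aux | grep surica` output, modelled on the thread's listing.
PS_SAMPLE='root    66156   0.0  4.7  572652  289280  -  SNs  18:46  1:02.37 /usr/local/bin/suricata -i re0 -D
root    99211   0.0  6.0  583408  368304  -  SNs  18:46  1:08.29 /usr/local/bin/suricata -i pppoe0
root    75098   0.0  0.0   12752    2144  0  S+   20:27  0:00.00 grep surica'

# Print "pid iface" for every live Suricata worker in a ps listing passed as
# $1. The grep process that ps reports about itself is skipped.
suricata_procs() {
    printf '%s\n' "$1" | awk '
        $0 ~ /\/usr\/local\/bin\/suricata/ && $0 !~ /grep/ {
            for (i = 1; i <= NF; i++) if ($i == "-i") print $2, $(i + 1)
        }'
}

# Classify one interface. $1 = directory holding PID files, $2 = interface
# name, $3 = ps listing. Prints exactly one of:
#   running         PID file present and it names the live Suricata on that iface
#   orphan-process  Suricata is running but its PID file is gone: the GUI will
#                   show it stopped (the symptom in this thread)
#   stale-pidfile   PID file present but no matching process (crash leftover;
#                   blocks the next GUI start, as bmeeks notes)
#   stopped         neither a process nor a PID file
suricata_state() {
    dir=$1; iface=$2; ps_text=$3
    live_pid=$(suricata_procs "$ps_text" | awk -v i="$iface" '$2 == i { print $1; exit }')
    pidfile=$(find "$dir" -maxdepth 1 -name "suricata_${iface}*.pid" 2>/dev/null | head -n 1)
    if [ -n "$pidfile" ]; then
        file_pid=$(tr -d '[:space:]' < "$pidfile")
        if [ -n "$live_pid" ] && [ "$file_pid" = "$live_pid" ]; then
            echo running
        else
            echo stale-pidfile
        fi
    elif [ -n "$live_pid" ]; then
        echo orphan-process
    else
        echo stopped
    fi
}

# Build a throwaway /var/run stand-in: re0 has a matching PID file, pppoe0 has
# none (the thread's case), em1 has a leftover file from a dead instance, and
# em2 has nothing at all. The uuid suffixes are made up.
make_fixture() {
    d=$(mktemp -d)
    echo 66156 > "$d/suricata_re030338.pid"
    echo 12345 > "$d/suricata_em19f2c1.pid"
    echo "$d"
}

# Stand-alone run: one line per interface, in the order an operator would look.
FIX=$(make_fixture)
for ifc in re0 pppoe0 em1 em2; do
    printf '%-8s %s\n' "$ifc" "$(suricata_state "$FIX" "$ifc" "$PS_SAMPLE")"
done
rm -rf "$FIX"
```

On a real box, replace PS_SAMPLE with `$(ps aux)` and the fixture with /var/run; an orphan-process result on an interface that had no crash in suricata.log points at something external removing the file, which is the open question in this thread.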
              tchadrack @bmeeks
              last edited by tchadrack

              Thank you. I believe more people could be facing the same issue. So could anyone here help us find out what is happening?

              Note: I tried to update Suricata before, but it didn't help.

              Complete startup log of Suricata:

              [104357 - Suricata-Main] 2025-01-20 18:46:42 Notice: suricata: This is Suricata version 7.0.8 RELEASE running in SYSTEM mode
              [104357 - Suricata-Main] 2025-01-20 18:46:42 Info: cpu: CPUs/cores online: 2
              [104357 - Suricata-Main] 2025-01-20 18:46:42 Info: suricata: Setting engine mode to IDS mode by default
              [104357 - Suricata-Main] 2025-01-20 18:46:42 Info: app-layer-htp-mem: HTTP memcap: 67108864
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: logopenfile: alert-pf output device (regular) initialized: block.log
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Loading and parsing Pass List from: /usr/local/etc/suricata/suricata_30338_pppoe0/passlist.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Pass List /usr/local/etc/suricata/suricata_30338_pppoe0/passlist processed: Total entries parsed: 19, IP addresses/netblocks/aliases added to No Block list: 19, IP addresses/netblocks ignored because they were covered by existing entries: 0.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: pfSense Suricata Custom Blocking Module initialized: pf-table=snort2c  block-ip=both  kill-state=yes  block-drops-only=no  passlist-debugging=no
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Creating initial automatic firewall interface IP address pass list.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface re0 IPv6 address fe80:0000:0000:0000:02e0:4cff:fe61:3452 to automatic interface IP pass list.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface re0 IPv4 address 192.168.1.1 to automatic interface IP pass list.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface re0 IPv4 address 10.10.10.1 to automatic interface IP pass list.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface re1 IPv6 address fe80:0000:0000:0000:02e0:4cff:fe68:287a to automatic interface IP pass list.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface re2 IPv6 address fe80:0000:0000:0000:02e0:4cff:fe61:7011 to automatic interface IP pass list.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface re2 IPv4 address 192.168.27.254 to automatic interface IP pass list.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface re2 IPv4 address 192.168.27.77 to automatic interface IP pass list.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface re2 IPv4 address 192.168.27.12 to automatic interface IP pass list.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP pass list.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP pass list.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP pass list.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface pppoe0 IPv4 address 201.42.100.58 to automatic interface IP pass list.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface pppoe0 IPv6 address fe80:0000:0000:0000:02e0:4cff:fe61:3452 to automatic interface IP pass list.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface ovpns2 IPv6 address fe80:0000:0000:0000:02e0:4cff:fe61:3452 to automatic interface IP pass list.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface ovpns2 IPv4 address 10.0.1.1 to automatic interface IP pass list.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: logopenfile: fast output device (regular) initialized: alerts.log
              [291532 - Suricata-IM#01] 2025-01-20 18:46:42 Info: alert-pf: Firewall Interface IP Address Change Monitor Thread IM#01 initializing.
              [291532 - Suricata-IM#01] 2025-01-20 18:46:42 Info: alert-pf: Firewall Interface IP Address Change Monitor Thread IM#01 startup completed successfully.
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: logopenfile: http-log output device (regular) initialized: http.log
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: logopenfile: tls-log output device (regular) initialized: tls.log
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Error: detect-within: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
              [101363 - Suricata-Main] 2025-01-20 18:46:42 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_30338_pppoe0/rules/suricata.rules at line 27
              [100122 - Suricata-Main] 2025-01-20 18:46:50 Notice: device: pppoe0: packets: 3049877, drops: 17009 (0.56%), invalid chksum: 0
              [101363 - Suricata-Main] 2025-01-20 18:46:50 Error: detect-tls-ja3-hash: ja3 support is not enabled
              [101363 - Suricata-Main] 2025-01-20 18:46:50 Error: detect: error parsing signature "alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CIS] Gootloader C2 Activity - Windows Server 2016 - barefootinc.com[.]au"; flow:established,to_server; ja3.hash; content:"ae76f123158d52fd84c2c313c0c724ac"; tls.sni; bsize:18; content:"barefootinc.com.au"; nocase; startswith; fast_pattern; threshold: type limit, track by_src, seconds 3600, count 1; classtype:domain-c2; sid:2058287; rev:1; metadata:affected_product Windows_Server_2016, attack_target Client_Endpoint, created_at 2024_12_15, deployment Perimeter, malware_family GootLoader, confidence High, signature_severity Major, updated_at 2024_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol; target:dest_ip;)" from file /usr/local/etc/suricata/suricata_30338_pppoe0/rules/suricata.rules at line 19207
              [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect-urilen: depth or urilen 11 smaller than content len 17
              [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)" from file /usr/local/etc/suricata/suricata_30338_pppoe0/rules/suricata.rules at line 26215
              [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect-parse: "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
              [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /usr/local/etc/suricata/suricata_30338_pppoe0/rules/suricata.rules at line 26822
              [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect-distance: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
              [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.IcedId outbound connection"; flow:to_server,established; content:"Cookie: __gads"; fast_pattern:only; content:"__gads="; http_cookie; content:"|3B| _gat="; distance:0; http_cookie; content:"|3B| _ga="; distance:0; http_cookie; content:"|3B| _u="; distance:0; http_cookie; content:"|3B| __io="; distance:0; http_cookie; content:"|3B| _gid="; distance:0; http_cookie; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/baeb13eea3a71cfaba9d20ef373dcea69cf31f2ec21f45b83f29f699330cb3e3/detection; classtype:trojan-activity; sid:58835; rev:1;)" from file /usr/local/etc/suricata/suricata_30338_pppoe0/rules/suricata.rules at line 27046
              [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect-pcre: unknown regex modifier 'K'
              [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.TreeTrunk outbound connection"; flow:to_server,established; urilen:10; content:"/index.jsp"; fast_pattern:only; http_uri; pcre:"/^([0-9A-F]{2}-){5}[0-9A-F]{2}$/K"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/sha256/8d9444ac349502314f97d25f000dbabb33e3b9737ac8e77e5e8452b719211edd; classtype:trojan-activity; sid:60270; rev:1;)" from file /usr/local/etc/suricata/suricata_30338_pppoe0/rules/suricata.rules at line 27112
              [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect-parse: "http_client_body" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
              [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HannabiGrabber info stealer outbound communication"; flow:to_server,established; file_data; content:"Hannabi Grabber"; fast_pattern:only; http_client_body; content:"```fix|5C|nPCName:"; http_client_body; content:"GB|5C|nAntivirus:"; within:1000; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/082e50f61aa3e649889defae5bccb1249fc1c1281b2b9f02e10cb1ede8a1d16f; classtype:trojan-activity; sid:60728; rev:1;)" from file /usr/local/etc/suricata/suricata_30338_pppoe0/rules/suricata.rules at line 27175
              [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect-isdataat: pcre2_substring_get_bynumber failed
              [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect: error parsing signature "alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Unix.Backdoor.PygmyGoat inbound connection attempt"; flow:to_client,established; content:"SSH-2.0-D8pjE|0D 0A|"; depth:15; isdataat:!15,rawbytes; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssh; reference:url,ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf; classtype:trojan-activity; sid:64295; rev:1;)" from file /usr/local/etc/suricata/suricata_30338_pppoe0/rules/suricata.rules at line 27312
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Info: detect: 3 rule files processed. 34719 rules successfully loaded, 11 rules failed, 0
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2210038, gid 1: unknown rule
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2210044, gid 1: unknown rule
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2200070, gid 1: unknown rule
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2520113, gid 1: unknown rule
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2200075, gid 1: unknown rule
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2210020, gid 1: unknown rule
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2210029, gid 1: unknown rule
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2210045, gid 1: unknown rule
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2210046, gid 1: unknown rule
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2260002, gid 1: unknown rule
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2221034, gid 1: unknown rule
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2221033, gid 1: unknown rule
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2230010, gid 1: unknown rule
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2230010, gid 1: unknown rule
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Info: threshold-config: Threshold config parsed: 24 rule(s) found
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Info: detect: 34723 signatures processed. 1178 are IP-only rules, 3470 are inspecting packet payload, 28580 inspect application layer, 107 are decoder event only
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: detect-flowbits: flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: detect-flowbits: flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Perf: detect: TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Perf: detect: TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Perf: detect: UDP toserver: 41 port groups, 24 unique SGH's, 17 copies
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Perf: detect: UDP toclient: 21 port groups, 13 unique SGH's, 8 copies
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Perf: detect: OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
              [101363 - Suricata-Main] 2025-01-20 18:46:56 Perf: detect: OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: Unique rule groups: 101
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: Builtin MPM "toserver TCP packet": 31
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: Builtin MPM "toclient TCP packet": 16
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: Builtin MPM "toserver TCP stream": 30
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: Builtin MPM "toclient TCP stream": 15
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: Builtin MPM "toserver UDP packet": 24
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: Builtin MPM "toclient UDP packet": 13
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: Builtin MPM "other IP packet": 3
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_uri (http)": 23
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_uri (http2)": 23
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_uri (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_uri (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_uri (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_uri (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_request_line (http)": 7
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_request_line (http2)": 7
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_client_body (http)": 15
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_client_body (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_client_body (http2)": 15
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_client_body (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_response_line (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_response_line (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header (http)": 11
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header (http)": 10
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header (http)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header (http)": 11
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header (http)": 10
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header (http)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header (http2)": 11
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header (http2)": 10
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header (http2)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header (http2)": 11
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header (http2)": 10
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header (http2)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_request_header (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_request_header (http2)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_request_header (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_request_header (http)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http)": 10
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http)": 1
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http)": 6
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http)": 10
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http)": 1
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http)": 6
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 10
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 1
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 6
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 10
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 1
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 6
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept (http)": 8
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept (http2)": 8
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept_enc (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept_enc (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept_lang (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept_lang (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_referer (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_referer (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_connection (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_connection (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_connection (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_connection (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_content_len (http)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_content_len (http2)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_content_len (http)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_content_len (http2)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_content_type (http)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_content_type (http2)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_content_type (http)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_content_type (http2)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http.server (http)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http.server (http2)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http.location (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http.location (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_start (http)": 6
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_start (http)": 6
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_method (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_method (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_cookie (http)": 8
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_cookie (http)": 8
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_cookie (http2)": 8
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_cookie (http2)": 8
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_user_agent (http)": 15
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_user_agent (http2)": 15
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_host (http)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_host (http)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_host (http2)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_host (http2)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_host (http)": 1
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_host (http2)": 1
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_stat_code (http)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_stat_code (http2)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver dns_query (dns)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver dns_query (dns)": 1
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 1
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.cert_issuer (tls)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient tls.cert_issuer (tls)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.cert_subject (tls)": 3
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient tls.cert_subject (tls)": 3
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient tls.cert_serial (tls)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.cert_serial (tls)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient tls.cert_fingerprint (tls)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.cert_fingerprint (tls)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient tls.certs (tls)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.certs (tls)": 2
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver dce_stub_data (smb)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient dce_stub_data (smb)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver dce_stub_data (dcerpc)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient dce_stub_data (dcerpc)": 4
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver ssh.proto (ssh)": 1
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient ssh.proto (ssh)": 1
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (nfs)": 73
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (nfs)": 73
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (smb)": 73
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (smb)": 73
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (ftp)": 73
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (ftp)": 73
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 73
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 73
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (http)": 73
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (http)": 73
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (http2)": 73
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (http2)": 73
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (smtp)": 73
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: Pkt MPM "icmpv6.hdr": 1
              [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: Pkt MPM "ipv6.hdr": 1
              [101363 - Suricata-Main] 2025-01-20 18:47:26 Info: runmodes: Using 1 live device(s).
              [291538 - RX#01-pppoe0] 2025-01-20 18:47:26 Info: pcap: pppoe0: running in 'auto' checksum mode. Detection of interface state will require 1000 packets
              [291538 - RX#01-pppoe0] 2025-01-20 18:47:26 Info: pcap: pppoe0: snaplen set to 1518
              [101363 - Suricata-Main] 2025-01-20 18:47:26 Notice: threads: Threads created -> RX: 1 W: 2 FM: 1 FR: 1   Engine started.
              [291538 - RX#01-pppoe0] 2025-01-20 18:47:30 Info: checksum: No packets with invalid checksum, assuming checksum offloading is NOT used
              
              

              ps aux | grep suricata

              [2.7.2-RELEASE][admin@*****.*******.lan]/root: ps aux | grep surica
              root    66156   0.0  2.0  572652  123832  -  SNs  18:46       3:40.11 /usr/local/bin/suricata -i re0 -D -c /usr/local/etc/suricata/suricata_58258_re
              root    99211   0.0  2.4  586480  143904  -  SNs  18:46       4:20.86 /usr/local/bin/suricata -i pppoe0 -D -c /usr/local/etc/suricata/suricata_30338
               
              
              • bmeeksB
                bmeeks @tchadrack
                last edited by

                @tchadrack said in Suricata - interface show the service as stopped after sometime.:

                Thank you. I believe more people could be facing the same issue. So could anyone here help us understand what is happening?

                Obs: I tried to update Suricata before, but it didn't help

                Complete start up log of suricata:

                [2.7.2-RELEASE][admin@*****.*******.lan]/root: ps aux | grep surica
                root    66156   0.0  2.0  572652  123832  -  SNs  18:46       3:40.11 /usr/local/bin/suricata -i re0 -D -c /usr/local/etc/suricata/suricata_58258_re
                root    99211   0.0  2.4  586480  143904  -  SNs  18:46       4:20.86 /usr/local/bin/suricata -i pppoe0 -D -c /usr/local/etc/suricata/suricata_30338
                 
                

                And immediately after this did you check in /var/run for any files with suricata in their name? If the binary starts, it should be creating the PID file in that directory. If that is failing, perhaps there is a permissions or even disk space issue ???

                Realtek NICs are not the best for use on FreeBSD, but even still I don't see how that could be related to not creating a PID file.

                Try this --

                Kill all the running Suricata processes using this command from a shell prompt:

                kill <PID>
                

                Once all running Suricata processes are terminated, return to the GUI and go to the INTERFACES tab in Suricata and click the icon to start each interface. Report back on what happens then.

                • T
                  tchadrack @bmeeks
                  last edited by tchadrack

                  @bmeeks said in Suricata - interface show the service as stopped after sometime.:

                  And immediately after this did you check in /var/run for any files with suricata in their name? If the binary starts, it should be creating the PID file in that directory. If that is failing, perhaps there is a permissions or even disk space issue ???

                  I didn't, because the down status in the web interface only happens after some time and not immediately. Sometimes they can be up for more than one day, even more.

                  @bmeeks said in Suricata - interface show the service as stopped after sometime.:

                  Kill all the running Suricata processes using this command from a shell prompt: kill <PID>
                  Once all running Suricata processes are terminated, return to the GUI and go to the INTERFACES tab in Suricata and click the icon to start each interface. Report back on what happens

                  I tried to do it already. I've killed all Suricata processes and started them again from the web interface.

                  What happens is that they start and work normally, showing themselves as up in the web interface. But after some time, when I open and look into web interface, they are showing as down.

                  If I go to the shell I can see they are up, but without the PID file in /var/run:

                   0) Logout (SSH only)                  9) pfTop
                   1) Assign Interfaces                 10) Filter Logs
                   2) Set interface(s) IP address       11) Restart webConfigurator
                   3) Reset webConfigurator password    12) PHP shell + pfSense tools
                   4) Reset to factory defaults         13) Update from console
                   5) Reboot system                     14) Disable Secure Shell (sshd)
                   6) Halt system                       15) Restore recent configuration
                   7) Ping host                         16) Restart PHP-FPM
                   8) Shell
                  
                  Enter an option: 8
                  
                  [2.7.2-RELEASE][admin@****************]/root: cd /var/run
                  [2.7.2-RELEASE][admin@****************]/var/run: ls | grep surica
                  [2.7.2-RELEASE][admin@****************]/var/run: ps aux | grep suric
                  root    66156   0.0  1.2  581868   74928  -  SNs  18:46       5:08.75 /usr/local/bin/suricata -i re0 -D
                  root    99211   0.0  1.6  586480   95276  -  SNs  18:46       6:00.33 /usr/local/bin/suricata -i pppoe0
                  root    49197   0.0  0.0   12752    2136  0  S+   16:49       0:00.00 grep suric
                  [2.7.2-RELEASE][admin@****************]/var/run: kill -9 66156
                  [2.7.2-RELEASE][admin@****************]/var/run: kill -9 99211
                  [2.7.2-RELEASE][admin@****************]/var/run: ps aux | grep suric
                  root    42936   0.0  0.0   12752    2140  0  S+   16:50       0:00.00 grep suric
                  (here I started suricata under the web interface)
                  [2.7.2-RELEASE][admin@****************]/var/run: ls | grep surica
                  suricata_pppoe030338.pid
                  suricata_re058258.pid
                  

                  After killing the processes and restarting them from the web interface, the PID files are created inside /var/run.

                  • bmeeksB
                    bmeeks
                    last edited by bmeeks

                    Okay, let's try an experiment.

                    Go to the GLOBAL SETTINGS tab in Suricata and check the box for Live Rule Swap on Update (if it is not already checked). Save that change.

                    Next, kill the Suricata processes from the shell prompt as explained in my post above, then restart Suricata on each interface in the GUI. Let's see if that keeps the GUI's status in sync with the actual processes.

                    Something is deleting the PID files, but I currently do not really know what that is. And my guess is it happens during the periodic rules update when Suricata is normally restarted. Checking the box I noted prevents a physical restart of Suricata and instead tells it to live reload the updated rules.

                    The outcome of this experiment may give me a clue (or at least help me narrow down where to be looking).

                    • T
                      tchadrack @bmeeks
                      last edited by

                      @bmeeks Okay, I've done it. I will return later with more information about what happened. Thank you

                      • bmeeksB
                        bmeeks @tchadrack
                        last edited by

                        @tchadrack said in Suricata - interface show the service as stopped after sometime.:

                        @bmeeks Okay, I've done it. I will return later with more information about what happened. Thank you

                        Okay. Also, I did not see it in your process list captures, but make sure you are NOT using the Service Watchdog package to monitor Suricata. That package is not compatible with either Suricata or Snort.

                        • T
                          tchadrack @bmeeks
                          last edited by

                          @bmeeks

                          root    78291   0.0  4.8  765872  291224  -  Ss   17:00       6:31.07 /usr/local/bin/suricata -i pppoe0
                          root    86453   0.0  5.3  872748  325348  -  Ss   17:00       6:37.23 /usr/local/bin/suricata -i re0 -D
                          

                          Up to now the web interface is showing the Suricata service as up and running (PID files present in /var/run).

                          Watchdog is running, but not enabled for suricata

                          • bmeeksB
                            bmeeks @tchadrack
                            last edited by bmeeks

                            @tchadrack said in Suricata - interface show the service as stopped after sometime.:

                            @bmeeks

                            root    78291   0.0  4.8  765872  291224  -  Ss   17:00       6:31.07 /usr/local/bin/suricata -i pppoe0
                            root    86453   0.0  5.3  872748  325348  -  Ss   17:00       6:37.23 /usr/local/bin/suricata -i re0 -D
                            

                            Up to now the web interface is showing the suricata service as up and running (pid files present in /var/run)

                            Watchdog is running, but not enabled for suricata

Okay. I think I may know what could be happening. I notice you appear to have stats collection enabled, based on the log entries I saw in the suricata.log snippet you posted. I'm suspecting your instance is either taking a long time to shut down (due to collecting and printing the stats summary) or it is not actually fully shutting down during the rules update. But the PHP function that restarts Suricata after a rule update does unconditionally delete the PID file when stopping the binary, to be sure the subsequent restart will succeed. I think I may need to make that code "smarter" so that it does more thorough checks before deleting the PID.

                            The change I had you make skips restarting the binary on rules updates. It instructs Suricata to reload the rules while still running. That way the PID file is not deleted. The only downside to that is a temporary increase in RAM consumption while the rules swap is happening. That can be a problem only with installs that have limited RAM.

tchadrack @bmeeks

                              @bmeeks Ok, Thankyou.

bmeeks @tchadrack

I also recall, quite some time back, maybe around the time Suricata upstream was still in the 2.x or 3.x version branch, that sometimes the binary would not respond to the first "shutdown" command issued. It would sometimes take two cycles of issuing shutdown to the process to get Suricata to honor the request. Perhaps that is happening here again in this particular instance. The one thing you appear to have enabled that is not normally enabled by the majority of users is the stats collection option. That may figure in here.

                                I will try and replicate this in my test virtual machine environment. I don't normally test with stats collection enabled, so I need to specifically test with that option enabled.

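The two posts above describe the same failure from two sides: the restart path deletes the PID file unconditionally while the binary may still be shutting down, and an older Suricata sometimes ignored the first shutdown request. The script below is an added example, not the pfSense Suricata package's own code, of the "smarter" stop logic a maintainer would want: classify what the PID file actually points at (missing, stale, a foreign process, or a live Suricata), signal only a live process with the expected name, retry SIGTERM once if the first request is ignored, and remove the PID file only once the process is really gone. The function names, the state words, and the assumption that the caller is root (so `kill -0` is not refused for permission reasons) are this example's own choices. A zombie is treated as already gone, since it has exited but not yet been reaped.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the pfSense package's own code):
# check a Suricata PID file before deleting it, instead of removing it blindly.

# Process image name behind a PID: /proc on Linux, ps(1) elsewhere (FreeBSD).
proc_comm() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -o comm= -p "$1" 2>/dev/null | tr -d ' '
    fi
}

# True only for a process that exists and is not a zombie (zombies have exited).
alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/stat" ]; then
        state=$(sed 's/^.*) //' "/proc/$1/stat" | cut -d' ' -f1)
    else
        state=$(ps -o stat= -p "$1" 2>/dev/null)
    fi
    case "$state" in Z*) return 1 ;; esac
    return 0
}

# pidfile_state PIDFILE EXPECTED_COMM
# Prints: missing (no file), stale (file but no live process),
#         foreign (live process but not EXPECTED_COMM), running.
pidfile_state() {
    pidfile=$1
    expected=$2
    [ -f "$pidfile" ] || { echo missing; return 0; }
    pid=$(tr -cd '0-9' < "$pidfile")
    if [ -z "$pid" ] || ! alive "$pid"; then
        echo stale; return 0
    fi
    if [ "$(proc_comm "$pid")" = "$expected" ]; then
        echo running
    else
        echo foreign
    fi
}

# stop_and_clean PIDFILE EXPECTED_COMM [SECONDS_PER_ATTEMPT]
# Returns 0 when the PID file is gone and nothing is left behind it,
# 1 if it refuses to signal a PID that is not EXPECTED_COMM, 2 on timeout.
stop_and_clean() {
    pidfile=$1
    expected=$2
    limit=${3:-30}
    case "$(pidfile_state "$pidfile" "$expected")" in
        missing) return 0 ;;
        stale)   rm -f "$pidfile"; return 0 ;;   # only a dead PID file is removed outright
        foreign) echo "refusing to signal PID $(cat "$pidfile"): not $expected" >&2; return 1 ;;
    esac
    pid=$(tr -cd '0-9' < "$pidfile")
    attempt=0
    while [ "$attempt" -lt 2 ]; do           # second SIGTERM covers an ignored first request
        attempt=$((attempt + 1))
        kill -TERM "$pid" 2>/dev/null || break
        waited=0
        while [ "$waited" -lt "$limit" ] && alive "$pid"; do
            sleep 1
            waited=$((waited + 1))
        done
        alive "$pid" || break
    done
    if alive "$pid"; then
        echo "PID $pid ($expected) still running after 2 x ${limit}s; PID file kept" >&2
        return 2
    fi
    rm -f "$pidfile"                          # delete only after the process is really gone
    return 0
}
```

The point of the `foreign` state is PID reuse: a stale file whose number has been recycled by an unrelated daemon must not cause that daemon to be terminated. The restart-free alternative the thread settles on is a live reload; Suricata upstream documents that it reloads its rules on SIGUSR2, so that path never has to touch the PID file at all.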
bmeeks

                                  @tchadrack:
                                  I was not able to replicate the exact behavior you are seeing, but I did find some potential edge-case scenarios where the PID file might get deleted prematurely.

                                  I've submitted Pull Requests to address some issues in the package and also cleanup the Suricata binary startup and shutdown scripts. Look for a new 7.0.8_1 Suricata package version to appear in the near future containing these improvements.

                                  The Pull Requests are waiting on the Netgate developer team to review and merge them into the pfSense branches for CE, DEVEL, and Plus. Here is the PR for the current CE Release: https://github.com/pfsense/FreeBSD-ports/pull/1404.

btspce

@bmeeks Just updated to 7.0.8_1. Thanks!

bmeeks @btspce

I am cautiously optimistic this update helps with your issue. But since I could not directly reproduce the problem in my test environment, I had to proceed with a bit of a guess as to what the cause and fix might be.

                                      Please post back here later with an update.

tchadrack @bmeeks

@bmeeks Using the "Live Rule Swap on Update" option (checked) resolves the problem. Suricata worked for several days with no issue.

I updated to the new version of Suricata and unchecked "Live Rule Swap on Update" to test and see what would happen.

Unfortunately, the problem continues, so I am still using Live Rule Swap on Update, which is working very well.

tchadrack @tchadrack

                                          @tchadrack

                                          Thermal Sensors
                                          Zone 1: 29.9 °C
                                          Zone 0: 27.9 °C

                                          Name ..**
                                          User admin@192.168..** (Local Database)
                                          System pfSense
                                          Netgate Device ID: ******************
                                          BIOS Vendor: American Megatrends Inc.
                                          Version: F2
                                          Release Date: Mon Oct 7 2013
                                          Version 2.7.2-RELEASE (amd64)
                                          built on Fri Dec 8 17:55:00 -03 2023
                                          FreeBSD 14.0-CURRENT

                                          The system is on the latest version.
                                          Version information updated at Sat Feb 1 9:35:25 -03 2025
                                          CPU Type Intel(R) Pentium(R) CPU G3220 @ 3.00GHz
                                          2 CPUs: 1 package(s) x 2 core(s)
                                          AES-NI CPU Crypto: No
                                          QAT Crypto: No
                                          Hardware crypto Inactive
                                          Kernel PTI Enabled
                                          MDS Mitigation Inactive
                                          Uptime 1 Day 03 Hours 20 Minutes 04 Seconds
                                          Current date/time
                                          Sat Feb 1 9:44:46 -03 2025
                                          DNS server(s)
                                          8.8.8.8
                                          8.8.4.4
                                          Last config change Sat Feb 1 9:05:02 -03 2025
                                          State table size
                                          0% (222/1000000) Show states
                                          MBUF Usage
                                          5% (18856/371768)
                                          Temperature
                                          27.9°C
                                          Load average
                                          0.47, 0.48, 0.42
                                          CPU usage
                                          4%
                                          Memory usage
                                          53% of 5980 MiB
                                          SWAP usage
                                          17% of 3851 MiB

                                          DISKS:
Mount  Used  Size  Usage
/      28G   447G  7% of 447G (ufs)

                                          SERVICES:
                                          arpwatch Arpwatch Daemon
                                          bandwidthd BandwidthD bandwidth monitoring daemon
                                          captiveportal Captive Portal: **********
                                          darkstat Darkstat bandwidth monitoring daemon
                                          dpinger Gateway Monitoring Daemon
                                          kea-dhcp4 Kea DHCP Server
                                          ntopng ntopng Network Traffic Monitor
                                          ntpd NTP clock sync
                                          openvpn OpenVPN server: *************
                                          pfb_dnsbl pfBlockerNG DNSBL service
                                          pfb_filter pfBlockerNG firewall filter service
                                          radiusd FreeRADIUS Server
                                          sshd Secure Shell Daemon
                                          suricata Suricata IDS/IPS Daemon
                                          syslogd System Logger Daemon
                                          unbound DNS Resolver
                                          vnstatd Status Traffic Totals data collection daemon

                                          S.M.A.R.T. Status
                                          Drive Ident S.M.A.R.T. Status
                                          ada0 WD-************ PASSED

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.