Netgate Discussion Forum
    Suricata 4.1.X interface stopping [Sorted by going back to Snort]

      r43K9o @bmeeks

      @bmeeks Ok, sorry, I'm dumb, the process is running under PHP... This is everything that happened from the update... As far as I know, interface monitoring "crashed once during that time".

      (I had to upload it as a file because otherwise it was flagged as spam for some reason)

      suricata log.txt

      Suricata was restarted once in the morning because LAN interface monitoring was down, and shortly after that I upgraded to 4.6.1, which I assume causes a restart.

        bmeeks @r43K9o

        @r43K9o said in Suricata 4.1.X interface stopping:

        @bmeeks Ok, sorry, I'm dumb, the process is running under PHP... This is everything that happened from the update... As far as I know, interface monitoring "crashed once during that time".

        (I had to upload it as a file because otherwise it was flagged as spam for some reason)

        suricata log.txt

        Suricata was restarted once in the morning because LAN interface monitoring was down, and shortly after that I upgraded to 4.6.1, which I assume causes a restart.

        Your LAN interface is the one crashing. Here is the log entry:

        Jan 10 10:12:41	kernel		pid 92275 (suricata), uid 0: exited on signal 11 (core dumped)

        And when that interface instance crashes, it will leave its PID file in /var/run/ and thus you get the subsequent startup error about a stale PID file.

        Why it crashed is not logged (and thus not known). Very well could be a rule that is causing it. The Suricata binary has had issues from time to time with buggy code because they maintain a fairly rapid update/release schedule as compared to Snort. So bugs come and go with new versions of the binary.

        I would disable all of the LAN rules temporarily and then start adding them back one category at the time to see if you can pinpoint which rule category might be causing the issue. For now, a rule problem would be my first guess as to what's happening.

          r43K9o @bmeeks
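As an added example (not from the thread or the pfSense Suricata package), here is a small POSIX shell helper for the two symptoms bmeeks points at above: it pulls Suricata crash records like the quoted kernel line out of system log text, and it classifies a PID file as live, stale or missing. The log text is constructed and the PID file path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not part of the thread or the Suricata package.
# Finds Suricata crashes in syslog text and checks whether a PID file
# is stale, i.e. left behind by an instance that died on a signal.

# Constructed sample log (not a real capture). Only the first line is a
# Suricata crash; the second belongs to another process and is ignored.
SAMPLE_LOG='Jan 10 10:12:41 kernel pid 92275 (suricata), uid 0: exited on signal 11 (core dumped)
Jan 10 10:13:00 kernel pid 555 (php-fpm), uid 0: exited on signal 11 (core dumped)'

# suricata_crashes LOGTEXT -> one "PID SIGNAL" line per Suricata crash.
suricata_crashes() {
    printf '%s\n' "$1" | awk '/\(suricata\)/ && /exited on signal/ {
        pid = ""; sig = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "pid")    pid = $(i + 1)
            if ($i == "signal") sig = $(i + 1)
        }
        print pid, sig
    }'
}

# count_crashes LOGTEXT -> number of Suricata crash records found.
count_crashes() {
    suricata_crashes "$1" | wc -l | tr -d ' '
}

# pidfile_state PIDFILE -> exit 0 if the PID in the file is alive,
# 1 if the file is stale (present but the process is gone), 2 if there
# is no file. A stale file is what causes the startup error mentioned
# in the reply above; it is safe to remove only in state 1.
pidfile_state() {
    [ -f "$1" ] || return 2
    pid=$(tr -dc '0-9' < "$1")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null && return 0
    return 1
}

# Stand-alone demo against the constructed log.
suricata_crashes "$SAMPLE_LOG"
```

On a pfSense box you would feed it the system log instead of SAMPLE_LOG and point pidfile_state at the per-interface Suricata PID file under /var/run/.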

          @bmeeks Ok, thank you for your time, I will have a look. I did apply the Security IPS Policy, so there are quite a few rules, even though I disabled a few of them already.

          I would just like to ask one question that came to my mind after your response. Is it possible that Suricata could kill the interface in some way that it would not manage to come up again?
          It happened to me twice already (on one of the WAN interfaces) that it just lost the link and, until I restarted the whole system, it just refused to accept any traffic. I doubt that it is a HW problem because I have Intel NICs, but who knows; in the worst case I will go back to Snort, which I have good long experience with...

            bmeeks @r43K9o

            @r43K9o said in Suricata 4.1.X interface stopping:

            @bmeeks Ok, thank you for your time, I will have a look. I did apply the Security IPS Policy, so there are quite a few rules, even though I disabled a few of them already.

            I would just like to ask one question that came to my mind after your response. Is it possible that Suricata could kill the interface in some way that it would not manage to come up again?
            It happened to me twice already (on one of the WAN interfaces) that it just lost the link and, until I restarted the whole system, it just refused to accept any traffic. I doubt that it is a HW problem because I have Intel NICs, but who knows; in the worst case I will go back to Snort, which I have good long experience with...

            Not likely unless you are trying to use the Inline IPS Mode. That mode uses netmap, and there are quite a number of NIC drivers that do not work well at all with the netmap device module. That's a FreeBSD issue and not a direct Suricata issue. I see that your LAN and WIFI links appear to be Broadcom NICs. That brand does not work with netmap mode very well.

            The default blocking mode is Legacy Blocking Mode. That mode uses libpcap, which should not cause an issue with any NIC driver.

              r43K9o @bmeeks

              @bmeeks Yes, I use Legacy mode, never touched the Inline IPS Mode... Thank you.

                bmeeks @r43K9o

                @r43K9o said in Suricata 4.1.X interface stopping:

                @bmeeks It happened to me twice already (on one of the WAN interfaces) that it just lost the link and, until I restarted the whole system, it just refused to accept any traffic.

                You could have some kind of hardware issue on the box. You said you migrated from a virtual appliance to actual hardware. Did all the NIC drivers get updated in config.xml? Did you start fresh or did you import the old configuration from the VM? Something may need changing if you imported from virtual hardware onto actual hardware.

                Certainly won't hurt anything to try Snort, though. If you do, report back on the results.

                Edit: read your original post again after posting this reply and see that one of my questions was already answered.

                  r43K9o @bmeeks

                  @bmeeks HW is based on an HPE ProLiant MicroServer Gen10.
                  The onboard NICs used for the local network are Broadcom 5720, which should use the bge driver, and the Intel NICs are Intel 82576, which use igb, so I assume that the drivers are correct.

                  The system sees about 45% CPU usage at peaks and it uses about 30% of 8GB RAM...

                    bmeeks

                    Do the instances of stopped traffic flow happen with Suricata disabled? You need to start some systematic troubleshooting by eliminating variables and then slowly adding them back one by one to see what might be the cause.

                    Eliminating all packages would be the first option. Let the system run as a basic firewall and see how stable it is. Then start adding packages back. When you get to Suricata, just activate one interface at a time. Let each one run for some period of time (maybe hours or even a day or two) to see how stable the firewall is.

                      r43K9o @bmeeks

                      @bmeeks I started to discuss the crashing link with the ISP because it was a quite weird state: both machines were sending packets but neither of them received anything. So we changed some cables and did some config checks, but neither of us could find anything wrong with either device, because both machines worked quite happily with other HW but not with each other. Everything went quiet after I noticed that in the ARP table the link/MAC address of the gateway on WAN expired randomly, which of course was followed by a lost connection, so I set the MAC address of the gateway as permanent and the problem has not repeated since. I will wait another week or so to confirm that this fixes the problem before I inform the ISP. But I know that he uses that gateway for a large number of other customers without problem, so I doubt that he will be able to help me with anything.
                      I disabled Suricata and installed Snort, and I will be adding functionality back slowly.

                        r43K9o

                        Ok, so after 5 days of running Snort with the same ruleset as Suricata without a single problem, I would say that Suricata was the problem. So I will keep using Snort, as stability is more important for me.
                        Thank you for the help!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.