Netgate Discussion Forum

    Suricata blocking networks in Pass List

    Category: IDS/IPS
    19 Posts, 6 Posters, 1.3k Views
    • rearden27

      I am running 2.5.2-RELEASE (amd64) and Suricata 6.0.0_14 in Legacy mode on the LAN interface.
      I am pretty sure this is a PEBKAC error but I have not been able to find where I have gone wrong in my settings.

      Suricata will block both the LAN IP (192.168.5.174) and the WAN side address even though the Pass List shows the LAN (192.168.5.0/24) should be excluded.

      What else should I check?
      [attached screenshot: aa5c194c-b15e-432d-8299-ba21043b783f-image.png]

      • bmeeks (last edited by bmeeks)

        That clearly should not happen. But I've tried and tried to reproduce this problem in my test machines and failed. You are not the first user to report it, but it is somewhat rare and random.

        The custom blocking module compiled into Suricata for pfSense makes use of a built-in feature in the binary called a Radix Table. That code lets you store IP addresses and subnets into the table, and then later make calls to a "test/compare" function that determines if a passed IP address is contained within an IP entry in the Radix Table. If that lookup fails (meaning the function returns and says the IP address is not covered by an existing Radix Table entry), then the IP is blocked. If the Radix Table function call returns and says the tested IP is covered by an existing Radix Table entry, the IP is not blocked.

        Obviously, for the users that sporadically report this problem, the Radix Table is not correctly testing the passed in IP address. All entries read from a Pass List are added to the Radix Table by the custom blocking plugin. I will dig into this once again to see if I have missed something. But I really suspect an obscure bug in the Radix Table code itself, but I'm not an expert in that code for sure.

        • rearden27 @bmeeks

          @bmeeks Thank you for your quick reply. Tell me if there are logs which may be helpful or suggested work arounds.

          rearden

          • bmeeks @rearden27

            @rearden27 said in Suricata blocking networks in Pass List:

            @bmeeks Thank you for your quick reply. Tell me if there are logs which may be helpful or suggested work arounds.

            rearden

            No, unfortunately there are no logs that will help as nothing to do with the Radix Tree is logged anywhere. And I don't know of a workaround because I honestly have never been able to find the problem. Not doubting folks have the issue, because it has been reported by several users. But it is fairly rare, and seems somewhat random.

            If I could reliably duplicate the issue, it would be a piece of cake to debug and fix. But every single time I've tested in my virtual machine test environment, I can't make the problem occur. Not once have I made it happen for me. One user even sent me his entire Pass List, and I copied it verbatim into two different virtual machines and tested. Could not get his problem to replicate for me. Still not doubting he has the issue, because I could see his blocks in his screen caps like I see yours, but I just could not duplicate it so I could debug and troubleshoot it.

            • SteveITS @rearden27

              @rearden27 If you restart Suricata on LAN does it still recur? Do the Home and External lists look OK?

              Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
              Upvote 👍 helpful posts!

              • bmeeks (last edited by bmeeks)

                I suppose it's within the realm of possibility that the problem is a threading concurrent access one. Although the blocking plugin code, during normal runtime, will only ever read from the Radix Table. It adds addresses to the table during the initial startup of Suricata, but not afterwards.

                That could explain why the bug appears somewhat random. This is just a hypothesis, though.

                • Cool_Corona

                  I had the same issue some time ago. I rebooted the FW and haven't seen the problem since.

                  • viktor_g (Netgate) @Cool_Corona

                    @cool_corona said in Suricata blocking networks in Pass List:

                    I had the same issue some time ago. I rebooted the FW and haven't seen the problem since.

                    @bmeeks, something like https://redmine.pfsense.org/issues/12322 ?..

                    • bmeeks @viktor_g (last edited by bmeeks)

                      @viktor_g said in Suricata blocking networks in Pass List:

                      @cool_corona said in Suricata blocking networks in Pass List:

                      I had the same issue some time ago. I rebooted the FW and haven't seen the problem since.

                      @bmeeks, something like https://redmine.pfsense.org/issues/12322 ?..

                      No, this problem is not an error in the YAML config. The Pass List is a separate text file written to the interface subdirectory under /usr/local/etc/suricata/. The text file can be opened and read in any text editor. The custom blocking module within the binary opens and reads in the contents of the text file during startup initialization of Suricata.

                      In the past, when other users have checked the text file, it contained the proper information. So I suspect the OP will find that his file, too, contains the proper networks. Something happens randomly, I suspect, in the code that is testing IP addresses pulled from the alerts against the addresses and/or subnets stored in the Radix Tree table, such that it fails to find a match when it should. That would lead to erroneous blocking of Pass List IP addresses.

                      • Bob.Dig @rearden27

                        @rearden27 What hardware are you using?

                        • rearden27 @Bob.Dig (last edited by rearden27)

                          I have rebooted several times. This has been happening for a while. I have just gotten around to spending some time on it.

                          I am running on a Dell Optiplex 3020 mini PC with an Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz and 16GB. It has one built-in NIC (WAN interface) and I have two USB NICs. One is a Pluggable 2.5G (LAN interface) and the other is an old 100 Mbit (for the OPT interface). All are Realtek. I am using the updated FreeBSD Realtek driver. The only option for expansion is an M.2 slot, so I have been unable to find an option to use it as a NIC which will work in the system.

                          The system is pretty simple, no VLANs, no virtualization. Suricata is on the LAN. The only installed extra packages are pfBlockerNG-devel and Status Traffic Totals. The install is only about a month old.

                          The HOME LIST contains 192.168.5.0/24 and the External Net has !192.168.5.0/24; they are all Default.

                          • SteveITS @rearden27

                            @rearden27 Brainstorming, can you see in the system logs if the USB LAN is coming up after Suricata starts?

                            What if you create your own pass list for Pass List or maybe Home Net, check all the boxes, and ensure 192.168.5.0/24 is in the alias? I wonder if that might fool it into adding that network even if it's not seen properly at startup.

                            Also note I suggested restarting Suricata, not pfSense, since all interfaces are (now) up.


                            • bmeeks (last edited by bmeeks)

                              If you want to verify the subnet is actually present in the loaded Pass List, just do this:

                              1. Go to the DIAGNOSTICS > EDIT FILE menu choice in pfSense.

                              2. Browse to the following location: /usr/local/etc/suricata/suricata_xxxxx/ where xxxxx is going to be a string composed of the physical interface name and a random UUID number.

                              3. In that subdirectory, click on the passlist file to view its contents.

                              Verify the IP addresses and subnets shown. Everything is plaintext. I'm betting the 192.168.5.0/24 subnet will be properly showing. If it's not (which I doubt), then you've found the problem. But I suspect it will be showing. In that case the problem is back to a random issue within the binary code of Suricata and has nothing at all to do with the PHP GUI code.

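The containment rule bmeeks describes earlier in the thread (an alert IP is blocked only when no pass-list entry covers it) and the on-disk passlist check he walks through just above, modelled in Python as an added example. This is not the pfSense blocking module and not Suricata's own C radix-tree code; it is a small bitwise prefix trie with one root per address family, fed by a constructed passlist text in the one-entry-per-line shape the thread describes. The names RadixPassList, parse_passlist, should_block and covering_entry are this example's own. It makes two things concrete that the posts only state: a bare host entry becomes a /32 or /128 leaf and the longest covering prefix wins regardless of file order, and an IPv4 entry can never cover an IPv6 alert address (or vice versa), because the two families are kept in separate trees.

```python
"""Model of the pass-list containment check discussed in the thread.

Added example, not code from the pfSense Suricata package: it builds a
binary radix (prefix) trie from pass-list lines and applies the rule from
the post -- an alert IP that is NOT covered by some entry gets blocked,
one that IS covered does not.  SAMPLE_PASSLIST below is constructed for
illustration; only the 192.168.5.0/24 entry mirrors the thread.
"""
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class _Node:
    __slots__ = ("children", "network")

    def __init__(self) -> None:
        self.children: List[Optional["_Node"]] = [None, None]
        self.network: Optional[Network] = None  # set on the node ending a prefix


class RadixPassList:
    """Bitwise prefix trie; one root per address family so IPv4 and IPv6
    keys are never compared bit-for-bit against each other."""

    def __init__(self) -> None:
        self._roots = {4: _Node(), 6: _Node()}

    @staticmethod
    def _bits(addr: Address, length: int) -> Iterable[int]:
        packed = int(addr)
        width = addr.max_prefixlen  # 32 or 128
        for i in range(length):
            yield (packed >> (width - 1 - i)) & 1

    def add(self, net: Network) -> None:
        """Walk prefixlen bits of the network address, creating nodes as needed."""
        node = self._roots[net.version]
        for bit in self._bits(net.network_address, net.prefixlen):
            if node.children[bit] is None:
                node.children[bit] = _Node()
            node = node.children[bit]
        node.network = net

    def best_match(self, addr: Address) -> Optional[Network]:
        """Longest pass-list prefix covering addr, or None if nothing covers it."""
        node = self._roots[addr.version]
        best = node.network
        for bit in self._bits(addr, addr.max_prefixlen):
            node = node.children[bit]
            if node is None:
                break
            if node.network is not None:
                best = node.network
        return best


def parse_passlist(text: str) -> RadixPassList:
    """One host or CIDR per line; blank lines and '#' comments are ignored.
    A bare host is stored as a /32 or /128 (strict=False also tolerates
    host bits set in a CIDR entry)."""
    plist = RadixPassList()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        plist.add(ipaddress.ip_network(line, strict=False))
    return plist


def covering_entry(plist: RadixPassList, alert_ip: str) -> Optional[str]:
    """The longest pass-list entry covering alert_ip, as text, or None."""
    net = plist.best_match(ipaddress.ip_address(alert_ip))
    return None if net is None else str(net)


def should_block(plist: RadixPassList, alert_ip: str) -> bool:
    """The rule from the post: block only when the lookup finds no entry."""
    return covering_entry(plist, alert_ip) is None


# Constructed sample in the same shape as the on-disk passlist file.
SAMPLE_PASSLIST = """
# read once by the blocking module when Suricata starts
127.0.0.1
::1
192.168.5.0/24
"""

if __name__ == "__main__":
    plist = parse_passlist(SAMPLE_PASSLIST)
    for ip in ("192.168.5.174", "192.168.5.1", "8.8.8.8", "::1", "2001:db8::1"):
        print(f"{ip:>16}  covered_by={covering_entry(plist, ip)}  blocked={should_block(plist, ip)}")
```

To use it against a live box, paste the contents of the interface's passlist file from under /usr/local/etc/suricata/ into SAMPLE_PASSLIST (or read the file) and feed it the addresses shown on the Blocked tab. If should_block() returns False for an address that Suricata nevertheless blocked, the file is correct and the discrepancy lies, as bmeeks says, inside the binary rather than in the GUI-generated list.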
                              • SteveITS @bmeeks

                                @bmeeks said in Suricata blocking networks in Pass List:

                                random issue within the binary code of Suricata

                                Has anyone reported this with Snort? If not that could be an option for OP.

                                (we've not seen this for any of our clients' instances, with either)


                                • rearden27 @SteveITS

                                  I have created a custom Passlist and verified that it contains 192.168.5.0/24

                                  I have restarted Suricata.

                                  I will wait and see if it blocks any LAN addresses.

                                  Here is the OS boot log. I did have to modify the script to get the USB NIC to be found automatically.
                                  <earlyshellcmd>usbconfig -d 0.5 set_config 1</earlyshellcmd>
                                  and you can see the:
                                  ugen0.5: <Realtek USB 10/100/1G/2.5G LAN> at usbus0
                                  in the log.

                                  On the dashboard Interfaces there is an oddity, in that it does not report 1000baseT <full-duplex>. It is just blank for the LAN interface.
                                  WAN 1000baseT <full-duplex> 67.191.rem.ove
                                  2001:558:6011:4a:a036:3f37:remo:vedd

                                  LAN 192.168.5.1
                                  2601:cc:c100:e96:8eae:4cff:fedd:17b0

                                  OPT1 100baseTX <full-duplex> 192.168.5.244

                                  Copyright (c) 1992-2020 The FreeBSD Project.
                                  Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
                                  The Regents of the University of California. All rights reserved.
                                  FreeBSD is a registered trademark of The FreeBSD Foundation.
                                  FreeBSD 12.2-STABLE fd0f54f44b5c(RELENG_2_5_0) pfSense amd64
                                  FreeBSD clang version 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)
                                  VT(vga): resolution 640x480
                                  CPU: Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz (1995.43-MHz K8-class CPU)
                                  Origin="GenuineIntel" Id=0x306c3 Family=0x6 Model=0x3c Stepping=3
                                  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
                                  Features2=0x7ffafbff<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>
                                  AMD Features=0x2c100800<SYSCALL,NX,Page1GB,RDTSCP,LM>
                                  AMD Features2=0x21<LAHF,ABM>
                                  Structured Extended Features=0x27ab<FSGSBASE,TSCADJ,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,NFPUSG>
                                  XSAVE Features=0x1<XSAVEOPT>
                                  VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID
                                  TSC: P-state invariant, performance statistics
                                  real memory = 17179869184 (16384 MB)
                                  avail memory = 16518086656 (15752 MB)
                                  Event timer "LAPIC" quality 600
                                  ACPI APIC Table: <DELL CBX3 >
                                  FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
                                  FreeBSD/SMP: 1 package(s) x 4 core(s)
                                  random: unblocking device.
                                  ioapic0 <Version 2.0> irqs 0-23 on motherboard
                                  Launching APs: 1 2 3
                                  Timecounter "TSC" frequency 1995425748 Hz quality 1000
                                  ipw_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw.LICENSE.
                                  ipw_bss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
                                  module_register_init: MOD_LOAD (ipw_bss_fw, 0xffffffff8073dd40, 0) error 1
                                  ipw_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw.LICENSE.
                                  ipw_ibss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
                                  module_register_init: MOD_LOAD (ipw_ibss_fw, 0xffffffff8073ddf0, 0) error 1
                                  ipw_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw.LICENSE.
                                  ipw_monitor: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
                                  module_register_init: MOD_LOAD (ipw_monitor_fw, 0xffffffff8073dea0, 0) error 1
                                  iwi_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_iwi.LICENSE.
                                  iwi_bss: If you agree with the license, set legal.intel_iwi.license_ack=1 in /boot/loader.conf.
                                  module_register_init: MOD_LOAD (iwi_bss_fw, 0xffffffff80765730, 0) error 1
                                  iwi_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_iwi.LICENSE.
                                  iwi_ibss: If you agree with the license, set legal.intel_iwi.license_ack=1 in /boot/loader.conf.
                                  module_register_init: MOD_LOAD (iwi_ibss_fw, 0xffffffff807657e0, 0) error 1
                                  iwi_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_iwi.LICENSE.
                                  iwi_monitor: If you agree with the license, set legal.intel_iwi.license_ack=1 in /boot/loader.conf.
                                  module_register_init: MOD_LOAD (iwi_monitor_fw, 0xffffffff80765890, 0) error 1
                                  wlan: mac acl policy registered
                                  random: entropy device external interface
                                  module_register_init: MOD_LOAD (vesa, 0xffffffff8140c3e0, 0) error 19
                                  kbd1 at kbdmux0
                                  random: registering fast source Intel Secure Key RNG
                                  random: fast provider: "Intel Secure Key RNG"
                                  [ath_hal] loaded
                                  000.000056 [4336] netmap_init netmap: loaded module
                                  mlx5en: Mellanox Ethernet driver 3.5.2 (September 2019)
                                  nexus0
                                  vtvga0: <VT VGA driver> on motherboard
                                  cryptosoft0: <software crypto> on motherboard
                                  padlock0: No ACE support.
                                  acpi0: <DELL CBX3 > on motherboard
                                  acpi0: Power Button (fixed)
                                  cpu0: <ACPI CPU> on acpi0
                                  hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0
                                  Timecounter "HPET" frequency 14318180 Hz quality 950
                                  Event timer "HPET" frequency 14318180 Hz quality 550
                                  Event timer "HPET1" frequency 14318180 Hz quality 440
                                  Event timer "HPET2" frequency 14318180 Hz quality 440
                                  Event timer "HPET3" frequency 14318180 Hz quality 440
                                  Event timer "HPET4" frequency 14318180 Hz quality 440
                                  atrtc0: <AT realtime clock> port 0x70-0x77 irq 8 on acpi0
                                  atrtc0: Warning: Couldn't map I/O.
                                  atrtc0: registered as a time-of-day clock, resolution 1.000000s
                                  Event timer "RTC" frequency 32768 Hz quality 0
                                  attimer0: <AT timer> port 0x40-0x43,0x50-0x53 irq 0 on acpi0
                                  Timecounter "i8254" frequency 1193182 Hz quality 0
                                  Event timer "i8254" frequency 1193182 Hz quality 100
                                  Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
                                  acpi_timer0: <24-bit timer at 3.579545MHz> port 0x1808-0x180b on acpi0
                                  pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
                                  pci0: <ACPI PCI bus> on pcib0
                                  vgapci0: <VGA-compatible display> port 0xf000-0xf03f mem 0xf7800000-0xf7bfffff,0xe0000000-0xefffffff irq 17 at device 2.0 on pci0
                                  vgapci0: Boot video device
                                  hdac0: <Intel Haswell HDA Controller> mem 0xf7d14000-0xf7d17fff irq 16 at device 3.0 on pci0
                                  xhci0: <Intel Lynx Point USB 3.0 controller> mem 0xf7d00000-0xf7d0ffff irq 16 at device 20.0 on pci0
                                  xhci0: 32 bytes context size, 64-bit DMA
                                  usbus0: waiting for BIOS to give up control
                                  xhci_interrupt: host controller halted
                                  xhci0: Port routing mask set to 0xffffffff
                                  usbus0 on xhci0
                                  usbus0: 5.0Gbps Super Speed USB v3.0
                                  pci0: <simple comms> at device 22.0 (no driver attached)
                                  ehci0: <Intel Lynx Point USB 2.0 controller USB-B> mem 0xf7d1c000-0xf7d1c3ff irq 16 at device 26.0 on pci0
                                  usbus1: EHCI version 1.0
                                  usbus1 on ehci0
                                  usbus1: 480Mbps High Speed USB v2.0
                                  hdac1: <Intel Lynx Point HDA Controller> mem 0xf7d10000-0xf7d13fff irq 22 at device 27.0 on pci0
                                  pcib1: <ACPI PCI-PCI bridge> irq 16 at device 28.0 on pci0
                                  pcib1: [GIANT-LOCKED]
                                  pcib2: <ACPI PCI-PCI bridge> irq 18 at device 28.2 on pci0
                                  pci1: <ACPI PCI bus> on pcib2
                                  re0: <Realtek PCIe GbE Family Controller> port 0xe000-0xe0ff mem 0xf7c00000-0xf7c00fff,0xf0000000-0xf0003fff irq 18 at device 0.0 on pci1
                                  re0: Using Memory Mapping!
                                  re0: Using 1 MSI-X message
                                  re0: ASPM disabled
                                  re0: version:1.96.04
                                  re0: Ethernet address: 64:00:6a:09:c7:77
                                  This product is covered by one or more of the following patents:
                                  US6,570,884, US6,115,776, and US6,327,625.
                                  re0: Ethernet address: 64:00:6a:09:c7:77
                                  ehci1: <Intel Lynx Point USB 2.0 controller USB-A> mem 0xf7d1b000-0xf7d1b3ff irq 23 at device 29.0 on pci0
                                  usbus2: EHCI version 1.0
                                  usbus2 on ehci1
                                  usbus2: 480Mbps High Speed USB v2.0
                                  isab0: <PCI-ISA bridge> at device 31.0 on pci0
                                  isa0: <ISA bus> on isab0
                                  ahci0: <Intel Lynx Point AHCI SATA controller> port 0xf0b0-0xf0b7,0xf0a0-0xf0a3,0xf090-0xf097,0xf080-0xf083,0xf060-0xf07f mem 0xf7d1a000-0xf7d1a7ff irq 19 at device 31.2 on pci0
                                  ahci0: AHCI v1.30 with 4 6Gbps ports, Port Multiplier not supported
                                  ahcich0: <AHCI channel> at channel 0 on ahci0
                                  ahciem0: <AHCI enclosure management bridge> on ahci0
                                  acpi_button0: <Power Button> on acpi0
                                  acpi_tz0: <Thermal Zone> on acpi0
                                  acpi_tz1: <Thermal Zone> on acpi0
                                  uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
                                  orm0: <ISA Option ROM> at iomem 0xd0000-0xd0fff pnpid ORM0000 on isa0
                                  atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
                                  atkbd0: <AT Keyboard> irq 1 on atkbdc0
                                  kbd0 at atkbd0
                                  atkbd0: [GIANT-LOCKED]
                                  est0: <Enhanced SpeedStep Frequency Control> on cpu0
                                  ZFS filesystem version: 5
                                  ZFS storage pool version: features support (5000)
                                  Timecounters tick every 1.000 msec
                                  hdacc0: <Intel Haswell HDA CODEC> at cad 0 on hdac0
                                  hdaa0: <Intel Haswell Audio Function Group> at nid 1 on hdacc0
                                  pcm0: <Intel Haswell (HDMI/DP 8ch)> at nid 3 on hdaa0
                                  hdacc1: <Realtek ALC255 HDA CODEC> at cad 2 on hdac1
                                  hdaa1: <Realtek ALC255 Audio Function Group> at nid 1 on hdacc1
                                  pcm1: <Realtek ALC255 (Analog)> at nid 20 and 27 on hdaa1
                                  pcm2: <Realtek ALC255 (Front Analog Headphones)> at nid 33 on hdaa1
                                  ugen0.1: <0x8086 XHCI root HUB> at usbus0
                                  ugen1.1: <Intel EHCI root HUB> at usbus1
                                  uhub0: <0x8086 XHCI root HUB, class 9/0, rev 3.00/1.00, addr 1> on usbus0
                                  ugen2.1: <Intel EHCI root HUB> at usbus2
                                  uhub1: <Intel EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus1
                                  Trying to mount root from zfs:pfSense/ROOT/default []...
                                  Root mount waiting for: usbus0 usbus1 usbus2 CAM
                                  uhub2: <Intel EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus2
                                  uhub0: 17 ports with 17 removable, self powered
                                  uhub1: 2 ports with 2 removable, self powered
                                  Root mount waiting for:uhub2: usbus02 ports with 2 removable, self powered
                                  usbus1 usbus2 CAM
                                  ugen0.2: <Dell Dell USB Keyboard Hub> at usbus0
                                  uhub3 on uhub0
                                  uhub3: <Dell USB Keyboard Hub> on usbus0
                                  ugen2.2: <vendor 0x8087 product 0x8000> at usbus2
                                  uhub4 on uhub2
                                  uhub4: <vendor 0x8087 product 0x8000, class 9/0, rev 2.00/0.04, addr 2> on usbus2
                                  ugen1.2: <vendor 0x8087 product 0x8008> at usbus1
                                  uhub5 on uhub1
                                  uhub5: <vendor 0x8087 product 0x8008, class 9/0, rev 2.00/0.04, addr 2> on usbus1
                                  uhub3: Root mount waiting for:3 ports with 2 removable, bus powered
                                  usbus0 usbus1 usbus2 CAM
                                  uhub5: 4 ports with 4 removable, self powered
                                  uhub4: 6 ports with 6 removable, self powered
                                  ugen0.3: <Dell Dell USB Keyboard> at usbus0
                                  ukbd0 on uhub3
                                  ukbd0: <Dell USB Keyboard> on usbus0
                                  kbd2 at ukbd0
                                  uhid0 on uhub3
                                  uhid0: <Dell USB Keyboard> on usbus0
                                  Root mount waiting for: usbus0 CAM
                                  ugen0.4: <Bizlink Corp. DAD> at usbus0
                                  axe0 on uhub0
                                  axe0: <0> on usbus0
                                  ugen0.5: <Realtek USB 10/100/1G/2.5G LAN> at usbus0
                                  miibus0: <MII bus> on axe0
                                  ukphy0: <Generic IEEE 802.3u media interface> PHY 16 on miibus0
                                  ukphy0: none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
                                  ue0: <USB Ethernet> on axe0
                                  ue0: Ethernet address: 9c:eb:e8:0d:42:59
                                  Root mount waiting for: CAM
                                  Root mount waiting for: CAM
                                  Root mount waiting for: CAM
                                  Root mount waiting for: CAM
                                  Root mount waiting for: CAM
                                  ses0 at ahciem0 bus 0 scbus1 target 0 lun 0
                                  ses0: <AHCI SGPIO Enclosure 2.00 0001> SEMB S-E-S 2.00 device
                                  ses0: SEMB SES Device
                                  ada0 at ahcich0 bus 0 scbus0 target 0 lun 0
                                  ada0: <TOSHIBA MQ01ACF050 AV001D> ATA8-ACS SATA 3.x device
                                  ada0: Serial Number 75KSTFZGT
                                  ada0: 600.000MB/s transfers (SATA 3.x, UDMA5, PIO 8192bytes)
                                  ada0: Command Queueing enabled
                                  ada0: 476940MB (976773168 512 byte sectors)
                                  ses0: pass0,ada0 in 'Slot 00', SATA Slot: scbus0 target 0
                                  CPU: Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz (1995.43-MHz K8-class CPU)
                                  Origin="GenuineIntel" Id=0x306c3 Family=0x6 Model=0x3c Stepping=3
                                  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
                                  Features2=0x7ffafbff<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>
                                  AMD Features=0x2c100800<SYSCALL,NX,Page1GB,RDTSCP,LM>
                                  AMD Features2=0x21<LAHF,ABM>
                                  Structured Extended Features=0x27ab<FSGSBASE,TSCADJ,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,NFPUSG>
                                  Structured Extended Features3=0x9c000600<MCUOPT,MD_CLEAR,IBPB,STIBP,L1DFL,SSBD>
                                  XSAVE Features=0x1<XSAVEOPT>
                                  VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID
                                  TSC: P-state invariant, performance statistics
                                  
                                    • rearden27 @bmeeks

                                    @bmeeks
                                    I verified that /usr/local/etc/suricata/suricata_54134_ue1/passlist contains 192.168.5.0/24 as you thought.

                                      • bmeeks @SteveITS (last edited by bmeeks)

                                      @steveits said in Suricata blocking networks in Pass List:

                                      @bmeeks said in Suricata blocking networks in Pass List:

                                      random issue within the binary code of Suricata

                                      Has anyone reported this with Snort? If not that could be an option for OP.

                                      (we've not seen this for any of our clients' instances, with either)

                                      I don't really recall it being reported much at all with Snort. I think the few times something like that has been reported with Snort it turned out to be a user error (most often either failing to assign a custom list on the INTERFACE SETTINGS tab, or failing to restart Snort after changing the assignment).

                                      The internals of the custom blocking plugin work the same way in both packages. The difference is in the native binary calls the plugin makes to check an IP pulled from an alert against those stored in a pass list.

                                      In Snort, the custom plugin keeps its own linked list, and it calls a Snort utility function called sfip_contains() to see if a pass list entry covers the IP pulled from the alert.

In Suricata, the custom plugin uses the built-in Radix Tree functionality packaged with the Suricata binary. My suspicion is an obscure bug in that Radix Tree code. But it could also be something my custom blocking plugin is doing subtly wrong when using that built-in API. It gets back to the fact that if I could reliably reproduce the bug, I could fix it.

• bmeeks @rearden27
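The pass list check described above, as an added example that is not Suricata's code nor the pfSense blocking plugin's: a small IPv4-only binary prefix tree stands in for Suricata's Radix Table, each pass list entry is inserted as a prefix, and the per-alert test walks the alert IP's bits until it meets a stored prefix. The entry format (one address or CIDR per entry) and all function names are assumptions made for illustration.

```c
/* Added example, not code from Suricata or the pfSense blocking plugin: a minimal
 * IPv4 radix (binary prefix) tree for pass list entries and the per-alert check. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct node {
    struct node *child[2];  /* next address bit: 0 or 1 */
    int is_prefix;          /* a pass list entry terminates at this node */
} node_t;

static node_t *node_new(void) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) { perror("calloc"); exit(EXIT_FAILURE); }
    return n;
}

/* Parse "a.b.c.d" or "a.b.c.d/len" into a host-order address and prefix length. */
static int parse_cidr(const char *s, uint32_t *addr, int *plen) {
    char buf[32], *slash, *end;
    struct in_addr in;
    if (strlen(s) >= sizeof buf) return -1;
    strcpy(buf, s);
    *plen = 32;
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        long v = strtol(slash + 1, &end, 10);
        if (*end != '\0' || v < 0 || v > 32) return -1;
        *plen = (int)v;
    }
    if (inet_pton(AF_INET, buf, &in) != 1) return -1;
    *addr = ntohl(in.s_addr);
    return 0;
}

/* Insert one pass list entry: one tree level per prefix bit, MSB first. */
static int radix_insert(node_t *root, const char *entry) {
    uint32_t addr; int plen;
    if (parse_cidr(entry, &addr, &plen) != 0) return -1;
    node_t *n = root;
    for (int i = 0; i < plen; i++) {
        int bit = (addr >> (31 - i)) & 1;
        if (!n->child[bit]) n->child[bit] = node_new();
        n = n->child[bit];
    }
    n->is_prefix = 1;
    return 0;
}

/* 1 if a stored prefix covers ip; the walk stops at the first terminating node,
 * so 192.168.5.0/24 covers 192.168.5.174 with no /32 entry for that host. */
static int radix_contains(const node_t *root, const char *ip) {
    uint32_t addr; int plen;
    if (parse_cidr(ip, &addr, &plen) != 0 || plen != 32) return 0;
    const node_t *n = root;
    for (int i = 0; i < 32 && n; i++) {
        if (n->is_prefix) return 1;
        n = n->child[(addr >> (31 - i)) & 1];
    }
    return n != NULL && n->is_prefix;
}

/* The per-alert decision: block unless the pass list covers the IP. */
static int should_block(const node_t *passlist, const char *ip) {
    return !radix_contains(passlist, ip);
}

/* One entry vs one alert IP; -1 on a malformed entry (tree not freed; example only). */
static int decide(const char *entry, const char *ip) {
    node_t *root = node_new();
    if (radix_insert(root, entry) != 0) return -1;
    return should_block(root, ip);
}

int main(void) { /* constructed check mirroring the thread's LAN entry */
    printf("192.168.5.174 in 192.168.5.0/24 -> %s\n",
           decide("192.168.5.0/24", "192.168.5.174") ? "BLOCK" : "pass");
    return 0;
}
```

With a correct containment test, the thread's LAN host 192.168.5.174 is reported as "pass" for the entry 192.168.5.0/24; a block of that host means either the entry never reached the table or the lookup itself misbehaved.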

                                        @rearden27 said in Suricata blocking networks in Pass List:

                                        I have created a custom Passlist and verified that it contains 192.168.5.0/24

                                        I have restarted Suricata.

I will wait and see if it blocks any LAN addresses.

                                        Here is the OS boot log. I did have to modify the script to get the usb to automatically find the usb.
                                        <earlyshellcmd>usbconfig -d 0.5 set_config 1</earlyshellcmd>
                                        and you can see the:
                                        ugen0.5: <Realtek USB 10/100/1G/2.5G LAN> at usbus0
                                        in the log.

                                        On the dashboard Interfaces there is an oddity, in that it does not report 1000baseT <full-duplex>. It is just blank for the LAN interface.
                                        WAN 1000baseT <full-duplex> 67.191.rem.ove
                                        2001:558:6011:4a:a036:3f37:remo:vedd

                                        LAN 192.168.5.1
                                        2601:cc:c100:e96:8eae:4cff:fedd:17b0

                                        OPT1 100baseTX <full-duplex> 192.168.5.244

                                        Realtek NICs are problematic at times in FreeBSD, and a USB Realtek would likely be doubly so. In a sense, you are lucky it works at all.

                                        However, the type of NIC is not the issue here at all. It is something peculiar within the Suricata binary code that seems to get triggered in rare circumstances. So far, I've been unsuccessful in identifying how to reliably trigger the bug. And therefore, fixing it has been an impossible task.

• rearden27 @bmeeks

                                          @bmeeks Thank you for looking at this. I appreciate it.
The Realteks have been squirrelly. But I have not been able to find a solution to my lack of expansion ports and no Intel USB3 NICs.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.