suricata update killing WAN interface



  • Hello Everyone,

    I am running pfSense 2.4.4-RELEASE-p3 (amd64) with Suricata version 4.1.5_2. I had set Suricata to update rules every 12 hours at the default time of 00:30. Each time Suricata updates its rule set, it takes the interface down, and the interface comes back up after 15-20 seconds. As I am running Suricata on the WAN interface, the internet goes down until the WAN comes back up again.

    It happens twice a day as the update interval is 12 hrs.

    As a workaround, I have changed the update interval to 1 day and set the time to 05:30, when traffic is very low.

    There is also an option to live reload rules; mine is still unchecked. This might resolve the issue, but I am not sure what other implications it might bring.

    Logs:

    Nov 26 00:30:10 pfSense php-cgi: [Suricata] ERROR: Rules download error: Operation timed out after 10003 milliseconds with 0 out of 0 bytes received
    Nov 26 00:30:10 pfSense php-cgi: [Suricata] Will retry the download in 15 seconds...
    Nov 26 00:30:27 pfSense php-cgi: File 'emerging.rules.tar.gz.md5' download attempts: 2 ...
    Nov 26 00:30:27 pfSense php-cgi: [Suricata] Emerging Threats Open rules are up to date...
    Nov 26 00:30:27 pfSense php-cgi: [Suricata] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
    Nov 26 00:30:35 pfSense php-cgi: [Suricata] Snort GPLv2 Community Rules file update downloaded successfully.
    Nov 26 00:30:36 pfSense php-cgi: [Suricata] Updating rules configuration for: BLAZENET_ISP_1 ...
    Nov 26 00:30:37 pfSense php-cgi: [Suricata] Building new sid-msg.map file for BLAZENET_ISP_1...
    Nov 26 00:30:37 pfSense SuricataStartup69633: Suricata STOP for BLAZENET_ISP_1_WAN(27120_em0)...
    Nov 26 00:30:38 pfSense kernel: em0: link state changed to DOWN
    Nov 26 00:30:38 pfSense check_reload_status: Linkup starting em0
    Nov 26 00:30:39 pfSense php-fpm: /rc.linkup: Hotplug event detected for BLAZENET_ISP_1(wan) static IP (X.X.X.X )
    Nov 26 00:30:39 pfSense check_reload_status: Reloading filter
    Nov 26 00:30:39 pfSense php-cgi: [Suricata] Suricata has restarted with your new set of rules...
    Nov 26 00:30:39 pfSense php-cgi: [Suricata] The Rules update has finished.
    Nov 26 00:30:39 pfSense SuricataStartup76330: Suricata START for BLAZENET_ISP_1_WAN(27120_em0)...

    Nov 26 00:30:54 pfSense check_reload_status: Linkup starting em0
    Nov 26 00:30:54 pfSense kernel: em0: link state changed to UP
    Nov 26 00:30:55 pfSense php-fpm: /rc.linkup: Hotplug event detected for BLAZENET_ISP_1(wan) static IP (X.X.X.X )
    Nov 26 00:30:55 pfSense check_reload_status: rc.newwanip starting em0
    Nov 26 00:30:55 pfSense check_reload_status: Reloading filter
    Nov 26 00:30:56 pfSense php-fpm: /rc.newwanip: rc.newwanip: Info: starting on em0.
    Nov 26 00:30:56 pfSense php-fpm: /rc.newwanip: rc.newwanip: on (IP address: X.X.X.X) (interface: BLAZENET_ISP_1[wan]) (real interface: em0).
    Nov 26 00:30:56 pfSense check_reload_status: Reloading filter

    Nov 26 06:00:00 pfSense php-cgi: [Suricata] Checking for updated MaxMind GeoLite2 IP database file...
    Nov 26 06:00:01 pfSense php-cgi: [Suricata] GeoLite2-Country IP database is up-to-date.
    Nov 26 06:00:01 pfSense php-cgi: [Suricata] GeoLite2-Country database update check finished.
    Nov 26 12:30:07 pfSense php-cgi: [Suricata] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
    Nov 26 12:30:19 pfSense php-cgi: [Suricata] Emerging Threats Open rules file update downloaded successfully.
    Nov 26 12:30:20 pfSense php-cgi: [Suricata] Snort GPLv2 Community Rules are up to date...
    Nov 26 12:30:22 pfSense php-cgi: [Suricata] Updating rules configuration for: BLAZENET_ISP_1 ...
    Nov 26 12:30:23 pfSense php-cgi: [Suricata] Building new sid-msg.map file for BLAZENET_ISP_1...
    Nov 26 12:30:23 pfSense SuricataStartup32425: Suricata STOP for BLAZENET_ISP_1_WAN(27120_em0)...
    Nov 26 12:30:25 pfSense kernel: em0: link state changed to DOWN
    Nov 26 12:30:25 pfSense check_reload_status: Linkup starting em0
    Nov 26 12:30:26 pfSense php-fpm: /rc.linkup: Hotplug event detected for BLAZENET_ISP_1(wan) static IP (X.X.X.X )
    Nov 26 12:30:26 pfSense check_reload_status: Reloading filter
    Nov 26 12:30:26 pfSense php-cgi: [Suricata] Suricata has restarted with your new set of rules...
    Nov 26 12:30:26 pfSense php-cgi: [Suricata] The Rules update has finished.
    Nov 26 12:30:26 pfSense SuricataStartup36834: Suricata START for BLAZENET_ISP_1_WAN(27120_em0)...
    Nov 26 12:30:26 pfSense check_reload_status: Syncing firewall

    Nov 26 12:30:44 pfSense check_reload_status: Linkup starting em0
    Nov 26 12:30:44 pfSense kernel: em0: link state changed to UP
    Nov 26 12:30:45 pfSense php-fpm: /rc.linkup: Hotplug event detected for BLAZENET_ISP_1(wan) static IP (X.X.X.X )
    Nov 26 12:30:45 pfSense check_reload_status: rc.newwanip starting em0
    Nov 26 12:30:45 pfSense check_reload_status: Reloading filter
    Nov 26 12:30:46 pfSense php-fpm: /rc.newwanip: rc.newwanip: Info: starting on em0.
    Nov 26 12:30:46 pfSense php-fpm: /rc.newwanip: rc.newwanip: on (IP address: X.X.X.X) (interface: BLAZENET_ISP_1[wan]) (real interface: em0).
    Nov 26 12:30:46 pfSense check_reload_status: Reloading filter
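    As an added example (not from any of the posters), the script below reads pfSense syslog lines in the format shown above and measures each WAN link outage, attributing it to a Suricata rule-update restart when a "Suricata STOP" for the same interface precedes the "link state changed to DOWN" within a short window. The sample lines are constructed in the shape of the post's log; the 03:15 outage is made up to show an outage that is not caused by Suricata.

```python
import re
from datetime import datetime

# Constructed sample in the format of the pfSense syslog lines above.
SAMPLE_LOG = """\
Nov 26 00:30:37 pfSense SuricataStartup69633: Suricata STOP for BLAZENET_ISP_1_WAN(27120_em0)...
Nov 26 00:30:38 pfSense kernel: em0: link state changed to DOWN
Nov 26 00:30:39 pfSense SuricataStartup76330: Suricata START for BLAZENET_ISP_1_WAN(27120_em0)...
Nov 26 00:30:54 pfSense kernel: em0: link state changed to UP
Nov 26 03:15:02 pfSense kernel: em0: link state changed to DOWN
Nov 26 03:15:40 pfSense kernel: em0: link state changed to UP
Nov 26 12:30:23 pfSense SuricataStartup32425: Suricata STOP for BLAZENET_ISP_1_WAN(27120_em0)...
Nov 26 12:30:25 pfSense kernel: em0: link state changed to DOWN
Nov 26 12:30:44 pfSense kernel: em0: link state changed to UP
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
STOP_RE = re.compile(r"Suricata STOP for \S+\(\d+_(\w+)\)")
LINK_RE = re.compile(r"kernel: (\w+): link state changed to (DOWN|UP)")


def correlate_outages(log_text, window_s=30):
    """Return one dict per completed DOWN->UP outage, tagged with its likely cause."""
    last_stop = {}  # iface -> time of the most recent Suricata STOP on it
    down_at = {}    # iface -> time of a DOWN still waiting for its UP
    outages = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog carries no year; strptime defaults to 1900, fine for deltas
        ts = datetime.strptime(re.sub(r"\s+", " ", m.group(1)), "%b %d %H:%M:%S")
        msg = m.group(2)
        s = STOP_RE.search(msg)
        if s:
            last_stop[s.group(1)] = ts
            continue
        l = LINK_RE.search(msg)
        if not l:
            continue
        iface, state = l.groups()
        if state == "DOWN":
            down_at[iface] = ts
        elif iface in down_at:
            down = down_at.pop(iface)
            stop = last_stop.get(iface)
            caused = stop is not None and 0 <= (down - stop).total_seconds() <= window_s
            outages.append({"iface": iface, "down": down.strftime("%b %d %H:%M:%S"),
                            "duration_s": int((ts - down).total_seconds()),
                            "cause": "suricata restart" if caused else "unexplained"})
    return outages


def total_suricata_downtime(outages):
    """Seconds of link downtime attributable to Suricata restarts."""
    return sum(o["duration_s"] for o in outages if o["cause"] == "suricata restart")


if __name__ == "__main__":
    found = correlate_outages(SAMPLE_LOG)
    for o in found:
        print(o)
    print("WAN seconds lost to Suricata restarts:", total_suricata_downtime(found))
```

    Run against a real /var/log/system.log the same correlation shows whether the daily outage count matches the rule-update schedule before changing the interval or enabling live reload.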


  • LAYER 8

    AFAIK live update just needs more memory available for the process; if you have enough, just use live update.
    I have it set to live update without any problem.



  • How about an Intel(R) Celeron(R) CPU J1900 @ 1.99GHz with 4 cores and 4 GB of RAM?

    Out of the 4 GB of RAM, the system utilisation is around 25-27%.

    Is this sufficient?


  • LAYER 8

    yes, of course

