Netgate Discussion Forum
    Suricata 4.1.X interface stopping [Sorted by going back to Snort]

    IDS/IPS
    14 Posts 2 Posters 976 Views
      r43K9o
      last edited by r43K9o

      I have moved pfSense from a virtual appliance to HW, did a clean install and imported the settings. Previously I used Snort, but I wanted to set up Suricata, so I did.

      I have 6 interfaces that Suricata is running on: 2 WAN connections, and the rest are LAN and WIFI. Only the WAN interfaces are currently configured to block traffic. Everything is working fine except my main LAN interface, which will just randomly stop anywhere between 2-12 hours and cannot be started again until Suricata is restarted (or the pid file is deleted, see below).

      There are no obvious errors explaining why Suricata stopped (in my opinion, the errors are only related to signatures).
      Last entries for suricata.log on LAN between rule reloads:

      ...
      10/1/2020 -- 09:44:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34056; rev:3;)" from file /usr/local/etc/suricata/suricata_20029_bge0/rules/suricata.rules at line 34018
      10/1/2020 -- 09:44:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
      10/1/2020 -- 09:44:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34055; rev:3;)" from file /usr/local/etc/suricata/suricata_20029_bge0/rules/suricata.rules at line 34019
      10/1/2020 -- 09:44:19 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
      10/1/2020 -- 09:44:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Watchguard XCS compose.php SQL injection attempt"; flow:to_server,established; content:"/borderpost/imp/compose.php"; fast_pattern:only; http_uri; content:"sid="; nocase; http_raw_cookie; content:"%3B"; distance:0; nocase; http_raw_cookie; pcre:"/sid=[^\x3b]*?%3B/Ki"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.watchguard.com/support/release-notes/xcs/index.aspx; classtype:attempted-admin; sid:35573; rev:2;)" from file /usr/local/etc/suricata/suricata_20029_bge0/rules/suricata.rules at line 34145
      10/1/2020 -- 09:44:20 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
      10/1/2020 -- 09:44:20 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36102; rev:3;)" from file /usr/local/etc/suricata/suricata_20029_bge0/rules/suricata.rules at line 34171
      10/1/2020 -- 09:44:20 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
      10/1/2020 -- 09:44:20 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36101; rev:3;)" from file /usr/local/etc/suricata/suricata_20029_bge0/rules/suricata.rules at line 34172
      10/1/2020 -- 09:44:20 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
      10/1/2020 -- 09:44:20 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera multipart boundary stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; nocase; http_uri; content:"usrBeatHeart"; fast_pattern:only; content:"Boundary="; nocase; http_raw_header; isdataat:256,relative; content:!"|0A|"; within:256; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2830; reference:url,www.talosintelligence.com/reports/TALOS-2017-0331/; classtype:web-application-attack; sid:42437; rev:3;)" from file /usr/local/etc/suricata/suricata_20029_bge0/rules/suricata.rules at line 34661
      10/1/2020 -- 09:44:20 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
      10/1/2020 -- 09:44:20 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke DNNPersonalization remote code execution attempt"; flow:to_server,established; content:"DNNPersonalization"; fast_pattern:only; content:"DNNPersonalization"; http_cookie; content:"System.Data.Services.Internal.ExpandedWrapper"; within:100; http_cookie; content:"System.Windows.Data.ObjectDataProvider"; within:200; http_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9822; reference:url,www.dnnsoftware.com/community/security/security-center; classtype:attempted-admin; sid:45414; rev:2;)" from file /usr/local/etc/suricata/suricata_20029_bge0/rules/suricata.rules at line 34802
      10/1/2020 -- 09:44:20 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
      10/1/2020 -- 09:44:20 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:1;)" from file /usr/local/etc/suricata/suricata_20029_bge0/rules/suricata.rules at line 34945
      10/1/2020 -- 09:44:20 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
      10/1/2020 -- 09:44:20 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt"; flow:to_server,established; content:"query=--open-files-in-pager"; fast_pattern:only; content:"/tree/"; http_uri; content:"/search"; distance:0; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:47599; rev:1;)" from file /usr/local/etc/suricata/suricata_20029_bge0/rules/suricata.rules at line 35044
      10/1/2020 -- 09:44:21 - <Info> -- 2 rule files processed. 35960 rules successfully loaded, 84 rules failed
      10/1/2020 -- 09:44:21 - <Info> -- Threshold config parsed: 31 rule(s) found
      10/1/2020 -- 09:44:23 - <Info> -- 35964 signatures processed. 1081 are IP-only rules, 6498 are inspecting packet payload, 22560 inspect application layer, 103 are decoder event only
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28579 and 6 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.swf|file.ole' is checked but not set. Checked in 25676 and 1 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.jpeg|file.tiff' is checked but not set. Checked in 25346 and 1 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.jpeg|file.xps' is checked but not set. Checked in 41202 and 1 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.jar|file.class|file.ttf' is checked but not set. Checked in 24701 and 1 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.class|file.jar' is checked but not set. Checked in 31540 and 1 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.tiff|file.doc' is checked but not set. Checked in 28464 and 1 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.rtf|file.ole' is checked but not set. Checked in 37559 and 1 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.doc|file.docx' is checked but not set. Checked in 45370 and 1 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.ole|file.doc' is checked but not set. Checked in 30533 and 3 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.corel|file.doc' is checked but not set. Checked in 36500 and 1 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.doc|file.rtf' is checked but not set. Checked in 45519 and 1 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.doc|file.xls' is checked but not set. Checked in 44559 and 1 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.pyc|file.zip' is checked but not set. Checked in 45477 and 1 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.doc|file.docm' is checked but not set. Checked in 43975 and 1 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.ppsx&file.zip' is checked but not set. Checked in 26068 and 1 other sigs
      10/1/2020 -- 09:44:23 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.docm|file.docx|file.ppsx|file.pptx|file.xlsx' is checked but not set. Checked in 26066 and 1 other sigs
      10/1/2020 -- 09:44:43 - <Info> -- cleaning up signature grouping structure... complete
      10/1/2020 -- 09:44:43 - <Notice> -- rule reload complete
      

      It seems that after some of the reloads the interface just refuses to start again. If I try to start it again it gives me:

      10/1/2020 -- 10:59:33 - <Notice> -- This is Suricata version 4.1.6 RELEASE
      10/1/2020 -- 10:59:33 - <Info> -- CPUs/cores online: 4
      10/1/2020 -- 10:59:33 - <Info> -- HTTP memcap: 67108864
      10/1/2020 -- 10:59:34 - <Notice> -- using flow hash instead of active packets
      10/1/2020 -- 10:59:34 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_bge020029.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_bge020029.pid. Aborting!
      

      Of course, if I delete the pid file (or restart Suricata), it will start again, but it will also "crash" again in a few hours.

      I tried checksum offloading both enabled and disabled, and because I have a lot of RAM in this system I assigned a lot of it to Stream Memory Cap: 805306400, just to be sure that it is not the cause.

      I originally set up Suricata v4.1.5 and updated this morning to 4.1.6, so the problem is not related to the latest or previous version in my case.

      What steps would you recommend taking, or which logs could shine some light on this problem?

        bmeeks
        last edited by bmeeks

        Look in the pfSense system log to see what errors might be getting logged there. The fact you have a leftover, or "stale", PID file indicates the Suricata binary is crashing hard and not cleaning up behind itself. Look in the pfSense log for any messages related to Suricata around the time the interface goes down.

        What kind of hardware platform are you running pfSense on now? Is it Intel/AMD64 or ARM?

        Those rule parsing errors are expected when you run the Snort Subscriber Rules with Suricata. Snort has a number of rule options and keywords that Suricata does not support. However, those parsing errors are not the cause of Suricata stopping. When Suricata does not understand a rule, it logs an error and just skips loading that rule completely.

        Post back with anything you find in the pfSense system log.

        From the log entry showing the rules parsing errors, it appears Suricata might be crashing during the live reload process (if you have that enabled). You could try turning that off if enabled. Also make sure you DO NOT have the Service Watchdog package configured to monitor Suricata. That will cause crashes because Service Watchdog does not understand how to correctly monitor Suricata or Snort.

          r43K9o
          last edited by r43K9o

          Live reload is disabled and I do not use Service Watchdog.

          Should I be looking at "System -> General" under logs?

          Only mention of Suricata there is: (LAN = bge0)

          Jan 10 13:58:37	SuricataStartup	45038	Suricata START for LAN(20029_bge0)...
          Jan 10 13:56:36	SuricataStartup	29563	Suricata START for LAN(20029_bge0)...
          Jan 10 12:58:56	SuricataStartup	31927	Suricata START for LAN(20029_bge0)...
          Jan 10 08:31:49	SuricataStartup	98333	Suricata START for WAN2(2355_igb1)...
          Jan 10 08:31:48	SuricataStartup	96262	Suricata START for WIFI-GUEST(59582_bge1.101)...
          Jan 10 08:31:46	SuricataStartup	94669	Suricata START for WIFI-EMP(54693_bge1.102)...
          Jan 10 08:31:45	SuricataStartup	93549	Suricata START for WIFI(21461_bge1)...
          Jan 10 08:31:44	SuricataStartup	91898	Suricata START for LAN(20029_bge0)...
          Jan 10 08:31:42	SuricataStartup	37751	Suricata START for WAN1(24374_igb0)...
          Jan 10 08:29:20	SuricataStartup	50897	Suricata STOP for WAN2(2355_igb1)...
          Jan 10 08:29:18	SuricataStartup	47441	Suricata STOP for WIFI-GUEST(59582_bge1.101)...
          Jan 10 08:29:16	SuricataStartup	42601	Suricata STOP for WIFI-EMP(54693_bge1.102)...
          Jan 10 08:29:13	SuricataStartup	36724	Suricata STOP for WIFI(21461_bge1)...
          Jan 10 08:29:10	SuricataStartup	18941	Suricata STOP for LAN(20029_bge0)...
          Jan 10 08:29:08	SuricataStartup	14207	Suricata STOP for WAN1(24374_igb0)...
          Jan 10 08:17:06	SuricataStartup	16942	Suricata START for WAN2(2355_igb1)...
          Jan 10 08:17:04	SuricataStartup	4625	Suricata START for WIFI-GUEST(59582_bge1.101)...
          Jan 10 08:17:02	SuricataStartup	95564	Suricata START for WIFI-EMP(54693_bge1.102)...
          Jan 10 08:17:01	SuricataStartup	85993	Suricata START for WIFI(21461_bge1)...
          Jan 10 08:16:59	SuricataStartup	79421	Suricata START for LAN(20029_bge0)...
          Jan 10 08:16:58	SuricataStartup	77445	Suricata START for WAN1(24374_igb0)...
          Jan 10 08:16:56	SuricataStartup	66239	Suricata STOP for WAN2(2355_igb1)...
          Jan 10 08:16:54	SuricataStartup	56979	Suricata STOP for WIFI-GUEST(59582_bge1.101)...
          Jan 10 08:16:52	SuricataStartup	50785	Suricata STOP for WIFI-EMP(54693_bge1.102)...
          Jan 10 08:16:49	SuricataStartup	36495	Suricata STOP for WIFI(21461_bge1)...
          Jan 10 08:16:48	SuricataStartup	31261	Suricata STOP for LAN(20029_bge0)...
          Jan 10 08:16:46	SuricataStartup	19439	Suricata STOP for WAN1(24374_igb0)...
          

          System is Intel/AMD64 on an AMD Opteron(tm) X3418 APU with 8 GB of RAM.

            bmeeks @r43K9o
            last edited by bmeeks

            @r43K9o said in Suricata 4.1.X interface stopping:

            Live reload is disabled and I do not use Service Watchdog.

            Should I be looking at "System -> General" under logs?

            Yes, you are looking at the correct system log, but you might need to let Suricata run until it crashes and then check the system log immediately so that any logged event does not get "rolled off" due to the way clog on pfSense only keeps the most current events.

            Another question would be why your interfaces are restarting so often. Suricata should generally only look for rule updates at most twice per day, and really once per day is sufficient. Do you have interfaces flapping, or is something on your pfSense box causing it to issue the "restart all packages" command often?

            Also scour the system log for any "out of memory" events. That many interfaces with only 8 GB might be a stretch depending on the number of enabled rules. During a rule update/swap, Suricata will briefly need almost double the amount of normal RAM because it has to keep the old and new versions of the rules in memory at the same time.

              r43K9o @bmeeks
              last edited by r43K9o

              @bmeeks Ok, sorry, I'm dumb, the process is running under PHP... This is everything that happened since the update... As far as I know, interface monitoring "crashed once during that time".

              (I had to upload it as a file because otherwise it was flagged as spam for some reason.)

              suricata log.txt

              Suricata was restarted once in the morning because LAN interface monitoring was down, and then shortly after I upgraded to 4.6.1, which I assume caused a restart.

                bmeeks @r43K9o
                last edited by bmeeks

                @r43K9o said in Suricata 4.1.X interface stopping:

                @bmeeks Ok, sorry, I'm dumb, the process is running under PHP... This is everything that happened since the update... As far as I know, interface monitoring "crashed once during that time".

                Your LAN interface is the one crashing. Here is the log entry:

                Jan 10 10:12:41	kernel		pid 92275 (suricata), uid 0: exited on signal 11 (core dumped)
                

                And when that interface instance crashes, it will leave its PID file in /var/run/ and thus you get the subsequent startup error about a stale PID file.

                Why it crashed is not logged (and thus not known). Very well could be a rule that is causing it. The Suricata binary has had issues from time to time with buggy code because they maintain a fairly rapid update/release schedule as compared to Snort. So bugs come and go with new versions of the binary.

                I would disable all of the LAN rules temporarily and then start adding them back one category at the time to see if you can pinpoint which rule category might be causing the issue. For now, a rule problem would be my first guess as to what's happening.

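As an added example (not code from the thread or from the pfSense Suricata package), here is a small parser over constructed pfSense system-log lines in the tab-separated layout shown above. It pulls out the kernel "exited on signal" entries for suricata, pairs each crash with the next SuricataStartup START (the sequence that leaves a stale PID file behind), counts STARTs per interface, and classifies a PID file's content before anyone deletes it. The sample lines, their timestamps and the year are assumptions.

```python
import os
import re
from datetime import datetime

# Constructed sample pfSense system-log lines (timestamp, process, pid, message,
# tab-separated). This is NOT the poster's attached "suricata log.txt".
SAMPLE_LOG = """\
Jan 10 08:31:44\tSuricataStartup\t91898\tSuricata START for LAN(20029_bge0)...
Jan 10 08:31:49\tSuricataStartup\t98333\tSuricata START for WAN2(2355_igb1)...
Jan 10 10:12:41\tkernel\t\tpid 92275 (suricata), uid 0: exited on signal 11 (core dumped)
Jan 10 12:58:56\tSuricataStartup\t31927\tSuricata START for LAN(20029_bge0)...
Jan 10 13:56:36\tSuricataStartup\t29563\tSuricata START for LAN(20029_bge0)...
Jan 10 13:58:37\tSuricataStartup\t45038\tSuricata START for LAN(20029_bge0)...
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
# kernel line written when a process dies on a signal; its pid column is empty
CRASH_RE = re.compile(
    TS + r"\tkernel\t+pid (?P<pid>\d+) \((?P<proc>[^)]+)\), uid \d+: "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?"
)
# lines the pfSense Suricata package writes when it starts/stops an instance
STARTUP_RE = re.compile(
    TS + r"\tSuricataStartup\t\d+\tSuricata (?P<action>START|STOP) for "
    r"(?P<iface>[^(]+)\((?P<uuid>\d+)_(?P<dev>[^)]+)\)"
)
SIGNAMES = {6: "SIGABRT", 9: "SIGKILL", 11: "SIGSEGV", 15: "SIGTERM"}


def parse_ts(text, year):
    """clog lines carry no year, so the caller has to supply it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_crashes(log_text, year=2020):
    """Find suricata processes the kernel reported as 'exited on signal' and
    pair each with the next SuricataStartup START. A process killed by
    SIGSEGV never unlinks its PID file, so this is the sequence behind the
    'pid file exists but appears stale' error at the next start."""
    events = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m and m.group("proc") == "suricata":
            sig = int(m.group("sig"))
            events.append(("crash", parse_ts(m.group("ts"), year), {
                "pid": int(m.group("pid")),
                "signal": sig,
                "signame": SIGNAMES.get(sig, f"SIG{sig}"),
                "core_dumped": m.group("core") is not None,
            }))
            continue
        m = STARTUP_RE.match(line)
        if m and m.group("action") == "START":
            events.append(("start", parse_ts(m.group("ts"), year),
                           {"iface": m.group("iface")}))
    events.sort(key=lambda e: e[1])  # clog shows newest first; normalise order
    crashes = []
    for i, (kind, ts, info) in enumerate(events):
        if kind != "crash":
            continue
        crash = dict(info, ts=ts, restarted_iface=None, gap_seconds=None)
        for k, t, d in events[i + 1:]:
            if k == "start":
                crash["restarted_iface"] = d["iface"]
                crash["gap_seconds"] = int((t - ts).total_seconds())
                break
        crashes.append(crash)
    return crashes


def start_counts(log_text):
    """START events per interface; more than a couple per day means something
    other than the scheduled rule update is restarting the instances."""
    counts = {}
    for line in log_text.splitlines():
        m = STARTUP_RE.match(line)
        if m and m.group("action") == "START":
            counts[m.group("iface")] = counts.get(m.group("iface"), 0) + 1
    return counts


CURRENT_PID = os.getpid()  # used only to demonstrate the 'running' case


def pid_state(pid_text):
    """Classify the content of a /var/run/suricata_*.pid file before touching
    it: 'running' (do not delete), 'stale' (safe to remove, as the error
    message instructs) or 'invalid' (not a number)."""
    pid_text = pid_text.strip()
    if not pid_text.isdigit():
        return "invalid"
    try:
        os.kill(int(pid_text), 0)  # signal 0 only checks that the pid exists
    except ProcessLookupError:
        return "stale"
    except PermissionError:
        return "running"  # exists but belongs to another user
    return "running"
```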
                  r43K9o @bmeeks
                  last edited by

                  @bmeeks Ok, thank you for your time, I will have a look. I did apply the Security IPS Policy, so there are quite a few rules, even though I disabled a few of them already.

                  I would just like to ask one question that came to my mind after your response. Is it possible that Suricata could kill the interface in some way that it would not manage to come up again?
                  It happened to me twice already (on one of the WAN interfaces) that it just lost the link, and until I restarted the whole system it just refused to accept any traffic. I doubt that it is a HW problem because I have Intel NICs, but who knows; in the worst case I will go back to Snort, which I have good long experience with...

                    bmeeks @r43K9o
                    last edited by bmeeks

                    @r43K9o said in Suricata 4.1.X interface stopping:

                    @bmeeks Ok, thank you for your time, I will have a look. I did apply the Security IPS Policy, so there are quite a few rules, even though I disabled a few of them already.

                    Not likely unless you are trying to use the Inline IPS Mode. That mode uses netmap, and there are quite a number of NIC drivers that do not work well at all with the netmap device module. That's a FreeBSD issue and not a direct Suricata issue. I see that your LAN and WIFI links appear to be Broadcom NICs. That brand does not work with netmap mode very well.

                    The default blocking mode is Legacy Blocking Mode. That mode uses libpcap, which should not cause an issue with any NIC driver.

                      r43K9o @bmeeks
                      last edited by

                      @bmeeks Yes, I use Legacy mode, I never touch the Inline IPS Mode... Thank you.

                        bmeeks @r43K9o
                        last edited by bmeeks

                        @r43K9o said in Suricata 4.1.X interface stopping:

                        @bmeeks It happened to me twice already (on one of the WAN interfaces) that it just lost the link, and until I restarted the whole system it just refused to accept any traffic.

                        You could have some kind of hardware issue on the box. You said you migrated from a virtual appliance to actual hardware. Did all the NIC drivers get updated in config.xml? Did you start fresh or did you import the old configuration from the VM? Something may need changing if you imported from virtual hardware onto actual hardware.

                        Certainly won't hurt anything to try Snort, though. If you do, report back on the results.

                        Edit: read your original post again after posting this reply and see that one of my questions was already answered.

                          r43K9o @bmeeks
                          last edited by r43K9o

                          @bmeeks HW is based on an HPE ProLiant MicroServer Gen10.
                          The onboard NICs used for the local network are Broadcom 5720, which should use the bge driver, and the Intel NICs are Intel 82576, which are igb, so I assume that the drivers are correct.

                          The system sees about 45% CPU usage at peaks and it uses about 30% of the 8 GB RAM...

                            bmeeks
                            last edited by

                            Do the instances of stopped traffic flow happen with Suricata disabled? You need to start some systematic troubleshooting by eliminating variables and then slowly adding them back one by one to see what might be the cause.

                            Eliminating all packages would be the first option. Let the system run as a basic firewall and see how stable it is. Then start adding packages back. When you get to Suricata, just activate one interface at a time. Let each one run for some period of time (maybe hours or even a day or two) to see how stable the firewall is.

                              r43K9o @bmeeks
                              last edited by

                              @bmeeks I started to discuss the crashing link with the ISP because it was quite a weird state: both machines were sending packets but neither of them received anything. So we changed some cables and did some config checks, but neither of us could find anything wrong with either device, because both machines worked quite happily with other HW but not with each other. Everything went quiet after I noticed that in the ARP table the link/MAC address of the gateway on the WAN expired randomly, which of course was followed by a lost connection, so I set the MAC address of the gateway as permanent and the problem has not repeated since. I will wait for another week or so to confirm that this fixes the problem before I inform the ISP. But I know that he uses that gateway for a large number of other customers without problems, so I doubt that he will be able to help me with anything.
                              I disabled Suricata and installed Snort, and I will be adding functionality back slowly.

                                r43K9o
                                last edited by

                                Ok, so after 5 days of running Snort with the same ruleset as Suricata without a single problem, I would say that Suricata was the problem. So I will keep using Snort, as stability is more important for me.
                                Thank you for the help!
