Suricata breaks when I lose internet from ISP.
-
Lately, when my internet goes out it crashes Suricata. When the internet comes back I am unable to start Suricata and have to reinstall the package. When Suricata is down none of my devices can connect to the internet. Any ideas on how I can correct this? This is with the latest pfSense and Suricata version installed on a Dell R210ii with an Intel NIC at a home.
-
@twennywonn said in Suricata breaks when I lose internet from ISP.:
Lately, when my internet goes out it crashes Suricata. When the internet comes back I am unable to start Suricata and have to reinstall the package. When Suricata is down none of my devices can connect to the internet. Any ideas on how I can correct this? This is with the latest pfSense and Suricata version installed on a Dell R210ii with an Intel NIC at a home.
Do you have Suricata on WAN or LAN? Sounds as if you need a UPS! When the Internet is back up, why didn't you just restart the Suricata services instead of reinstalling the package? Are you using UFS or ZFS? Does the Internet go down frequently?
-
Good questions
- I have it on WAN and LAN but blocking is only enabled on WAN
- The system is on a UPS; it's not losing power. I'm losing internet from the ISP.
- Suricata will show it's not running and restarting it does not work; it tries but fails.
- ZFS
- Not really but twice this month. Both times I was home and if I wasn't it would really suck because my wife would not be able to figure it out and my home is hyper-connected.
-
What errors show in either the pfSense system log or the suricata.log file for the interface that won't restart? To see the suricata.log, go to the LOGS VIEW tab and choose the interface and log file to view.

It's possible that the interface failing (when the ISP drops your Internet) is causing Suricata to crash. That can leave a stale PID file in /var/run that you would need to delete. If this is the case, Suricata will log a message in the suricata.log file for the interface complaining about the stale PID file.

Which blocking mode are you using? Legacy or Inline?
-
It ended up happening again so I just uninstalled Suricata and left it uninstalled. Will I still have access to those logs? I do want to run Suricata on my network and have run it with perfect stability for more than a year. The blocking mode I used was legacy. I do have an Intel I350-T4 so I believe it's compatible with inline blocking. I am also running pfBlockerNG-devel but I am not sure if that's important info or not.
-
@twennywonn I don't understand your reply because you have not followed the solution Bill gave you; yet, you came back to report it happened again.
Here is the solution AGAIN... That can leave a stale PID file in /var/run that you would need to delete.
-
And I forgot to also ask -- is your WAN interface perhaps a PPPoE interface? Suricata has always been a little finicky with PPPoE interfaces on FreeBSD. In fact, for the first couple of versions a PPPoE interface in FreeBSD would not work at all in Suricata. This is/was an upstream issue and not something specific to just the pfSense package.
If your interface is PPPoE, it might be that when the connection fails FreeBSD is tearing down the internal plumbing and that is confusing Suricata (or more aptly, libpcap when using Legacy Mode blocking).
-
I’m not sure you’re great at reading. He mentioned that could be the issue depending on what the logs say. I mentioned I didn’t know if I have access to those logs as I have uninstalled Suricata entirely.
To answer the other question, I do not have PPPoE. I will reinstall tonight and simulate an internet loss. Then if Suricata fails I'll let you know what the logs indicate.
-
@twennywonn said in Suricata breaks when I lose internet from ISP.:
I'm not sure you're great at reading.
That's not called for... I have had a similar incident with Suricata where it crashed and would not restart because of the stale PID file in /var/run. Had you visited /var/run when it happened again you would have seen it... but instead you completely removed the package. Also, it surely seems that you lose the Internet frequently!
-
@twennywonn said in Suricata breaks when I lose internet from ISP.:
I’m not sure you’re great at reading. He mentioned that could be the issue depending on what the logs say. I mentioned I didn’t know if I have access to those logs as I have uninstalled Suricata entirely.
To answer the other question, I do not have PPPoE. I will reinstall tonight and simulate an internet loss. Then if Suricata fails I'll let you know what the logs indicate.
The logs are likely still there unless you specifically checked "Remove Logs when Uninstalling" under the GLOBAL SETTINGS tab. The PID file would automatically get removed, though, when removing the package.
To see the logs without Suricata being installed you will need to use the DIAGNOSTICS > EDIT function in pfSense and browse to /var/log/suricata/suricata_xxxxx where that last bit is a sub-directory created for each configured Suricata interface. The subdirectory name will be the physical interface along with a randomly-generated UUID.

If you install the Suricata package again, the suricata.log from the previous install will get overwritten when Suricata is started. That file is overwritten with each start of Suricata on the interface.

I don't recall anyone else ever posting with this particular issue. It seems strange for loss of Internet connectivity to crash Suricata. The only other possibility is if your interface is rapidly cycling and as a result Suricata is getting sent multiple "restart all packages" commands in quick succession. When interfaces come up, pfSense will issue an internal "restart all packages" command which attempts to restart all the installed packages. If that happens multiple times in quick succession, you could wind up with multiple copies of Suricata all attempting to start at the same time on a single interface.
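As an added example (not code from this thread, nor from the pfSense Suricata package), here are the two checks the thread points at, written as a POSIX shell script that runs on the firewall: a scan of /var/run for stale Suricata PID files of the kind Bill describes (a PID file whose process is no longer alive), and a scan of a process listing for interfaces that have more than one Suricata copy bound to them, which is the symptom of the repeated "restart all packages" scenario in the last reply. The PID-file naming (suricata_<iface><uuid>.pid) and the `-i <iface>` argument on Suricata's command line are assumptions about how the package launches Suricata, not facts stated in the thread; the process listing fed to the second check is constructed sample input.

```shell
#!/bin/sh
# Added example for the pfSense/FreeBSD shell; not code from the thread or the package.
# Assumptions (not confirmed by the thread): Suricata writes one PID file per
# interface under /var/run named suricata_<iface><uuid>.pid, and each running
# instance carries "-i <iface>" on its command line.

# find_stale_pidfiles [dir]
# Print every suricata_*.pid file in dir (default /var/run) whose recorded PID is
# not a live process. A file with empty or non-numeric content is reported as
# stale too, since Suricata cannot use it either way.
find_stale_pidfiles() {
    dir="${1:-/var/run}"
    for f in "$dir"/suricata_*.pid; do
        [ -f "$f" ] || continue            # the unexpanded glob when nothing matches
        pid=$(tr -d '[:space:]' < "$f")
        case "$pid" in
            ''|*[!0-9]*) echo "$f"; continue ;;
        esac
        # kill -0 sends no signal; it only asks whether the PID exists. Run as
        # root (as on the firewall) so a permission error cannot masquerade as a dead PID.
        if ! kill -0 "$pid" 2>/dev/null; then
            echo "$f"
        fi
    done
}

# clean_stale_pidfiles [dir]
# Remove the files reported by find_stale_pidfiles and print how many were removed.
# (PID file paths contain no whitespace, so word-splitting the output is safe here.)
clean_stale_pidfiles() {
    count=0
    for f in $(find_stale_pidfiles "$1"); do
        rm -f "$f" && count=$((count + 1))
    done
    echo "$count"
}

# find_duplicate_instances
# Read a process listing on stdin (one command line per line, e.g. the output of
# "ps axww -o command") and print "<iface> <count>" for every interface that has
# more than one Suricata process bound to it.
find_duplicate_instances() {
    awk '
        /suricata/ {
            for (i = 1; i < NF; i++) if ($i == "-i") n[$(i + 1)]++
        }
        END { for (iface in n) if (n[iface] > 1) print iface, n[iface] }
    ' | sort
}

# Stand-alone use on the firewall itself (Diagnostics > Command Prompt, as root):
#   find_stale_pidfiles                           # list stale PID files in /var/run
#   ps axww -o command | find_duplicate_instances # interfaces with >1 Suricata copy
```

Check the suricata.log message for the interface before deleting anything: a PID file only counts as stale when its process is gone, which is exactly what the first function tests, and a duplicate-instance report points at the interface cycling problem rather than at a PID file.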