Local hosts added in snort2c table, despite Suricata being turned off
-
Hello all,
I'm not really sure where to check anymore, so I'm hoping you guys can give me a hand here.
I recently set up WireGuard to replace OpenVPN, and it is working perfectly fine.
I'm connected to that tunnel from my laptop more or less all the time. Frequently, the connection drops, and I can see that it's because my local laptop WireGuard address 10.x.x.x has been added to the snort2c table.
The weird thing is that there are no alerts/blocks in Suricata for that 10.x.x.x address (I had false positives early on, and added {rule + ip} to the suppress list; I also added the 10.x.x.x address to the pass list).
I went even further and stopped Suricata on the interface, but eventually my 10.x.x.x address still pops up in the snort2c table. I'm at a loss as to what might be causing that.
My next step would be to fully uninstall Suricata, either to stop using it, or to reinstall from scratch and spend loads of time fine-tuning everything again (not very attractive). Before that, I wanted to check if anyone might have an idea of what could be the culprit please.
Thanks very much in advance for your kind help, and do let me know if there's any extra information I could provide to help.
-
You most likely have a duplicate "zombie" instance of Suricata running on the interface (meaning two instances running on the same interface). When this happens, one of the running instances will completely ignore any changes made to the configuration.
Do this:
- Go to the Suricata GUI and stop all running Suricata instances (click the Stop icon).
- Open a command-line prompt on the firewall to obtain a shell. That means either directly via the firewall's console or via an SSH session. You CANNOT do this using the GUI option under DIAGNOSTICS!
- Run this command from an active shell prompt:
ps -aux | grep suricata
Look for any running Suricata process. If you see any, note its PID (process ID).
- Kill all running Suricata processes using this command:
kill -9 <pid>
Exit the shell prompt and return to the Suricata GUI and start Suricata on each configured interface.
-
Hello @bmeeks,
This was indeed exactly what happened.
I have rebooted my pfSense server in the past, which I would expect to create the same results, but either it didn't work, or it spun up another ghost process afterwards. Anyway, I will monitor to see if it keeps happening.
I have seen other posts where other people have a similar issue indeed, and will investigate from there if the duplication happens again. In any case, thank you very much for your kind help here.