Netgate Discussion Forum
    Local hosts added in snort2c table, despite Suricata being turned off

    tarkil

      Hello all,

      I'm not really sure where to check anymore, so I'm hoping you guys can give me a hand here.

      I recently set up WireGuard to replace OpenVPN, and it is working perfectly fine.
      I'm more or less all the time connected from my laptop into that tunnel.

      Frequently, the connection drops, and I can see that it's because my local laptop WireGuard address 10.x.x.x has been added to the snort2c table.

      The weird thing is that there are no alerts/blocks in Suricata (I had false positives early on, and added {rule + ip} to the suppress list; I also added the 10.x.x.x address to the pass list) for that 10.x.x.x address.
      I went even further and stopped Suricata on the interface, but eventually my 10.x.x.x address still pops up in the snort2c table.

      I'm at a loss as to what might be causing that.
      My next step would be to fully uninstall Suricata, either to stop using it or to reinstall from scratch and spend loads of time fine-tuning everything again (not very attractive).

      Before that, I wanted to check if anyone might have an idea of what could be the culprit please.

      Thanks very much in advance for your kind help, and do let me know if there's any extra information I could provide to help.

      bmeeks (last edited by bmeeks)

        You most likely have a duplicate "zombie" instance of Suricata running on the interface (meaning two instances running on the same interface). When this happens, one of the running instances will completely ignore any changes made to the configuration.

        Do this:

        1. Go to the Suricata GUI and stop all running Suricata instances (click the Stop icon).
        2. Open a command-line prompt on the firewall to obtain a shell. That means either directly via the firewall's console or via an SSH session. You CANNOT do this using the GUI option under DIAGNOSTICS!
        3. Run this command from an active shell prompt:
           ps -aux | grep suricata

        Look for any running Suricata process. If you see any, note its PID (process ID).

        4. Kill all running Suricata processes using this command:
           kill -9 <pid>

        Exit the shell prompt and return to the Suricata GUI and start Suricata on each configured interface.

        tarkil @bmeeks
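        As an added example (not from bmeeks or the pfSense Suricata package), the check below turns the manual "look at ps output" step into a script: it parses ps-style lines, groups Suricata processes by the interface passed with -i, and reports any interface that has more than one PID. The sample ps lines and the /usr/local/etc/suricata paths in them are constructed for the demo.

```shell
#!/bin/sh
# Detect duplicate ("zombie") Suricata instances: more than one suricata
# process bound to the same interface via the "-i <iface>" argument.
# Reads `ps -aux`-style lines on stdin and prints "<iface> <pid> <pid>..."
# for every interface with two or more processes (nothing if all is well).
find_duplicate_suricata() {
    awk '
        /suricata/ && !/grep/ {
            pid = $2                      # PID is the second ps column
            iface = ""
            for (i = 1; i <= NF; i++)     # interface follows the -i flag
                if ($i == "-i") iface = $(i + 1)
            if (iface != "") { pids[iface] = pids[iface] " " pid; n[iface]++ }
        }
        END { for (k in n) if (n[k] > 1) print k pids[k] }
    '
}

# Run the check against the live process table (what you would do on the firewall).
check_live_firewall() {
    ps -aux | find_duplicate_suricata
}

# Constructed sample output: two instances on igb0 (the zombie case) and one on igb1.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 12345 0.0 5.1 1234 5678 - Ss 10:00 0:01.00 /usr/local/bin/suricata -i igb0 -D -c /usr/local/etc/suricata/suricata_12345_igb0/suricata.yaml
root 23456 0.0 5.1 1234 5678 - Ss 10:05 0:00.50 /usr/local/bin/suricata -i igb0 -D -c /usr/local/etc/suricata/suricata_23456_igb0/suricata.yaml
root 34567 0.0 5.1 1234 5678 - Ss 10:00 0:01.00 /usr/local/bin/suricata -i igb1 -D -c /usr/local/etc/suricata/suricata_34567_igb1/suricata.yaml'

# Run the check against the constructed sample.
duplicates_in_sample() {
    printf '%s\n' "$SAMPLE_PS" | find_duplicate_suricata
}

# Same sample with the extra igb0 process removed: a healthy process table.
duplicates_in_healthy_sample() {
    printf '%s\n' "$SAMPLE_PS" | grep -v ' 23456 ' | find_duplicate_suricata
}
```

        If the output lists an interface, every PID on that line is a candidate for the kill step above; an empty result means one process per interface, as expected.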

          Hello @bmeeks,

          This was indeed exactly what happened.
          I have rebooted my pfSense server in the past, which I would expect to create the same results, but either it didn't work, or it spun up another ghost process afterwards.

          Anyways, I will monitor to see if it keeps happening.
          I have seen other posts where other people have had a similar issue indeed, and will investigate from there if the duplication happens again.

          In any case, thank you very much for your kind help here.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.