Netgate Discussion Forum

    Suricata, that randomly stops on interfaces

    pfSense Packages
    6 Posts 3 Posters 2.8k Views
    • marian78

      Hi,
      I don't know where to post my problem (I'm sorry for that).

      I have pfSense 2.1.5 (i386) (HP N54L, AMD Turion 1 CPU/2 threads, 4 GB RAM, 25 GB SSD) with Suricata 2.0.3 pkg v2.0.2 and squid3-dev 3.3.10 pkg 2.2.6 as a transparent proxy (with SSL).

      I have a WAN interface and use a VPN service (OpenVPN client) to connect to the internet. Suricata is set up for the WAN and the VPN service interface.

      I have a problem with Suricata: it randomly stops on interfaces. When I manually start it, it stops again after 1-2 hours. I don't know what's wrong. How can I check that it stopped on some interface, so that I can write a script that restarts it on that interface? Or do I have something configured wrong?

      pfSense running in a VM, on HP N54L microserver, 2G RAM, 60G disk, WAN, LAN, DMZ, Wifi, OpenVPN server + client, suricata, pfblocker
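      A per-interface liveness check of the kind marian78 asks for, added here as an example; it is not code from the thread or from the pfSense Suricata package. It assumes the package writes one pidfile per interface named suricata_<iface><uuid>.pid under /var/run (an assumption, not confirmed by the thread) and treats an instance as stopped when that pid no longer exists; the restart action itself is left to the package's own start logic.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense package).
# Assumption: one pidfile per Suricata instance, named
# suricata_<iface><uuid>.pid, under PIDDIR (default /var/run).
PIDDIR="${PIDDIR:-/var/run}"

# check_pidfile FILE: prints "alive" or "dead"; exit 0 only when the
# pid recorded in FILE still belongs to a running process.
check_pidfile() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -cd '0-9')
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo "alive"
        return 0
    fi
    echo "dead"
    return 1
}

# list_dead DIR: prints the <iface><uuid> part of every pidfile whose
# process is gone, one per line, so a cron job can act on each one.
list_dead() {
    for f in "$1"/suricata_*.pid; do
        [ -e "$f" ] || continue
        if ! check_pidfile "$f" >/dev/null; then
            basename "$f" .pid | sed 's/^suricata_//'
        fi
    done
}

# Stand-alone use: report stopped instances and exit non-zero if any.
if [ "${1:-}" = "--report" ]; then
    dead=$(list_dead "$PIDDIR")
    if [ -n "$dead" ]; then
        echo "Suricata stopped on: $dead"
        exit 1
    fi
    echo "all Suricata instances alive"
fi
```

      Run from cron with --report and feed each listed instance to whatever restart path the package provides; a stale pidfile with a reused pid would be reported as alive, so pair this with a check of the Suricata log if you see false "alive" results.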

      • bmeeks

        @marian78:

        Hi,
        I don't know where to post my problem (I'm sorry for that).

        I have pfSense 2.1.5 (i386) (HP N54L, AMD Turion 1 CPU/2 threads, 4 GB RAM, 25 GB SSD) with Suricata 2.0.3 pkg v2.0.2 and squid3-dev 3.3.10 pkg 2.2.6 as a transparent proxy (with SSL).

        I have a WAN interface and use a VPN service (OpenVPN client) to connect to the internet. Suricata is set up for the WAN and the VPN service interface.

        I have a problem with Suricata: it randomly stops on interfaces. When I manually start it, it stops again after 1-2 hours. I don't know what's wrong. How can I check that it stopped on some interface, so that I can write a script that restarts it on that interface? Or do I have something configured wrong?

        I am working on an update for Suricata, and last night discovered a bug that might be coming into play here.  Specifically the bug I found last night pops up during a reinstall, but it might have impact after a rule update as well.

        If you are willing to help me test out a possible fix, do the following steps and report back on the results:

        1. Go to DIAGNOSTICS…EDIT FILE on the pfSense menu.

        2. Navigate to this file and open it in the editor:  /usr/local/pkg/suricata/suricata_generate_yaml.php

        3. Scroll down to near the bottom of that file and find this section of code:

        // Add the OS-specific host policies if configured, otherwise
        // just set default to BSD for all networks.
        if (!is_array($suricatacfg['host_os_policy']['item']))
        	$suricatacfg['host_os_policy']['item'] = array();
        if (empty($suricatacfg['host_os_policy']['item']))
        	$host_os_policy = "bsd: [0.0.0.0/0]";
        else {
        	foreach ($suricatacfg['host_os_policy']['item'] as $k => $v) {

        Change it to look like this.  The added line is $host_os_policy = "";

        // Add the OS-specific host policies if configured, otherwise
        // just set default to BSD for all networks.
        $host_os_policy = "";
        if (!is_array($suricatacfg['host_os_policy']['item']))
        	$suricatacfg['host_os_policy']['item'] = array();
        if (empty($suricatacfg['host_os_policy']['item']))
        	$host_os_policy = "bsd: [0.0.0.0/0]";
        else {
        	foreach ($suricatacfg['host_os_policy']['item'] as $k => $v) {

        4. Save the change.

        Bill

        • marian78

          Thx for your time. Now I am at work; after that I will try what you wrote.

          edit: ok, I edited everything, now waiting to see what will happen…

          edit2:

          ok, meanwhile I looked in my logs for the interfaces and found this:

          for the client VPN service interface:

          14/10/2014 -- 16:54:49 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap

          or this

          for the WAN interface (ethernet 250/100 Mbps):
          14/10/2014 -- 16:38:03 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any ->

          • A Former User

            Is it me, or did we collectively manage to break suricata in a few months in more ways than everybody ever using it previously combined?  ;D

            A good thing, IMHO. Shows that not everything can be identified, unless the software is put into wide use :)

            I'll crawl back to my corner.

          • bmeeks

              @marian78:

              Thx for your time. Now I am at work; after that I will try what you wrote.

              edit: ok, I edited everything, now waiting to see what will happen…

              edit2:

              ok, meanwhile I looked in my logs for the interfaces and found this:

              for the client VPN service interface:

              14/10/2014 -- 16:54:49 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap

              or this

              for the WAN interface (ethernet 250/100 Mbps):
              14/10/2014 -- 16:38:03 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any ->

              The first error is caused by no support within the Suricata binary for the DLT_NULL datalink type.  I'm no expert, but this is apparently a frequently used datalink type on FreeBSD for various interfaces (PPPoE is another one that comes to mind).  Support for DLT_NULL needs to be implemented upstream by the Suricata developers.  I have considered trying my luck at creating a patch and submitting it upstream, but I have not done so yet.

              Your second error's text is incomplete, but there are some rule options and keywords that Suricata does not implement that other IDS tools like Snort accept.  At least for Suricata, when it encounters a syntax error in a rule, it skips that rule and moves on.  Snort will quit and die on any rule syntax error.

              Bill

              • marian78

                Thx, dear sir, for your time. Now I know that I can only wait for a solution, because it is beyond my knowledge.  :(
