Suricata randomly stops on interfaces



  • Hi,
    I don't know where to post my problem (I'm sorry for that).

    I have pfSense 2.1.5 (i386) - (HP N54L - AMD Turion 1 CPU/2 threads, 4G RAM, SSD 25G) with Suricata 2.0.3 pkg v2.0.2, squid3-dev 3.3.10 pkg 2.2.6 as a transparent proxy (with SSL).

    I have a WAN interface and use a VPN service (OpenVPN client) to connect to the internet. Suricata is set up for the WAN and the VPN service interface.

    I have a problem with Suricata: it randomly stops on interfaces. When I manually run it, then it stops for 1-2 hours. I don't know what's wrong. How can I check that it has stopped on some interface, so that I can write a script that restarts it on that interface? Or have I configured something wrong?





  • @marian78:

    Hi,
    I don't know where to post my problem (I'm sorry for that).

    I have pfSense 2.1.5 (i386) - (HP N54L - AMD Turion 1 CPU/2 threads, 4G RAM, SSD 25G) with Suricata 2.0.3 pkg v2.0.2, squid3-dev 3.3.10 pkg 2.2.6 as a transparent proxy (with SSL).

    I have a WAN interface and use a VPN service (OpenVPN client) to connect to the internet. Suricata is set up for the WAN and the VPN service interface.

    I have a problem with Suricata: it randomly stops on interfaces. When I manually run it, then it stops for 1-2 hours. I don't know what's wrong. How can I check that it has stopped on some interface, so that I can write a script that restarts it on that interface? Or have I configured something wrong?

    I am working on an update for Suricata, and last night discovered a bug that might be coming into play here.  Specifically the bug I found last night pops up during a reinstall, but it might have impact after a rule update as well.

    If you are willing to help me test out a possible fix, do the following steps and report back on the results –

    1. Go to DIAGNOSTICS…EDIT FILE on the pfSense menu.

    2. Navigate to this file and open it in the editor:  /usr/local/pkg/suricata/suricata_generate_yaml.php

    3. Scroll down to near the bottom of that file and find this section of code:

    // Add the OS-specific host policies if configured, otherwise
    // just set default to BSD for all networks.
    if (!is_array($suricatacfg['host_os_policy']['item']))
    	$suricatacfg['host_os_policy']['item'] = array();
    if (empty($suricatacfg['host_os_policy']['item']))
    	$host_os_policy = "bsd: [0.0.0.0/0]";
    else {
    	foreach ($suricatacfg['host_os_policy']['item'] as $k => $v) {

    Change it to look like this.  The added line is $host_os_policy = "";

    // Add the OS-specific host policies if configured, otherwise
    // just set default to BSD for all networks.
    $host_os_policy = "";
    if (!is_array($suricatacfg['host_os_policy']['item']))
    	$suricatacfg['host_os_policy']['item'] = array();
    if (empty($suricatacfg['host_os_policy']['item']))
    	$host_os_policy = "bsd: [0.0.0.0/0]";
    else {
    	foreach ($suricatacfg['host_os_policy']['item'] as $k => $v) {

    4. Save the change.

    Bill



  • Thanks for your time. Now I am at work; after that I will try what you wrote.

    edit: ok, I edited it all, now waiting to see what will happen…

    edit2:

    ok, meanwhile, I looked in my logs for the interfaces and found this:

    for the client VPN service interface:

    14/10/2014 -- 16:54:49 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap

    or this

    for the WAN interface (ethernet 250/100 Mbps):
    14/10/2014 -- 16:38:03 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any ->



  • Is it me, or did we collectively manage to break suricata in a few months in more ways than everybody ever using it previously combined?  ;D

    A good thing, IMHO. Shows that not everything can be identified, unless the software is put into wide use :)

    I'll crawl back to my corner.



  • @marian78:

    Thanks for your time. Now I am at work; after that I will try what you wrote.

    edit: ok, I edited it all, now waiting to see what will happen…

    edit2:

    ok, meanwhile, I looked in my logs for the interfaces and found this:

    for the client VPN service interface:

    14/10/2014 -- 16:54:49 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap

    or this

    for the WAN interface (ethernet 250/100 Mbps):
    14/10/2014 -- 16:38:03 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any ->

    The first error is caused by no support within the Suricata binary for the DLT_NULL datalink type.  I'm no expert, but this is apparently a frequently used datalink type on FreeBSD for various interfaces (PPPoE is another one that comes to mind).  Support for DLT_NULL needs to be implemented upstream by the Suricata developers.  I have considered trying my luck at creating a patch and submitting it upstream, but I have not done so yet.

    Your second error's text is incomplete, but there are some rule options and keywords that Suricata does not implement that other IDS tools like Snort accept.  At least for Suricata, when it encounters a syntax error in a rule, it skips that rule and moves on.  Snort will quit and die on any rule syntax error.

    Bill
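The original question asked how to detect that Suricata has stopped on an interface and script a restart, and Bill's reply explains that the two logged error codes mean different things: SC_ERR_DATALINK_UNIMPLEMENTED means the binary cannot capture on that link type at all (so a restart will not help), while SC_ERR_INVALID_SIGNATURE only means one rule was skipped. The following sh script is an added example that is not part of the pfSense Suricata package or of anyone's post here; it ties those two points together as a small per-interface watchdog. Assumptions are marked in the code: the pgrep pattern for how the package names each instance's command line, the restart command (left as an echo placeholder you would replace with the package's own start/stop mechanism), and the interface name ovpnc1 and the sample log lines, which are constructed from the errors quoted in this thread.

```sh
#!/bin/sh
# Per-interface Suricata watchdog helpers for pfSense 2.1.x (FreeBSD sh).
# Added example; not code from the pfSense Suricata package. Assumptions are marked.
set -u

# Placeholder: the command used to restart Suricata on one interface; it is
# called as "$RESTART_CMD <iface>". The default only echoes, so the script is
# safe to run as-is until you substitute the package's real restart mechanism.
RESTART_CMD="${RESTART_CMD:-echo would-restart-suricata-on}"

# classify_errcode LINE: prints fatal, skipped, other or none for one suricata.log line.
# SC_ERR_DATALINK_UNIMPLEMENTED means the binary cannot decode that link type at all,
# so restarting will not help; SC_ERR_INVALID_SIGNATURE only means one rule was skipped.
classify_errcode() {
    case "$1" in
        *SC_ERR_DATALINK_UNIMPLEMENTED*) echo fatal ;;
        *SC_ERR_INVALID_SIGNATURE*)      echo skipped ;;
        *ERRCODE:*)                      echo other ;;
        *)                               echo none ;;
    esac
}

# count_fatal_errors LOGFILE: prints the number of lines classified as fatal.
count_fatal_errors() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$(classify_errcode "$line")" = fatal ]; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# suricata_running IFACE: exit 0 when a Suricata process for IFACE is found.
# Assumption: the package starts each instance as "suricata ... -i <iface> ...";
# check the real command line with "ps ax" on your box and adjust the pattern.
suricata_running() {
    command -v pgrep >/dev/null 2>&1 || return 1
    pgrep -f "suricata.* -i $1 " >/dev/null 2>&1
}

# plan_action RUNNING FATAL_COUNT: RUNNING is yes or no. Prints ok, giveup or restart.
plan_action() {
    if [ "$1" = yes ]; then
        echo ok
    elif [ "$2" -gt 0 ]; then
        echo giveup
    else
        echo restart
    fi
}

# check_iface IFACE LOGFILE: decide for one interface, act on it, print the decision.
check_iface() {
    running=no
    if suricata_running "$1"; then running=yes; fi
    fatal=$(count_fatal_errors "$2")
    action=$(plan_action "$running" "$fatal")
    case "$action" in
        restart) $RESTART_CMD "$1" >/dev/null ;;
        giveup)  echo "$1: down with $fatal datalink error(s) in $2; a restart will not fix this" >&2 ;;
    esac
    echo "$action"
}

# Constructed sample log: the two error lines quoted in this thread plus one
# ordinary notice line, written to a temp file so the helpers run offline.
DEMO_LOG=$(mktemp)
trap 'rm -f "$DEMO_LOG"' EXIT
cat > "$DEMO_LOG" <<'EOF'
14/10/2014 -- 16:54:49 - <Error> - [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
14/10/2014 -- 16:38:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> ..."
14/10/2014 -- 16:38:05 - <Notice> - all 2 packet processing threads, 3 management threads initialized, engine started.
EOF

echo "fatal errors in sample log: $(count_fatal_errors "$DEMO_LOG")"
echo "decision for constructed interface ovpnc1: $(check_iface ovpnc1 "$DEMO_LOG")"
```

Run from cron with each interface's real log path to get a restart only when it can actually help; the giveup branch is deliberate, because blindly restarting an instance that dies on the datalink error every time just fills the log and hides the real cause.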



  • Thanks, dear sir, for your time. Now I know that I can only wait for a solution, because it is beyond my knowledge.  :(

