Netgate Discussion Forum
    Suricata issues

    IDS/IPS
    mcentirefj:

      Hi all, hopefully someone can help me with this.

      Since the 2.1.5 update for Suricata I can't initialize 2 of my IDS interfaces. I'm seeing this in the Suricata logs for both interfaces:

      28/5/2015 -- 14:37:44 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
      28/5/2015 -- 14:37:44 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
      28/5/2015 -- 14:37:44 - <info>-- RunModeIdsPcapAutoFp initialised
      28/5/2015 -- 14:37:44 - <error>-- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "Detect11" closed on initialization.
      28/5/2015 -- 14:37:44 - <error>-- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...

      I tried increasing the stream memcap as suggested here https://forum.pfsense.org/index.php?topic=93926.0 but the problem persists.

      On a third interface, I'm having a separate and even more confounding issue. When I try to initialize the interface, it hangs here:

      28/5/2015 -- 14:36:58 - <info>-- 21898 signatures processed. 985 are IP-only rules, 7457 are inspecting packet payload, 16431 inspect application layer, 71 are decoder event only
      28/5/2015 -- 14:36:58 - <info>-- building signature grouping structure, stage 1: preprocessing rules... complete
      28/5/2015 -- 14:37:01 - <info>-- building signature grouping structure, stage 2: building source address list... complete

      It doesn't get past that. It hangs and slowly takes all my free memory (16 GB of RAM and 32 GB of swap) until it exhausts all memory and stops.

      Anyone have any ideas? I'm stumped.

      mcentirefj:

        Figured out my first issue.

        I underestimated how many threads I had, so I didn't have my stream memory cap increased enough.

        This formula works for figuring out how much memory cap you need.

        Also, how can I calculate the highest value that I can use?

        TcpSession structure is 192 bytes, PoolBucket 24. So it should be:

        (192 + 24) * prealloc_sessions * number of threads = memory use in bytes

        For me, I had 25 threads which worked out to 168.75 MB cap I needed.

        The second issue is still plaguing me though. Whenever I try to initialize Suricata on that particular interface, it just hangs on what appears to be building signature grouping structure, stage 3 and saps all my RAM/swap.

        mcentirefj:
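The memcap formula quoted in the post, worked through as a small script. This is an added example, not code from the thread, from Suricata or from pfSense. It uses the structure sizes the post gives (192 bytes for TcpSession, 24 for PoolBucket) and the post's 25 threads; the prealloc_sessions value of 32768 is an assumption, chosen because it is what 25 threads and 168.75 MB back-solve to, not a number stated in the thread. The memcap suffix parser ("64mb", "1gb") is also this example's own, modelled on the way Suricata's YAML memcap values are written.

```python
"""Estimate the stream memcap needed for Suricata's preallocated TCP sessions.

Added example (not from the forum thread, Suricata or pfSense). Applies:

    (sizeof(TcpSession) + sizeof(PoolBucket)) * prealloc_sessions * threads

with the sizes quoted in the post. prealloc_sessions = 32768 is assumed
(back-solved from the post's 25 threads and 168.75 MB), not stated there.
"""
import re

TCP_SESSION_BYTES = 192   # sizeof(TcpSession) as given in the post
POOL_BUCKET_BYTES = 24    # sizeof(PoolBucket) as given in the post
MIB = 1024 * 1024

# Suffixes accepted by this example's parser (kb/mb/gb are binary multiples).
_UNITS = {"": 1, "b": 1, "kb": 1024, "mb": MIB, "gb": 1024 ** 3}


def parse_memcap(value: str) -> int:
    """Parse a memcap written like '64mb' or '1gb' into bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?b)?\s*", value.lower())
    if not m:
        raise ValueError(f"unrecognised memcap: {value!r}")
    number, unit = m.group(1), m.group(2) or ""
    return int(number) * _UNITS[unit]


def required_stream_bytes(prealloc_sessions: int, threads: int) -> int:
    """Bytes the session pool preallocates at startup across all threads."""
    return (TCP_SESSION_BYTES + POOL_BUCKET_BYTES) * prealloc_sessions * threads


def max_prealloc_sessions(memcap: str, threads: int) -> int:
    """Largest prealloc_sessions that still fits under the given memcap
    (the 'highest value I can use' question in the post)."""
    per_session_all_threads = (TCP_SESSION_BYTES + POOL_BUCKET_BYTES) * threads
    return parse_memcap(memcap) // per_session_all_threads


def check_memcap(memcap: str, prealloc_sessions: int, threads: int) -> dict:
    """Compare a configured memcap against the preallocation requirement."""
    needed = required_stream_bytes(prealloc_sessions, threads)
    have = parse_memcap(memcap)
    return {
        "needed_mib": needed / MIB,
        "configured_mib": have / MIB,
        "sufficient": have >= needed,
    }


if __name__ == "__main__":
    threads = 25        # thread count from the post
    prealloc = 32768    # assumed; back-solved from the post's 168.75 MB figure
    for memcap in ("64mb", "128mb", "256mb"):
        r = check_memcap(memcap, prealloc, threads)
        verdict = "ok" if r["sufficient"] else "below preallocation requirement"
        print(f"memcap={memcap:>6}: need {r['needed_mib']:.2f} MiB -> {verdict}")
    print("max prealloc_sessions under 128mb:", max_prealloc_sessions("128mb", threads))
```

With the assumed 32768 sessions and 25 threads the script reproduces the post's 168.75 MB, shows that a 64 MB or 128 MB memcap is below that requirement while 256 MB covers it, and reports how many sessions a given memcap can hold, which is the "highest value" the quoted question asks about.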

          Figured out my second issue.

          Signature Group Header MPM Context was set to Full for just the 1 interface, which is why it was the only one having the problem. Changed it to Auto and now all is well.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.