Text only | Text with Images

OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: 3x3cut0r on October 21, 2022, 09:55:45 AM

Title: IPS / Suricata ERRCODE: SC_ERR_PCAP_DISPATCH - The interface disappeared
Post by: 3x3cut0r on October 21, 2022, 09:55:45 AM
Hi
I am running the newest versions (see profile) of OPNsense and IPS plugins.
I am new to OPNsense but was able to run all i want so far, but the IPS wont work.
I use a PPPoE connection to a Vigor 165 for my Internet connection (VDSL 35b 250/40) and want to turn on suricata to listen on the WAN interface.
I followed the instructions on https://docs.opnsense.org/manual/ips.html
but i got the following error after enabling or restarting the IPS:
Code Select
...
2022-10-21T09:50:01 Warning suricata [100279] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.RTF' is checked but not set. Checked in 2020700 and 0 other sigs
2022-10-21T09:50:01 Warning suricata [100279] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019823 and 0 other sigs
2022-10-21T09:50:01 Warning suricata [100279] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.BonitaDefaultCreds' is checked but not set. Checked in 2036817 and 0 other sigs
2022-10-21T09:50:01 Warning suricata [100279] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'dcerpc.rpcnetlogon' is checked but not set. Checked in 2030870 and 6 other sigs
2022-10-21T09:50:01 Warning suricata [100279] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs
2022-10-21T09:50:01 Warning suricata [100279] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 9 other sigs
2022-10-21T09:50:01 Warning suricata [100279] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017181 and 5 other sigs
2022-10-21T09:50:01 Warning suricata [100279] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2023741 and 4 other sigs
2022-10-21T09:49:41 Warning suricata [100277] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2022-10-21T09:49:41 Warning suricata [100277] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2022-10-21T09:49:41 Warning suricata [100277] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2022-10-21T09:49:41 Warning suricata [100277] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2022-10-21T09:49:41 Warning suricata [100277] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2022-10-21T09:49:41 Warning suricata [100277] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2022-10-21T09:49:39 Error suricata [105128] <Error> -- [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 The interface disappeared
2022-10-21T09:49:38 Error suricata [105128] <Error> -- [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 The interface disappeared
2022-10-21T09:49:38 Error suricata [105128] <Error> -- [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 The interface disappeared
2022-10-21T09:49:37 Error suricata [105128] <Error> -- [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 The interface disappeared
2022-10-21T09:49:37 Error suricata [105128] <Error> -- [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 The interface disappeared
2022-10-21T09:49:36 Error suricata [105128] <Error> -- [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 The interface disappeared
...

the error spams my IPS log 2 times a second and the memory usage drastically increases over night from 1,6gb up to 4gb (from 6gb)

can someone help me what do i wrong?
Title: Re: IPS / Suricata ERRCODE: SC_ERR_PCAP_DISPATCH - The interface disappeared
Post by: cookiemonster on October 21, 2022, 02:22:40 PM
You can ignore the warnings.
The error could be an interaction between opn and the network card driver, or the virtualisation software. Four elements in play here: network card (physical behaviour), Network drivers , hypervisor and suricata.
You're going to have to narrow that down.
For instance see if changing between passthrough or virtualised nic makes a difference, etc.
Title: Re: IPS / Suricata ERRCODE: SC_ERR_PCAP_DISPATCH - The interface disappeared
Post by: franco on October 21, 2022, 05:37:24 PM
What is "The interface" in terms of configured interface? WAN interface with PPPoE configuration?


Cheers,
Franco
Title: Re: IPS / Suricata ERRCODE: SC_ERR_PCAP_DISPATCH - The interface disappeared
Post by: 3x3cut0r on October 21, 2022, 07:54:27 PM
Quote from: franco on October 21, 2022, 05:37:24 PMWhat is "The interface" in terms of configured interface? WAN interface with PPPoE configuration?
Yes, WAN interface with PPPoE configuration!

Quote from: cookiemonster on October 21, 2022, 02:22:40 PM
You can ignore the warnings.
The error could be an interaction between opn and the network card driver, or the virtualisation software. Four elements in play here: network card (physical behaviour), Network drivers , hypervisor and suricata.
You're going to have to narrow that down.
For instance see if changing between passthrough or virtualised nic makes a difference, etc.
OK thanks, but i will not touch any of these. especially my ethernet connection which is passed from proxmox through the opnsense vm.
Title: Re: IPS / Suricata ERRCODE: SC_ERR_PCAP_DISPATCH - The interface disappeared
Post by: franco on October 24, 2022, 11:26:21 AM
Ok, well, if ISP disconnects I think that the PPPoE device disappears but Suricata keeps running producing this error. The question is if the IDS keeps running and works after the device is back or if it needs to be restarted?

Do you still get alerts after the error occurs?


Cheers,
Franco
Title: Re: IPS / Suricata ERRCODE: SC_ERR_PCAP_DISPATCH - The interface disappeared
Post by: 3x3cut0r on October 24, 2022, 04:35:07 PM
i think this has nothing to do with the ISP reconnect because the error occur direct after the service restart.
and the error spams my logfile massively.
there is not a single alert at all.
it seems to me that i have a configuration issue or a hardware defect.
but the pppoe connection runs like a charm.
the service keeps running and that is the only error in the logfile after the warnings after the (re)start.
Text only | Text with Images