Hello,
I am currently running OPNsense 23.4.2, Business Edition, on ESXi. After the upgrade to this version Suricata is crashing after some time when it is enabled. Here is what I see in the logs. VMX1 is my internet-facing port.
How can this be fixed? And how do I get rid of the warnings?
2023-09-06T11:56:59 Error suricata [107240] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - opening devname netmap:vmx1/R failed: Invalid argument
2023-09-06T11:54:11 Warning suricata [100483] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-06T11:54:11 Warning suricata [100483] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-06T11:54:11 Warning suricata [100483] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-06T11:54:11 Warning suricata [100483] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-06T11:54:11 Warning suricata [100483] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-06T11:54:11 Warning suricata [100483] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
I also get
App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
Me too.... when starting IPS/IDS.
I tried to reinstall, but it seems like there are a lot of config conflicts:
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-24T19:54:23 Warning suricata [100330] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs
2023-09-24T19:54:23 Warning suricata [100330] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019823 and 0 other sigs
2023-09-24T19:54:23 Warning suricata [100330] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
2023-09-24T19:54:22 Error suricata [100330] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.servequake .com Domain"; flow:established,to_server; http.host; content:".servequake.com"; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains/; classtype:bad-unknown; sid:2042817; rev:2; metadata:attack_target Client_and_Server, created_at 2022_12_14, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_t" from file /usr/local/etc/suricata/opnsense.rules/emerging-info.rules at line 8730
2023-09-24T19:54:22 Error suricata [100330] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - no terminating ";" found
I tried reinstalling the suricata module, disabling and re-enabling it... and now I get a bunch of other errors. Could this be related to the ACME LE module? It is only used to get rid of the SSL warning when accessing the Web GUI.
2023-09-26T14:56:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> [90.164.29.160] 338" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 45468
2023-09-26T14:56:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_RULE_ARGUMENT(270)] - no rule options.
2023-09-26T14:53:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qinwilrlju" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 40720
2023-09-26T14:53:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - no terminating ";" found
2023-09-26T14:47:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns $HOME_NET " from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 7533
2023-09-26T14:47:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_DIRECTION(189)] - "" is not a valid direction modifier, "->" and "<>" are supported.
2023-09-26T14:39:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox bot" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 19387
2023-09-26T14:39:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - no terminating ";" found
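Every parse error in the log above quotes a rule that stops mid-line: a header cut short ("alert dns $HOME_NET "), a header with no option block ("no rule options"), or an option block cut inside a content match ("no terminating ";" found"). Those are the symptoms of a truncated or partially written rules file, not of a bad rule author. The following pre-flight check, added here as an example and not code from the forum posters or from OPNsense, walks a rules file and reports the line number and likely reason for each incomplete rule before Suricata is reloaded. It assumes the usual one-rule-per-line format, the header regex is a simplification (address lists without spaces), and the sample rules are constructed with sids in the local range.

```python
"""Pre-flight check for a Suricata rules file: flag rule lines that are
truncated or malformed in the ways the thread's errors show (header cut
short, no option block, unclosed option block, missing final ';').

Added example, not from the forum or the OPNsense project. The header
pattern is a simplification: bracketed address/port lists must not contain
spaces, which holds for the ET / ThreatFox feeds discussed here.
"""

import re

# action proto src sport direction dst dport, then whatever remains (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"(?P<rest>.*)$"
)


def check_rule(line):
    """Return None when the line looks like a complete rule, else a reason."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None  # blank or commented-out rule
    m = HEADER_RE.match(s)
    if not m:
        return "header incomplete (expected: action proto src port -> dst port)"
    rest = m.group("rest")
    if not rest.startswith("("):
        return "no rule options"
    if not rest.endswith(")"):
        return "option block not closed (line truncated?)"
    body = rest[1:-1].rstrip()
    if not body.endswith(";"):
        return 'no terminating ";" found'
    return None


def check_rules_file(text):
    """Return [(line_no, reason), ...] for every suspicious line in the file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        reason = check_rule(line)
        if reason:
            findings.append((line_no, reason))
    return findings


# Constructed sample: one complete rule followed by the four failure shapes.
SAMPLE_RULES = """\
# constructed sample; sids are in the local 1000000+ range, not real feed rules
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE complete rule"; dns.query; content:"example.invalid"; sid:1000001; rev:1;)
alert dns $HOME_NET 
alert tcp $HOME_NET any -> [192.0.2.10] 338
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE cut mid-option"; flow:established,to_server; http.uri; content:"/abc
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE missing last semicolon"; sid:1000002; rev:1)
"""

if __name__ == "__main__":
    for line_no, reason in check_rules_file(SAMPLE_RULES):
        print(f"line {line_no}: {reason}")
```

Run it against each file under the opnsense.rules directory named in the errors (read the file and pass its text to check_rules_file); a file that reports many truncated lines is one to re-download rather than edit by hand, since truncation usually means the fetch that produced it was interrupted.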
original comment removed
This requires modifying the suricata.yaml file to include the correct sections for the mentioned App-Layer protocols which are missing. This is a best practice since the behavior will change in the future and the protocols will no longer be auto-enabled:
"This behavior will change in Suricata 7, so please update your config"
If you have not tweaked the suricata.yaml file, consider looking for a suricata.yaml from a more recent version.
Check if these sections are present as such in suricata.yaml, and consider adding them at the appropriate place:
        #- dnp3
        - dcerpc
        - ftp
        #- ikev2
        - krb5
        - nfs
        - rdp
        - rfb
        - sip
        - smb
        - snmp
        - tftp
        - dhcp:
            ......

    # Note: parser depends on Rust support
    ntp:
      enabled: yes
    dhcp:
      enabled: yes
    sip:
      enabled: yes
    http2:
      enabled: yes
    snmp:
      enabled: yes
    rfb:
      enabled: yes
    mqtt:
      enabled: yes
    rdp:
      enabled: yes
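The SC_ERR_CONF_YAML_ERROR(242) warnings fire for every protocol under app-layer: protocols: that has no explicit enabled: key, which is exactly what the fragment above adds. To find out which protocols a given suricata.yaml still leaves unset before editing it by hand, here is a small checker, added as an example and not code from the forum poster or from OPNsense. It uses only the standard library: a minimal indentation-based reader that is enough for the app-layer: protocols: subtree (mappings of scalars and nested mappings; it is not a general YAML parser), the list of protocols to check is taken from the warnings in this thread, and the sample configuration is constructed.

```python
"""Report app-layer protocols in a suricata.yaml that have no explicit
'enabled' setting (the cause of the "enable status not set" warnings).

Added example, not from the forum or OPNsense. Stdlib only; the reader
below handles 'key:' / 'key: value' nesting by indentation, drops '#'
comments and ignores list items, which is sufficient for app-layer: protocols:
but is deliberately not a full YAML parser.
"""

import re

# Protocols named in the warnings quoted in this thread.
WARNED_PROTOCOLS = ("http2", "rdp", "mqtt", "rfb", "sip")

KEY_RE = re.compile(r"\s*([\w.-]+):\s*(.*)$")


def parse_mappings(text):
    """Build a nested dict from 'key:' / 'key: value' lines using indentation."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the open nesting levels
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments (assumes no '#' inside values)
        if not line.strip() or line.lstrip().startswith("-"):
            continue  # blank, comment-only, or list item
        indent = len(line) - len(line.lstrip())
        m = KEY_RE.match(line)
        if not m:
            continue  # directives such as '%YAML 1.1' or '---'
        key, value = m.group(1), m.group(2).strip()
        while stack[-1][0] >= indent:
            stack.pop()  # close deeper or sibling levels
        parent = stack[-1][1]
        if value == "":
            node = {}
            parent[key] = node
            stack.append((indent, node))
        else:
            parent[key] = value
    return root


def missing_enable_status(yaml_text, protocols=WARNED_PROTOCOLS):
    """Protocols under app-layer.protocols without an 'enabled:' key, in order."""
    tree = parse_mappings(yaml_text)
    protos = tree.get("app-layer", {}).get("protocols", {})
    missing = []
    for name in protocols:
        section = protos.get(name)
        if not isinstance(section, dict) or "enabled" not in section:
            missing.append(name)
    return missing


def enable_snippet(names, indent=4):
    """YAML fragment to paste under 'app-layer:' / 'protocols:' for each name."""
    pad = " " * indent
    return "".join(f"{pad}{n}:\n{pad}  enabled: yes\n" for n in names)


# Constructed sample: rdp is set explicitly, sip has a section but no
# 'enabled', and http2 / mqtt / rfb have no section at all.
SAMPLE_YAML = """\
%YAML 1.1
---
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    http:
      enabled: yes
    rdp:
      enabled: yes
    sip:
      # enable status deliberately missing in this constructed sample
      detection-ports:
        dp: 5060
outputs:
  - eve-log:
      enabled: yes
"""

if __name__ == "__main__":
    missing = missing_enable_status(SAMPLE_YAML)
    print("no enable status for:", ", ".join(missing))
    print(enable_snippet(missing), end="")
```

Point missing_enable_status at the text of your own suricata.yaml (on OPNsense it lives under /usr/local/etc/suricata/, next to the opnsense.rules directory named in the errors) and paste the printed fragment under app-layer: protocols:; the same check re-run afterwards should return an empty list, and the 242 warnings disappear on the next restart.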