We are using the proofpoint rules and all OPNsense versions from 25.1 to 24.x are affected. Error message is:
<Error> -- Just ran out of space in the queue. Fatal Error. Exiting. Please file a bug report on this
It looks like a broken rule update is responsible for this, since ample memory and disk space is available on our boxes.
One more observation: Only boxes with one of the three Aho-Corasick Pattern matchers are affected, even with today's updated rules. Boxes with Hyperscan matcher were not affected. After changing the matcher to Hyperscan, the problem was solved on all of our previously affected firewalls.
I hope this helps identifying and fixing the cause.
Ours started erroring out on the 20th, same symptoms, and same temporary resolution - Hyperscan.
Same here
Mine is set to "default" and still working. This reminds that I need to sit and do some work on my filters and same for Crowdsec.
Mine is set to default and it's still crashing. Any updates on a fix?
Same here...
Same message here, latest version installed
Had the same issue, here is what fixed it for me:
- updated the vCPU scheme of the VM from "kvm64" to "Haswell-noTSX".
- VM power off/power on.
- shifted the IPS engine from "Aho–Corasick Ken Steele variant" to "Hyperscan" (only possible post point #1 here).
According to the docs, Hpyerscan seems to be the best options whenever supported, I'll leave it at that here.
https://docs.opnsense.org/manual/ips.html
Kind regards,
m.
Same here and its still broke
I changed IPS>Administratiom>Settings Advanced and changed pattern matcher to Hyperscan
As pointed out by user geotek
And Detect profile to medium, may not have needed to change that
Its working for now
I promise this question is honest. I don't want to make enemies... please do not be too agressive with the answer..
I have moved from pfSense to OPNSense 2 months ago and now I'm facing this issue.
I activated proofpoint, it was great.
Now, suricata stops work and there is no solution several weeks later.
My question is ... Could this be a prove that OPNSense is more modern, with more functionalities but it's not being maintained as fast pfSense?
Hi, this solution works for me! Thanks.
Quote from: someone on May 06, 2025, 11:42:56 PMI changed IPS>Administratiom>Settings Advanced and changed pattern matcher to Hyperscan
As pointed out by user geotek
And Detect profile to medium, may not have needed to change that
Its working for now
I also wanted to report the same issue and the fact that this solution worked for me.
Quote from: geotek on April 20, 2025, 11:25:21 AMOne more observation: Only boxes with one of the three Aho-Corasick Pattern matchers are affected, even with today's updated rules. Boxes with Hyperscan matcher were not affected. After changing the matcher to Hyperscan, the problem was solved on all of our previously affected firewalls.
I hope this helps identifying and fixing the cause.
Hello
Started today with IDS on OPNSense 25.1.7_4 and selected "Hyperscan" as pattern matcher. Unfortunately, I got with "Hyperscan" the error "IDS log reports "hs" is an invalid mpm algo" and it became apparent that "Hyperscan" requires SSSE3 and actually running OPNSense on Proxmox with qemu64 on (old) Xeon Westmere EP hardware, it is not possible to switch the cpu type to any else that qemu64 to start the OPNsense VM. Switching to "Aho-Corasick, Ken Steele" resulted then in the above error suricata "Error - Just ran out of space in the queue. Fatal Error."
Mokaz's solution worked.
As a preface, I must say I could never activate IPS with hyperscan matcher on this VM.
That VM presented some other limitations compared to its twin, almost identical, except for the CPU type.
After reading Mokaz's solution I did not go for same CPU as him but simply abandoned the KVM64, for the «Broadwell, IBRS», the one used on the almost twin VM and it solved the problem.
(
and I'll keep an eye on any difference that may appear or persist between the twin VMs)
Thank You!!!
Clearly, KVM64 CPU emulation misses flags required by hyperscan to perform.
An embryo of CPU compatibility list includes:
- Broadwell, IBRS
- Haswell-noTSX
Quote from: mokaz on May 05, 2025, 08:28:29 AMHad the same issue, here is what fixed it for me:
- updated the vCPU scheme of the VM from "kvm64" to "Haswell-noTSX".
- VM power off/power on.
- shifted the IPS engine from "Aho–Corasick Ken Steele variant" to "Hyperscan" (only possible post point #1 here).
According to the docs, Hpyerscan seems to be the best options whenever supported, I'll leave it at that here.
https://docs.opnsense.org/manual/ips.html
... and a wiser way to describe compatibility would be to enumerate required CPU flags, instead of listing all variants of CPU released on the market.