OPNsense Forum
Archive => 17.1 Legacy Series => Topic started by: Aergan on February 13, 2017, 10:15:41 am
-
Hi, I had this problem with the last few versions of 16.7 but it's still present in 17.1.1 in that suricata keeps exiting after 15~500 seconds.
Feb 13 09:10:00 kernel: pid 21502 (suricata), uid 0: exited on signal 4 (core dumped)
Feb 13 09:09:18 configd.py: [dc6e5d2e-e377-4dbc-b00f-751ecaa3024c] get suricata daemon status
Feb 13 09:09:16 configd.py: [4ce7e5ed-731a-4bff-a945-98bcbab50da9] start suricata daemon
Feb 13 09:09:16 configd.py: [f3452e49-e5ec-44d8-93da-8dcc8c219cc5] install suricata rules
Feb 13 09:09:15 configd.py: [91bd5288-a8f7-4bb1-8733-25e0b207f888] get suricata daemon status
Feb 13 09:09:02 configd.py: [f4e9e1b0-5bc5-4257-ada1-c7c65a144be0] get suricata daemon status
Feb 13 09:08:34 kernel: pid 48719 (suricata), uid 0: exited on signal 4 (core dumped)
Feb 13 09:07:33 configd.py: [c25d9c01-5880-426c-8a35-da259d2303b6] get suricata daemon status
All hardware acceleration options are turned off
OPNsense 17.1.1-amd64
FreeBSD 11.0-RELEASE-p7
OpenSSL 1.0.2k 26 Jan 2017
-
What network cards do you have? Suricata only started working reliably for me after I switched to Intel NICs.
Bart...
-
It's a Generation 1 VM running under Hyper-V 2012 R2
-
Have you found a solution to your problem? I got the same thing on VMware ESXi 6.0 with Intel e1000 interfaces.
-
Hi morpheus,
Have a look at the relevant Twitter conversation with details and workarounds:
https://twitter.com/opnsense/status/833638286753153024
17.1.2 may fix this permanently now that Hyperscan and Suricata have added runtime detection.
Symptoms: old host CPU that does not support SSSE3 instructions + amd64.
Cheers,
Franco
-
Hi franco,
I confirm that installing suricata-no-hs-3.2 seems to prevent that issue.
Thank you!
-
Purrfect!
-
All working still after the upgrade to 17.1.2 as well :)
-
I confirm! :-)
-
Trivia: turnaround time for this bug is approx. 8 months including fixes in two upstream projects. :)
Thank you both for the feedback.
-
Hi there,
I submitted a bug report upon the first kernel crash after attempting to enable Suricata which was running version 17.1.1. I have since upgraded to 17.1.2 and the crash no longer occurs; however, the service still fails to start. Here is what the logs show me:
Feb 23 18:13:09 configd.py: [dae4acf2-35ab-4802-b84c-f3f7dd1e5143] start suricata daemon
Feb 23 18:13:09 root: /usr/local/etc/rc.d/suricata: WARNING: failed to start suricata
configd.py: [419a761d-f4c8-4e1a-8051-003c3c8005ec] returned exit status 1
OPNsense is running in an ESXi 6 VM (32-bit) FreeBSD guest environment and the processor is an Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40GHz, with my WAN network card being an Intel E1000. I have tried starting the service with either Hyperscan or Aho-Corasick, with no luck. I'm attempting to use the Intrusion Detection with only a single custom rule: Only Allow Traffic from North America. Thanks for your time.
Regards,
-
Hi,
Have you tried deleting your custom rule and activating the OPNSense-test-rule instead? Just to see if it is related to your custom rule?
Regards
-
Thanks, I just tried that; I didn't even know there was a test rule. However, it still produces the same result: with only the test rule enabled, the service remains disabled.
-
Can you post the contents of suricata log?
# cat /var/log/suricata.log
Cheers,
Franco
-
Please see the attached screenshot from the command you provided. Thanks!
-
Odd. What's the output of:
# uname -a
Cheers,
Franco
-
It reads:
FreeBSD OPNSense.localdomain 11.0-RELEASE-p7 FreeBSD 11.0-RELEASE-p7 #0 ca29eed2d(Stable/17.1): Mon Feb 20 15:24:20 CET 2017 root@sensey32:/usr/obj/usr/src/sys/SMP i386
-
Ok, so far so good.
Can you post the output of the following command before and after reinstalling the kernel?
# ls -lah /dev/netmap
The kernel reinstalls with:
# opnsense-update -fk
# /usr/local/etc/rc.reboot
And then try again. So far it looks like Suricata can't start because you set IPS mode but the kernel module for IPS is gone which is rather odd.
Also, what network cards / drivers are you using?
Cheers,
Franco
-
I am unable to proceed as the device is in use at the moment. I will try and perform these steps at the end of day. Thank you for your time. The network drivers would be the Intel E1000.
When I run before the reboot: "ls -lah /dev/netmap" it returns "ls: /dev/netmap: No such file or directory"
I was able to get Suricata to start by disabling IPS.
-
Ok, netmap was missing from i386 since 17.1, which affected IPS mode only. FreeBSD added netmap to their 11.0 config, but only for amd64, not i386. Sorry about this.
The kernel is fixed and syncing to the mirrors. Just reapply 17.1.2:
# opnsense-update -fk
# /usr/local/etc/rc.reboot
And it should be all good when the /dev/netmap device is back.
Cheers,
Franco
-
Yep, that fixed it after reapplying 17.1.2. Thanks very much!
-
Ok, change will become permanent in 17.1.3.
Cheers,
Franco
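-
Added example (not part of the thread and not OPNsense code): a small sh triage helper for the two failure modes diagnosed above, Suricata dying on signal 4 on a CPU without SSSE3, and IPS mode failing to start when /dev/netmap is missing. The function names and finding tags are hypothetical, the sample log and dmesg excerpt are constructed, and the files to check are passed as arguments (on FreeBSD the CPU feature lines are recorded in /var/run/dmesg.boot).

```shell
#!/bin/sh
# Added example, not from the thread: triage for the two failure modes above.

# cpu_has_ssse3 DMESG_FILE: succeed if a FreeBSD "Features2=" line lists SSSE3.
# The [<,] and [,>] anchors keep SSE3 from being mistaken for SSSE3.
cpu_has_ssse3() {
    grep 'Features2=' "$1" | grep -Eq '[<,]SSSE3[,>]'
}

# sigill_count LOG: print how often the kernel logged suricata dying on signal 4.
sigill_count() {
    grep -Ec '\(suricata\), uid [0-9]+: exited on signal 4 ' "$1" || true
}

# diagnose LOG DMESG_FILE NETMAP_PATH: print one finding per line, nothing if clean.
diagnose() {
    crashes=$(sigill_count "$1")
    if [ "$crashes" -gt 0 ] && ! cpu_has_ssse3 "$2"; then
        echo "sigill-no-ssse3: $crashes crash(es); use suricata-no-hs or upgrade to 17.1.2"
    fi
    if grep -q 'failed to start suricata' "$1" && [ ! -e "$3" ]; then
        echo "ips-no-netmap: $3 missing; disable IPS or reinstall the kernel (opnsense-update -fk)"
    fi
}

# Constructed sample input; the log wording follows the lines quoted in the thread,
# merged into one file so that both findings fire.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/system.log" <<'EOF'
Feb 13 09:08:34 kernel: pid 48719 (suricata), uid 0: exited on signal 4 (core dumped)
Feb 13 09:10:00 kernel: pid 21502 (suricata), uid 0: exited on signal 4 (core dumped)
Feb 23 18:13:09 root: /usr/local/etc/rc.d/suricata: WARNING: failed to start suricata
EOF
    # Constructed dmesg excerpt: a CPU that reports SSE3 but not SSSE3.
    cat > "$d/dmesg.boot" <<'EOF'
  Features2=0x80002001<SSE3,CX16,HV>
EOF
    # "$d/netmap" is never created, standing in for a missing /dev/netmap.
    diagnose "$d/system.log" "$d/dmesg.boot" "$d/netmap"
    rm -rf "$d"
}
demo
```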