OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: interfaSys on March 18, 2017, 03:40:26 pm

Title: 17.1.2 new re driver + suricata + IPS = kernel panic
Post by: interfaSys on March 18, 2017, 03:40:26 pm
Do not turn on IPS mode in Suricata when using the new re driver because emulated netmap crashes the OS.

See: https://redmine.openinfosecfoundation.org/issues/1688

What we need is a patched Realtek driver with netmap support.
I didn't manage to patch it last year, but I'm not a driver engineer.

The alternative would be to let people pick the driver they want to use.
Title: Re: 17.1.2 new re driver + suricata = kernel panic
Post by: franco on March 18, 2017, 04:29:24 pm
Please provide:

* The kernel panic on 17.1.2 or later.
* The hardware specs of your device.

The linked ticket mentions OPNsense 16.1, which was FreeBSD 10.2.

I don't exactly know where this comes from, because an APU1D runs fine for me...


Cheers,
Franco
Title: Re: 17.1.2 new re driver + suricata = kernel panic
Post by: franco on March 18, 2017, 05:48:40 pm
This is a bit difficult to track; the actual conversation and details are here: https://github.com/opnsense/core/issues/1481

For now, we would like to ask others with a Zotac ci323 to let us know if they use the Intrusion Detection IPS mode successfully or not.

We are suspecting a netmap issue and will try a newer netmap version to see if that helps.


Thanks,
Franco
Title: Re: 17.1.2 new re driver + suricata = kernel panic
Post by: csmall on March 18, 2017, 07:02:05 pm
I'm using the new driver on a Zotac Ri531 and it doesn't crash the OS with suricata on.

I have trouble with ET rules but not a kernel panic.
Title: Re: 17.1.2 new re driver + suricata + IPS = kernel panic
Post by: rgo on March 22, 2017, 07:45:53 pm
I am using a J1900 with Intel Ethernet drivers, and when you turn on IPS in Suricata, then IPv6 goes away! IPv6 stops working but IPv4 stays working. As soon as you turn off IPS in Suricata, IPv6 starts working again. IPv4 works with IPS on or off. If Suricata is enabled but with IPS off, then both IPv4 and IPv6 work. This holds true for 17.1.2 and also in 17.1.3!
Title: Re: 17.1.2 new re driver + suricata + IPS = kernel panic
Post by: btd on March 29, 2017, 08:00:39 pm
Hi.
I'm using a Zotac ci323. I have a 250/20 Mbps connection.
OPNsense 17.1.3
When I turn on intrusion detection, everything works fine. When I turn IPS mode on, download speed slows down from 10 MB/s to ~1,2 MB/s.

What more should I post?
Shot from a monitor connected to the Zotac:
https://goo.gl/photos/JHRnLuhu5LfR8MLb8
Title: Re: 17.1.2 new re driver + suricata + IPS = kernel panic
Post by: franco on March 29, 2017, 08:02:18 pm
Have you turned off hardware checksum features?
Title: Re: 17.1.2 new re driver + suricata + IPS = kernel panic
Post by: btd on March 29, 2017, 08:11:23 pm
Yes, all turned off and the Zotac restarted.
(http://i.imgur.com/rVwtlAt.png)

I forgot to mention: after some time, with IPS turned on, the connection to the internet dies.
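Franco's question about "hardware checksum features" is the usual first check when a netmap-based IPS misbehaves: the offload capabilities shown in the `options=<...>` field of FreeBSD's `ifconfig` output (RXCSUM, TXCSUM, TSO, LRO, VLAN_HWCSUM) need to be off before netmap takes over the interface. The script below is an added example, not code from this thread or from OPNsense. It reports which of those capabilities are still enabled in an `ifconfig` dump and prints the `ifconfig` command that would clear them; it does not run that command itself. The interface name `re0` and the sample `ifconfig` output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): find enabled hardware offloads in a
# FreeBSD-style `ifconfig` dump and print the command that disables them.

# Constructed sample of `ifconfig re0` output with offloads still enabled.
# On a real box this would be: IFCONFIG_OUT="$(ifconfig re0)"
SAMPLE_IFCONFIG='re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
	ether 00:00:00:00:00:00
	inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'

# Print, one per line, the offload capabilities enabled in the options=<...>
# list that a netmap-based IPS wants switched off. Prints nothing (and
# returns non-zero from grep) when the interface is already clean.
offloads_enabled() {
    printf '%s\n' "$1" \
        | sed -n 's/.*options=[0-9a-f]*<\([^>]*\)>.*/\1/p' \
        | tr ',' '\n' \
        | grep -E '^(RXCSUM|TXCSUM|TSO4|TSO6|LRO|VLAN_HWCSUM)$'
}

# Build the ifconfig(8) command that clears every enabled offload on
# interface $1, using the dump passed in $2. Nothing is executed here.
disable_command() {
    cmd="ifconfig $1"
    for cap in $(offloads_enabled "$2"); do
        case "$cap" in
            RXCSUM)      cmd="$cmd -rxcsum" ;;
            TXCSUM)      cmd="$cmd -txcsum" ;;
            TSO4|TSO6)   cmd="$cmd -tso" ;;
            LRO)         cmd="$cmd -lro" ;;
            VLAN_HWCSUM) cmd="$cmd -vlanhwcsum" ;;
        esac
    done
    echo "$cmd"
}

# Report on the constructed sample.
offloads_enabled "$SAMPLE_IFCONFIG"
disable_command re0 "$SAMPLE_IFCONFIG"
# prints: ifconfig re0 -rxcsum -txcsum -vlanhwcsum
```

Run it against the real interface by replacing the sample with `$(ifconfig re0)`; if the second line comes back as just `ifconfig re0`, the offloads are already off and the slowdown or dropped connection reported above has another cause, which is the point of asking before digging into netmap itself.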