OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: Anon87 on July 31, 2017, 02:55:03 pm

Title: Suricata error, DNS crashes
Post by: Anon87 on July 31, 2017, 02:55:03 pm
Hi!

First of all, thank you very much for your awesome work! It's been a wonderful ride so far.

I upgraded this morning to OPNsense 17.7, but ran across an issue. As soon as Suricata is enabled, the DNS seems to fail after a few minutes. Traffic is still possible, however, DNS queries fail. As soon as I disable Suricata, DNS queries succeed again. There are no rules set to block which might have an effect on this, the Suricata logs mentions doesn't report any block action whatsoever.

I tried it with the default supplied version, Suricata 3.2.3, upgraded to 4.0.0, but the problem remains. However, suricata.log (/var/log/suricata.log) does mention this everytime it's started:

Code: [Select]
[ERRCODE: SC_ERR_SYSCALL(50)] - Unable to set caps for iface "em0": Invalid argument
Title: Re: Suricata error, DNS crashes
Post by: franco on July 31, 2017, 03:57:49 pm
Hi Anon,

I don't know where this would come from: Suricata and the FreeBSD version is the same. The only difference is that everything got reinstalled, which shouldn't cause this.

It could be that either the Suricata rules used changed during the fetch or that the new firewall rules generation is the problem, the first one being the more likely candidate.

Capability settings shouldn't fail, but it also shouldn't cause such a problem (only DNS).

Do you have gateway rules in the firewall, particularly about DNS?


Cheers,
Franco
Title: Re: Suricata error, DNS crashes
Post by: Anon87 on July 31, 2017, 07:07:25 pm
Hello Franco,

Thank you for your swift reply. If the Suricata rules did change and it led to some blocking, it should be listed on the alerts page, correct?

With the troubleshooting I did, one of the first things I thought about was the firewall ruleset. But it's pretty much the default, with all outgoing traffic allowed (IPv4) and the only incoming traffic is to the built in OpenVPN server, with I only enable if I leave home for more than one hour.

A few hours ago, I decided to completely reinstall the box, because theoretically, it could be a bug triggered by the configuration file, which I did import from 17.1.11. I began configuring it again, by hand. Walked through the setup wizard, selected the LibreSSL flavor, upgraded, configured the settings, enabled Suricata - worked all fine. Until I rebooted the machine, exact same problem as before.

I reinstalled it again, but now, I rebooted everytime I changed a single option. Countless reboots later, I think I've found the cause: with IPS mode enabled in Suricata, it causes the DNS queries/resolves to fail. After I disabled IPS mode, rebooted, Suricata ran fine, causing no problems.

Perhaps you can shine a light on this, as I am unfamiliar with the inner workings of Suricata. Is the IPS mode required to drop traffic, even if I set the default behaviour to drop in a specific rule or ruleset?

Last but not least, you mentioned that OPNsense 17.1 and 17.7 are based on the same FreeBSD version and run the same Suricata version. Could it be due to one of the mitigations/hardening techniques in HardenedBSD? As I read the releasenotes, there are some 'intense' changes made....

Thanks,
Anon87

Note to self: I should really, really get a KVM over IP solution for the headless systems at home
Title: Re: Suricata error, DNS crashes
Post by: franco on July 31, 2017, 08:01:59 pm
Hi Anon87,

Well, if you talk about 17.1 and 17.7 the software versions differ greatly as both releases are 6 months apart. But every subsequent 17.1.x gets features from the 17.7 development branch over time. Due to this 17.1.11 and 17.7 are almost the same, except for a larger rework of the rule generation framework of the packet filter itself.

So if 17.1.11 was working fine for you, but 17.7 is giving you trouble now it means we can narrow the problem down to a handful of changes, none of which directly affect Suricata.

You should see alerts for drops, that's right. Also, is this a problem of IPv4 vs. IPv6 DNS resolution? I've seen Suricata drop IPv6 traffic but leave IPv4 alone?

Sorry this is a bit vague, it's not because we don't want to solve this, but because there is little indication of what could be wrong with the system. Need to pin this down more. :)


Cheers,
Franco
Title: Re: Suricata error, DNS crashes
Post by: Anon87 on July 31, 2017, 10:59:39 pm
Hi Franco,

Sure, I'll be glad to help out. I'll try to get into detail as much as possible, most will be completely worthless, but hope something can point you in the right direction.

I am able to reproduce this behaviour through the following steps:


My provider doesn't support IPv6 as of now, so that shouldn't be a problem. The only thing I haven't tried - yet - is to try another DNS provider. I am willing to downgrade to 17.1, to make 100% sure that this is 17.7 only behaviour. However, I might need a day or two to get that done, as I am away from home right now.

Cheers
J.
Title: Re: Suricata error, DNS crashes
Post by: Vincent on August 02, 2017, 03:04:38 pm
Hello Anon87 and Franco,

I experienced similar issue with my upgrade path from 17.1.11 to 17.7
My config had suricata enabled (in IDS mode) and DNS activated.
All working fine in 17.1.11

After upgrading to 17.7 i got what seems a similar issue to what Anon87 described: unbound DNS was not resolving any more DNS.
Only exceptions were my local domain hosts entries resolved properly.

Stopping/disabling suricata didn't change to the issue.
But i found in "System > Settings > General" an option that seemed new to me:
Code: [Select]
"Allow DNS server list to be overridden by DHCP/PPP on WAN"It was checked by default, and unticking it made my DNS magically resolving back external named (and resisting to reboot issue mention by Anon87).

Could it be a reason for you too that the change you makes don't resist for a reboot Anon87?

I hope that experience sharing will help.

Cheers,
Vincent
Title: Re: Suricata error, DNS crashes
Post by: franco on August 02, 2017, 03:09:21 pm
Just quickly, there is a German user seeing the same issue: https://forum.opnsense.org/index.php?topic=5603.0

With the multiple reports and a bit of testing we should be able to pin this down further, but it really seems to be either Suricata IPS mode or an associated DNS ruleset.

We would try Suricata 3.2.2 to be sure it's either the binary or a newer ruleset...
Title: Re: Suricata error, DNS crashes
Post by: Anon87 on August 02, 2017, 03:15:38 pm
Could it be a reason for you too that the change you makes don't resist for a reboot Anon87?

Dear Vincent,

Thank you kindly for your reply, really appreciate it. Theoretically speaking, it shouldn't make a difference, as my WAN is static, there is no DHCP server running upstream. However, I'll be glad to put this to the test nevertheless.

Unfortunately, I can't try this right now, as there is a transfer going on which cannot be interrupted. By estimation, the transfer should be done late tomorrow or early friday, then I am free to reboot as often as I wish ;-)

Also, I assume that you mean IPS mode? The difference is that IDS is detection, IPS is blocking :)

Cheers,
J.

EDIT: Vincent, since you've managed to get it working, if you look through the /var/log/suricata.log, is there something like this reported:

Code: [Select]
[ERRCODE: SC_ERR_SYSCALL(50)] - Unable to set caps for iface "em0": Invalid argument
We would try Suricata 3.2.2 to be sure it's either the binary or a newer ruleset...

Thanks Franco!

The same behaviour happens on v3.2.3 (the default) and v4.0.0, so from my viewpoint, the ruleset causing this issue is more logical than the binary. Does it help if I supply a list of the enabled rules?

I've used Google Translate to help me out with the German, but it doesn't really make any sense - it gets translated rather bad. I am able to follow and interpret spoken German, but reading it is something completely different, gheh.
Title: Re: Suricata error, DNS crashes
Post by: franco on August 02, 2017, 04:17:05 pm
Hi J,

Well, 3.2.3 may not be it, but 3.2.2 could be it, it's rather strange. We should exclude as much as possible.

This is the old amd64 package:

# pkg add -f https://pkg.opnsense.org/snapshots/suricata-3.2.2.txz

Listing the rulesets used will certainly help. If it's a ruleset it should also be easy to find the one responsible by deactivating one by one?


Cheers,
Franco
Title: Re: Suricata error, DNS crashes
Post by: ford on August 02, 2017, 09:39:48 pm
Hi Guys,

iam this user from the german thread.
Does google translator struggels on bavarien? ;-)

OK, as Franco said, downgrad suricata to 3.2.2.
Probably a solution for a moment, cause my FW-log tells me the same as before, but DNS works _with_ IDS!

Small question:
I do not redirect on WAN.
Which interface redirects (in NAT) your traffic to proxy?
I am using the plugin below.
Do you use plugin "os-intrusion-detection-content-pt-open"?

greets
Rainer

Title: Re: Suricata error, DNS crashes
Post by: Vincent on August 04, 2017, 04:33:18 pm
Hello J,

I've checked in /var/log/suricata.log, including history of past days, no track of that set caps error message.

Suricata is bound on igb1 for me, maybe the driver has an impact on the caps.

Cheers,
Vincent
Title: Re: Suricata error, DNS crashes
Post by: ford on August 07, 2017, 08:24:11 pm
Hi,

after downgrade to 3.2.2 and up and down....
i spend a lot of time to read log files and traces.
Traces as well from my WAN, which is connected to my FritzBox.
There I found some strange pings and DNS requests... propably v6 once.

My idea was to set
Services
>Unbound DNS
>>General
[X] Register IPv6 link-local addresses in the DNS Resolver DHCP IPv6 Link-local
et Voilá, for me it works.

But meanwhile there are several lib updates via GUI update
and "Surprisecata" works as well w/o v6 local-link DNS regs in v3.2.3 ;-)

Same for you?

cheers
Rainer
Title: Re: Suricata error, DNS crashes
Post by: franco on August 08, 2017, 08:43:50 am
Rainer, do you have a SLAAC type setting for your clients?

So do you suggest setting or unsetting Register link-local for 3.2.3 (and 4.0.0)?
Title: Re: Suricata error, DNS crashes
Post by: Anon87 on August 08, 2017, 10:35:28 am
An update for my situation:

It seems like the caps error in the Suricata log, was due to a change in the interface assignments. There is one onboard ethernet controller and one through PCI express. I just changed the WAN interface from the onboard controller to the PCI express one, and poof, no more caps errors.

DNS seems to be resolving now, with IPS mode on. However, it does take a while. I am doing further investigation today, as to where that may come from.
Title: Re: Suricata error, DNS crashes
Post by: Noctur on August 09, 2017, 05:05:50 pm
I had been having to reboot about 1-2x per day to recover connection - all bars green but no connection. I thought that simply what must be done.

Following this thread, I tried  Suri 3.2.2 - same reboot requirement, then reloaded 3.2.3 - same. Saw post above and realized my WAN is on an internal NIC and LAN on a PCIe NIC. Switched WAN to another PCIe NIC yesterday and haven't had to reboot since. This all with IPS and about half of the rules on. Now trying with VPN on - which has been a past issue.
Title: Re: Suricata error, DNS crashes
Post by: hutiucip on August 10, 2017, 02:40:56 pm
Hello everyone!

@franco & @ other administrators in particular, this matter with sluggish and erratic specific traffic caused by Suricata (DNS traffic for that case) sounds exactly like the problems I encountered since 17.1.4 (17.1.4 being the last stable version of OPNsense at the moment I started using it), problems with RDP (port 3389) and with Veeam back-up/ copy/ transfer traffic: no log traces in either of FW log or IPS log, but both services are massively impacted by enabling IPS. With only IDS, or with Suricata completely disabled, no problems. I have found out that for RDP the cause is the ruleset "ET-Emerging DOS" (maybe a single one rule, or a few rules in the ruleset, I don't know, I didn't dig it further...) and no ideea up to now about Veeam traffic.

And now DNS traffic seems to be impacted by enabling IPS, in the same massive and erratic way... :/ It might be one rule, or a few of them, in one or more then one rulesets (ill written rules, maybe, since they don't leave any traces in the log files? :-? ), or might be some bug(s) in the engine of Suricata itself.

I have a few replies I have written over the last few months regarding these problems, and here are a few links to those replies:

https://forum.opnsense.org/index.php?topic=3639.msg21340#msg21340 (https://forum.opnsense.org/index.php?topic=3639.msg21340#msg21340)

https://forum.opnsense.org/index.php?topic=5323.msg21620#msg21620 (https://forum.opnsense.org/index.php?topic=5323.msg21620#msg21620)

https://forum.opnsense.org/index.php?topic=3639.msg21583#msg21583 (https://forum.opnsense.org/index.php?topic=3639.msg21583#msg21583)

https://forum.opnsense.org/index.php?topic=4140.msg21270#msg21270 (https://forum.opnsense.org/index.php?topic=4140.msg21270#msg21270)

I hope it's of any help, and I wrote this lines since any info might be a lead toward the right course of action for finding the solution.

PS I didn't update to 17.7 yet, and I don't use IPS any more since a good while, as I already had problems I explained upon.
Title: Re: Suricata error, DNS crashes
Post by: Noctur on September 19, 2017, 04:56:32 am
Just tried to pkg add the older suricata: # pkg add -f https://pkg.opnsense.org/snapshots/suricata-3.2.2.txz

Received a pkg not found message. Has it been pulled?

I'm still getting DNS drops with Unbound, Suricata 4, and running a Nord VPN instance. Suri 3.2.2 seemed to work better. I've been trying them both for several days each with the recent 17.7.2 update and was flipping back to 3.2.2.
Title: Re: Suricata error, DNS crashes
Post by: franco on September 19, 2017, 06:43:37 am
Moved here, the mirror now has a snapshot directory for each ABI:

https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/


Cheers,
Franco