Messages - teej1980uk

1
24.7 Production Series / Re: IPS mode in Suricata causes kernel panic
« on: July 30, 2024, 11:47:00 am »
No probs, appreciate the feedback, thank you :)

2
24.7 Production Series / Re: IPS mode in Suricata causes kernel panic
« on: July 30, 2024, 11:13:25 am »
Oh dear. I appreciate it's potentially a FreeBSD issue, but one of my impacted gateways is a paid subscription in AWS, so is there any scope to accelerate any troubleshooting/patching? The IPS feature for this gateway is quite important, sadly.

Many thanks.

3
24.7 Production Series / Re: IPS mode in Suricata causes kernel panic
« on: July 30, 2024, 10:40:20 am »
Thanks Franco :)

I see 24.7_9 is now out, is this patch rolled into 24.7_9 also?

4
24.7 Production Series / Re: IPS mode in Suricata causes kernel panic
« on: July 27, 2024, 10:25:43 am »
My bad, apologies, I've updated my original post with the complete output.

5
24.7 Production Series / Re: IPS mode in Suricata causes kernel panic
« on: July 27, 2024, 01:13:03 am »
+1 for me also, running in AWS 24.7_5 on a t2.large. As soon as I disable IPS, the reloads no longer persist.

Code:
Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 02
fault virtual address = 0x30
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80a0f15f
stack pointer         = 0x28:0xfffffe00f4ef18e0
frame pointer         = 0x28:0xfffffe00f4ef1970
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 93696 (W#01-xn0^)
rdi: fffff80004e75000 rsi: fffff80004cd1c00 rdx: fffff80004cd1c00
rcx: fffff80003e97c00  r8: 000000000000003d  r9: 0000000000000800
rax: 00000000000000ff rbx: fffffe00d917f000 rbp: fffffe00f4ef1970
r10: 0000000000000301 r11: fffff80271e38c60 r12: 0000000000000000
r13: fffff80003b43800 r14: fffffe00f4ef1944 r15: fffff80004cd1c00
trap number = 12
panic: page fault
cpuid = 1
time = 1722034585
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00f4ef15d0
vpanic() at vpanic+0x131/frame 0xfffffe00f4ef1700
panic() at panic+0x43/frame 0xfffffe00f4ef1760
trap_fatal() at trap_fatal+0x40b/frame 0xfffffe00f4ef17c0
trap_pfault() at trap_pfault+0x46/frame 0xfffffe00f4ef1810
calltrap() at calltrap+0x8/frame 0xfffffe00f4ef1810
--- trap 0xc, rip = 0xffffffff80a0f15f, rsp = 0xfffffe00f4ef18e0, rbp = 0xfffffe00f4ef1970 ---
xn_txq_mq_start_locked() at xn_txq_mq_start_locked+0xdf/frame 0xfffffe00f4ef1970
xn_txq_mq_start() at xn_txq_mq_start+0x76/frame 0xfffffe00f4ef19a0
nm_os_generic_xmit_frame() at nm_os_generic_xmit_frame+0xa0/frame 0xfffffe00f4ef19f0
generic_netmap_txsync() at generic_netmap_txsync+0x3a2/frame 0xfffffe00f4ef1ae0
netmap_ioctl() at netmap_ioctl+0x1a7/frame 0xfffffe00f4ef1bb0
freebsd_netmap_ioctl() at freebsd_netmap_ioctl+0x79/frame 0xfffffe00f4ef1bf0
devfs_ioctl() at devfs_ioctl+0xcb/frame 0xfffffe00f4ef1c40
vn_ioctl() at vn_ioctl+0xce/frame 0xfffffe00f4ef1cb0
devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe00f4ef1cd0
kern_ioctl() at kern_ioctl+0x255/frame 0xfffffe00f4ef1d40
sys_ioctl() at sys_ioctl+0xff/frame 0xfffffe00f4ef1e00
amd64_syscall() at amd64_syscall+0x100/frame 0xfffffe00f4ef1f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00f4ef1f30
--- syscall (54, FreeBSD ELF64, ioctl), rip = 0x829f2e5fa, rsp = 0x844b94df8, rbp = 0x844b94e20 ---
KDB: enter: panic

6
24.1 Legacy Series / Suricata IPS Block Bad Actors - Add to Firewall Alias Group
« on: May 19, 2024, 09:19:17 pm »
Hi.

Long time listener, first time caller :)

Is it possible to add some automation to pick up a bad actor source IP from Suricata's /var/log/suricata/eve.json and add the offending IP into a Firewall alias group?

Perhaps using Monit, Shell Script, Cron, Fail2Ban or some API call?

I think this would be an invaluable feature, and would save me from manually logging to reduce/secure the attack surface.

Many thanks.
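One way to do the eve.json half of this, as an added example that is not from the poster or the OPNsense project: a Python script that pulls the distinct source IPs out of alert events, drops anything from your own LAN so a noisy rule cannot lock you out, and prepares one alias-add request per address for a cron job to send. The sample log lines and the LOCAL_NETS list are constructed, and the API path and body shape are an assumption to verify against the API documentation for your OPNsense version.

```python
import ipaddress
import json

# Constructed sample eve.json lines (not from the original post): a public
# attacker, a flow event, a LAN source, a repeat, a low-severity alert, junk.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"198.51.100.2","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":1}}',
    '{"event_type":"flow","src_ip":"203.0.113.9","dest_ip":"198.51.100.2"}',
    '{"event_type":"alert","src_ip":"192.168.1.20","dest_ip":"198.51.100.2","alert":{"signature_id":2010935,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","severity":2}}',
    '{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"198.51.100.2","alert":{"signature_id":2010935,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","severity":2}}',
    '{"event_type":"alert","src_ip":"203.0.113.50","dest_ip":"198.51.100.2","alert":{"signature_id":2013028,"signature":"ET POLICY curl User-Agent Outbound","severity":3}}',
    'not json at all',
]

# Sources that must never be blocked even if a rule fires on them: RFC 1918,
# loopback and link-local ranges (constructed list; extend with your own WAN/VPN).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def offending_ips(lines, max_severity=2):
    """Distinct source IPs of alert events with severity <= max_severity.
    Suricata severity 1 is the most severe; non-alert events, malformed lines
    and LOCAL_NETS sources are skipped so a noisy rule cannot lock you out."""
    found = set()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("severity", 3) > max_severity:
            continue
        try:
            ip = ipaddress.ip_address(ev.get("src_ip", ""))
        except ValueError:
            continue
        if any(ip in net for net in LOCAL_NETS):
            continue
        found.add(str(ip))
    return found


def alias_payloads(ips, alias_name="bad_actors"):
    """One request description per IP for adding it to a firewall alias.
    ASSUMPTION: path/body follow the alias_util add endpoint; verify first."""
    return [{"path": f"/api/firewall/alias_util/add/{alias_name}", "body": {"address": ip}} for ip in sorted(ips)]
```

Run it from cron against a tail of eve.json rather than the whole file, and pair it with an expiry on the alias so stale addresses age out.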

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved