Messages

31

Intrusion Detection and Prevention / Capture Filters BPF

« on: October 07, 2019, 11:49:27 pm »

Is there any way to setup Capture Filters (BPF) in Suricata? Or is that something that has to be added to the code
I would like to ignore some hosts.

See here.
https://suricata.readthedocs.io/en/latest/performance/ignoring-traffic.html

32

Intrusion Detection and Prevention / Re: Suricata memory crash

« on: October 07, 2019, 12:12:24 am »

It does seem as though the Suricata package is not functioning correctly. This may be attributed to the fact that I have just been applying updates to this box since version 18.1
I threw together a test box and suricata seems to be working normal on it, but it isn't live and has no traffic.
I will report back when I get my new system and move my production to it with a clean rebuilt OPNsense. And no, I won't do a restore.

33

19.7 Legacy Series / reinstall Suricata

« on: October 06, 2019, 12:57:23 am »

I tried reinstalling Suricata because of some missing dependencies, but it didn't replace the missing files such as suricata.yaml and some others.
How do I reinstall the full package?

This all started due to problems I was having with Suricata and I was thinking to reinstall it to put back all of the default files since I have changed things over the last couple years but the default files never came back.

How do I wipe out Suricata and reinstall the complete default package? Right now Suricata is disabled.

34

Intrusion Detection and Prevention / Re: Suricata memory crash

« on: October 05, 2019, 10:40:31 pm »

Anyone? Is this a known issue yet? Seems others are seeing Suricata memory spikes also.

Looking over the changelog, I do not see any changes to the Suricata version since 19.7.2, so it must have something to do with the way OPNsense interfaces with Suricata.

My next plan of attack is to setup a new firewall and start from scratch. I should have the new hardware next week.

35

19.7 Legacy Series / Re: High memory usage

« on: October 02, 2019, 05:18:17 pm »

Thank goodness others are seeing this too. I do not have the luxury of constantly 'rebooting' as I have over a hundred business users with websites and email to answer to. I will just not use Suricata until a patch is released to fix this.

36

Intrusion Detection and Prevention / Suricata memory crash

« on: October 01, 2019, 05:54:42 pm »

This issue came up in another thread but I feel this topic got lost in there and is better suited in this category. Sorry in advanced for this.

The moment I upgraded from 19.7.2 to 19.7.4_1 I have had multiple memory usage spikes causing Suricata service crashes everyday. Never had this happen before the upgrade

I have tried changing Hyperscan to Default and removing some rulesets. I am down to one ruleset now and Suricata service still crashes eventually. There must be a memory leak problem or something similar. I have also tried reinstalling Suricata.

If the Suricata service stops or resets for any reason, the connection to the internet fails. But that has always been like that. The only way to fix it after a Suricata service restart or crash is a reboot of OPNsense.

I have not changed any rules in over a year in Suricata. This issue is a result of some change since the upgrade.
For now I have disabled Suricata and my firewall is stable.

Any suggestions?

37

19.7 Legacy Series / Re: High memory usage

« on: October 01, 2019, 02:05:37 am »

Ok, I give up Suricata has a problem. The only way I can run stable is to disable Suricata.

Suricata must have some sort of memory leak introduced with a recent update. I have been running OPNsense for over a year with the same rulesets without any issues like this. Now, the memory just eventually blows up. This has to be a bug in the Suricata package.

38

Tutorials and FAQs / Re: Monit Mini Howto

« on: October 01, 2019, 12:30:39 am »

The CPUtemp test I have laid out in a previous post no longer works.

Status never gets past 'Initializing'

If anyone knows how to fix, please share.

Thanks

39

19.7 Legacy Series / Re: High memory usage

« on: September 30, 2019, 11:45:35 pm »

Been reading earlier posts about somw rulesets that were crashing Suricata. I think this is the case again.
I am not using any of the abuse.ch rulesets

I am only using the following rulesets
ET open/ciarmy
ET open/compromised
ET open/drop
ET open/dshield
ET open/emerging-icmp
ET open/emerging-icmp_info
and my own custom ruleset which is very simple only allowing about 20 ports on one of the WAN IP's.

40

19.7 Legacy Series / Re: High memory usage

« on: September 30, 2019, 11:16:53 pm »

Suricata is the culprit. It gets to a point where it takes all the memory then the Suricata service shuts down and kills the internet.

Something between version 19.7.2 and the current version is causing this because I have not changed the Suricata rules in ages and this started the day I updated.

Is there something different with Suricata?

I did just change the Pattern Matcher from Hyperscan to default and saw the memory drop from 18% to 7% after a reboot. What am I losing by not using Hyperscan?

41

19.7 Legacy Series / Re: High memory usage

« on: September 30, 2019, 07:41:45 pm »

Thanks guys. I will run top in the console the next time it spikes.

But what is interesting is ever since I added memory, I no longer have crashes.

42

19.7 Legacy Series / Re: High memory usage

« on: September 29, 2019, 07:59:40 pm »

What did work is I doubled the memory size. Now it doesn't crash. Monit reported up to 18Gb of memory being used. Then a couple minutes later, the memory went down to 2GB.

But the big question is, why is there so much memory being used all of a sudden after the upgrade?

What can I look at to see what is using this memory? Anyone know?

43

19.7 Legacy Series / Re: High memory usage

« on: September 28, 2019, 11:13:02 pm »

Ordered a new mini firewall computer. I will limp along until then. had to restart firewall twice already today.

Is there a way to see the logs before the restart? All of them refresh and clear out on a restart.
I still don't know what is causing this. All I can say is it all started right after the last update.

44

19.7 Legacy Series / Re: High memory usage

« on: September 27, 2019, 08:36:56 pm »

Crashed on me twice this morning. This is a full crash. Even the console was dead.

Just before it crashed I got a Monit report that the mem usage was over 90%

When it restarts, all the logs are cleared, so I cannot tell what is causing this.

This is an issue that just started right after I updated to version 19.7.4_1 from 19.7.2.
memory usage all of a sudden pops up to high levels when it crashes. Normally stays at around 10%. I know this because of the Monit email report.

Suricata was disabled.

HELP...........Please............

45

19.7 Legacy Series / Re: High memory usage

« on: September 27, 2019, 06:31:18 pm »

I will try turning Hyperscan off if it happens again. I am now using 10-15% memory, which is what it normally is at. I did notice one of my newer local subnets was not included in the HOME_NETWORK list. And I was getting a DDOS attack from Germany which was being stopped by Suricata.

I think Suricata was flooded with hits and just blew up the firewall. I do notice that if I make any major changes to or restart the Suricata service. I no long have Internet and need to restart. But I assume this is normal.