suricata deactivates itself

Started by Bogotrax, December 27, 2021, 07:53:23 PM

December 27, 2021, 07:53:23 PM Last Edit: December 27, 2021, 10:03:09 PM by Bogotrax
Hello folks, may I be forgiven that I posted this one in the German channel too.
The thread title actually says it. I activated the IDS / IPS service suricata and after about 15-20 minutes the service is automatically deactivated. What can this be related to?
The log files don't really tell anything.

2021-12-27T10:05:29 suricata[45842] [100140] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
2021-12-27T09:43:11 suricata[76496] [100343] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
2021-12-26T22:48:15 suricata[53046] [100116] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
2021-12-26T22:10:52 suricata[77437] [100118] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
2021-12-26T21:33:18 suricata[29964] [100140] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode

Here are the hardware and software parameters:


Versions OPNsense 21.7.7-amd64
FreeBSD 12.1-RELEASE-p21-HBSD
OpenSSL 1.1.1l 24 Aug 2021
CPU type AMD GX-412TC SOC (4 cores)

Service Description Status
configd System Configuration Daemon
cron Cron
dhcpd DHCPv4 Server
login Users and Groups
ntpd Network Time Daemon
pf Packet Filter
routing System routing
suricata Intrusion Detection
sysctl System tunables
syslog-ng Syslog-ng Daemon
unbound Unbound DNS
webgui Web GUI

Interfaces of the service and configuration


Services: Intrusion Detection: Administration
Enabled (checked)

IPS mode (unchecked)

Promiscuous mode (unchecked)

Enable syslog alerts (checked)

Enable eve syslog output (unchecked)

Pattern matcher (Aho-Corasick)

Interfaces (WAN)

Rotate log (Daily)

There was a German reply that was interesting, so I add it. How far can this correlate? I don't have these services, I guess. "Do you still have Sensei / Zenarmor or netflow active at the same time?"
Did a reset of password - same problem / behaviour.
Can I influence the behavior or activate the service permanently?
Problem: the problem is apparently that suricata consumes too much memory for the system to handle - what can I do?

I have exactly the same issue.
I don't believe it's related to the memory, as I have a box running
Intel(R) Xeon(R) CPU E3-1265L V2 @ 2.50GHz (8 cores)
and 32GB of RAM.

But every 15/20 min it disables itself. I've looked in the logs but nothing shows why it's deactivated.

For the time being I've removed it until some light turns on.
DEC4240 – OPNsense Owner

Thanks for the feedback. Could you find a solution to the problem? After I increased the RAM through swap the problem was seen less often. But in your case RAM definitely doesn't seem to be the problem.