[Solved]:Intrusion Detection stops after 1 minute

Started by ddt3, September 01, 2023, 10:00:31 AM

September 01, 2023, 10:00:31 AM Last Edit: September 24, 2023, 10:42:39 AM by ddt3
I have just discovered that I have not been running Intrusion Detection for quite some time.
When I start the service this is in the log:
2023-09-01T09:12:07 Error suricata [120679] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - opening devname netmap:vlan0.300/R failed: Invalid argument
2023-09-01T09:10:32 Warning suricata [100503] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-01T09:10:32 Warning suricata [100503] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-01T09:10:32 Warning suricata [100503] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-01T09:10:32 Warning suricata [100503] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-01T09:10:32 Warning suricata [100503] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-01T09:10:32 Warning suricata [100503] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-01T09:10:32 Notice suricata [100503] <Notice> -- This is Suricata version 6.0.13 RELEASE running in SYSTEM mode
I am running OPNsense 23.7.3-amd64 on actual hardware, 4 network ports based on Intel I-225V.
This is my interface assignment:

I think the problem started when I switched from VDSL (OPNsense connected to the internet via a VDSL modem) to fiber (OPNsense connected directly to a Huawei media converter, using vlan0.300), so my OPNsense hardware did not change but the environment did.

I have all hardware offloading switched off, including VLAN (and did not change that when switching to fiber).

Hope that with some help I can get IPS working again!
I had this issue last year; I've been working with the support team and they couldn't fix it.
I gave up using it.
Now I am using Firewall Alias.
DEC4240 – OPNsense Owner

Same issue here: if IPS is activated and a VLAN interface is added to the "interfaces field", the service crashes.

Debug log messages are useless:

Quote
2023-09-19T10:30:19   Error   suricata   [154938] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - opening devname netmap:vlan0.2/R failed: Invalid argument   
2023-09-19T10:30:19   Informational   suricata   [100337] <Info> -- Going to use 1 thread(s)   
2023-09-19T10:30:19   Debug   suricata   [100337] <Perf> -- Using 1 threads for interface vlan0.2   
2023-09-19T10:30:19   Informational   suricata   [100337] <Info> -- Disabling promiscuous mode on iface vlan0.2^   
2023-09-19T10:30:19   Informational   suricata   [100337] <Info> -- Disabling promiscuous mode on iface vlan0.2   

Hardware offloading is disabled, same for VLAN hardware filtering. Tried with and without Promiscuous mode, same result.

The only way to avoid this is to tick/disable "IPS mode", but this turns off traffic blocking...

This is really annoying...

September 19, 2023, 11:51:44 AM #5 Last Edit: September 19, 2023, 11:59:53 AM by ddt3
Quote from: cookiemonster on September 11, 2023, 05:17:04 PM
Does Suricata work on VLANs now?

Your reply made me recheck what the documentation says about VLAN, so I had another look, and the documentation does state:
"Interfaces to protect.  | When in IPS mode, this need to be real interfaces supporting netmap. (when using VLAN's, enable IPS on the parent)"

So I removed vlan from interfaces and added icg3, and now it keeps running even with IPS switched on. Not sure why it did not work the previous time I tried this, but I am sure I just messed up.
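As an added example (not code from this thread or from OPNsense/Suricata), the following Python picks the fatal netmap open error out of a Suricata log like the one quoted above and, given FreeBSD `ifconfig` output for the failing device, reports the parent interface that IPS mode should be bound to instead. The log line is taken from the thread; the `ifconfig` text and the parent name `igc3` are constructed samples, and the `ifconfig` line format is an assumption.

```python
import re

# Constructed sample: the fatal line from this thread plus one healthy notice line.
SAMPLE_LOG = """\
2023-09-01T09:12:07 Error suricata [120679] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - opening devname netmap:vlan0.300/R failed: Invalid argument
2023-09-01T09:10:32 Notice suricata [100503] <Notice> -- This is Suricata version 6.0.13 RELEASE running in SYSTEM mode
"""

# Constructed sample of `ifconfig vlan0.300` on FreeBSD/OPNsense (assumed format,
# parent name igc3 is an assumption, not taken from the thread).
SAMPLE_IFCONFIG = """\
vlan0.300: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        groups: vlan
        vlan: 300 vlanproto: 802.1q vlanpcp: 0 parent interface: igc3
        status: active
"""

# Matches "[ERRCODE: SC_ERR_FATAL(171)] - opening devname netmap:<dev>/R failed: <reason>"
NETMAP_FAIL = re.compile(
    r"SC_ERR_FATAL\(\d+\)\] - opening devname netmap:([^/\s]+)(?:/[RT])? failed: (.+)$"
)
# Matches the 802.1Q child line that names the parent interface.
PARENT_LINE = re.compile(r"^\s*vlan:\s*(\d+)\s.*parent interface:\s*(\S+)", re.M)


def failed_netmap_devices(log_text):
    """Return [(devname, reason)] for every fatal netmap open error in the log."""
    found = []
    for line in log_text.splitlines():
        m = NETMAP_FAIL.search(line)
        if m:
            found.append((m.group(1), m.group(2).strip()))
    return found


def vlan_parent(ifconfig_text):
    """Return (tag, parent) if the ifconfig output describes a VLAN child, else None."""
    m = PARENT_LINE.search(ifconfig_text)
    return (int(m.group(1)), m.group(2)) if m else None


def ips_interface_advice(log_text, ifconfig_by_name):
    """Map each failing netmap device to the interface IPS mode should use instead."""
    advice = {}
    for dev, reason in failed_netmap_devices(log_text):
        parent = vlan_parent(ifconfig_by_name.get(dev, ""))
        if parent:
            advice[dev] = f"VLAN {parent[0]} child; enable IPS on parent {parent[1]} instead ({reason})"
        else:
            advice[dev] = f"netmap open failed: {reason}; check offloading and netmap support on {dev}"
    return advice
```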