OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Intrusion Detection and Prevention »
  • Suricata crashing
« previous next »
  • Print
Pages: [1]

Author Topic: Suricata crashing  (Read 2754 times)

jan.stasik

  • Newbie
  • *
  • Posts: 6
  • Karma: 0
    • View Profile
Suricata crashing
« on: September 06, 2023, 12:00:32 pm »
Hello,
I am Currently running OPNsense 23.4.2, Business Edition, running it on ESXi. After the upgrade to this version Suricata is crashing after some time when is enabled. Here is what i see in logs. VMX1 is my internet facing port.
How can be this fixed? And how to get rid of warnings.

   
2023-09-06T11:56:59   Error   suricata   [107240] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - opening devname netmap:vmx1/R failed: Invalid argument   
2023-09-06T11:54:11   Warning   suricata   [100483] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.   
2023-09-06T11:54:11   Warning   suricata   [100483] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.   
2023-09-06T11:54:11   Warning   suricata   [100483] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.   
2023-09-06T11:54:11   Warning   suricata   [100483] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.   
2023-09-06T11:54:11   Warning   suricata   [100483] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.   
2023-09-06T11:54:11   Warning   suricata   [100483] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
Logged

Monju0525

  • Jr. Member
  • **
  • Posts: 51
  • Karma: 6
    • View Profile
Re: Suricata crashing
« Reply #1 on: September 23, 2023, 03:21:28 pm »
I also get

 App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
Logged

labsy

  • Jr. Member
  • **
  • Posts: 59
  • Karma: 1
    • View Profile
Re: Suricata crashing
« Reply #2 on: September 26, 2023, 12:06:02 am »
Me to....when starting IPS/IDS.
I tried to reinstal, but seems like a lot of config conflicts:

Code: [Select]
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-24T19:54:23 Warning suricata [100330] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs
2023-09-24T19:54:23 Warning suricata [100330] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019823 and 0 other sigs
2023-09-24T19:54:23 Warning suricata [100330] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
2023-09-24T19:54:22 Error suricata [100330] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.servequake .com Domain"; flow:established,to_server; http.host; content:".servequake.com"; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains/; classtype:bad-unknown; sid:2042817; rev:2; metadata:attack_target Client_and_Server, created_at 2022_12_14, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_t" from file /usr/local/etc/suricata/opnsense.rules/emerging-info.rules at line 8730
2023-09-24T19:54:22 Error suricata [100330] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - no terminating ";" found
Logged

labsy

  • Jr. Member
  • **
  • Posts: 59
  • Karma: 1
    • View Profile
Re: Suricata crashing
« Reply #3 on: September 26, 2023, 03:54:45 pm »
I tried reinstalling suricata module, disabling and reenabling it...and now I get a bunch of other errors. Could this be related to ACME LE module? It is only used to get rid of SSL warning when acessing Web GUI.

Code: [Select]
2023-09-26T14:56:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> [90.164.29.160] 338" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 45468
2023-09-26T14:56:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_RULE_ARGUMENT(270)] - no rule options.
2023-09-26T14:53:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qinwilrlju" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 40720
2023-09-26T14:53:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - no terminating ";" found
2023-09-26T14:47:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns $HOME_NET " from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 7533
2023-09-26T14:47:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_DIRECTION(189)] - "" is not a valid direction modifier, "->" and "<>" are supported.
2023-09-26T14:39:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox bot" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 19387
2023-09-26T14:39:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - no terminating ";" found
Logged

JL

  • Newbie
  • *
  • Posts: 42
  • Karma: 1
    • View Profile
    • commandline services
Re: Suricata crashing
« Reply #4 on: January 15, 2024, 06:09:08 pm »
original comment removed

this requires modifying the suricata.yaml file to include the correct sections for the mentioned App-Layer protocols which are missing, this is a best practice since the behavior will change in the future and the protocols will no longer be auto-enabled


"This behavior will change in Suricata 7, so please update your config"



if you have not tweaked the suricata.yaml file, consider looking for a suricata.yaml from a more recent versions


check if these sections are present as such in suricata.yaml, consider adding them at the appropriate place


 #- dnp3
        - dcerpc
        - ftp
          #- ikev2   
        - krb5
        - nfs
        - rdp
        - rfb
        - sip
        - smb
        - snmp
        - tftp
        - dhcp:
           ......



    # Note: parser depends on Rust support
    ntp:
      enabled: yes


    dhcp:
      enabled: yes


    sip:
      enabled: yes
    http2:
      enabled: yes
    snmp:
      enabled: yes
    rfb:
      enabled: yes
    mqtt:
      enabled: yes
    rdp:
      enabled: yes
« Last Edit: January 27, 2024, 10:19:35 pm by JL »
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Intrusion Detection and Prevention »
  • Suricata crashing
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2