Urgent Prod system - OPNWAF + SURICATA Logs went full and Everything is blocked

Started by Wuensch-AG-Adm, November 22, 2024, 08:55:49 AM

Dear OPNSense community,

We have a Business license, which is normally supposed to receive a stable version after every update / upgrade, but that is not the case. Last upgrade from 24.4.3 to version 24.10_7 (amd).
os-OPNWAF version 1.6, os-crowdsec 1.0.8_1, and Intrusion Detection is activated.
After the upgrade the Suricata logs filled up (and the disk too) -> Resource limit succeeded Service RootFs

Topology:
We have a bridge; the firewall is in our DMZ behind the first hop, where there is another router/firewall. The OPNsense is there for its WAF / PROXY functions (OPNWAF / SURICATA / Crowdsec).

We have some Nextcloud instances and we are securing the traffic to Nextcloud with OPNsense.
Since the last upgrade the logs have filled up with Suricata. I've deleted some logs; they were bigger than 100GB.

Now the firewall is simply blocking the traffic from the Nextcloud to everything, even though I've made some rules like Nextcloud to everything on any port.

All the services are green.

I cannot explain what is happening, but for a Business license, I think this version has a bug!

I've already restarted; nothing is working and I don't know where to begin with this kind of stuff. In OPNWAF the logs don't show any problem. It seems to be a problem with the firewall!

Example:
__timestamp__   2024-11-22T08:31:43
ack   3809070810
action    [block]
anchorname   
datalen   0
dir    [in]
dst   XX.X.XXX.XXX (OPNSense Firewall/PROXY)
dstport   48012
ecn   
id   4409
interface   bridge0
interface_name   BRG
ipflags   DF
ipversion   4
label   Default deny / state violation rule
length   52
offset   0
protoname   tcp
protonum   6
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
rulenr   4
seq   
src   XX.X.XXX.XXX (Nextcloud)
srcport   443
subrulenr   
tcpflags   A
tcpopts   
tos   0x0
ttl   64
urp   506

The worst thing is, I've changed nothing. Everything has been going wrong since the upgrade to version 24.10_7.

Could you please help me?

Thank you in advance!

Regards,

Joel.
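The log record pasted above is a pf filter-log entry, and the one detail worth reading closely is the combination of label "Default deny / state violation rule", protocol tcp, and tcpflags "A": it is a packet in the middle of an existing TCP flow (Nextcloud answering from port 443 to a high port) for which pf no longer holds a state entry. pf evaluates pass rules only on the first packet of a flow, so a "Nextcloud to anything" rule cannot rescue an ACK whose state was lost, which is why the rule change seemed to have no effect; a state table that was flushed by a restart or a disk-full condition, or a bridge path where only one direction is seen, produces exactly this pattern. The following parser and triage helper is an added example for this thread, not code from OPNsense or from the original poster; the sample record is constructed (addresses replaced with documentation ranges) and the category names are my own.

```python
"""Triage OPNsense/pf filter-log records pasted in key/value form.

Added example for the thread; not OPNsense code. The sample record below is
constructed from the post, with the masked addresses replaced by RFC 5737
documentation addresses. Category names (mid-flow-no-state, ...) are invented
here for illustration.
"""

# Constructed sample in the same "key   value" layout as the live log view.
SAMPLE_RECORD = """\
__timestamp__   2024-11-22T08:31:43
action    [block]
anchorname   
dir    [in]
dst   192.0.2.1
dstport   48012
interface   bridge0
label   Default deny / state violation rule
protoname   tcp
seq   
src   192.0.2.20
srcport   443
tcpflags   A
"""


def parse_record(text: str) -> dict:
    """Split each 'key   value' line into a dict; empty values become ''.

    Bracketed values such as [block] and [in] are unwrapped.
    """
    rec = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        rec[key] = value.strip("[]")
    return rec


def triage(rec: dict) -> str:
    """Classify a record so the right root cause is investigated.

    - 'pass':                  nothing was blocked
    - 'rule-deny':             an explicit rule blocked the first packet
    - 'mid-flow-no-state':     TCP packet without SYN hit the state-violation
                               rule: pf has no state for an existing flow
                               (state flush, restart, asymmetric path)
    - 'state-violation-other': state violation on a non-TCP or SYN packet
    """
    if rec.get("action") != "block":
        return "pass"
    label = rec.get("label", "").lower()
    if "state violation" not in label:
        return "rule-deny"
    flags = rec.get("tcpflags", "")
    if rec.get("protoname") == "tcp" and "S" not in flags and "A" in flags:
        return "mid-flow-no-state"
    return "state-violation-other"


def summarize(records: list) -> dict:
    """Count triage categories over many pasted records."""
    counts = {}
    for text in records:
        cat = triage(parse_record(text))
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(rec["src"], "->", rec["dst"], "port", rec["dstport"], ":", triage(rec))
    print(summarize([SAMPLE_RECORD]))
```

If most blocked records in the live log fall into the mid-flow category, the thing to check is the state table and the bridge configuration (whether both directions of the flow traverse the filtering interface), not the pass rules.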


Dear OPNSense community,

I've found that the disk was full. The OPNsense wasn't really available anymore for the rest of the network. I've received some E-mail alerts that the processor of the appliance was overloaded. The appliance was bought this year; it's a Deciso 3842 AMD EPYC 8GB 256GB M.2.

The communication between our cluster and backup NAS was broken. Problems cascaded from one to the next.

I think something went wrong after the upgrade to version 24.10_7; Suricata is indeed integrated in OPNsense. I've deleted the old logs, but we still have a problem with the IDS - a flood of the following message:
bridge0^: error reading netmap data via polling: No buffer space available

Now it would be really interesting to know why this has changed between the versions of the OPNsense system.

Regards,

Joel.


PS: I've already set up the IDS log to be much smaller, but it's not the solution.

Update:
In the Intrusion Detection I have to choose the WAN interface even though I use only a bridge.
Is this a bug or a design problem?
Now the log has gone silent.

Can someone explain it to me? And I repeat, there was nothing like that before the upgrade.
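The cascade described in this post (Suricata flooding its log, the root filesystem filling, the appliance then losing the network and its neighbours) is the kind of failure that is cheap to catch early and expensive to recover from. The following watchdog is an added example for this thread, not code from OPNsense or from the poster: it walks a log directory, reports files above a size threshold, reads filesystem usage, and returns a status that a cron job or monitoring agent can act on before "Resource limit succeeded Service RootFs" fires. The directory /var/log/suricata and the thresholds are assumptions to be adapted; the constructed directory built by make_constructed_log_dir() exists only so the example runs offline.

```python
"""Disk-pressure watchdog for an IDS log directory.

Added example for the thread, not OPNsense code. Paths and thresholds are
assumptions; /var/log/suricata is where OPNsense is assumed to keep the
Suricata logs, adjust if your install differs.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Assumed defaults: flag any single log over 1 GiB, warn at 80% usage,
# treat 90% as critical.
DEFAULT_LOG_DIR = "/var/log/suricata"
DEFAULT_MIN_BYTES = 1 * 1024 ** 3
WARN_PERCENT = 80.0
CRIT_PERCENT = 90.0


def large_log_files(log_dir: str, min_bytes: int) -> list:
    """Return (size, path) pairs for files at or above min_bytes, largest first."""
    hits = []
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            path = Path(root) / name
            try:
                size = path.stat().st_size
            except OSError:
                # File rotated or removed while we were walking; skip it.
                continue
            if size >= min_bytes:
                hits.append((size, str(path)))
    hits.sort(reverse=True)
    return hits


def fs_usage_percent(path: str) -> float:
    """Percentage of the filesystem holding `path` that is in use."""
    usage = shutil.disk_usage(path)
    return 100.0 * usage.used / usage.total


def classify(percent: float, warn: float = WARN_PERCENT, crit: float = CRIT_PERCENT) -> str:
    """Map a usage percentage to ok / warn / critical."""
    if percent >= crit:
        return "critical"
    if percent >= warn:
        return "warn"
    return "ok"


def report(log_dir: str = DEFAULT_LOG_DIR, min_bytes: int = DEFAULT_MIN_BYTES) -> dict:
    """Combine filesystem usage and oversized-log findings into one status."""
    percent = fs_usage_percent(log_dir)
    hits = large_log_files(log_dir, min_bytes)
    status = classify(percent)
    # Oversized logs alone are worth a warning even if the disk is not full yet.
    if status == "ok" and hits:
        status = "warn"
    return {"status": status, "usage_percent": round(percent, 1), "large_files": hits}


def make_constructed_log_dir() -> str:
    """Create a temporary directory with one 4 KiB and one 10-byte file.

    Constructed test data so the example runs without a real appliance.
    """
    d = tempfile.mkdtemp(prefix="ids-logs-")
    with open(os.path.join(d, "eve.json"), "wb") as f:
        f.write(b"x" * 4096)
    with open(os.path.join(d, "suricata.log"), "wb") as f:
        f.write(b"y" * 10)
    return d


if __name__ == "__main__":
    d = make_constructed_log_dir()
    # With a 1 KiB threshold on the constructed directory, eve.json is flagged.
    print(report(d, min_bytes=1024))
```

Run from cron with the real thresholds and forward the status to whatever raises your alerts; the point is to act on "warn" while log rotation or a Suricata log-level change can still be applied, rather than on "critical" once the box has stopped answering.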