Suricata error, DNS crashes

Started by Anon87, July 31, 2017, 02:55:03 PM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions
August 10, 2017, 02:40:56 PM #15
Hello everyone!

@franco & @ other administrators in particular, this matter with sluggish and erratic specific traffic caused by Suricata (DNS traffic for that case) sounds exactly like the problems I encountered since 17.1.4 (17.1.4 being the last stable version of OPNsense at the moment I started using it), problems with RDP (port 3389) and with Veeam back-up/ copy/ transfer traffic: no log traces in either of FW log or IPS log, but both services are massively impacted by enabling IPS. With only IDS, or with Suricata completely disabled, no problems. I have found out that for RDP the cause is the ruleset "ET-Emerging DOS" (maybe a single one rule, or a few rules in the ruleset, I don't know, I didn't dig it further...) and no ideea up to now about Veeam traffic.

And now DNS traffic seems to be impacted by enabling IPS, in the same massive and erratic way... :/ It might be one rule, or a few of them, in one or more then one rulesets (ill written rules, maybe, since they don't leave any traces in the log files? :-? ), or might be some bug(s) in the engine of Suricata itself.

I have a few replies I have written over the last few months regarding these problems, and here are a few links to those replies:

https://forum.opnsense.org/index.php?topic=3639.msg21340#msg21340

https://forum.opnsense.org/index.php?topic=5323.msg21620#msg21620

https://forum.opnsense.org/index.php?topic=3639.msg21583#msg21583

https://forum.opnsense.org/index.php?topic=4140.msg21270#msg21270

I hope it's of any help, and I wrote this lines since any info might be a lead toward the right course of action for finding the solution.

PS I didn't update to 17.7 yet, and I don't use IPS any more since a good while, as I already had problems I explained upon.
September 19, 2017, 04:56:32 AM #16
Just tried to pkg add the older suricata: # pkg add -f https://pkg.opnsense.org/snapshots/suricata-3.2.2.txz

Received a pkg not found message. Has it been pulled?

I'm still getting DNS drops with Unbound, Suricata 4, and running a Nord VPN instance. Suri 3.2.2 seemed to work better. I've been trying them both for several days each with the recent 17.7.2 update and was flipping back to 3.2.2.
overkill: Dell SFF i5, 16gb, 120gb SSD, 4x gb NICs
OPNsense 21.1.x
September 19, 2017, 06:43:37 AM #17
Moved here, the mirror now has a snapshot directory for each ABI:

https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/


Cheers,
Franco
Print
Go Up Pages 1 2
User actions