Suricata still crashing ( please help )

[Julien]

Hi Guys.

Today is 18-12-2021 and i notice the Suricata is crashes and is not started the below log can show its been down for two days from 16 till 18.

Code: [Select]

2021-12-18T22:04:20 suricata[75736] [100742] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
2021-12-16T22:27:08 suricata[31322] [1:2029710:5] ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2 [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:60755 -> 1.1.1.1:53
2021-12-16T22:26:51 suricata[31322] [1:2029710:5] ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2 [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:53952 -> 1.1.1.1:53
2021-12-16T22:26:47 suricata[31322] [1:2029710:5] ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2 [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:63336 -> 1.1.1.1:53
2021-12-16T22:26:46 suricata[31322] [1:2029710:5] ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2 [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:55014 -> 1.1.1.1:53
2021-12-16T22:25:46 suricata[31322] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:54059 -> 1.1.1.1:53
the Audit log

Code: [Select]

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.7.7 (amd64/OpenSSL) at Sat Dec 18 22:13:32 CET 2021
>>> Check installed kernel version
Version 21.7.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.7.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .................................................................... done
***DONE***

Code: [Select]

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 21.7.7 (amd64/OpenSSL) at Sat Dec 18 22:14:57 CET 2021
vulnxml file up-to-date
python37-3.7.11 is vulnerable:
  Python -- multiple vulnerabilities
  WWW: https://vuxml.FreeBSD.org/freebsd/0e561173-0fa9-11ec-a2fa-080027948c12.html

1 problem(s) in 1 installed package(s) found.
***DONE***


if i missed something please tell me so i can share.
i cannot seems to find the cause why is this happening.

Can someone please advise as i've been struggling with this for over 3 weeks now.

Thank you

[autone]

Rollback to an earlier version.

Run in shell;
opnsense-revert -r 21.7.5 suricata

[dennis_u]

Just out of curiosity: does it happens during/after the updates of the rules?

I have the problem that IPS does not start again after rule set updates (no matter of automatic or manual via GUI). I have to start it manual.

[Julien]

Just out of curiosity: does it happens during/after the updates of the rules?

I have the problem that IPS does not start again after rule set updates (no matter of automatic or manual via GUI). I have to start it manual.

the only log i could see are what i already uploaded. can i see it somewhere?

[Julien]

Rollback to an earlier version.

Run in shell;
opnsense-revert -r 21.7.5 suricata

Rollback isnt going to make things even worse?
i would like to know if this just me ?
this box been running fine from 17. and i've been updating it sinds than.

[mimugmail]

It should be reverted with 21.7.7, can you try this? Do you run suri in Vlan assigned interfaces?

[dennis_u]

the only log i could see are what i already uploaded. can i see it somewhere?

Have a look under System > Settings > Cron. Is there are job with the command "Update and reload intrusion detection rules"? When is is run?

[Bogotrax]

Enough Ram? Mine just deactivated itself while eating itself up to 93% RAM usage. Enabling swap helped.

[koushun]

I am experiencing the same, at least in the frontpage of the GUI it is not running. And neither according to "Alerts" (nothing is showing, whereas under normal circumstances alerts are showing something, from day to day).

There is no indication in the log of Suricata that it has stopped.

* OPNsense 21.7.7-amd64

Running in promiscious mode and on VLANs. This is a small firewall, AMD GX-412TC SOC (4 cores) and 4GB of RAM - but it has worked flawlessly up until right before Christmas? or so?

[koushun]

* Suricata version 6.0.4 RELEASE running in SYSTEM mode

Disabling IPS makes it start OK; front page landing says it is up and running.

Enabling IPS seems to break it; I get these errors:

Code: [Select]

2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 6 other sigs
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs

I am running Suricata with an et_telemetry.token.

After trying to enable Suricata with IPS, I eventually get the following popup window:

Code: [Select]

Error reconfiguring IDS
error Installing ids rules ()

Maybe I'll try to search for those specific signatur IDs listed above and try to disable those specific rules?

Those signatures above belonged to emerging-malware.rules and emerging-exploit.rules. Disabling those seems to do the trick!