Suricata still crashing (please help)

Started by Julien, December 18, 2021, 10:17:11 PM

Hi Guys.

Today is 18-12-2021 and I noticed that Suricata has crashed and is not started. The log below shows it has been down for two days, from the 16th till the 18th.

2021-12-18T22:04:20 suricata[75736] [100742] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
2021-12-16T22:27:08 suricata[31322] [1:2029710:5] ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2 [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:60755 -> 1.1.1.1:53
2021-12-16T22:26:51 suricata[31322] [1:2029710:5] ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2 [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:53952 -> 1.1.1.1:53
2021-12-16T22:26:47 suricata[31322] [1:2029710:5] ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2 [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:63336 -> 1.1.1.1:53
2021-12-16T22:26:46 suricata[31322] [1:2029710:5] ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2 [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:55014 -> 1.1.1.1:53
2021-12-16T22:25:46 suricata[31322] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:54059 -> 1.1.1.1:53


The audit log:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.7.7 (amd64/OpenSSL) at Sat Dec 18 22:13:32 CET 2021
>>> Check installed kernel version
Version 21.7.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.7.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .................................................................... done
***DONE***


***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 21.7.7 (amd64/OpenSSL) at Sat Dec 18 22:14:57 CET 2021
vulnxml file up-to-date
python37-3.7.11 is vulnerable:
  Python -- multiple vulnerabilities
  WWW: https://vuxml.FreeBSD.org/freebsd/0e561173-0fa9-11ec-a2fa-080027948c12.html

1 problem(s) in 1 installed package(s) found.
***DONE***
If I missed something, please tell me so I can share it.
I cannot seem to find the cause of why this is happening.

Can someone please advise, as I've been struggling with this for over 3 weeks now.

Thank you
DEC4240 – OPNsense Owner
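The question above is really "when did the daemon die?" The log shows it: alerts stop at 2021-12-16T22:27:08 under PID 31322 and the next line is a startup notice two days later under a new PID. The script below is an added example (not from the original post or from OPNsense) that reads lines in this format and reports long silences and PID changes; the six-hour threshold and the sample lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the lines pasted above (newest first, as the
# OPNsense GUI shows them). Only the timestamp/PID prefix is parsed.
SAMPLE_LOG = """\
2021-12-18T22:04:20 suricata[75736] [100742] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
2021-12-16T22:27:08 suricata[31322] [1:2029710:5] ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2 [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:60755 -> 1.1.1.1:53
2021-12-16T22:25:46 suricata[31322] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:54059 -> 1.1.1.1:53
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) suricata\[(\d+)\] (.*)$")


def parse_log(text):
    """Return (timestamp, pid, message) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a suricata syslog line
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, int(m.group(2)), m.group(3)))
    return sorted(events, key=lambda e: e[0])


def find_outages(text, max_silence=timedelta(hours=6)):
    """Flag every gap longer than max_silence, and every PID change, between
    consecutive log lines. A PID change or a 'This is Suricata version' notice
    after a long silence is the daemon coming back after a crash or restart."""
    findings = []
    events = parse_log(text)
    for prev, cur in zip(events, events[1:]):
        gap = cur[0] - prev[0]
        restarted = prev[1] != cur[1]
        if gap > max_silence or restarted:
            findings.append({
                "last_seen": prev[0].isoformat(),
                "resumed": cur[0].isoformat(),
                "gap_seconds": int(gap.total_seconds()),
                "pid_before": prev[1],
                "pid_after": cur[1],
                "startup_notice": "This is Suricata version" in cur[2],
            })
    return findings


if __name__ == "__main__":
    for finding in find_outages(SAMPLE_LOG):
        print(finding)
```

Feed it the full Suricata log file instead of SAMPLE_LOG and the "last_seen" value of each finding is the moment to compare against the cron rule-update schedule or memory pressure on the box.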

Rollback to an earlier version.

Run in shell:
opnsense-revert -r 21.7.5 suricata

Just out of curiosity: does it happen during/after the rule updates?

I have the problem that IPS does not start again after rule set updates (whether automatic or manual via the GUI). I have to start it manually.
OPNsense consulting, installation, configuration and care by DU Consult

Quote from: dennis_u on December 19, 2021, 12:03:29 PM
Just out of curiosity: does it happen during/after the rule updates?

I have the problem that IPS does not start again after rule set updates (whether automatic or manual via the GUI). I have to start it manually.

The only logs I could see are what I already uploaded. Can I see it somewhere?
DEC4240 – OPNsense Owner

Quote from: autone on December 19, 2021, 06:03:00 AM
Rollback to an earlier version.

Run in shell:
opnsense-revert -r 21.7.5 suricata

Isn't a rollback going to make things even worse?
I would like to know if this is just me?
This box has been running fine since 17, and I've been updating it since then.
DEC4240 – OPNsense Owner

It should be reverted with 21.7.7; can you try this? Do you run suri on VLAN-assigned interfaces?

Quote from: Julien on December 19, 2021, 07:33:56 PM
The only logs I could see are what I already uploaded. Can I see it somewhere?

Have a look under System > Settings > Cron. Is there a job with the command "Update and reload intrusion detection rules"? When is it run?
OPNsense consulting, installation, configuration and care by DU Consult

Enough RAM? Mine just deactivated itself while eating itself up to 93% RAM usage. Enabling swap helped.

I am experiencing the same; at least on the front page of the GUI it is not running. Neither is it running according to "Alerts" (nothing is showing, whereas under normal circumstances alerts show something from day to day).

There is no indication in the log of Suricata that it has stopped.

* OPNsense 21.7.7-amd64

Running in promiscuous mode and on VLANs. This is a small firewall, an AMD GX-412TC SOC (4 cores) with 4 GB of RAM, but it has worked flawlessly up until right before Christmas or so.
Running OPNsense through Proxmox
4 x Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (1 Socket)
24 GB RAM

January 19, 2022, 09:36:47 AM #9 Last Edit: January 19, 2022, 10:52:21 AM by koushun
* Suricata version 6.0.4 RELEASE running in SYSTEM mode

Disabling IPS makes it start OK; front page landing says it is up and running.

Enabling IPS seems to break it; I get these errors:

2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 6 other sigs
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs


I am running Suricata with an et_telemetry.token.

After trying to enable Suricata with IPS, I eventually get the following popup window:

Error reconfiguring IDS
error Installing ids rules ()


Maybe I'll try to search for those specific signature IDs listed above and try to disable those specific rules?

Those signatures above belonged to emerging-malware.rules and emerging-exploit.rules. Disabling those seems to do the trick!

Running OPNsense through Proxmox
4 x Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (1 Socket)
24 GB RAM
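The SC_WARN_FLOWBIT warnings name the SID that checks each flowbit; the post traced those SIDs by hand to emerging-malware.rules and emerging-exploit.rules. The script below is an added example (not from the post, OPNsense or the ET rulesets) that automates the triage: it pulls the flowbit name and SID from each warning, finds which enabled rule file holds that SID, and reports whether any enabled rule actually sets the flowbit. The rule files are constructed stand-ins; which real file a SID lives in is not taken from the page.

```python
import re

# Constructed sample: two warning lines in the exact format shown in the post.
WARNINGS = """\
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 6 other sigs
"""

# Constructed, minimal rule files standing in for the enabled rulesets. The SID to
# file placement is an assumption for the demo, not the real ET layout.
RULE_FILES = {
    "emerging-malware.rules": 'alert http any any -> any any (msg:"SAMPLE checks vba flowbit"; flowbits:isset,ET.vba-jpg-dl; sid:2814992; rev:1;)\n',
    "emerging-exploit.rules": 'alert http any any -> any any (msg:"SAMPLE checks IE7 flowbit"; flowbits:isset,et.IE7.NoRef.NoCookie; sid:2023671; rev:1;)\n',
    "emerging-dns.rules": '# alert dns any any -> any any (msg:"SAMPLE disabled setter"; flowbits:set,ET.vba-jpg-dl; sid:9000001; rev:1;)\nalert dns any any -> any any (msg:"SAMPLE sets unrelated bit"; flowbits:set,ET.unrelated; sid:2027865; rev:4;)\n',
}

# Only the first checking SID is printed in the warning ("and N other sigs" are not listed).
WARN_RE = re.compile(r"flowbit '([^']+)' is checked but not set\. Checked in (\d+)")
SID_RE = re.compile(r"\bsid:(\d+);")
SET_RE = re.compile(r"flowbits:set,([^;]+);")  # single-name setters only; 'a&b' forms are not split


def unset_flowbits(log_text):
    """Map flowbit name -> first SID that checks it, from SC_WARN_FLOWBIT lines."""
    return {name: int(sid) for name, sid in WARN_RE.findall(log_text)}


def index_rules(rule_files):
    """Return (sid -> filename, set of flowbit names that some enabled rule sets)."""
    sid_to_file, setters = {}, set()
    for fname, text in rule_files.items():
        for line in text.splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # blank or commented-out rules are never loaded
            for sid in SID_RE.findall(line):
                sid_to_file[int(sid)] = fname
            setters.update(SET_RE.findall(line))
    return sid_to_file, setters


def triage(log_text, rule_files):
    """One record per warning: where the checking rule lives and whether a setter is enabled."""
    sid_to_file, setters = index_rules(rule_files)
    return [{"flowbit": name, "sid": sid,
             "file": sid_to_file.get(sid, "<not in enabled rule files>"),
             "setter_present": name in setters}
            for name, sid in unset_flowbits(log_text).items()]


def files_to_review(log_text, rule_files):
    """Sorted rule files that contain at least one checking rule named in the warnings."""
    return sorted({r["file"] for r in triage(log_text, rule_files) if not r["file"].startswith("<")})
```

A warning with setter_present False is cosmetic on its own (the checking rule can never fire), so if disabling the listed files made IPS start, the underlying failure was the rule install step, not the flowbit mismatch itself.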