[SOLVED?] errors & strange behavior opnsense 22.1.1_1 -> Suricata fix: uncheck IPS

Started by RamSense, February 17, 2022, 01:29:51 PM

February 18, 2022, 12:41:24 AM #15 Last Edit: February 18, 2022, 12:43:02 AM by TritonB7
Quote from: RamSense on February 17, 2022, 09:41:00 PM
@Franco
After trying by trial and error a lot of things I found in Suricata this error:
Stats for 'igb0^': pkts: 0, drop: 0 (nan%), invalid chksum: 0

I did a Google search and found an old OPNsense forum thread mentioning something about setting the Suricata pattern matcher from Hyperscan (what I use on my opnsense, Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz (4 cores, 4 threads)).
I changed it to Aho-Corasick,
saved, and then the weird stuff ended, all working as it should... but again, after just some minute(s), all the strange things are back.

I changed the setting back to Hyperscan,
saved, and then the weird stuff ended again, all working as it should. But again, after just some minute(s), the strange things as described started again.

So from my trial and error, it seems related to Suricata? Or changing config in Suricata refreshes "something" in opnsense that "solves" the problem for some minutes....

Hope this helps the searching direction...

I'm having similar errors, but I'm not using Suricata. I am using Zen Armor though for LAN.

February 18, 2022, 04:09:12 AM #16 Last Edit: February 18, 2022, 11:33:43 PM by phantomsfbw
Posted in a different thread earlier today about strange issues with Suricata shutting off in IPS mode shortly after it starts up. Tried changing from Hybrid mode and that did not change anything either. Rebooted many times in between as well. Verified WAN IP was properly entered as well. This is the log entry I am seeing:

Error   suricata   [116410] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:ix0/R failed: Device busy

I can reduce Suricata service to IDS only mode and I don't see this error in the log.

Running UNBOUND with DLS/TLS without issue.  Also running ZENARMOR without issue.

No VLANS so no Promiscuous Mode.

To fix the current strange behavior, this works:

Suricata
Intrusion Detection - Administration - Settings - uncheck IPS mode
Intrusion Detection - Administration - Settings - uncheck Promiscuous mode

So the problem seems to be there indeed.

P.S. opnsense 22.1.1_3: problem still there

Can you check if it might be related to the topic raised here:
https://forum.opnsense.org/index.php?topic=26583.15

Do you have any VLANs? With this in my setup, I have major problems with Suricata, but Sensei is also not running 100% stable. So currently I run with both deactivated.

Seems like the same category.
I do not use VLANs, so I disabled/unchecked Promiscuous mode.
After save, all works for some time, but after a few minutes it's back to weirdness again. Only when IPS mode is unchecked does it stay stable...

Suricata works fine for me but Sensei does not; Suricata runs on my WAN only, so no VLANs, which explains why it works. Sensei DOES run on VLANs (LAN network, so it runs on all VLANs I have under LAN). So maybe the issue is with VLAN handling in the new update... hmmm

Well, unfortunately I run Suricata also only on WAN and have the problems. So I can confirm it is not VLAN only.
Sensei/Zenarmor running on LAN did not automatically start, but works after manually starting. No problems there other than not auto booting.

When I see this mentioned in System - Log Files - General:
Critical   dhclient   exiting.   
Error   dhclient   connection closed

the strange behavior starts.

---

Looking and searching all I can on Google and the OPNsense forum etc., I found several mentions of errors like this in previous versions regarding Suricata / lost WAN / ... It seems a bit the same, but I have no clue or knowledge how to fix this other than to shut down Suricata....

I noticed this error now in the log:
unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 502)

When googling I found one mention with error code 403 about the Suricata token - check validity.

could this be related?

---
When weird things happen and I go to the terminal:
ping pkg.opnsense.org -> works
pkg update -f -> works
pkg upgrade -n -> works

When I fetch https://pkg.opnsense.org/FreeBSD:11:amd64/18.1/sets/changelog.txz.sig
it stalls. When I go back to the GUI to Suricata and change a config setting (so that I have the system back on for a minute or so) and go to the terminal and fetch https://pkg.opnsense.org/FreeBSD:11:amd64/18.1/sets/changelog.txz.sig, it works:
1332  B   20 MBps    00s

It seems the error with Suricata and broken pipe was there in 2020?:
https://forum.opnsense.org/index.php?topic=19432.0


So with my knowledge I come to the conclusion that Suricata is blocking / causing the errors after a minute or so. That is also why all is solved when unchecking Suricata IPS... But how to go further from here to solve this?

N.B. Did a drastic fresh install from the terminal with opnsense-bootstrap, system back up and running, but the problem is still there... I'm out of options other than the conclusion that it is related to Suricata with the latest opnsense.

Fixed it somewhat. Hope it helps others also! (and hopefully not necessary to do the opnsense-bootstrap step)

I turned off Suricata.
Then I did a full download & update of the rules (I noticed those were still from Feb 16th and did not get updated anymore).

After that I started Suricata with IPS enabled.

System running since then!

I still noticed this error in the log:
/send_telemetry.py   unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 502)
2022-02-19T14:04:59   Error   configd.py   unable to sendback response [OK ] for [ids][restart][None] {1888eb52-63ee-4e3f-a33b-cb3f954979b7}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe   
2022-02-19T14:04:48   Error   configd.py   Timeout (120) executing : 'ids' restart
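As an added example (not from the thread or from OPNsense itself), a small POSIX sh helper that tags the log lines the posts above associate with the IPS trouble (the netmap "Device busy" error, the dhclient exit, the zero-packet stats line, the configd ids-restart timeout/broken pipe and the emergingthreats telemetry failure), so the pattern can be spotted quickly when scrolling System - Log Files - General. The sample log is constructed from the lines quoted in the thread; the function names are mine.

```shell
#!/bin/sh
# Constructed helper for this thread; not part of OPNsense or Suricata.

# classify_line LINE -> prints a short tag, or "other" if the line is unremarkable
classify_line() {
    line=$1
    case $line in
        *SC_ERR_NETMAP_CREATE*"Device busy"*)   echo "ips-netmap-busy" ;;      # netmap could not grab the NIC in IPS mode
        *dhclient*exiting*|*dhclient*"connection closed"*)
                                                echo "wan-dhclient-down" ;;    # WAN DHCP client went away
        *"Stats for"*"pkts: 0, drop: 0"*)       echo "ips-no-traffic" ;;       # Suricata sees no packets on the interface
        *BrokenPipeError*|*"Timeout (120) executing"*ids*)
                                                echo "configd-ids-restart" ;;  # ids restart did not answer configd
        *emergingthreats.net*http_code*)        echo "et-telemetry-http" ;;    # telemetry endpoint returned an error
        *)                                      echo "other" ;;
    esac
}

# count_symptoms FILE -> number of lines in FILE that are not tagged "other"
count_symptoms() {
    n=0
    while IFS= read -r l; do
        [ "$(classify_line "$l")" != "other" ] && n=$((n + 1))
    done < "$1"
    echo "$n"
}

# write_sample_log FILE -> constructed sample modelled on the lines posted above
write_sample_log() {
    cat > "$1" <<'EOF'
Error   suricata   [116410] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:ix0/R failed: Device busy
Critical   dhclient   exiting.
Error   dhclient   connection closed
Notice   suricata   Stats for 'igb0^': pkts: 0, drop: 0 (nan%), invalid chksum: 0
Error   configd.py   Timeout (120) executing : 'ids' restart
Error   send_telemetry.py   unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 502)
Informational   unbound   start of service
EOF
}

# Demo: tag each sample line, then report how many are known symptoms.
demo() {
    tmp=$(mktemp) && write_sample_log "$tmp"
    while IFS= read -r l; do printf '%-20s %s\n' "$(classify_line "$l")" "$l"; done < "$tmp"
    echo "symptom lines: $(count_symptoms "$tmp")"
    rm -f "$tmp"
}
```

On a live box the same functions can be fed the output of the Suricata and general log pages saved to a file; only the "other" lines need reading by hand.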

So I finally figured it out!  In the recent OPNSense update 22.1.1_3, it dumped the Protected Interface under Zen Armor.  Once I reset the interface to LAN, the Suricata IPS setting now sticks to On!!  Now I wonder what else has not carried over from before the update....