Suricata can't start in IPS mode

Started by jaylow, March 10, 2023, 09:54:40 PM

Hi,

On my installation with OPNsense 23.1.3 and Suricata 6.0.9_1 I cannot start Suricata in IPS mode with more than two interfaces.

The following error was logged:
... [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:igbX/T failed: Cannot allocate memory

"sysctl -a | grep -i netmap" shows
netmap_obj_malloc         no more netmap_buf objects
netmap_new_bufs           no more buffers after 581 of 1024
netmap_mem2_rings_create  Cannot allocate buffers for RX_ring

Finally the active settings for netmap (should be the default ones):
dev.netmap.iflib_rx_miss_bufs: 3786
dev.netmap.iflib_rx_miss: 2000
dev.netmap.iflib_crcstrip: 1
dev.netmap.max_bridges: 8
dev.netmap.bridge_batch: 1024
dev.netmap.default_pipes: 0
dev.netmap.priv_buf_num: 4098
dev.netmap.priv_buf_size: 2048
dev.netmap.buf_curr_num: 10823
dev.netmap.buf_num: 163840
dev.netmap.buf_curr_size: 2048
dev.netmap.buf_size: 2048
dev.netmap.priv_ring_num: 4
dev.netmap.priv_ring_size: 20480
dev.netmap.ring_curr_num: 200
dev.netmap.ring_num: 200
dev.netmap.ring_curr_size: 73728
dev.netmap.ring_size: 73728
dev.netmap.priv_if_num: 2
dev.netmap.priv_if_size: 1024
dev.netmap.if_curr_num: 100
dev.netmap.if_num: 100
dev.netmap.if_curr_size: 1024
dev.netmap.if_size: 1024
dev.netmap.ptnet_vnet_hdr: 1
dev.netmap.generic_rings: 1
dev.netmap.generic_ringsize: 1024
dev.netmap.generic_mit: 100000
dev.netmap.generic_hwcsum: 0
dev.netmap.admode: 0
dev.netmap.fwd: 0
dev.netmap.txsync_retry: 2
dev.netmap.no_pendintr: 1
dev.netmap.no_timestamp: 0
dev.netmap.verbose: 0

The NICs are Intel i350 and i210. Promiscuous mode is deactivated. Zenarmor is not installed.

Maybe this problem is related to this one: https://redmine.openinfosecfoundation.org/issues/5744

Many thanks in advance ;-)

Regards,
Josef

Check my post here (both IPS and IDS are working now); if need be I can help out debugging this issue:
https://forum.opnsense.org/index.php?topic=38140.0

The main issue of Suricata failing or not failing is MTU inconsistencies. There's a typical overhead (8 bytes for Windows / 22 bytes for Linux) to consider, but bridges and PPP also add overhead. So, if you start with the default MTU of 1500 (1518) or have jumbo frames (<=9000 MTU) this will have a great effect. I can say with confidence this approach works. Suricata is now up 100% of the time for the last 24 hours.
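The MTU consistency point raised in the reply above can be turned into a quick pre-flight check before enabling IPS mode. The script below is an added example, not code from the thread or from OPNsense; it flags interfaces whose MTU differs from the first one and interfaces whose frame size (MTU plus an assumed overhead) exceeds `dev.netmap.buf_size`. On a real box the two inputs would come from `sysctl dev.netmap` and `ifconfig`; here both are constructed sample data so the script runs anywhere.

```shell
#!/bin/sh
# Constructed sample of `sysctl dev.netmap` output (values taken from the post above).
NETMAP_SYSCTL='dev.netmap.buf_size: 2048
dev.netmap.buf_num: 163840
dev.netmap.buf_curr_num: 10823'

# Constructed interface/MTU list; igb2 is deliberately set to jumbo frames.
IFACE_MTUS='igb0 1500
igb1 1500
igb2 9000'

# Per-frame overhead to add on top of the MTU; 22 bytes is the figure the
# reply above cites, it is an assumption of this example, not a measured value.
FRAME_OVERHEAD=22

# netmap_value NAME: print the value of one dev.netmap sysctl from NETMAP_SYSCTL.
netmap_value() {
  printf '%s\n' "$NETMAP_SYSCTL" | awk -v k="$1:" '$1 == k { print $2 }'
}

# check_mtu "IFACE_LIST" BUF_SIZE: print one line per problem found.
# Returns 0 when every interface shares one MTU and every frame fits a
# netmap buffer, 1 otherwise.
check_mtu() {
  printf '%s\n' "$1" | awk -v buf="$2" -v ovh="$FRAME_OVERHEAD" '
    BEGIN { bad = 0 }
    NR == 1 { first_if = $1; first_mtu = $2 }
    $2 != first_mtu {
      printf "MTU mismatch: %s has %d, %s has %d\n", $1, $2, first_if, first_mtu
      bad = 1
    }
    $2 + ovh > buf {
      printf "%s: frame of %d bytes exceeds dev.netmap.buf_size %d\n", $1, $2 + ovh, buf
      bad = 1
    }
    END { exit bad }'
}

# Stand-alone run against the constructed data.
check_mtu "$IFACE_MTUS" "$(netmap_value dev.netmap.buf_size)"
```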