Author Topic: Suricata can`t start in IPS mode  (Read 2182 times)

jaylow

Suricata can`t start in IPS mode
« on: March 10, 2023, 09:54:40 pm »
Hi,

On my installation with OPNsense 23.1.3 and Suricata 6.0.9_1 I cannot start Suricata in IPS mode with more than two interfaces.

The following error was logged:
 ... [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:igbX/T failed: Cannot allocate memory

"sysctl -a | grep -i netmap" shows
netmap_obj_malloc         no more netmap_buf objects
netmap_new_bufs           no more buffers after 581 of 1024
netmap_mem2_rings_create  Cannot allocate buffers for RX_ring

Finally the active settings for netmap (should be the default ones):
dev.netmap.iflib_rx_miss_bufs: 3786
dev.netmap.iflib_rx_miss: 2000
dev.netmap.iflib_crcstrip: 1
dev.netmap.max_bridges: 8
dev.netmap.bridge_batch: 1024
dev.netmap.default_pipes: 0
dev.netmap.priv_buf_num: 4098
dev.netmap.priv_buf_size: 2048
dev.netmap.buf_curr_num: 10823
dev.netmap.buf_num: 163840
dev.netmap.buf_curr_size: 2048
dev.netmap.buf_size: 2048
dev.netmap.priv_ring_num: 4
dev.netmap.priv_ring_size: 20480
dev.netmap.ring_curr_num: 200
dev.netmap.ring_num: 200
dev.netmap.ring_curr_size: 73728
dev.netmap.ring_size: 73728
dev.netmap.priv_if_num: 2
dev.netmap.priv_if_size: 1024
dev.netmap.if_curr_num: 100
dev.netmap.if_num: 100
dev.netmap.if_curr_size: 1024
dev.netmap.if_size: 1024
dev.netmap.ptnet_vnet_hdr: 1
dev.netmap.generic_rings: 1
dev.netmap.generic_ringsize: 1024
dev.netmap.generic_mit: 100000
dev.netmap.generic_hwcsum: 0
dev.netmap.admode: 0
dev.netmap.fwd: 0
dev.netmap.txsync_retry: 2
dev.netmap.no_pendintr: 1
dev.netmap.no_timestamp: 0
dev.netmap.verbose: 0

The nics are Intel i350 and i210. Promiscuous mode is deactivated. Zenarmor is not installed.

Maybe this problem is related to this one: https://redmine.openinfosecfoundation.org/issues/5744

Many thanks in advance ;-)

Regards,
Josef
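An IPS that fails to come up is a monitoring gap, so the failure described above is worth detecting automatically rather than by reading logs by hand. The following Python script is an added example, not code from the thread, OPNsense or Suricata: it scans log lines for the SC_ERR_NETMAP_CREATE message and the netmap "no more buffers after X of Y" shortfall, and reads the object pool sizes out of `sysctl dev.netmap` output. The sample lines are the ones quoted in the post, embedded as constructed input (the poster's `igbX` placeholder is kept as-is); reading `*_curr_num` as the currently allocated pool size and `*_num` as its configured limit is an assumption.

```python
import re

# Constructed sample: the messages quoted in the post, embedded so the check runs
# offline. On a live box you would feed it the Suricata log and dmesg output.
SAMPLE_LOG = """\
[ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:igbX/T failed: Cannot allocate memory
netmap_obj_malloc         no more netmap_buf objects
netmap_new_bufs           no more buffers after 581 of 1024
netmap_mem2_rings_create  Cannot allocate buffers for RX_ring
"""

# Constructed sample of `sysctl dev.netmap` output (values as posted).
SAMPLE_SYSCTL = """\
dev.netmap.buf_curr_num: 10823
dev.netmap.buf_num: 163840
dev.netmap.ring_curr_num: 200
dev.netmap.ring_num: 200
dev.netmap.if_curr_num: 100
dev.netmap.if_num: 100
"""

# Suricata's netmap open failure: capture the netmap device name and the reason.
NETMAP_OPEN_FAIL = re.compile(
    r'SC_ERR_NETMAP_CREATE\(\d+\)\] - opening devname netmap:(\S+) failed: (.+)$')
# Kernel message telling how many buffers netmap could hand out of those requested.
BUF_SHORTFALL = re.compile(r'no more buffers after (\d+) of (\d+)')


def scan_log(text):
    """Return findings: ('open_failed', device, reason) or
    ('buf_shortfall', got, wanted, missing)."""
    findings = []
    for line in text.splitlines():
        m = NETMAP_OPEN_FAIL.search(line)
        if m:
            findings.append(('open_failed', m.group(1), m.group(2)))
            continue
        m = BUF_SHORTFALL.search(line)
        if m:
            got, wanted = int(m.group(1)), int(m.group(2))
            findings.append(('buf_shortfall', got, wanted, wanted - got))
    return findings


def parse_sysctl(text):
    """Map each dev.netmap.* key to its integer value."""
    vals = {}
    for line in text.splitlines():
        m = re.match(r'^(dev\.netmap\.\S+):\s*(\d+)\s*$', line)
        if m:
            vals[m.group(1)] = int(m.group(2))
    return vals


def pool_sizes(vals):
    """For each netmap object pool, (currently allocated, configured maximum).
    Assumption: *_curr_num is the pool size netmap has actually allocated and
    *_num the sysctl limit it may grow to."""
    out = {}
    for pool in ('buf', 'ring', 'if'):
        cur = vals.get(f'dev.netmap.{pool}_curr_num')
        mx = vals.get(f'dev.netmap.{pool}_num')
        if cur is not None and mx is not None:
            out[pool] = (cur, mx)
    return out


def report(log=SAMPLE_LOG, sysctl=SAMPLE_SYSCTL):
    """Print a one-line summary per finding; returns the findings for callers."""
    findings = scan_log(log)
    for f in findings:
        if f[0] == 'open_failed':
            print(f"IPS interface {f[1]} did not open: {f[2]}")
        else:
            print(f"netmap handed out {f[1]} of {f[2]} buffers ({f[3]} short)")
    for pool, (cur, mx) in pool_sizes(parse_sysctl(sysctl)).items():
        print(f"pool {pool}: {cur} allocated of {mx} allowed")
    return findings


if __name__ == "__main__":
    report()
```

On an OPNsense box the same functions can be pointed at `/var/log/suricata/suricata.log` and the output of `dmesg`, and the presence of an `open_failed` finding is the condition to alert on, since it means the interface is not being inspected.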

JL

Re: Suricata can`t start in IPS mode
« Reply #1 on: January 16, 2024, 06:05:23 pm »
Check my post here (both IPS and IDS are working now); if need be I can help out debugging this issue: https://forum.opnsense.org/index.php?topic=38140.0

The main issue of Suricata failing or not failing is MTU inconsistencies. There's a typical overhead (8 bytes for Windows / 22 bytes for Linux) to consider, but bridges and ppp also add overhead. So, if you start with the default MTU of 1500 (1518) or have jumbo frames (<=9000 MTU), this will have a great effect. I can say with confidence this approach works. Suricata has now been up 100% of the time for 24 hours.
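Since the reply above blames MTU inconsistencies between bridged interfaces, here is an added Python example (not the poster's code and not part of OPNsense) that parses FreeBSD `ifconfig` output and lists every bridge member whose MTU differs from its bridge. The `ifconfig` text is a constructed sample in which `igb1` was left at a jumbo MTU; the 18-byte Ethernet framing (14-byte header plus 4-byte FCS, which is how 1500 becomes the 1518 the reply mentions) is the only constant assumed.

```python
import re

# Constructed sample in FreeBSD ifconfig format (not captured from anyone's box):
# igb0 and igb1 are bridge0 members, but igb1 still carries a jumbo MTU.
SAMPLE_IFCONFIG = """\
igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000
igb2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
"""

ETHERNET_FRAMING = 18  # 14-byte header + 4-byte FCS: mtu 1500 -> 1518-byte frame


def parse_ifconfig(text):
    """Return ({iface: mtu}, {bridge: [member, ...]}) from ifconfig output."""
    mtus, members = {}, {}
    current = None
    for line in text.splitlines():
        m = re.match(r'^(\S+): flags=.*\bmtu (\d+)', line)
        if m:
            current = m.group(1)
            mtus[current] = int(m.group(2))
            continue
        # Indented "member:" lines belong to the bridge header seen last.
        m = re.match(r'^\s+member: (\S+)', line)
        if m and current is not None:
            members.setdefault(current, []).append(m.group(1))
    return mtus, members


def mtu_mismatches(mtus, members):
    """List (bridge, member, member_mtu, bridge_mtu) wherever they differ."""
    out = []
    for bridge, ifaces in members.items():
        for iface in ifaces:
            if iface in mtus and mtus[iface] != mtus[bridge]:
                out.append((bridge, iface, mtus[iface], mtus[bridge]))
    return out


def frame_size(mtu):
    """Largest on-wire Ethernet frame for a given MTU."""
    return mtu + ETHERNET_FRAMING


def report(text=SAMPLE_IFCONFIG):
    """Print each mismatch and return the list so callers can act on it."""
    mtus, members = parse_ifconfig(text)
    problems = mtu_mismatches(mtus, members)
    for bridge, iface, m_mtu, b_mtu in problems:
        print(f"{bridge}: member {iface} mtu {m_mtu} ({frame_size(m_mtu)}-byte frames) "
              f"differs from bridge mtu {b_mtu} ({frame_size(b_mtu)}-byte frames)")
    return problems


if __name__ == "__main__":
    report()
```

Run it against the real output with `ifconfig | python3 check_mtu.py` after replacing the default argument with `sys.stdin.read()`; an empty result means every bridge member agrees with its bridge, which is the state the reply describes as working.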
