Suricata/Intrusion Detection stops soon after start

Started by JohnnyBeee, September 02, 2023, 01:38:36 AM

September 02, 2023, 01:38:36 AM Last Edit: September 02, 2023, 02:01:05 AM by JohnnyBeee
OPNsense 23.7.3-amd64
FreeBSD 13.2-RELEASE-p2
OpenSSL 1.1.1v 1 Aug 2023


Hi guys.

I don't know since when, possibly since a recent firmware upgrade, Suricata stops all the time, after displaying quite a few warnings, with this error:
[100549] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - opening devname netmap:igb0-0/R@conf:host-rings=2 failed: Invalid argument

Note: I tried attaching Suricata to igb1 and the problem is the same.
There is no interface igb0-0. The WAN interface is igb0 and I have not changed anything since it worked last (possibly just a firmware upgrade).

Suricata worked perfectly before! - Until Aug 6 at least
Health Audit is fine.

Any ideas what could be wrong and how to fix this?

Thanks for any help.

I have posted a similar problem:
Intrusion Detection stops after 1 minute

Assumed my issue was related to "changing to VLAN" but maybe it is related to what you are reporting?

Quote from: ddt3 on September 02, 2023, 02:26:31 PM
I have posted a similar problem:
Intrusion Detection stops after 1 minute

Assumed my issue was related to "changing to VLAN" but maybe it is related to what you are reporting?

Thanks, but your issue is not related.

This seems solved now.

I went through the system log and happened on this error:
Notice   kernel   518.293049 [2226] netmap_buf_size_validate error: using NS_MOREFRAG on igb0 requires netmap buf size >= 4096
I opened a thread for this: https://forum.opnsense.org/index.php?topic=35745.msg173952#msg173952

Once I had set netmap buf size to 4096 and restarted the WAN interface, Intrusion detection/Suricata started normally again.
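
Added example, not part of the thread or of OPNsense: a small sh check that pulls the netmap_buf_size_validate message quoted above out of kernel log text and compares the required size with a configured value, so the cause shows up before Suricata exits. It assumes the "netmap buf size" setting is the FreeBSD sysctl dev.netmap.buf_size; the function names and every sample log line other than the first are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Sample log text: the first line is the
# kernel message quoted in the thread; the other lines are constructed.
SAMPLE_LOG='Notice   kernel   518.293049 [2226] netmap_buf_size_validate error: using NS_MOREFRAG on igb0 requires netmap buf size >= 4096
Notice   kernel   519.000001 [2226] netmap_buf_size_validate error: using NS_MOREFRAG on igb1 requires netmap buf size >= 4096
Notice   kernel   igb0: link state changed to UP'

# Read kernel log lines on stdin; print "<interface> <required bytes>" once
# per interface, keeping the largest requirement seen.
required_netmap_buf_sizes() {
    sed -n 's/.*netmap_buf_size_validate error: using NS_MOREFRAG on \([^ ]*\) requires netmap buf size >= \([0-9][0-9]*\).*/\1 \2/p' |
        awk '{ if ($2 + 0 > max[$1] + 0) max[$1] = $2 }
             END { for (i in max) print i, max[i] }' |
        sort
}

# check_netmap_buf_size CURRENT_BYTES
# Read kernel log lines on stdin; report every interface whose requirement
# exceeds CURRENT_BYTES. Returns 0 if none do, 1 otherwise.
check_netmap_buf_size() {
    required_netmap_buf_sizes | awk -v cur="$1" '
        $2 + 0 > cur + 0 {
            printf "%s: needs netmap buf size >= %d, configured %d\n", $1, $2, cur
            bad = 1
        }
        END { exit bad + 0 }'
}

# Demo on the sample log with a constructed "before" value of 2048.
printf '%s\n' "$SAMPLE_LOG" | check_netmap_buf_size 2048 || true

# On the firewall itself (assumes dev.netmap.buf_size is the setting meant):
#   dmesg | check_netmap_buf_size "$(sysctl -n dev.netmap.buf_size)"
```

A non-zero return means at least one interface in the log asked for a larger buffer than the value passed in.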