Suricata worked for months but now crashes 4 minutes after startup [SOLVED]

Started by lorem, March 25, 2024, 03:29:21 AM

I originally installed Suricata and I often checked to see if there were any results and it was always running. Now I just noticed it had crashed a month ago. One thing I saw in the log was it ran out of memory.

To solve this I just upgraded from 2GB to 8GB. Then I did a complete upgrade to OPNsense v24.1.4 and Suricata 7.0.4.

It still crashes but without the memory issue. Under Interfaces -> WAN the MTU is 1500. I do not know what "HW rings count" is.

2024-03-24T18:59:36-07:00 Error suricata [100993] <Error> -- Engine initialization failed, aborting...
2024-03-24T18:59:36-07:00 Error suricata [100993] <Error> -- thread "W#01-run0_wlan1" failed to initialize: flags 0145
2024-03-24T18:59:35-07:00 Error suricata [101441] <Error> -- run0_wlan1: cannot access network interface: run0_wlan1^
2024-03-24T18:59:35-07:00 Error suricata [101441] <Error> -- run0_wlan1: failed to get device flags: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- run0_wlan1: unable to get device caps: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1^ failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [101439] <Error> -- run0_wlan1: cannot access network interface: run0_wlan1
2024-03-24T18:59:35-07:00 Error suricata [101439] <Error> -- run0_wlan1: failed to get device flags: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- run0_wlan1: unable to get device caps: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:55:45-07:00 Warning suricata [100993] <Warning> -- Found deprecated eve-log.alert flag "tls", this flag has no effect
2024-03-24T18:55:45-07:00 Warning suricata [100993] <Warning> -- Found deprecated eve-log.alert flag "http", this flag has no effect
2024-03-24T18:55:45-07:00 Warning suricata [100176] <Warning> -- Failure when trying to get MTU via ioctl for 'run0_wlan1': Device not configured (6)
2024-03-24T18:55:45-07:00 Warning suricata [100176] <Warning> -- Failure when trying to get MTU via ioctl for 'run0_wlan1': Device not configured (6)

This was solved by plugging the USB WiFi in and enabling it in Interfaces. It was previously disabled and removed. I want to do that during long periods when it is not in use to decrease the firewall attack surface, while keeping Suricata running.
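As an added example (not from the original post), a small Python check that parses Suricata log lines in the format shown above and names the capture interface the engine could not open, so a monitoring job can flag a missing interface instead of the crash going unnoticed. The sample log lines are constructed from the messages in this thread; the interface list passed to `interfaces_to_untick` is an assumed example.

```python
import re

# Constructed sample in the format OPNsense's log viewer shows for Suricata.
SAMPLE_LOG = """\
2024-03-24T18:59:36-07:00 Error suricata [100993] <Error> -- Engine initialization failed, aborting...
2024-03-24T18:59:36-07:00 Error suricata [100993] <Error> -- thread "W#01-run0_wlan1" failed to initialize: flags 0145
2024-03-24T18:59:35-07:00 Error suricata [101441] <Error> -- run0_wlan1: failed to get device flags: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:55:45-07:00 Warning suricata [100176] <Warning> -- Failure when trying to get MTU via ioctl for 'run0_wlan1': Device not configured (6)
2024-03-24T18:55:45-07:00 Warning suricata [100993] <Warning> -- Found deprecated eve-log.alert flag "tls", this flag has no effect
"""

LINE_RE = re.compile(r"^\S+ (?P<level>\w+) suricata \[\d+\] <\w+> -- (?P<msg>.*)$")
# Each pattern captures the interface name from a message Suricata emits when a
# configured capture device is absent ("Device not configured" is ENXIO on FreeBSD).
MISSING_IFACE_RES = [
    re.compile(r"^Query of netmap HW rings count on (?P<iface>\S+) failed; error: Device not configured"),
    re.compile(r"^(?P<iface>\S+): (?:failed to get device flags|unable to get device caps): Device not configured"),
    re.compile(r"^Failure when trying to get MTU via ioctl for '(?P<iface>[^']+)': Device not configured"),
]
THREAD_RE = re.compile(r'^thread "(?P<thread>[^"]+)" failed to initialize')


def diagnose(log_text):
    """Return the interfaces Suricata could not open and whether the engine aborted."""
    missing, threads, engine_failed = set(), [], False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a Suricata line in this format; skip it
        msg = m.group("msg")
        if msg.startswith("Engine initialization failed"):
            engine_failed = True
        t = THREAD_RE.match(msg)
        if t:
            threads.append(t.group("thread"))
        for pat in MISSING_IFACE_RES:
            im = pat.match(msg)
            if im:
                missing.add(im.group("iface"))
    return {"engine_failed": engine_failed, "missing_interfaces": sorted(missing), "failed_threads": threads}


def interfaces_to_untick(configured, report):
    """Configured IDS interfaces that must be unticked (or replugged) before Suricata will start."""
    return sorted(i for i in configured if i in set(report["missing_interfaces"]))


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print(report)
    print(interfaces_to_untick(["igb0", "run0_wlan1"], report))  # assumed interface list
```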

Are you monitoring your various LAN or monitoring WAN? Still odd that disconnecting an interface (assuming you monitor more than that one USB device) would cause it to freeze.

You might try moving it to monitor WAN, then it shouldn't care about your other interfaces. You do lose some data like this, that being which device is producing the traffic that gets blocked, but it might solve the issue.

Thank you, that is very likely the solution. In Intrusion Detection: Administration -> Interfaces I will uncheck the OPT1 (WiFi) option when I disable WiFi next time and verify that Suricata does not quit.

I will test this later because in the past I have had to reboot the system to get the USB WiFi to work again. I will post a result in a few days.

Mine was really slow this morning, I need to look into that, was working fine yesterday.

And by slow I mean looking at the alert tab to see what has happened and what I might need to modify. Only 3 days with students back from break so I'm still tuning a lot of things.

[SOLVED] Suricata is still up and reporting no problems. WiFi dongle was disabled in main section Interfaces and the fix was to disable it in Services -> Intrusion Detection -> Administration -> Interfaces.