[SOLVED] Intrusion Detection (suricata) keeps exiting

Started by Aergan, February 13, 2017, 10:15:41 AM

Hi, I had this problem with the last few versions of 16.7, and it's still present in 17.1.1: suricata keeps exiting after 15 to 500 seconds.

Feb 13 09:10:00 kernel: pid 21502 (suricata), uid 0: exited on signal 4 (core dumped)
Feb 13 09:09:18 configd.py: [dc6e5d2e-e377-4dbc-b00f-751ecaa3024c] get suricata daemon status
Feb 13 09:09:16 configd.py: [4ce7e5ed-731a-4bff-a945-98bcbab50da9] start suricata daemon
Feb 13 09:09:16 configd.py: [f3452e49-e5ec-44d8-93da-8dcc8c219cc5] install suricata rules
Feb 13 09:09:15 configd.py: [91bd5288-a8f7-4bb1-8733-25e0b207f888] get suricata daemon status
Feb 13 09:09:02 configd.py: [f4e9e1b0-5bc5-4257-ada1-c7c65a144be0] get suricata daemon status
Feb 13 09:08:34 kernel: pid 48719 (suricata), uid 0: exited on signal 4 (core dumped)
Feb 13 09:07:33 configd.py: [c25d9c01-5880-426c-8a35-da259d2303b6] get suricata daemon status


All hardware acceleration options are turned off

OPNsense 17.1.1-amd64
FreeBSD 11.0-RELEASE-p7
OpenSSL 1.0.2k 26 Jan 2017

What network cards do you have? Suricata only started working reliably for me after I switched to Intel NICs.

Bart...

It's a Generation 1 VM running under Hyper-V 2012 R2

Have you found a solution to your problem? I got the same thing on VMware ESXi 6.0 with Intel e1000 interfaces.

Hi morpheus,

Have a look at the relevant Twitter conversation with details and workarounds:

https://twitter.com/opnsense/status/833638286753153024

17.1.2 may fix this permanently now that Hyperscan and Suricata have added runtime detection.

Symptoms: old host CPU that does not support SSSE3 instructions + amd64.


Cheers,
Franco
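The diagnosis in the post above (signal 4 is SIGILL on FreeBSD, raised when the Hyperscan build uses SSSE3 instructions the host CPU does not have) can be turned into a quick check. The script below is an added example and is not code from this thread, from OPNsense or from Suricata: the two `Features2=` lines are constructed (one pre-SSSE3 host, one modern host), the kernel crash line is the one quoted earlier in the thread, the signal-name table uses FreeBSD numbering, and the verdict tokens (`sigill-no-ssse3` and friends) are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense/Suricata. It
# automates the diagnosis from the post above: a daemon killed by signal 4
# (SIGILL on FreeBSD) on a CPU whose feature list lacks SSSE3 points at a
# Hyperscan build compiled for instructions the host cannot execute.

# Name a FreeBSD signal number. Only the ones a crashing daemon commonly
# dies from are spelled out; anything else is reported by number.
signal_name() {
    case "$1" in
        4)  echo ILL ;;    # illegal instruction: binary uses an opcode the CPU lacks
        6)  echo ABRT ;;
        10) echo BUS ;;
        11) echo SEGV ;;
        *)  echo "$1" ;;
    esac
}

# Succeed (exit 0) if a CPU feature line lists SSSE3. Accepts the FreeBSD
# dmesg form "Features2=0x...<SSE3,...,SSSE3,...>" and the Linux
# /proc/cpuinfo form "flags : ... ssse3 ...".
cpu_has_ssse3() {
    printf '%s\n' "$1" \
        | tr '[:upper:]' '[:lower:]' \
        | tr ',<> ' '\n\n\n\n' \
        | grep -qx 'ssse3'
}

# Combine a kernel "exited on signal N" line with the CPU feature line
# and print one verdict token (token names are this example's own).
diagnose() {
    crash_line=$1
    cpu_line=$2
    sig=$(printf '%s\n' "$crash_line" \
          | sed -n 's/.*exited on signal \([0-9][0-9]*\).*/\1/p')
    if [ -z "$sig" ]; then
        echo no-crash
        return 0
    fi
    name=$(signal_name "$sig")
    if [ "$name" = ILL ]; then
        if cpu_has_ssse3 "$cpu_line"; then
            echo sigill-with-ssse3      # SIGILL, but not the SSSE3 case: look elsewhere
        else
            echo sigill-no-ssse3        # the thread's bug: use suricata-no-hs
        fi
    else
        echo "crash-sig$name"
    fi
}

# Constructed sample input. The crash line is the one quoted in the thread;
# the two Features2 lines are made up (a pre-SSSE3 host and a modern one).
CRASH_LINE='Feb 13 09:10:00 kernel: pid 21502 (suricata), uid 0: exited on signal 4 (core dumped)'
HEALTHY_LINE='Feb 13 09:09:18 configd.py: [dc6e5d2e-e377-4dbc-b00f-751ecaa3024c] get suricata daemon status'
OLD_CPU='  Features2=0x641d<SSE3,DTES64,MON,DS_CPL,EST,CX16,xTPR,PDCM>'
NEW_CPU='  Features2=0x7ffafbff<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,AVX>'

# On a real FreeBSD host, read the live feature line instead of the sample:
#   cpu_line=$(grep -m1 'Features2=' /var/run/dmesg.boot)
for cpu in "$OLD_CPU" "$NEW_CPU"; do
    printf '%s -> %s\n' "$cpu" "$(diagnose "$CRASH_LINE" "$cpu")"
done
```

On a FreeBSD host the live feature line comes from `/var/run/dmesg.boot` (or the boot-time `dmesg` output); on Linux the same function works on the `flags` line of `/proc/cpuinfo`. A `sigill-no-ssse3` verdict is the case this thread is about, where the `suricata-no-hs` package (or, per the thread, 17.1.2 with runtime CPU detection) is the fix; a SIGILL on a host that does have SSSE3 means a different instruction set mismatch and needs the core file looked at.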

Hi franco,

I confirm that installing suricata-no-hs-3.2 seems to prevent that issue.

Thank you!


All working still after the upgrade to 17.1.2 as well :)


Trivia: turnaround time for this bug is approx. 8 months including fixes in two upstream projects. :)

Thank you both for the feedback.

February 24, 2017, 02:19:29 AM #10 Last Edit: February 24, 2017, 02:44:08 AM by pbolduc
Hi there,

I submitted a bug report upon the first kernel crash after attempting to enable Suricata, which was running on version 17.1.1. I have since upgraded to 17.1.2 and the crash no longer occurs; however, the service still fails to start. Here is what the logs show me:

Feb 23 18:13:09    configd.py: [dae4acf2-35ab-4802-b84c-f3f7dd1e5143] start suricata daemon
Feb 23 18:13:09    root: /usr/local/etc/rc.d/suricata: WARNING: failed to start suricata
configd.py: [419a761d-f4c8-4e1a-8051-003c3c8005ec] returned exit status 1

OPNsense is running in an ESXi 6 VM (32-bit FreeBSD guest), the processor is an Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40GHz, and my WAN network card is an Intel E1000. I have tried starting the service with either Hyperscan or Aho-Corasick, with no luck. I'm attempting to use Intrusion Detection with only a single custom rule: only allow traffic from North America. Thanks for your time.

Regards,

Hi,

Have you tried deleting your custom rule and activating the OPNSense-test-rule instead, just to see if it is related to your custom rule?

Regards

Thanks, I just tried that; I didn't even know there was a test rule. However, it still produces the same result: with only the test rule enabled, the service remains disabled.

Can you post the contents of suricata log?

# cat /var/log/suricata.log


Cheers,
Franco

Please see the attached screenshot from the command you provided. Thanks!