Suricata is crashing on all firewalls starting April 19th, 2025

Started by geotek, April 19, 2025, 01:54:24 PM

Mokaz's solution worked.

As a preface, I must say I could never activate IPS with hyperscan matcher on this VM.
That VM presented some other limitations compared to its twin, almost identical, except for the CPU type.

After reading Mokaz's solution I did not go for the same CPU as him but simply abandoned the KVM64 for the «Broadwell, IBRS», the one used on the almost twin VM, and it solved the problem.
(and I'll keep an eye on any difference that may appear or persist between the twin VMs)

Thank You!!!

Clearly, KVM64 CPU emulation misses flags required by hyperscan to perform.

An embryo of a CPU compatibility list includes:
  • Broadwell, IBRS
  • Haswell-noTSX


Quote from: mokaz on May 05, 2025, 08:28:29 AM

Had the same issue, here is what fixed it for me:

  • updated the vCPU scheme of the VM from "kvm64" to "Haswell-noTSX".
  • VM power off/power on.
  • shifted the IPS engine from "Aho–Corasick Ken Steele variant" to "Hyperscan" (only possible post point #1 here).

According to the docs, Hyperscan seems to be the best option whenever supported, I'll leave it at that here.
https://docs.opnsense.org/manual/ips.html


... and a wiser way to describe compatibility would be to enumerate required CPU flags, instead of listing all variants of CPU released on the market.
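
A flag-based check along the lines of the last post, as an added example that is not part of the thread. It assumes the required flag is SSSE3 (Hyperscan's documented minimum; the thread does not name the missing flag) and the FreeBSD boot log at /var/run/dmesg.boot; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the required flag is SSSE3,
# Hyperscan's documented minimum; the thread does not name the missing flag.
REQUIRED_FLAGS="SSSE3"

# Print one CPU feature flag per line from FreeBSD-style boot messages in file $1.
cpu_flags() {
    grep -E 'Features[0-9]*=0x[0-9a-f]+<' "$1" |
        sed -e 's/^[^<]*<//' -e 's/>.*$//' | tr ',' '\n'
}

# Print required flags absent from file $1; exit status 0 only if none is missing.
missing_flags() {
    flags=$(cpu_flags "$1")
    missing=""
    for f in $REQUIRED_FLAGS; do
        # -x matches whole lines, so SSE3 is never mistaken for SSSE3
        printf '%s\n' "$flags" | grep -qx "$f" || missing="$missing $f"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample boot messages (hex masks are illustrative, not real dumps).
sample_without() {   # a guest that exposes SSE3 but not SSSE3
    cat <<'EOF'
  Features=0x783fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2>
  Features2=0x80a02001<SSE3,CX16,x2APIC,HV>
EOF
}
sample_with() {      # a guest that exposes SSSE3
    cat <<'EOF'
  Features=0x783fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2>
  Features2=0xfffa3203<SSE3,PCLMULQDQ,SSSE3,FMA,CX16,SSE4.1,SSE4.2,x2APIC,POPCNT,AESNI,XSAVE,AVX,HV>
EOF
}

# On a FreeBSD-based firewall, check the live boot log when it is readable.
if [ -r /var/run/dmesg.boot ]; then
    if m=$(missing_flags /var/run/dmesg.boot); then
        echo "required flags present: $REQUIRED_FLAGS"
    else
        echo "missing CPU flags: $m"
    fi
fi
```

Running the check before switching the pattern matcher shows whether the guest's vCPU model exposes the flag at all.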