Suricata is crashing on all firewalls starting April 19th, 2025

Started by geotek, April 19, 2025, 01:54:24 PM

We are using the Proofpoint rules and all OPNsense versions from 25.1 to 24.x are affected. Error message is:

<Error> -- Just ran out of space in the queue. Fatal Error. Exiting. Please file a bug report on this

It looks like a broken rule update is responsible for this, since ample memory and disk space is available on our boxes.

One more observation: Only boxes with one of the three Aho-Corasick Pattern matchers are affected, even with today's updated rules. Boxes with Hyperscan matcher were not affected. After changing the matcher to Hyperscan, the problem was solved on all of our previously affected firewalls.

I hope this helps in identifying and fixing the cause.

Ours started erroring out on the 20th, same symptoms, and same temporary resolution - Hyperscan.


Mine is set to "default" and still working. This reminds me that I need to sit and do some work on my filters and same for Crowdsec.

Mine is set to default and it's still crashing. Any updates on a fix?



Had the same issue, here is what fixed it for me:

  • updated the vCPU scheme of the VM from "kvm64" to "Haswell-noTSX".
  • VM power off/power on.
  • shifted the IPS engine from "Aho–Corasick Ken Steele variant" to "Hyperscan" (only possible post point #1 here).

According to the docs, Hyperscan seems to be the best option whenever supported; I'll leave it at that here.
https://docs.opnsense.org/manual/ips.html

Kind regards,
m.
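
An added triage sketch for the workaround described in this thread (not part of any post, and not OPNsense or Suricata project code): it reads the configured pattern matcher and checks whether the CPU exposed to the system advertises SSSE3, which Hyperscan requires. The paths `/usr/local/etc/suricata/suricata.yaml` and `/var/run/dmesg.boot`, the top-level `mpm-algo` key, and the function names are assumptions; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: is this box on an Aho-Corasick matcher, and can it switch
# to Hyperscan? Assumed inputs on a firewall:
#   /usr/local/etc/suricata/suricata.yaml  (generated Suricata config)
#   /var/run/dmesg.boot                    (FreeBSD boot log with CPU features)

# Print the value of the top-level mpm-algo key (empty if the key is absent).
current_mpm() {
    sed -n 's/^mpm-algo:[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if the boot-time CPU feature list includes SSSE3.
cpu_has_ssse3() {
    grep -E '^[[:space:]]*Features2=' "$1" | grep -qw 'SSSE3'
}

# $1 = suricata.yaml, $2 = dmesg.boot; prints a one-line verdict.
triage() {
    algo=$(current_mpm "$1")
    case "$algo" in
        hs) echo "ok: already on Hyperscan" ;;
        *)  if cpu_has_ssse3 "$2"; then
                echo "switch: mpm-algo=${algo:-unset}, CPU supports Hyperscan"
            else
                echo "blocked: mpm-algo=${algo:-unset}, CPU lacks SSSE3, change vCPU model first"
            fi ;;
    esac
}

# Constructed sample inputs (not taken from a real box): one config using
# the Ken Steele variant, one CPU feature line without SSSE3 and one with it.
demo_dir=$(mktemp -d)
printf 'mpm-algo: ac-ks\n' > "$demo_dir/suricata.yaml"
printf '  Features2=0x80202001<SSE3,CX16,x2APIC,HV>\n' > "$demo_dir/dmesg.old"
printf '  Features2=0xfffa3223<SSE3,PCLMULQDQ,SSSE3,FMA,CX16,SSE4.1>\n' > "$demo_dir/dmesg.new"

triage "$demo_dir/suricata.yaml" "$demo_dir/dmesg.old"
triage "$demo_dir/suricata.yaml" "$demo_dir/dmesg.new"
```

On a firewall, call `triage` with the two real paths instead of the constructed files; the script only reads them and changes nothing.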


I changed IPS>Administration>Settings Advanced and changed pattern matcher to Hyperscan
As pointed out by user geotek
And Detect profile to medium, may not have needed to change that
It's working for now

I promise this question is honest. I don't want to make enemies... please do not be too aggressive with the answer..

I have moved from pfSense to OPNsense 2 months ago and now I'm facing this issue.

I activated Proofpoint, it was great.

Now, Suricata stops working and there is no solution several weeks later.

My question is ... Could this be proof that OPNsense is more modern, with more functionalities, but it's not being maintained as fast as pfSense?