IDS results in hundreds of errors like netmap_transmit hwcur hwtail

Started by Tenn-it, July 13, 2025, 09:58:21 PM

I've had a VM running OPNsense 25.1.10 (amd64) with Suricata running for about three months. Recently, after a little while, I start getting thousands of errors like: "netmap_transmit           xn0 full hwcur 362 hwtail 880 qlen 50". It ends up bringing the virtual machine to its knees until I reboot the VM.

The VM has 20GB of RAM.

Anyone have any ideas?
Thanks!


Startup log below:
<173>1 2025-07-13T15:09:17-04:00 nam-of-the-idsserver suricata 25156 - [meta sequenceId="1"] [100755] <Notice> -- This is Suricata version 7.0.10 RELEASE running in SYSTEM mode
<171>1 2025-07-13T15:09:28-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="2"] [100304] <Error> -- no terminating ";" found
<171>1 2025-07-13T15:09:28-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="3"] [100304] <Error> -- error parsing signature "alert tls $HOME_NET any -> any any (msg:"ET MALWARE Observed " from file /usr/local/etc/suricata/opnsense.rules/emerging-malware.rules at line 40944
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="4"] [100304] <Warning> -- flowbit 'ET.000webhostpost' is checked but not set. Checked in 2052143 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="5"] [100304] <Warning> -- flowbit 'ET.http.binary' is checked but not set. Checked in 2023741 and 4 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="6"] [100304] <Warning> -- flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017181 and 5 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="7"] [100304] <Warning> -- flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 9 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="8"] [100304] <Warning> -- flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="9"] [100304] <Warning> -- flowbit 'dcerpc.rpcnetlogon' is checked but not set. Checked in 2030870 and 6 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="10"] [100304] <Warning> -- flowbit 'ET.BonitaDefaultCreds' is checked but not set. Checked in 2036817 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="11"] [100304] <Warning> -- flowbit 'ET.ErlangOTPBanner' is checked but not set. Checked in 2061797 and 1 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="12"] [100304] <Warning> -- flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 4 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="13"] [100304] <Warning> -- flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2013036 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="14"] [100304] <Warning> -- flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="15"] [100304] <Warning> -- flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="16"] [100304] <Warning> -- flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="17"] [100304] <Warning> -- flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="18"] [100304] <Warning> -- flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="19"] [100304] <Warning> -- flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="20"] [100304] <Warning> -- flowbit 'et.MCOFF' is checked but not set. Checked in 2022303 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="21"] [100304] <Warning> -- flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="22"] [100304] <Warning> -- flowbit 'ET.armwget' is checked but not set. Checked in 2024242 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="23"] [100304] <Warning> -- flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="24"] [100304] <Warning> -- flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="25"] [100304] <Warning> -- flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="26"] [100304] <Warning> -- flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="27"] [100304] <Warning> -- flowbit 'ET.generictelegram' is checked but not set. Checked in 2045614 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="28"] [100304] <Warning> -- flowbit 'ET.BunnyLoader.Checkin' is checked but not set. Checked in 2048398 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="29"] [100304] <Warning> -- flowbit 'ET.WebDAVURL' is checked but not set. Checked in 2049320 and 2 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="30"] [100304] <Warning> -- flowbit 'ET.implantjs.syn' is checked but not set. Checked in 2060257 and 2 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="31"] [100304] <Warning> -- flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019823 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="32"] [100304] <Warning> -- flowbit 'ETPRO.RTF' is checked but not set. Checked in 2020700 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="33"] [100304] <Warning> -- flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2023313 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="34"] [100304] <Warning> -- flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 0 other sigs
<172>1 2025-07-13T15:09:29-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="35"] [100304] <Warning> -- flowbit 'exe.no.referer' is checked but not set. Checked in 2020500 and 0 other sigs
<173>1 2025-07-13T15:10:01-04:00 nam-of-the-idsserver suricata 25735 - [meta sequenceId="36"] [100304] <Notice> -- Threads created -> W: 2 FM: 1 FR: 1   Engine started.




Errors below:

<13>1 2025-07-02T15:40:40-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="23"] <118>Root file system: zroot/ROOT/default
<13>1 2025-07-02T15:40:40-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="24"] <118>Wed Jul  2 15:40:40 EDT 2025
<13>1 2025-07-02T15:40:40-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="25"] <118>
<13>1 2025-07-02T15:40:40-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="26"] <118>*** nam-of-the-idsserver: OPNsense 25.1.10 (amd64) ***
<13>1 2025-07-02T15:40:40-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="27"] <118>
<13>1 2025-07-02T15:40:40-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="28"] <118> LAN (xn0)       -> v4: 192.168.0.2/xx
<13>1 2025-07-02T15:40:40-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="29"] <118> WAN (xn1)       -> v4: xx.xxx.xxx.xxx/xx
<13>1 2025-07-02T15:40:40-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="30"] <118>
<13>1 2025-07-02T15:41:25-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="33"] 285.766612 [1167] generic_netmap_attach     Emulated adapter for xn0 created (prev was NULL)
<13>1 2025-07-02T15:41:25-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="34"] 285.781603 [1072] generic_netmap_dtor       Emulated netmap adapter for xn0 destroyed
<13>1 2025-07-02T15:41:25-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="35"] 285.794488 [1167] generic_netmap_attach     Emulated adapter for xn0 created (prev was NULL)
<13>1 2025-07-02T15:41:25-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="36"] 285.809834 [1072] generic_netmap_dtor       Emulated netmap adapter for xn0 destroyed
<13>1 2025-07-02T15:41:25-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="37"] 285.844324 [1167] generic_netmap_attach     Emulated adapter for xn0 created (prev was NULL)
<13>1 2025-07-02T15:41:25-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="38"] 285.858629 [1072] generic_netmap_dtor       Emulated netmap adapter for xn0 destroyed
<13>1 2025-07-02T15:41:25-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="39"] <6>xn0: permanently promiscuous mode enabled
<13>1 2025-07-02T15:41:25-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="40"] 285.887130 [1167] generic_netmap_attach     Emulated adapter for xn0 created (prev was NULL)
<13>1 2025-07-02T15:41:26-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="41"] 286.192069 [ 319] generic_netmap_register   Emulated adapter for xn0 activated
<13>1 2025-07-02T15:52:57-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="1"] 976.888029 [4335] netmap_transmit           xn0 full hwcur 558 hwtail 132 qlen 425
<13>1 2025-07-02T15:52:57-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="2"] 976.902846 [4335] netmap_transmit           xn0 full hwcur 558 hwtail 132 qlen 425
<13>1 2025-07-02T15:53:44-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="3"] 024.214751 [4335] netmap_transmit           xn0 full hwcur 938 hwtail 412 qlen 525
<13>1 2025-07-02T15:53:44-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="4"] 024.227159 [4335] netmap_transmit           xn0 full hwcur 938 hwtail 412 qlen 525
<13>1 2025-07-02T16:18:34-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="1"] 514.010592 [4335] netmap_transmit           xn0 full hwcur 417 hwtail 968 qlen 472
<13>1 2025-07-02T16:18:34-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="2"] 514.025031 [4335] netmap_transmit           xn0 full hwcur 417 hwtail 968 qlen 472
<13>1 2025-07-02T16:18:35-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="3"] 515.271374 [4335] netmap_transmit           xn0 full hwcur 15 hwtail 564 qlen 474
<13>1 2025-07-02T16:18:35-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="4"] 515.285723 [4335] netmap_transmit           xn0 full hwcur 15 hwtail 564 qlen 474
<13>1 2025-07-02T16:18:36-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="5"] 516.835447 [4335] netmap_transmit           xn0 full hwcur 223 hwtail 622 qlen 624
<13>1 2025-07-02T16:18:36-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="6"] 516.844906 [4335] netmap_transmit           xn0 full hwcur 223 hwtail 622 qlen 624
<13>1 2025-07-02T16:18:37-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="7"] 517.103792 [4335] netmap_transmit           xn0 full hwcur 908 hwtail 433 qlen 474
<13>1 2025-07-02T16:18:52-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="8"] 532.421643 [4335] netmap_transmit           xn0 full hwcur 619 hwtail 128 qlen 490
<13>1 2025-07-02T16:18:52-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="9"] 532.434464 [4335] netmap_transmit           xn0 full hwcur 619 hwtail 128 qlen 490
<13>1 2025-07-02T16:18:54-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="10"] 533.966516 [4335] netmap_transmit           xn0 full hwcur 469 hwtail 51 qlen 417
<13>1 2025-07-02T16:18:54-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="11"] 533.981784 [4335] netmap_transmit           xn0 full hwcur 469 hwtail 51 qlen 417
<13>1 2025-07-02T16:18:55-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="12"] 535.687712 [4335] netmap_transmit           xn0 full hwcur 284 hwtail 826 qlen 481
<13>1 2025-07-02T16:18:55-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="13"] 535.702045 [4335] netmap_transmit           xn0 full hwcur 284 hwtail 826 qlen 481
<13>1 2025-07-02T16:19:03-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="14"] 542.972322 [4335] netmap_transmit           xn0 full hwcur 799 hwtail 313 qlen 485
<13>1 2025-07-02T16:19:03-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="15"] 542.983285 [4335] netmap_transmit           xn0 full hwcur 799 hwtail 313 qlen 485
<13>1 2025-07-02T16:19:05-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="16"] 545.451038 [4335] netmap_transmit           xn0 full hwcur 33 hwtail 558 qlen 498
<13>1 2025-07-02T16:19:05-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="17"] 545.464260 [4335] netmap_transmit           xn0 full hwcur 33 hwtail 558 qlen 498
<13>1 2025-07-02T16:19:08-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="18"] 548.026341 [4335] netmap_transmit           xn0 full hwcur 362 hwtail 880 qlen 505
<13>1 2025-07-02T16:19:08-04:00 nam-of-the-idsserver kernel - - [meta sequenceId="19"] 548.042121 [4335] netmap_transmit           xn0 full hwcur 362 hwtail 880 qlen 505