18.1.12 suricata crash

[mimugmail]

System : Firmware : Packages

There's a reinstall button for every pkg

[JohnnyBeee]

System : Firmware : Packages

There's a reinstall button for every pkg

Thank you.
I reinstalled Suricata but the problem persists.

The messages I still get are:
Jul 18 17:34:29    kernel: pid 52626 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 18 17:29:46    kernel: -> pid: 52293 ppid: 49789 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
Jul 18 17:29:46    kernel: [HBSD SEGVGUARD] [/usr/local/bin/suricata (52293)] Suspension expired.

[ruggerio]

Just click System->Firmware->Packages

Search for Suricata and click on the symbol, which looks like a recycling-sign (Reinstall Suricata)

Afterwards go to Suricata and download the rules again, but without url-haus.

Roger

[franco]

Suricata 4.0.5 was released today. Not sure if the crashes are related to the CVEs...

https://suricata-ids.org/2018/07/18/suricata-4-0-5-available/

You can install for amd64/OpenSSL:

# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/18.7/MINT/18.7.r2/OpenSSL/All/suricata-4.0.5.txz

or amd64/LibreSSL:

# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/18.7/MINT/18.7.r2/LibreSSL/All/suricata-4.0.5.txz

to see if that helps.

Reinstall/revert to the current version using:

# opnsense-revert suricata


Cheers,
Franco

[crt333]

- I downloaded all the rules and restarted -> crash
- I reinstalled suricata -> crash
- I switched from hypersan to aho-corasick -> running

[mimugmail]

Does you CPU support SSS3?

[crt333]

My CPU is an I5 5250U, SSE 4.1, 4.2, AVX2....

[mimugmail]

Strange. Have you checked latest Update from Franco?

[JohnnyBeee]

Suricata 4.0.5 was released today. Not sure if the crashes are related to the CVEs...

https://suricata-ids.org/2018/07/18/suricata-4-0-5-available/

You can install for amd64/OpenSSL:

# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/18.7/MINT/18.7.r2/OpenSSL/All/suricata-4.0.5.txz

or amd64/LibreSSL:

# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/18.7/MINT/18.7.r2/LibreSSL/All/suricata-4.0.5.txz

to see if that helps.

Reinstall/revert to the current version using:

# opnsense-revert suricata


Cheers,
Franco

It works for me

[ruggerio]

cool, so whats the difference, why it is working for me?

Hardware:  apu2
Scanengine: hyperscan

[franco]

My guess is different rules and different local traffic. It's hard to pin down without looking at the specifics of the 4.0.5 update if that indeed magically solves it.


Cheers,
Franco

[crt333]

I updated to 4.0.5, and switched to hyperscan, and after a few minutes suricata crashed again.

Reverted to current and switched to aho-corasick and it is working again.

[milkywaygoodfellas]

For me this was definitely due to the abuse.ch\urlhaus rule set.  Once I disabled that and re-downloaded/reloaded the rules, Suricata stopped crashing.

It seems they have an issue with this rule set currently.

[franco]

This may be relevant. https://twitter.com/abuse_ch/status/1020172320378417154


Cheers,
Franco

[milkywaygoodfellas]

This may be relevant. https://twitter.com/abuse_ch/status/1020172320378417154


Cheers,
Franco

Well, it wasn't fixed... Re-enabling the abuse.ch\urlhaus rules on 18.1.12 resulted in Suricata crashing again until I disabled the rule set.

After updating to 18.1.13 I am now experiencing the same issue with memory usage growing until Suricata crashes, then going back to normal.  This only seems to occur if the abuse.ch\urlhaus rule set is enabled.  Disabling it again seems to have stopped the issue for now.