18.1.12 suricata crash

[mimugmail]

How much RAM do you have?

[max]

After updating to 18.1.13 I am now experiencing the same issue with memory usage growing until Suricata crashes, then going back to normal.  This only seems to occur if the abuse.ch\urlhaus rule set is enabled.  Disabling it again seems to have stopped the issue for now.

I can confirm the issue on several apu2c4 based systems on OPNsense 18.1.12 and 18.1.13.

As stated by rjb4526, the only workaround that prevents Suricata from crashing currently is to disable abuse.ch/URLhaus.

Some more background:

• Reinstalling Suricata didn't help.
• New downloads of all the rules didn't help.
• Issue is present on OPNsense 18.1.12 and 18.1.13.
• Suricata crashes with both Hyperscan and Aho-Corasick pattern matcher.
• The apu2c4 board contains an AMD GX-412TC CPU and 4 GB DRAM (which supports SSSE3)

[milkywaygoodfellas]

How much RAM do you have?

8GB.  RAM usage doesn't grow to 100%, though.  Last I saw it grew to about 2.5GB before Suricata crashed.

[crt333]

I just upgraded to 18.1.13 and noticed some odd things, so I thought I'd try and add some details in the hope that it helps the always helpful OpnSense team

System is a Qotom Q355G4
CPU: i5-5250U
RAM: 8GB

NOTE: after every setting change below I rebooted to make sure results were "clean"

phase 1 - update to 18.1.13, reboot, reload all suricata rules with URLhaus disabled

a) using hyperscan - runs ok
    system memory 1059M

    suricata memory usage (from System->Diagnostics->Activity)
    Mem Size: 2805M
    Res: 350M

b) using aho-corasick - runs ok
    system memory 1129M

    suricata memory usage (from System->Diagnostics->Activity)
    Mem Size: 2913M
    Res: 443M

phase 2 - enable URLhaus,  download all rules

a) using aho-corasick - runs ok
    system memory 1794M

    suricata memory usage (from System->Diagnostics->Activity)
    Mem Size: 3565M
    Res: 1069M

b) using hyperscan: crashes

phase 3: disable URLhaus

a) using hyperscan: crashes (but it worked above!!)

so, the only thing that was different in 1a above was that the rules for URLhaus showed "not installed" at the start, rather than just disabled. So, I downloaded all the rules again so it showed "not installed" again for URLhaus, and rebooted:

using hyperscan: works again

so, the URLhaus rule can't even be installed it seems, even if disabled.

FURTHER ODDITY:

after the crashes, when I changed settings and clicked reboot, the screen paused for a while but then came back to show stats rather than to the login screen. Also, uptime showed no reboot occurred. Tried twice, same thing. Also tried shutdown, which also didn't work!!

So, I had to power cycle after the failures to cause a reboot to happen. Very odd, thought I'd mention it.

I hope the above is helpful, please let me know if I can provide other info.

[mimugmail]

Perhaps the ruleset wont get deleted. There was a fix around, not sure If only for 18.7.

[milkywaygoodfellas]

Despite abuse.ch's claims to the contrary on Twitter, the issue still isn't fixed.  Enabling abuse.ch/urlhaus rules still results in Suricata crashing.

[mimugmail]

So you get an error in the logs? If not perhaps the ruleset is too big for you system?

[milkywaygoodfellas]

So you get an error in the logs? If not perhaps the ruleset is too big for you system?

The only thing that shows up in the logs is Suricata crashing.

[mimugmail]

Can you watch the memory Bar in the Dashboard shortly after enabling Suricata?

[milkywaygoodfellas]

Can you watch the memory Bar in the Dashboard shortly after enabling Suricata?

Yes.  I refresh it several times over the course of a couple of minutes and watch the memory usage grow to about 2.8-3GB before it crashes.  Once it crashes, memory usage goes back to a more normal number like 750MB-1GB depending on usage.

[Werner Fischer]

[Updated as I have answered in the wrong thread]:

I'm having issues here, too.

See https://forum.opnsense.org/index.php?topic=9512.msg43639#msg43639 for my details.