<div dir="ltr"><div dir="ltr"><div>Yes, it's only inline related.</div><div>I use kill -USR2 `cat /var/run/suricata.pid` for reloading. <br></div><div><br></div><div>I removed the whole Snort ruleset which caused these errors in the log during reload, but it didn't help.<br></div></div></div><br><div class="gmail_quote"><div dir="ltr">Fri, 30 Nov 2018 at 10:04, Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, Nov 20, 2018 at 1:19 PM Michael Tsukanov <<a href="mailto:zukinzin@gmail.com" target="_blank">zukinzin@gmail.com</a>> wrote:<br>
><br>
> I didn't think so, it will be a huge file since we have around 200 people in the location and we can't predict when it fails. Moreover, with passive mode we haven't had any issues with Suricata<br>
><br>
<br>
Ok - so this is only inline related.<br>
How do you do your rule reloads? (do you use unix socket/hup or cold<br>
restart of Suricata?)<br>
<br>
Thank you<br>
<br>
> Tue, 20 Nov 2018 at 14:24, Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>>:<br>
>><br>
>> On Tue, Nov 20, 2018 at 11:51 AM Michael Tsukanov <<a href="mailto:zukinzin@gmail.com" target="_blank">zukinzin@gmail.com</a>> wrote:<br>
>> ><br>
>> > Yes, these errors are related to the rules from the Snort ruleset (which is "not optimized" for Suricata)<br>
>> > But we also have locations where Suricata works fine with these rules...<br>
>><br>
>> In that case it seems it is related to some traffic condition - is it<br>
>> possible to narrow it down to a pcap ?<br>
>><br>
>> > I'll try to use ET only, but I would like to have some "hooks" if it fails again...<br>
>> ><br>
>> > Tue, 20 Nov 2018 at 12:29, Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>>:<br>
>> >><br>
>> >> On Mon, Nov 19, 2018 at 7:08 PM Michael Tsukanov <<a href="mailto:zukinzin@gmail.com" target="_blank">zukinzin@gmail.com</a>> wrote:<br>
>> >> ><br>
>> >> > Hi Peter,<br>
>> >> > Yes we also had the same with 4.1.0 and rolled back to 4.0.5<br>
>> >> ><br>
>> >> > Stats.log - <a href="https://pastebin.com/sKmLwVJP" rel="noreferrer" target="_blank">https://pastebin.com/sKmLwVJP</a><br>
>> >> > Suricata.log - <a href="https://pastebin.com/q9Z3z0Zg" rel="noreferrer" target="_blank">https://pastebin.com/q9Z3z0Zg</a><br>
>> >> > suricata.yaml - <a href="https://pastebin.com/EEGHz4M4" rel="noreferrer" target="_blank">https://pastebin.com/EEGHz4M4</a><br>
>> >> > start line: /usr/local/bin/suricata -D --netmap --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml<br>
>> >> ><br>
>> >> > no unusual rules are triggered at that moment<br>
>> >> > We use 114 alert and 6357 drop rules from the Snort ruleset and 7314 alert and 3626 drop rules from the ET ruleset + 1929 IP addresses from reputation lists<br>
>> >> ><br>
>> >><br>
>> >> It seems there are a lot of errors during loading similar to -<br>
>> >><br>
>> >> 19/11/2018 -- 02:23:07 - <Error> - [ERRCODE:<br>
>> >> SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword<br>
>> >> 'http_raw_cookie'.<br>
>> >> 19/11/2018 -- 02:23:07 - <Error> - [ERRCODE:<br>
>> >> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp<br>
>> >> $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP<br>
>> >> Multiple products DVR admin password leak attempt";<br>
>> >> flow:to_server,established; content:"/device.rsp"; fast_pattern:only;<br>
>> >> http_uri; content:"uid="; http_raw_cookie; content:"cmd=list";<br>
>> >> metadata:policy balanced-ips drop, policy max-detect-ips drop, policy<br>
>> >> security-ips drop, service http; reference:cve,2018-9995;<br>
>> >> classtype:web-application-attack; sid:46825; rev:1;)" from file<br>
>> >> /usr/local/etc/suricata/rules/snort.rules at line 11386<br>
>> >><br>
>> >> It may somehow be related to some rules maybe - but you say in<br>
>> >> af-packet you may have a problem once every two months or so.<br>
>> >> Is it possible to narrow it down a bit - for example - load ET only<br>
>> >> rules and see if any difference?<br>
>> >><br>
>> >> Thank you<br>
>> >><br>
>> >> > Sorry, I can't provide the details for AF_PACKETS right now - it may work for 1-2 months without any issues or restarts<br>
>> >> ><br>
>> >> ><br>
>> >> ><br>
>> >> > Mon, 19 Nov 2018 at 20:36, Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>>:<br>
>> >> >><br>
>> >> >> On Mon, Nov 19, 2018 at 6:35 PM Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>> wrote:<br>
>> >> >> ><br>
>> >> >> ><br>
>> >> >> > On Mon, Nov 19, 2018 at 6:25 PM Michael Tsukanov <<a href="mailto:zukinzin@gmail.com" target="_blank">zukinzin@gmail.com</a>> wrote:<br>
>> >> >> > ><br>
>> >> >> > > Friends,<br>
>> >> >> > > we've faced an issue with suricata running in inline mode.<br>
>> >> >> > ><br>
>> >> >> > > Could you please help us to find the root cause of the issue or determine any useful metrics which we may use for investigation.<br>
>> >> >> > ><br>
>> >> >> > > It may work 1-3 days, then we lose access to the switch behind the Suricata and the Internet in the office.<br>
>> >> >> > ><br>
>> >> >> ><br>
>> >> >> > Is it possible some rule triggers that condition ?<br>
>> >> >> ><br>
>> >> >> > > Suricata is placed between ASA and root switch<br>
>> >> >> > > We use FreeBSD 11.2, Suricata 4.0.5 with Netmap (but also faced this situation with Ubuntu and AF_Packets in other location). The server has I350 Ethernet adapters, 16Gb RAM, i5 cpu.<br>
>> >> >> ><br>
>> >> >> > Could you share a bit more information with regards to the set up (ex config/start line etc...) and logs when that happens - stats.log/suricata.log - for the af-packet set up for example ?<br>
>> >> >> ><br>
>> >> >><br>
>> >> >> Also (sent out the previous mail too fast - apologies ) - do you have<br>
>> >> >> the same problem with Suricata 4.1 ?<br>
>> >> >><br>
>> >> >> > > We use one /16 net as HOME_NET in suricata.yaml. The Internet channel is 80Mbps<br>
>> >> >> > ><br>
>> >> >> > > Thank you in advance<br>
>> >> >><br>
>> >> >><br>
>> >> >><br>
>> >> >> --<br>
>> >> >> Regards,<br>
>> >> >> Peter Manev<br>
>> >><br>
>> >><br>
>> >><br>
>> >> --<br>
>> >> Regards,<br>
>> >> Peter Manev<br>
>><br>
>><br>
>><br>
>> --<br>
>> Regards,<br>
>> Peter Manev<br>
<br>
<br>
<br>
-- <br>
Regards,<br>
Peter Manev<br>
</blockquote></div>
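<div>The SC_ERR_RULE_KEYWORD_UNKNOWN / SC_ERR_INVALID_SIGNATURE errors quoted in the thread mean a reload silently runs with fewer signatures than the operator expects; the Python script below, added here as an example and not part of the thread or of Suricata, parses such suricata.log entries to count the unknown keywords and list the failing sids with their file and line, so the offending Snort rules can be removed or rewritten before the next USR2 reload. The log sample is constructed from the lines quoted above (unwrapped to one entry per line; sid 9000001 and the Info line are invented).</div>

```python
import re
from collections import Counter

# Constructed sample modelled on the suricata.log excerpt quoted in the thread
# (entries the mail client wrapped are one line each here; sid 9000001 is invented).
SAMPLE_LOG = """\
19/11/2018 -- 02:23:07 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
19/11/2018 -- 02:23:07 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; classtype:web-application-attack; sid:46825; rev:1;)" from file /usr/local/etc/suricata/rules/snort.rules at line 11386
19/11/2018 -- 02:23:07 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
19/11/2018 -- 02:23:07 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"constructed second failure"; http_raw_cookie; sid:9000001; rev:2;)" from file /usr/local/etc/suricata/rules/snort.rules at line 11390
19/11/2018 -- 02:23:08 - <Info> - constructed non-error line that the parser must skip
"""

# Entry layout as seen in the quoted log: "... - [ERRCODE: NAME(num)] - message"
ERR_RE = re.compile(r"\[ERRCODE: (?P<code>[A-Z_]+)\(\d+\)\] - (?P<msg>.*)$")
KEYWORD_RE = re.compile(r"unknown rule keyword '(?P<kw>[^']+)'")
SIG_RE = re.compile(r'error parsing signature "(?P<sig>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def parse_rule_load_errors(log_text):
    """Return (Counter of unknown keywords, list of failed-signature records)."""
    keywords = Counter()
    failed = []
    for raw in log_text.splitlines():
        m = ERR_RE.search(raw)
        if not m:          # not an entry carrying an ERRCODE, skip it
            continue
        code, msg = m.group("code"), m.group("msg")
        if code == "SC_ERR_RULE_KEYWORD_UNKNOWN":
            k = KEYWORD_RE.search(msg)
            if k:
                keywords[k.group("kw")] += 1
        elif code == "SC_ERR_INVALID_SIGNATURE":
            s = SIG_RE.search(msg)   # greedy .* keeps the quotes inside the rule text
            if s:
                sid = SID_RE.search(s.group("sig"))
                failed.append({"sid": int(sid.group(1)) if sid else None,
                               "file": s.group("file"), "line": int(s.group("line"))})
    return keywords, failed

def failing_sids(log_text):
    """Sorted sids whose signatures failed to load; suitable for a disable/skip list."""
    return sorted(r["sid"] for r in parse_rule_load_errors(log_text)[1] if r["sid"] is not None)

if __name__ == "__main__":
    kws, failed = parse_rule_load_errors(SAMPLE_LOG)
    print("unknown keywords:", dict(kws))
    print("failing sids:", failing_sids(SAMPLE_LOG))
```

Run it against the real suricata.log written by the reload; every sid it lists is a rule Suricata is not enforcing even though the rule file contains it.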