[Oisf-users] Suricata Hangs

Michael Tsukanov zukinzin at gmail.com
Fri Dec 7 09:35:22 UTC 2018


case 1 (with FreeBSD and netmap, 16Gb, i5-4590, Intel I350)
Build-info: https://pastebin.com/KByS9qCq
Stats.log - https://pastebin.com/sKmLwVJP
suricata.yaml - https://pastebin.com/EEGHz4M4

case 2 (with Ubuntu and af-packet, 8Gb, Xeon E3-1220, Broadcom Limited NetXtreme BCM5720 Gigabit Ethernet)
build-info: https://pastebin.com/GEqWqfZJ
stats.log: https://pastebin.com/xpKMwnbb
suricata.yaml: https://pastebin.com/gQzkU10b

Fri, 7 Dec 2018 at 11:00, Peter Manev <petermanev at gmail.com>:

> On Wed, Dec 5, 2018 at 10:58 AM Michael Tsukanov <zukinzin at gmail.com>
> wrote:
> >
> > Yes, it's only inline related.
> > I use kill -USR2 `cat /var/run/suricata.pid` for reloading.
> >
> > I removed the whole Snort ruleset which caused these errors in the log during reload, but it didn't help.
> >
>
> So it seems you can reproduce it consistently.
> Can you share the output of "suricata --build-info"? Also, when it
> happens, it would be great if you could share stats.log or similar.
>
> Thank you
>
> > Fri, 30 Nov 2018 at 10:04, Peter Manev <petermanev at gmail.com>:
> >>
> >> On Tue, Nov 20, 2018 at 1:19 PM Michael Tsukanov <zukinzin at gmail.com>
> wrote:
> >> >
> >> > I didn't think so, it will be a huge file since we have around 200 people in the location and we can't predict when it fails. Moreover, with passive mode we haven't had any issues with Suricata.
> >> >
> >>
> >> Ok - so this is only inline related.
> >> How do you do your rule reloads? (do you use unix socket/hup or cold
> >> restart of Suricata?)
> >>
> >> Thank you
> >>
> >> > Tue, 20 Nov 2018 at 14:24, Peter Manev <petermanev at gmail.com>:
> >> >>
> >> >> On Tue, Nov 20, 2018 at 11:51 AM Michael Tsukanov <
> zukinzin at gmail.com> wrote:
> >> >> >
> >> >> > Yes, these errors are related to the rules from the Snort ruleset (which is "not optimized" for Suricata).
> >> >> > But we also have locations where Suricata works fine with these rules...
> >> >>
> >> >> In that case it seems it is related to some traffic condition - is it possible to narrow it down to a pcap?
> >> >>
> >> >> > I'll try to use ET only, but I would like to have some "hooks" if it fails again...
> >> >> >
> >> >> > Tue, 20 Nov 2018 at 12:29, Peter Manev <petermanev at gmail.com>:
> >> >> >>
> >> >> >> On Mon, Nov 19, 2018 at 7:08 PM Michael Tsukanov <
> zukinzin at gmail.com> wrote:
> >> >> >> >
> >> >> >> > Hi Peter,
> >> >> >> > Yes, we also had the same with 4.1.0 and rolled back to 4.0.5.
> >> >> >> >
> >> >> >> > Stats.log - https://pastebin.com/sKmLwVJP
> >> >> >> > Suricata.log - https://pastebin.com/q9Z3z0Zg
> >> >> >> > suricata.yaml - https://pastebin.com/EEGHz4M4
> >> >> >> > start line: /usr/local/bin/suricata -D --netmap --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml
> >> >> >> >
> >> >> >> > No unusual rules are triggered at that moment.
> >> >> >> > We use 114 alert and 6357 drop rules from the Snort ruleset and 7314 alert and 3626 drop rules from the ET ruleset + 1929 IP addresses from reputation lists.
> >> >> >> >
> >> >> >>
> >> >> >> It seems there are a lot of errors during loading similar to -
> >> >> >>
> >> >> >> 19/11/2018 -- 02:23:07 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
> >> >> >> 19/11/2018 -- 02:23:07 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:1;)" from file /usr/local/etc/suricata/rules/snort.rules at line 11386
> >> >> >>
> >> >> >> It may somehow be related to some rules, but you say in
> >> >> >> af-packet you may have a problem once every two months or so.
> >> >> >> Is it possible to narrow it down a bit - for example, load ET-only rules and see if there is any difference?
> >> >> >>
> >> >> >> Thank you
> >> >> >>
> >> >> >> > Sorry, I can't provide the details for AF_PACKET right now - it may work for 1-2 months without any issues or restarts.
> >> >> >> >
> >> >> >> >
> >> >> >> >
> >> >> >> > Mon, 19 Nov 2018 at 20:36, Peter Manev <petermanev at gmail.com>:
> >> >> >> >>
> >> >> >> >> On Mon, Nov 19, 2018 at 6:35 PM Peter Manev <
> petermanev at gmail.com> wrote:
> >> >> >> >> >
> >> >> >> >> >
> >> >> >> >> > On Mon, Nov 19, 2018 at 6:25 PM Michael Tsukanov <
> zukinzin at gmail.com> wrote:
> >> >> >> >> > >
> >> >> >> >> > > Friends,
> >> >> >> >> > > we've faced an issue with Suricata running in inline mode.
> >> >> >> >> > >
> >> >> >> >> > > Could you please help us find the root cause of the issue or determine any useful metrics which we may use for the investigation.
> >> >> >> >> > >
> >> >> >> >> > > It may work for 1-3 days, then we lose access to the switch behind Suricata and to the Internet in the office.
> >> >> >> >> > >
> >> >> >> >> >
> >> >> >> >> > Is it possible some rule triggers that condition ?
> >> >> >> >> >
> >> >> >> >> > > Suricata is placed between the ASA and the root switch.
> >> >> >> >> > > We use FreeBSD 11.2, Suricata 4.0.5 with Netmap (but also faced this situation with Ubuntu and AF_PACKET in another location). The server has I350 Ethernet adapters, 16Gb RAM, i5 CPU.
> >> >> >> >> >
> >> >> >> >> > Could you share a bit more information with regards to the setup (e.g. config/start line etc.) and logs when that happens - stats.log/suricata.log - for the af-packet setup, for example?
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> Also (sent out the previous mail too fast - apologies) - do you have the same problem with Suricata 4.1?
> >> >> >> >>
> >> >> >> >> > > We use one /16 net as HOME_NET in suricata.yaml. The Internet channel is 80Mbps.
> >> >> >> >> > >
> >> >> >> >> > > Thank you in advance
>
>
>
> --
> Regards,
> Peter Manev
>
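Peter's suggestion of narrowing the problem down to the rules that fail to load is easier with a quick summary of suricata.log. The script below is an added example, not code from the thread or from the Suricata project: it parses the SC_ERR_RULE_KEYWORD_UNKNOWN / SC_ERR_INVALID_SIGNATURE pairs in the format quoted above, counts which unknown keyword rejected how many rules, and lists the affected sids and file lines. The log lines are constructed (the sid 46825 line reproduces the one in the thread; sid 9000001 is a made-up rule).

```python
import re
from collections import Counter

# Constructed sample of suricata.log lines in the format quoted in the thread.
# The 46825 entry is the rule from the thread; 9000001 is a made-up second hit.
SAMPLE_LOG = [
    "19/11/2018 -- 02:23:07 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.",
    '19/11/2018 -- 02:23:07 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; classtype:web-application-attack; sid:46825; rev:1;)" from file /usr/local/etc/suricata/rules/snort.rules at line 11386',
    "19/11/2018 -- 02:23:08 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.",
    '19/11/2018 -- 02:23:08 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"constructed example"; http_raw_cookie; sid:9000001; rev:1;)" from file /usr/local/etc/suricata/rules/snort.rules at line 11400',
    "19/11/2018 -- 02:23:09 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.",
]

# Suricata logs the unknown-keyword error first, then the signature it belonged to.
KEYWORD_RE = re.compile(r"SC_ERR_RULE_KEYWORD_UNKNOWN\(\d+\)\] - unknown rule keyword '([^']+)'")
SIG_RE = re.compile(r'SC_ERR_INVALID_SIGNATURE\(\d+\)\] - error parsing signature "(.*)" from file (\S+) at line (\d+)')
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def parse_rule_load_errors(lines):
    """Return (keyword_counts, failed_rules): how often each unknown keyword
    rejected a rule, and sid/keyword/file/line for every rejected signature."""
    pending_keyword = None          # keyword error waiting for its signature line
    keyword_counts = Counter()
    failed = []
    for line in lines:
        m = KEYWORD_RE.search(line)
        if m:
            pending_keyword = m.group(1)
            keyword_counts[pending_keyword] += 1
            continue
        m = SIG_RE.search(line)
        if m:
            sig, path, lineno = m.groups()   # greedy (.*) keeps the inner quotes of the rule
            sid_m = SID_RE.search(sig)
            failed.append({"sid": int(sid_m.group(1)) if sid_m else None,
                           "keyword": pending_keyword,
                           "file": path, "line": int(lineno)})
            pending_keyword = None
    return keyword_counts, failed

def rejected_sids(failed):
    """Sorted sids of rules Suricata refused to load (candidates to disable or rewrite)."""
    return sorted(r["sid"] for r in failed if r["sid"] is not None)

if __name__ == "__main__":
    counts, failed = parse_rule_load_errors(SAMPLE_LOG)
    for kw, n in counts.most_common():
        print(f"{kw}: {n} rules rejected")
    print("rejected sids:", rejected_sids(failed))
```

Feed it the real suricata.log (one line per list element) to get the same summary for a production ruleset.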