Bug #15018
open
Suricata 7.0.2 service stop problem
0%
Description
Hello,
I can't reliably stop Suricata service using Services / Suricata / Interfaces / <interface> / stop icon. I've got about 50-60% chance that the service will restart itself somehow in a minute instead of stopping. I've got the same results in CLI using "/usr/local/etc/rc.d/suricata.sh stop". Also: the restart icon sometimes starts a second instance of Suricata (even when there is only one interface in the Suricata interface list), but I guess there might be the same issue behind this.
It's not a new behaviour, I've experienced those things on Suricata 6 in the previous pfSense release and now also in pfSense+ 23.0.9 and pfSense CE 2.7.1 with Suricata 7.0.2. It may be hardware (CPU) related, I think it happens more frequently on lower end devices (like on Netgate 4100), seen this several times on Protecli VP2420s, but never seen on Netgate 8200 or on Netgate 1537.
BR
--
Robert
Files
| Screenshot from 2023-11-26 22-31-37.png (291 KB) Screenshot from 2023-11-26 22-31-37.png | Events when Suricata restart occurs |
Updated by Robert Karsai 5 months ago
The Subject is "Suricata 7.0.2 service stop problem" not "Suricata 7.0.12" of course
Updated by Kris Phillips 5 months ago
- Subject changed from Suricata 7.0.12 service stop problem to Suricata 7.0.2 service stop problem
Editing redmine to correct title.
Updated by Bill Meeks 5 months ago
Continuing to try and gather data about this issue. I have not been able to reproduce it in my local testing machines, but there are several users reporting the issue on the Netgate Forum. The problem appears related to the Intel HyperScan library. The error users are seeing is " hyperscan returned fatal error -1 ", which means a test within HyperScan of the values passed to the hs_scan() function revealed what HyperScan thinks is an invalid passed value. Additionally, this is often accompanied by a Signal 11 segfault within Suricata.
Updated by Robert Karsai 5 months ago
Hello Bill, Thanks for looking into this issue. I've managed to reproduce the problem on a Netgate 4100 cluster master unit just now. I used to think until now that this is a Suricata problem, but according to the logs a lot more is happening. For some peculiar reason the interface Suricata is running on is going down right after the "/usr/local/etc/rc.d/suricata.sh stop" command, that triggers CARP events, then about 40 secs later a "WAN reconection" event occurs which automatically starts up Suricata once again. During all those events I did nothing, no cable unplugging, no manual Suricata restart, nothing, just issued a Suricata stop command. Is this something you can start your investigation with? Please see attached sreenshot. BR - Robert
Updated by Bill Meeks 5 months ago
Robert Karsai wrote in #note-4:
Hello Bill, Thanks for looking into this issue. I've managed to reproduce the problem on a Netgate 4100 cluster master unit just now. I used to think until now that this is a Suricata problem, but according to the logs a lot more is happening. For some peculiar reason the interface Suricata is running on is going down right after the "/usr/local/etc/rc.d/suricata.sh stop" command, that triggers CARP events, then about 40 secs later a "WAN reconection" event occurs which automatically starts up Suricata once again. During all those events I did nothing, no cable unplugging, no manual Suricata restart, nothing, just issued a Suricata stop command. Is this something you can start your investigation with? Please see attached sreenshot. BR - Robert
I'm sorry. Reading this thread again I see I confused it with the Hyperscan issue. This one is not related to that, so disregard my earlier comments about Hyperscan.
As for your issue, something is triggering the Suricata shell script STOP command.I can tell this is coming from the shell script because of the "SuricataStartup" tag. Commands issued from the GUI via the icons on the INTERFACES tab will simply say "Suricata START".
Do you by chance have Suricata configured with Service Watchdog? If so, do NOT use Service Watchdog with Suricata. That will not work.
This discussion may be better suited as a post in the IDS/IPS sub-forum on the Netgate Forums here: https://forum.netgate.com/category/53/ids-ips. This sounds more like a configuration issue instead of a bug. A bug generally impacts many users. So far, you are the only user reporting this problem.
Updated by Robert Karsai 5 months ago
Service_Watchdog is not (and was never) installed on affected systems. What I don't understand how can a "suricata.sh stop" command trigger (sometimes) an interface down event.