pfSense » pfSense Packages

The Subject is "Suricata 7.0.2 service stop problem" not "Suricata 7.0.12" of course

Continuing to try and gather data about this issue. I have not been able to reproduce it in my local testing machines, but there are several users reporting the issue on the Netgate Forum. The problem appears related to the Intel HyperScan library. The error users are seeing is " hyperscan returned fatal error -1 ", which means a test within HyperScan of the values passed to the hs_scan() function revealed what HyperScan thinks is an invalid passed value. Additionally, this is often accompanied by a Signal 11 segfault within Suricata.

Robert Karsai wrote in #note-4:

Hello Bill, Thanks for looking into this issue. I've managed to reproduce the problem on a Netgate 4100 cluster master unit just now. I used to think until now that this is a Suricata problem, but according to the logs a lot more is happening. For some peculiar reason the interface Suricata is running on is going down right after the "/usr/local/etc/rc.d/suricata.sh stop" command, that triggers CARP events, then about 40 secs later a "WAN reconection" event occurs which automatically starts up Suricata once again. During all those events I did nothing, no cable unplugging, no manual Suricata restart, nothing, just issued a Suricata stop command. Is this something you can start your investigation with? Please see attached sreenshot. BR - Robert

I'm sorry. Reading this thread again I see I confused it with the Hyperscan issue. This one is not related to that, so disregard my earlier comments about Hyperscan.

As for your issue, something is triggering the Suricata shell script STOP command.I can tell this is coming from the shell script because of the "SuricataStartup" tag. Commands issued from the GUI via the icons on the INTERFACES tab will simply say "Suricata START".

Do you by chance have Suricata configured with Service Watchdog? If so, do NOT use Service Watchdog with Suricata. That will not work.

This discussion may be better suited as a post in the IDS/IPS sub-forum on the Netgate Forums here: https://forum.netgate.com/category/53/ids-ips. This sounds more like a configuration issue instead of a bug. A bug generally impacts many users. So far, you are the only user reporting this problem.

Service_Watchdog is not (and was never) installed on affected systems. What I don't understand how can a "suricata.sh stop" command trigger (sometimes) an interface down event.