Bug #9934

suricata update kills WAN interface

Added by Srijan Nandi 9 days ago. Updated 8 days ago.

Status: New
Priority: Normal
Assignee: -
Category: Suricata
Target version: -
Start date: 11/28/2019
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.4.4-p3
Affected Architecture:

Description

Hello Everyone,

I am running pfSense 2.4.4-RELEASE-p3 (amd64) with suricata VERSION 4.1.5_2. I had set suricata to update rules every 12 hours at the default time of 00:30. Each time suricata updates its rule set, it sets the interface down and then it comes up after 15-20 seconds. As I am running suricata on the WAN interface, the internet goes down until the WAN comes back up again.

It happens twice a day as the update interval is 12 hrs.

As a workaround, I have changed the update interval to 1 Day and set the time to 05:30, when traffic is very low.

Logs:

Nov 26 00:30:10 pfSense php-cgi: [Suricata] ERROR: Rules download error: Operation timed out after 10003 milliseconds with 0 out of 0 bytes received
Nov 26 00:30:10 pfSense php-cgi: [Suricata] Will retry the download in 15 seconds...
Nov 26 00:30:27 pfSense php-cgi: File 'emerging.rules.tar.gz.md5' download attempts: 2 ...
Nov 26 00:30:27 pfSense php-cgi: [Suricata] Emerging Threats Open rules are up to date...
Nov 26 00:30:27 pfSense php-cgi: [Suricata] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
Nov 26 00:30:35 pfSense php-cgi: [Suricata] Snort GPLv2 Community Rules file update downloaded successfully.
Nov 26 00:30:36 pfSense php-cgi: [Suricata] Updating rules configuration for: BLAZENET_ISP_1 ...
Nov 26 00:30:37 pfSense php-cgi: [Suricata] Building new sid-msg.map file for BLAZENET_ISP_1...
Nov 26 00:30:37 pfSense SuricataStartup69633: Suricata STOP for BLAZENET_ISP_1_WAN(27120_em0)...
Nov 26 00:30:38 pfSense kernel: em0: link state changed to DOWN
Nov 26 00:30:38 pfSense check_reload_status: Linkup starting em0
Nov 26 00:30:39 pfSense php-fpm: /rc.linkup: Hotplug event detected for BLAZENET_ISP_1(wan) static IP (X.X.X.X )
Nov 26 00:30:39 pfSense check_reload_status: Reloading filter
Nov 26 00:30:39 pfSense php-cgi: [Suricata] Suricata has restarted with your new set of rules...
Nov 26 00:30:39 pfSense php-cgi: [Suricata] The Rules update has finished.
Nov 26 00:30:39 pfSense SuricataStartup76330: Suricata START for BLAZENET_ISP_1_WAN(27120_em0)...

Nov 26 00:30:54 pfSense check_reload_status: Linkup starting em0
Nov 26 00:30:54 pfSense kernel: em0: link state changed to UP
Nov 26 00:30:55 pfSense php-fpm: /rc.linkup: Hotplug event detected for BLAZENET_ISP_1(wan) static IP (X.X.X.X )
Nov 26 00:30:55 pfSense check_reload_status: rc.newwanip starting em0
Nov 26 00:30:55 pfSense check_reload_status: Reloading filter
Nov 26 00:30:56 pfSense php-fpm: /rc.newwanip: rc.newwanip: Info: starting on em0.
Nov 26 00:30:56 pfSense php-fpm: /rc.newwanip: rc.newwanip: on (IP address: X.X.X.X) (interface: BLAZENET_ISP_1[wan]) (real interface: em0).
Nov 26 00:30:56 pfSense check_reload_status: Reloading filter

Nov 26 06:00:00 pfSense php-cgi: [Suricata] Checking for updated MaxMind GeoLite2 IP database file...
Nov 26 06:00:01 pfSense php-cgi: [Suricata] GeoLite2-Country IP database is up-to-date.
Nov 26 06:00:01 pfSense php-cgi: [Suricata] GeoLite2-Country database update check finished.
Nov 26 12:30:07 pfSense php-cgi: [Suricata] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
Nov 26 12:30:19 pfSense php-cgi: [Suricata] Emerging Threats Open rules file update downloaded successfully.
Nov 26 12:30:20 pfSense php-cgi: [Suricata] Snort GPLv2 Community Rules are up to date...
Nov 26 12:30:22 pfSense php-cgi: [Suricata] Updating rules configuration for: BLAZENET_ISP_1 ...
Nov 26 12:30:23 pfSense php-cgi: [Suricata] Building new sid-msg.map file for BLAZENET_ISP_1...
Nov 26 12:30:23 pfSense SuricataStartup32425: Suricata STOP for BLAZENET_ISP_1_WAN(27120_em0)...
Nov 26 12:30:25 pfSense kernel: em0: link state changed to DOWN
Nov 26 12:30:25 pfSense check_reload_status: Linkup starting em0
Nov 26 12:30:26 pfSense php-fpm: /rc.linkup: Hotplug event detected for BLAZENET_ISP_1(wan) static IP (X.X.X.X )
Nov 26 12:30:26 pfSense check_reload_status: Reloading filter
Nov 26 12:30:26 pfSense php-cgi: [Suricata] Suricata has restarted with your new set of rules...
Nov 26 12:30:26 pfSense php-cgi: [Suricata] The Rules update has finished.
Nov 26 12:30:26 pfSense SuricataStartup36834: Suricata START for BLAZENET_ISP_1_WAN(27120_em0)...
Nov 26 12:30:26 pfSense check_reload_status: Syncing firewall

Nov 26 12:30:44 pfSense check_reload_status: Linkup starting em0
Nov 26 12:30:44 pfSense kernel: em0: link state changed to UP
Nov 26 12:30:45 pfSense php-fpm: /rc.linkup: Hotplug event detected for BLAZENET_ISP_1(wan) static IP (X.X.X.X )
Nov 26 12:30:45 pfSense check_reload_status: rc.newwanip starting em0
Nov 26 12:30:45 pfSense check_reload_status: Reloading filter
Nov 26 12:30:46 pfSense php-fpm: /rc.newwanip: rc.newwanip: Info: starting on em0.
Nov 26 12:30:46 pfSense php-fpm: /rc.newwanip: rc.newwanip: on (IP address: X.X.X.X) (interface: BLAZENET_ISP_1[wan]) (real interface: em0).
Nov 26 12:30:46 pfSense check_reload_status: Reloading filter
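To quantify the impact the report describes, here is an added example (not part of the bug report or of the Suricata package) that correlates each "Suricata STOP" line with the following "link state changed to DOWN/UP" pair on the same interface and reports the outage length. The log excerpt is copied from the report above; the year 2019 and the 30-second correlation window are assumptions.

```python
import re
from datetime import datetime

# Log excerpt copied from the bug report above (IP already redacted there).
SAMPLE_LOG = """\
Nov 26 00:30:37 pfSense SuricataStartup69633: Suricata STOP for BLAZENET_ISP_1_WAN(27120_em0)...
Nov 26 00:30:38 pfSense kernel: em0: link state changed to DOWN
Nov 26 00:30:39 pfSense SuricataStartup76330: Suricata START for BLAZENET_ISP_1_WAN(27120_em0)...
Nov 26 00:30:54 pfSense kernel: em0: link state changed to UP
Nov 26 12:30:23 pfSense SuricataStartup32425: Suricata STOP for BLAZENET_ISP_1_WAN(27120_em0)...
Nov 26 12:30:25 pfSense kernel: em0: link state changed to DOWN
Nov 26 12:30:26 pfSense SuricataStartup36834: Suricata START for BLAZENET_ISP_1_WAN(27120_em0)...
Nov 26 12:30:44 pfSense kernel: em0: link state changed to UP
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")
# The pfSense Suricata package logs "STOP for <name>(<uuid>_<iface>)".
STOP_RE = re.compile(r"Suricata STOP for \S+\((\d+)_(\w+)\)")
LINK_RE = re.compile(r"kernel: (\w+): link state changed to (UP|DOWN)")

def parse_ts(stamp, year=2019):
    # Syslog stamps carry no year; 2019 is assumed from the report date.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def link_outages(log_text, max_gap_s=30):
    """Return one record per Suricata STOP that is followed, within max_gap_s
    seconds, by a link DOWN on the same interface; outage_s is DOWN-to-UP time."""
    pending = {}   # iface -> timestamp of the Suricata STOP
    down_at = {}   # iface -> timestamp of the DOWN attributed to that STOP
    outages = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if s := STOP_RE.search(msg):
            pending[s.group(2)] = ts
        elif l := LINK_RE.search(msg):
            iface, state = l.groups()
            # A DOWN with no recent STOP is an unrelated flap and is ignored.
            if state == "DOWN" and iface in pending and (ts - pending[iface]).total_seconds() <= max_gap_s:
                down_at[iface] = ts
            elif state == "UP" and iface in down_at:
                outages.append({"iface": iface,
                                "stop": pending.pop(iface).strftime("%H:%M:%S"),
                                "outage_s": (ts - down_at.pop(iface)).total_seconds()})
    return outages
```

Run against the excerpt it yields two outages of 16 s and 19 s, matching the 15-20 seconds the reporter observed; at a 12-hour update interval that is two such windows per day.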

History

#1 Updated by Srijan Nandi 9 days ago

Suricata is running in INLINE IPS mode. Every time suricata is stopped or started, it does a link up/down. Is this normal behaviour with INLINE IPS mode? Can it be modified to not restart interfaces while suricata restarts?

#2 Updated by Jim Pingle 8 days ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from Package System to Suricata
