Connections dropping out

Proton · October 15, 2020, 3:27pm

I’m running Suricata 6.x in IPS mode with nfqueue and noticing weird latency and timeouts. Has anyone else experienced this?

I’m using these iptables rules:

iptables -A INPUT -j NFQUEUE --queue-num 0 --queue-bypass
iptables -A OUTPUT -j NFQUEUE --queue-num 0 --queue-bypass

and this config for nfq:

nfq:
  mode: accept
  batchcount: 20
  fail-open: yes

SSH connections to the server are occasionally becoming unresponsive for about 20-60 seconds, and other connections to the server are doing the same (freezing for 20-60 seconds, before finally resolving, or sometimes just timing out). I’d say it’s roughly 2% of the time, but it’s hard to judge. When I shut down suricata and remove the nfqueue rules the issue goes away.

Memory and CPU seem fine, and the traffic to the server is very low.

There are no alerts at all in the logs related to these connections, only alerts from other IP addresses and other issues (botnets looking for VOIP vulnerabilities, etc).

Any advice?

Proton · October 16, 2020, 8:45am

Ah, I may have fucked up and had two programs running on nfqueue at the same time

Looks like it’s fine.

Proton · October 16, 2020, 8:55am

In the docs it says:

…in case of certain IPS setups (like NFQ), autofp is used.

and autofp is the default. But with the batchcount option enabled I get this:

<Error> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - nfq.batchcount is only valid in workers runmode.

Is runmode: workers preferable to runmode: autofp for nfq?

Also, if I’m using nfqueue on both the INPUT and OUTPUT chains, is it preferable to use one queue for each, e.g:

iptables -A INPUT -j NFQUEUE --queue-num 1 --queue-bypass
iptables -A OUTPUT -j NFQUEUE --queue-num 2 --queue-bypass

and specify two queues in the run options:

suricata -q 1 -q 2

Andreas_Herz · October 17, 2020, 6:48pm

You might see better performance with workers run mode. I would recommend to try it.

And yes you could use two queues, even more to have some sort of load balancing.

Proton · October 18, 2020, 5:14pm

Would using multiple queues only give a performance improvement in workers runmode?

Andreas_Herz · October 22, 2020, 8:19pm

No, that could also benefit the other mode as well, but maybe with less impact.

Topic		Replies	Views
IPtables - NFQUEUE Issues Help	2	423	February 22, 2023
Stream.fin_but_no_session anomaly Help	4	512	August 31, 2022
Suricata 7 IPS NFQueue drops established TCP after flow-timeouts.tcp.established=600 Help ips , suricata	1	192	April 21, 2024
Suricata IPS NFQUEUE mode not dropping Packets Help	1	1047	July 9, 2021
Getting error after setting Suricata as a IPS Help	2	785	February 14, 2022

Connections dropping out

Related topics