Connections dropping out

Proton · October 15, 2020, 3:27pm

I’m running Suricata 6.x in IPS mode with nfqueue and noticing weird latency and timeouts. Has anyone else experienced this?

I’m using these iptables rules:

iptables -A INPUT -j NFQUEUE --queue-num 0 --queue-bypass
iptables -A OUTPUT -j NFQUEUE --queue-num 0 --queue-bypass

and this config for nfq:

nfq:
  mode: accept
  batchcount: 20
  fail-open: yes

SSH connections to the server are occasionally becoming unresponsive for about 20-60 seconds, and other connections to the server are doing the same (freezing for 20-60 seconds, before finally resolving, or sometimes just timing out). I’d say it’s roughly 2% of the time, but it’s hard to judge. When I shut down suricata and remove the nfqueue rules the issue goes away.

Memory and CPU seem fine, and the traffic to the server is very low.

There are no alerts at all in the logs related to these connections, only alerts from other IP addresses and other issues (botnets looking for VOIP vulnerabilities, etc).

Any advice?

Proton · October 16, 2020, 8:45am

Ah, I may have fucked up and had two programs running on nfqueue at the same time

Looks like it’s fine.

Proton · October 16, 2020, 8:55am

In the docs it says:

…in case of certain IPS setups (like NFQ), autofp is used.

and autofp is the default. But with the batchcount option enabled I get this:

<Error> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - nfq.batchcount is only valid in workers runmode.

Is runmode: workers preferable to runmode: autofp for nfq?

Also, if I’m using nfqueue on both the INPUT and OUTPUT chains, is it preferable to use one queue for each, e.g:

iptables -A INPUT -j NFQUEUE --queue-num 1 --queue-bypass
iptables -A OUTPUT -j NFQUEUE --queue-num 2 --queue-bypass

and specify two queues in the run options:

suricata -q 1 -q 2

Andreas_Herz · October 17, 2020, 6:48pm

You might see better performance with workers run mode. I would recommend to try it.

And yes you could use two queues, even more to have some sort of load balancing.

Proton · October 18, 2020, 5:14pm

Would using multiple queues only give a performance improvement in workers runmode?

Andreas_Herz · October 22, 2020, 8:19pm

No, that could also benefit the other mode as well, but maybe with less impact.

Topic		Replies	Views
IPtables - NFQUEUE Issues Help	2	303	February 22, 2023
Suricata IPS NFQUEUE mode not dropping Packets Help	1	875	July 9, 2021
Getting error after setting Suricata as a IPS Help	2	710	February 14, 2022
Iptables + NFQUEUE Help ips , community	8	2996	June 12, 2021
Suricata iptables and nft errors when all is setting up correctly Help	3	172	December 12, 2023

Connections dropping out

Related Topics