Servers freeze after installing suricata

Hello! After installing Suricata, the servers cannot boot normally. The server is in a domain and freezes with the message "applying group policies". If you log in as a local administrator, the server boots, but everything slows down. Booting the server in safe mode with support for network drivers solves the problem. Even if you delete the program, the server still cannot boot normally. Rolling back to the last known good configuration solves the problem.

Hi,

This sounds rather unusual and likely indicates a very wrong configuration. You should definitely provide more information to get more guidance.

  • Previous Suri version
  • Current Suri version
  • HW specs
  • how do you upgrade Suricata? From the package repository or git?

Things to review and also mention them in your next post:

  • has your ruleset changed?
  • what are the differences between the new / old config files?

One thing I’ve thought of is running out of RAM. If the config has many more rules, or it has some invalid or too-strenuous memory settings in suricata.yaml, your server could run out of memory.

The Windows server does not freeze during operation; after rebooting, the server cannot boot: it gets to "applying group policies" and freezes. Suricata-7.0.0-1-64bit, npcap-1.77.

no freezing during operation

Please provide all the details that Lukas requested. Also more details about the setup, which Windows server version used and the configuration will help as well.
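The two posts above ask the reporter for a fixed set of facts (Suricata and Npcap versions, hardware specs, Windows version, ruleset and config differences, and any diagnostics from the failed boot). The script below is an added example, not something posted in this thread or shipped by the Suricata project: it collects those facts on the affected Windows host in one go so they can be pasted into the next reply. It assumes Suricata is installed under `C:\Program Files\Suricata` (the installer's default; adjust if yours differs), that a backup of the previous `suricata.yaml` was kept at a path you supply, and that Npcap registered itself under the standard Uninstall registry key.

```powershell
# Added diagnostic collection script (not from the original thread).
# Run in an elevated PowerShell prompt on the server that fails to boot.

# --- Assumptions: adjust these paths to your installation ---------------
$SuricataDir   = 'C:\Program Files\Suricata'          # default install dir
$CurrentConfig = Join-Path $SuricataDir 'suricata.yaml'
$OldConfig     = 'C:\backup\suricata.yaml.old'        # hypothetical backup copy
$RulesDir      = Join-Path $SuricataDir 'rules'
$OutFile       = Join-Path $env:TEMP 'suricata-diag.txt'

function Write-Section([string]$Title) {
    "`n===== $Title =====" | Tee-Object -FilePath $OutFile -Append
}

Remove-Item $OutFile -ErrorAction SilentlyContinue

# 1. Suricata version (suricata.exe -V prints the build version)
Write-Section 'Suricata version'
& (Join-Path $SuricataDir 'suricata.exe') -V 2>&1 | Tee-Object -FilePath $OutFile -Append

# 2. Npcap version from the Uninstall registry entries
Write-Section 'Npcap version'
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Npcap*' } |
    Select-Object DisplayName, DisplayVersion |
    Format-Table -AutoSize | Out-String | Tee-Object -FilePath $OutFile -Append

# 3. OS version, physical/virtual, CPU count and RAM
Write-Section 'Host specs'
$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem
[pscustomobject]@{
    OS           = $os.Caption
    Build        = $os.BuildNumber
    Manufacturer = $cs.Manufacturer        # "VMware, Inc." etc. reveals a VM
    Model        = $cs.Model
    LogicalCPUs  = $cs.NumberOfLogicalProcessors
    TotalRAM_GB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    FreeRAM_GB   = [math]::Round($os.FreePhysicalMemory / 1MB, 1)
    DomainJoined = $cs.PartOfDomain
} | Format-List | Out-String | Tee-Object -FilePath $OutFile -Append

# 4. Ruleset size and config differences against the backed-up copy
Write-Section 'Rules and config diff'
$ruleCount = (Get-ChildItem $RulesDir -Filter '*.rules' -ErrorAction SilentlyContinue |
              Get-Content | Where-Object { $_ -match '^\s*(alert|drop|pass|reject)\s' }).Count
"Active rule lines: $ruleCount" | Tee-Object -FilePath $OutFile -Append
if (Test-Path $OldConfig) {
    # Lines only in the new config (=>) or only in the old one (<=)
    Compare-Object (Get-Content $OldConfig) (Get-Content $CurrentConfig) |
        Format-Table -AutoSize | Out-String | Tee-Object -FilePath $OutFile -Append
} else {
    "No old config at $OldConfig to compare against" | Tee-Object -FilePath $OutFile -Append
}

# 5. Event-log evidence from the last boot: errors/warnings in System plus the
#    Group Policy operational log, which records why policy processing stalls
Write-Section 'Event log (last 24h)'
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1,2,3; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-Table -Wrap | Out-String | Tee-Object -FilePath $OutFile -Append
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap | Out-String | Tee-Object -FilePath $OutFile -Append

"Report written to $OutFile"
```

The System and Group Policy logs survive a "last known good configuration" rollback only if the affected boot is recent, so run this right after the next failed boot (from the local administrator session) rather than after rolling back. The `Manufacturer`/`Model` fields also settle the "hardware or virtual machine?" question asked later in the thread.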

distribution downloaded from Download - Suricata,
Suricata-7.0.0-1-64bit, Windows Server 2012 R2, no settings were changed in suricata.yaml, a few rules were added, but there is enough RAM. Even after removing Suricata and pcap, the server cannot boot! It starts loading after a rollback to the last known good configuration.

We’d like to help but we do need more context.

“Servers freeze” and “cannot boot normally” are a bit vague.

Are there any messages or diagnostics available that would help add context so we could better establish what’s going on?

We can help with Suricata related issues and make advisory statements but we’ll need your help so we can get a better understanding of what’s happening.

There are no logs for this period, the server was rolled back; after a reboot the "Apply Group Policy" window appears and that’s it! If you log in as a local administrator, the server boots, but it is very slow! If you remove Suricata and pcap, everything stays the same.

There were no critical errors in the logs.

Is this on hardware or a virtual machine?
You said it’s included in a domain, maybe there is an issue on that end.

But regardless of that, Windows Server 2012 R2 is also end of life. I would test with a more modern and supported version.

The server is not virtual.

What are the operating system requirements?

This depends on what you want to achieve, we don’t know your setup and how you want to integrate Suricata there.
But in general most people use Linux as OS for Suricata and some FreeBSD or Windows.

I mean the minimum supported version of windows?

We use Suricata as an intrusion detection tool.

We have old versions of Windows, so we need to understand where to install Suricata.

We don’t have a specific list for Windows, since it’s still a corner case usage. See 6. Support Status — Suricata 7.0.3-dev documentation for the current support state.

The “where” to install depends on your exact requirements and scenario. Just saying “as an intrusion detection tool” is not enough, we need more details to guide you.