"sudo service suricata stop" freezes system

Hi,

I’m running suricata IPS mode on debian.
When I’m entering a “sudo service suricata stop” the whole system freezes.
If this has something to do with iptables, I have no idea.

Well, actually I’m not sure if the system freezes, but I can’t reach the server anymore after this.
ping doesn’t work, ssh doesn’t work.
After power off/on the system comes up and works again.

I’m running suricata with the following command in the background:
/usr/bin/suricata -c /etc/suricata/suricata.yaml -q 0 -D

I configured iptables according to the manual:
sudo iptables -I FORWARD -j NFQUEUE
sudo iptables -I INPUT -j NFQUEUE
sudo iptables -I OUTPUT -j NFQUEUE
sudo iptables -I INPUT -p tcp -j NFQUEUE
sudo iptables -I OUTPUT -p tcp -j NFQUEUE
sudo iptables -I INPUT -p tcp --sport 80 -j NFQUEUE
sudo iptables -I OUTPUT -p tcp --dport 80 -j NFQUEUE
sudo iptables -I INPUT -p tcp --sport 443 -j NFQUEUE
sudo iptables -I OUTPUT -p tcp --dport 443 -j NFQUEUE

I want to temporarily stop suricata to test some incoming traffic without suricata running.
So I was looking for a way to temporarily stop suricata. But unfortunately the system “freezes”.

Does anyone have any idea why the system freezes and how to solve this?
I already tried “sudo ufw disable” to set it inactive, but that didn’t solve it.

Or another way to temporarily disable suricata?

Thanks ahead.

It seems Suricata is also inspecting ssh traffic, so when you stop the service, iptables still sends traffic to it but without a response, resulting in dropped packets. A simple solution for your case is to flush the iptables rules (iptables -F) before stopping suricata.

just from/to the box:

iptables -F INPUT
iptables -F OUTPUT

Thanks, that worked.

To prevent this in the future, add to your startup script:
iptables -I INPUT -j NFQUEUE --queue-bypass
iptables -I OUTPUT -j NFQUEUE --queue-bypass

You already have “-q 0” on the suricata command line.

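As an added example (not posted by anyone in this thread), the following script audits `iptables -S` output for NFQUEUE rules that lack `--queue-bypass`, which are the rules that drop traffic once Suricata stops, and prints an `iptables -R` command that rewrites each one in place. The function names and the sample ruleset are constructed for illustration, and it assumes IPv4 rules in the default filter table.

```shell
#!/bin/sh
# Added example: audit `iptables -S` output for fail-closed NFQUEUE rules.

# Print every rule that jumps to NFQUEUE without --queue-bypass. These are
# the rules that drop traffic when nothing is listening on the queue.
nfq_fail_closed() {
    awk '$1 == "-A" && / -j NFQUEUE/ && !/--queue-bypass/'
}

# Print one `iptables -R` command per fail-closed rule. -R replaces the rule
# at its current position, so rule ordering in the chain is preserved.
nfq_bypass_cmds() {
    awk '
        $1 == "-A" {
            n[$2]++                          # rule number within its chain
            if (/ -j NFQUEUE/ && !/--queue-bypass/) {
                spec = $0
                sub(/^-A [^ ]+ /, "", spec)  # strip the leading "-A CHAIN "
                printf "iptables -R %s %d %s --queue-bypass\n", $2, n[$2], spec
            }
        }'
}

# Constructed sample of `iptables -S` output (not taken from the thread).
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j NFQUEUE --queue-num 0
-A INPUT -j NFQUEUE --queue-num 0 --queue-bypass
-A OUTPUT -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 0
EOF
}

# Demo on the sample; on a live host (as root): iptables -S | nfq_bypass_cmds
if [ "${1:-}" = "--demo" ]; then
    sample_rules | nfq_bypass_cmds
fi
```

With `--queue-bypass` set, packets are accepted rather than dropped while no program is bound to the queue, so they pass uninspected until Suricata is running again. Review the printed commands before running them, since rules carrying quoted comments will need manual quoting.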