A few weeks ago I happened to notice that Suricata will fail to detect some of the loaded rules after a period of time, rules such as “ET WEB_SERVER Possible CVE-2014-6271 Attempt in Header” or “ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Cookie”, or any of the log4j ET Pro rules. Detection will fail, and the only way to get Suricata to begin detecting them again is to restart it.
More concisely, Suricata works perfectly from startup until time X, which is always random, when it will begin to fail to detect the aforementioned example rules, as well as others I am sure.
I set up a remote server to send Shellshock requests to a host on our network and a job on the Suricata server that runs every 5 minutes to determine when those requests have not been detected. It happens randomly yet quite often. Example times where Suricata was restarted due to this problem:
What version of Suricata?
How is it being supervised (systemd, …)?
Do you have logs and/or core dumps?
More context would help determine what the next step would be.
What logs are you looking for? The only entries in the messages log are related to my process which kills Suricata and restarts it upon determining the problem exists. I should note that Suricata continues to alert on simple rules like ET Known Hostile IP which don’t require parsing into the packets.

Sorry I don’t have any debug as I can’t run Suricata in debug mode; it overwhelms the system when running in debug seeing as it’s continually monitoring 5Gbps++.

No packet loss is reported by Suricata, everything seems copacetic as far as Suricata is concerned, yet the issue happens.

That said, last night I noticed that the inlet temp on the Suricata system was elevated and the capture card in the box quite hot, so I increased the fan speeds in the box to 100%, which cooled everything down a bit and the issue went away. So now I am looking at the issue perhaps stemming from the capture card running too warm at times and am looking to move the system to a row of racks with better cooling.

I don’t know for sure this is the problem, but it certainly cannot be ruled out, so for now I think Suricata can consider the issue resolved unless after the move it happens again.
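The detection side of the 5-minute canary job described in the original post and the follow-up (check eve.json for the expected alert, and tell "no alerts at all" apart from "other rules fire but the canary does not") can be expressed as below. This is an added example, not the poster's script or Suricata's own code; the eve.json excerpt is constructed, the canary signature is the rule named in the thread, and the timestamp format assumed is Suricata's default `eve.json` format.

```python
import json
from datetime import datetime, timedelta

EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"   # Suricata eve.json timestamp format

# Canary rule whose alert the periodic check expects to see (named in the thread).
CANARY_SIGNATURE = "ET WEB_SERVER Possible CVE-2014-6271 Attempt in Header"

# Constructed eve.json excerpt (not a real capture): the canary alerts twice,
# then only an IP-reputation style alert keeps firing, mirroring the thread's symptom.
SAMPLE_EVE = """
{"timestamp":"2021-12-15T10:00:07.412000+0000","event_type":"alert","alert":{"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Header"}}
{"timestamp":"2021-12-15T10:05:03.918000+0000","event_type":"alert","alert":{"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Header"}}
{"timestamp":"2021-12-15T10:09:41.007000+0000","event_type":"alert","alert":{"signature":"ET Known Hostile IP"}}
{"timestamp":"2021-12-15T10:12:00.550000+0000","event_type":"flow","flow":{"pkts_toserver":12}}
{"timestamp":"2021-12-15T10:14:30.101000+0000","event_type":"alert","alert":{"signature":"ET Known Hostile IP"}}
"""

def alert_times(eve_lines, signature=None):
    """Sorted timestamps of alert events, optionally restricted to one signature."""
    found = []
    for line in eve_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        if signature is not None and ev.get("alert", {}).get("signature") != signature:
            continue
        found.append(datetime.strptime(ev["timestamp"], EVE_TS))
    return sorted(found)

def diagnose(eve_lines, signature, now_ts, max_gap_minutes=5):
    """Classify canary health as of now_ts (an eve-format timestamp string).

    'ok'             the canary alerted within the window
    'no-alerts'      nothing alerted in the window: engine or traffic feed problem
    'canary-missing' other rules alert but the canary does not: content
                     inspection for this rule has stopped (the thread's symptom)
    """
    now = datetime.strptime(now_ts, EVE_TS)
    window_start = now - timedelta(minutes=max_gap_minutes)
    if any(t >= window_start for t in alert_times(eve_lines, signature)):
        return "ok"
    if any(t >= window_start for t in alert_times(eve_lines)):
        return "canary-missing"
    return "no-alerts"

if __name__ == "__main__":
    print(diagnose(SAMPLE_EVE.splitlines(), CANARY_SIGNATURE,
                   "2021-12-15T10:15:00.000000+0000"))
```

On the constructed sample the check reports `canary-missing`: the IP-reputation alert is still arriving while the content-inspection rule has gone quiet, which is exactly the state the poster restarted Suricata on.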