Suricata stops processing after short time

Hi,

Despite using Suricata for a few years I am new here and this is my first post.

After successfully running Suricata on Debian (most recently 10.6) I have decided to use the upgrade to version 6 as an opportunity to move my installation to FreeBSD (12.2-RELEASE). The installation went fine and I had everything running OK in no time. Unfortunately I have noticed that Suricata runs only for very short periods of time. The shortest was about 5 seconds, the longest just under a minute.

I had a look at the logs, but can’t see anything obvious.

Here is info from the suricata.log:

26/11/2020 -- 17:26:17 - - Signal Received. Stopping engine.
26/11/2020 -- 17:27:18 - - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "RX#01-sfxge0". Killing engine
26/11/2020 -- 17:27:18 - - This is Suricata version 6.0.0 RELEASE running in SYSTEM mode
26/11/2020 -- 17:27:18 - - CPUs/cores online: 24
26/11/2020 -- 17:27:18 - - Found an MTU of 1500 for 'sfxge0'
26/11/2020 -- 17:27:18 - - Found an MTU of 1500 for 'sfxge0'
26/11/2020 -- 17:27:18 - - fast output device (regular) initialized: fast.log
26/11/2020 -- 17:27:18 - - eve-log output device (regular) initialized: eve.json
26/11/2020 -- 17:27:18 - - stats output device (regular) initialized: stats.log
26/11/2020 -- 17:27:18 - - Syslog output initialized
26/11/2020 -- 17:27:18 - - Running in live mode, activating unix socket
26/11/2020 -- 17:27:20 - - 1 rule files processed. 21155 rules successfully loaded, 0 rules failed
26/11/2020 -- 17:27:20 - - Threshold config parsed: 0 rule(s) found
26/11/2020 -- 17:27:21 - - 21158 signatures processed. 1395 are IP-only rules, 4006 are inspecting packet payload, 15527 inspect application layer, 104 are decoder event only
26/11/2020 -- 17:27:32 - - Using 1 live device(s).
26/11/2020 -- 17:27:32 - - using interface sfxge0
26/11/2020 -- 17:27:32 - - running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
26/11/2020 -- 17:27:32 - - Found an MTU of 1500 for 'sfxge0'
26/11/2020 -- 17:27:32 - - Set snaplen to 1524 for 'sfxge0'
26/11/2020 -- 17:27:32 - - RunModeIdsPcapAutoFp initialised
26/11/2020 -- 17:27:32 - - Running in live mode, activating unix socket
26/11/2020 -- 17:27:32 - - Using unix socket file '/var/run/suricata/suricata-command.socket'
26/11/2020 -- 17:27:32 - - all 25 packet processing threads, 4 management threads initialized, engine started.
26/11/2020 -- 17:27:32 - - No packets with invalid checksum, assuming checksum offloading is NOT used
26/11/2020 -- 17:33:45 - - Signal Received. Stopping engine.
26/11/2020 -- 17:34:46 - - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "RX#01-sfxge0". Killing engine
26/11/2020 -- 17:37:30 - - This is Suricata version 6.0.0 RELEASE running in SYSTEM mode
26/11/2020 -- 17:37:30 - - CPUs/cores online: 24
26/11/2020 -- 17:37:30 - - Found an MTU of 1500 for 'sfxge0'
26/11/2020 -- 17:37:30 - - Found an MTU of 1500 for 'sfxge0'
26/11/2020 -- 17:37:30 - - fast output device (regular) initialized: fast.log
26/11/2020 -- 17:37:30 - - eve-log output device (regular) initialized: eve.json
26/11/2020 -- 17:37:30 - - stats output device (regular) initialized: stats.log
26/11/2020 -- 17:37:30 - - Syslog output initialized
26/11/2020 -- 17:37:30 - - Running in live mode, activating unix socket
26/11/2020 -- 17:37:32 - - 1 rule files processed. 21155 rules successfully loaded, 0 rules failed
26/11/2020 -- 17:37:32 - - Threshold config parsed: 0 rule(s) found
26/11/2020 -- 17:37:33 - - 21158 signatures processed. 1395 are IP-only rules, 4006 are inspecting packet payload, 15527 inspect application layer, 104 are decoder event only
26/11/2020 -- 17:37:44 - - Using 1 live device(s).
26/11/2020 -- 17:37:44 - - using interface sfxge0
26/11/2020 -- 17:37:44 - - running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
26/11/2020 -- 17:37:44 - - Found an MTU of 1500 for 'sfxge0'
26/11/2020 -- 17:37:44 - - Set snaplen to 1524 for 'sfxge0'
26/11/2020 -- 17:37:44 - - RunModeIdsPcapAutoFp initialised
26/11/2020 -- 17:37:44 - - Running in live mode, activating unix socket

The error you can see at the top of it happens when I stop or restart Suricata.

There isn’t much in the OS logs either. Here’s some info from /var/log/messages

Nov 26 17:13:35 <kern.info> BD-03 kernel: sfxge0: promiscuous mode disabled
Nov 26 17:13:49 <kern.info> BD-03 kernel: sfxge0: promiscuous mode enabled
Nov 26 17:27:18 <kern.info> BD-03 kernel: sfxge0: promiscuous mode disabled
Nov 26 17:27:32 <kern.info> BD-03 kernel: sfxge0: promiscuous mode enabled
Nov 26 17:34:46 <kern.info> BD-03 kernel: sfxge0: promiscuous mode disabled
Nov 26 17:37:44 <kern.info> BD-03 kernel: sfxge0: promiscuous mode enabled

As you can see above “This is Suricata version 6.0.0 RELEASE running in SYSTEM mode”

Hardware:

HPE ProLiant DL380 G7

CPU:

hw.model: Intel(R) Xeon(R) CPU X5650 @ 2.67GHz
hw.machine: amd64
hw.ncpu: 24

RAM:
real memory = 90194313216 (86016 MB)
avail memory = 87807807488 (83740 MB)

NIC (for the sensor):
sfxge0@pci0:21:0:0: class=0x020000 card=0x2136103c chip=0x08031924 rev=0x00 hdr=0x00
vendor = 'Solarflare Communications'
device = 'SFC9020 10G Ethernet Controller'

My suricata.yaml is pretty standard.

I would be grateful for any suggestions as to how to troubleshoot this issue.

Separately, was I right thinking that BSD would be a better platform to run Suricata than Debian?

Thank you in advance for reading this and any suggestions that you may have.
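A small troubleshooting aid, added here as an example and not part of the original post: "Signal Received. Stopping engine." is what Suricata logs from its SIGINT/SIGTERM handler, so the pattern in the log above is an orderly external stop, not a crash, and the first thing worth knowing is exactly how long each run lasted and whether each stop ended with the forced kill. The script below parses suricata.log timestamps, pairs every "engine started." with the next "Stopping engine." and marks runs that were followed by the SC_ERR_FATAL(171) line. The sample lines are constructed to mirror the thread's log (real files also carry a `<Notice>`/`<Error>` level tag, which the parser accepts but does not require); the threshold of 60 seconds is an assumed value, not anything from the page.

```python
import re
import sys
from datetime import datetime

# Constructed sample mirroring the thread's suricata.log; the level tags are
# what the real file contains, the forum rendering had stripped them.
SAMPLE_LOG = """\
26/11/2020 -- 17:26:17 - <Notice> - Signal Received. Stopping engine.
26/11/2020 -- 17:27:18 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "RX#01-sfxge0". Killing engine
26/11/2020 -- 17:27:18 - <Notice> - This is Suricata version 6.0.0 RELEASE running in SYSTEM mode
26/11/2020 -- 17:27:32 - <Notice> - all 25 packet processing threads, 4 management threads initialized, engine started.
26/11/2020 -- 17:33:45 - <Notice> - Signal Received. Stopping engine.
26/11/2020 -- 17:34:46 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "RX#01-sfxge0". Killing engine
26/11/2020 -- 17:37:30 - <Notice> - This is Suricata version 6.0.0 RELEASE running in SYSTEM mode
26/11/2020 -- 17:37:44 - <Notice> - all 25 packet processing threads, 4 management threads initialized, engine started.
"""

# "dd/mm/yyyy -- HH:MM:SS - <Level> - message"; the level tag is optional so
# that lines copied from a forum post (tags stripped) still parse.
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4}) -- (\d{2}:\d{2}:\d{2}) - (?:<\w+> - )?(.*)$"
)


def parse_line(line):
    """Return (timestamp, message) for a suricata.log line, or None."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d/%m/%Y %H:%M:%S")
    return ts, m.group(3)


def engine_runs(text):
    """Pair each 'engine started.' with the next 'Stopping engine.'.

    Returns a list of dicts: start, stop (None if still running), seconds
    (None if still running) and forced_kill (True when the stop ended in the
    SC_ERR_FATAL 'Killing engine' line).
    """
    runs = []
    start = None
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        if msg.endswith("engine started."):
            start = ts
        elif msg.startswith("Signal Received. Stopping engine.") and start is not None:
            runs.append({"start": start, "stop": ts,
                         "seconds": (ts - start).total_seconds(),
                         "forced_kill": False})
            start = None
        elif "SC_ERR_FATAL" in msg and "Killing engine" in msg and runs:
            # The fatal line belongs to the most recent completed run.
            runs[-1]["forced_kill"] = True
    if start is not None:
        runs.append({"start": start, "stop": None, "seconds": None,
                     "forced_kill": False})
    return runs


def short_runs(runs, threshold_seconds=60):
    """Runs that were stopped before threshold_seconds elapsed (assumed limit)."""
    return [r for r in runs
            if r["seconds"] is not None and r["seconds"] < threshold_seconds]


def report(runs):
    """Human-readable one-line-per-run summary."""
    lines = []
    for r in runs:
        if r["stop"] is None:
            lines.append(f"{r['start']:%H:%M:%S} started, still running")
            continue
        kill = " (forced kill after timeout)" if r["forced_kill"] else ""
        lines.append(f"{r['start']:%H:%M:%S} -> {r['stop']:%H:%M:%S} "
                     f"ran {int(r['seconds'])}s{kill}")
    return lines


if __name__ == "__main__":
    # Usage: python3 suri_runs.py /var/log/suricata/suricata.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    runs = engine_runs(text)
    print("\n".join(report(runs)))
    print(f"{len(short_runs(runs))} run(s) shorter than 60s")
```

Two things the output makes easy to line up against /var/log/messages: the start times correspond to the kernel's "promiscuous mode enabled" lines and the stop times to "promiscuous mode disabled", so anything else logged on the host at the moment of each "Signal Received" (an rc script, a supervisor, a cron job) is a candidate sender of the signal. The SC_ERR_FATAL line in the thread arrives a little over a minute after each signal, which is consistent with the engine giving up on the pcap capture thread during shutdown rather than with that error being the cause of the stop.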

I would challenge that. I guess it mostly depends on the capture method you want to use. AF_PACKET is very well supported and NETMAP might not offer all the features AF_PACKET does. IMHO Linux still has an advantage.

When it runs, does it process packets? Does your stats log get updated?

Thanks for your comments.

Yes, when it runs everything looks good. The packets are processed, stats.log gets updated.

I use syslog to send fast.log to my central Graylog server and that works well as well.

BTW, I am using just AF_PACKET.

Hmm now I’m confused. The output above is from FreeBSD, right? This is using libpcap. AF_PACKET is a Linux only thing.

Sorry, I meant pcap.

Update:

I have decided to bite the bullet and revert to Debian (10.6). Suricata 6.0 works now as expected. No issues whatsoever!