Hi,
Despite using Suricata for a few years I am new here and this is my first post.
After successfully running Suricata on Debian (most recently 10.6), I have decided to use the upgrade to version 6 as an opportunity to move my installation to FreeBSD (12.2-RELEASE). The installation went fine and I had everything running OK in no time. Unfortunately, I have noticed that Suricata runs only for very short periods of time. The shortest was about 5 seconds, the longest just under a minute.
I had a look at the logs, but can’t see anything obvious.
Here is info from the suricata.log:
26/11/2020 -- 17:26:17 - - Signal Received. Stopping engine.
26/11/2020 -- 17:27:18 - - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "RX#01-sfxge0". Killing engine
26/11/2020 -- 17:27:18 - - This is Suricata version 6.0.0 RELEASE running in SYSTEM mode
26/11/2020 -- 17:27:18 - - CPUs/cores online: 24
26/11/2020 -- 17:27:18 - - Found an MTU of 1500 for 'sfxge0'
26/11/2020 -- 17:27:18 - - Found an MTU of 1500 for 'sfxge0'
26/11/2020 -- 17:27:18 - - fast output device (regular) initialized: fast.log
26/11/2020 -- 17:27:18 - - eve-log output device (regular) initialized: eve.json
26/11/2020 -- 17:27:18 - - stats output device (regular) initialized: stats.log
26/11/2020 -- 17:27:18 - - Syslog output initialized
26/11/2020 -- 17:27:18 - - Running in live mode, activating unix socket
26/11/2020 -- 17:27:20 - - 1 rule files processed. 21155 rules successfully loaded, 0 rules failed
26/11/2020 -- 17:27:20 - - Threshold config parsed: 0 rule(s) found
26/11/2020 -- 17:27:21 - - 21158 signatures processed. 1395 are IP-only rules, 4006 are inspecting packet payload, 15527 inspect application layer, 104 are decoder event only
26/11/2020 -- 17:27:32 - - Using 1 live device(s).
26/11/2020 -- 17:27:32 - - using interface sfxge0
26/11/2020 -- 17:27:32 - - running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
26/11/2020 -- 17:27:32 - - Found an MTU of 1500 for 'sfxge0'
26/11/2020 -- 17:27:32 - - Set snaplen to 1524 for 'sfxge0'
26/11/2020 -- 17:27:32 - - RunModeIdsPcapAutoFp initialised
26/11/2020 -- 17:27:32 - - Running in live mode, activating unix socket
26/11/2020 -- 17:27:32 - - Using unix socket file '/var/run/suricata/suricata-command.socket'
26/11/2020 -- 17:27:32 - - all 25 packet processing threads, 4 management threads initialized, engine started.
26/11/2020 -- 17:27:32 - - No packets with invalid checksum, assuming checksum offloading is NOT used
26/11/2020 -- 17:33:45 - - Signal Received. Stopping engine.
26/11/2020 -- 17:34:46 - - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "RX#01-sfxge0". Killing engine
26/11/2020 -- 17:37:30 - - This is Suricata version 6.0.0 RELEASE running in SYSTEM mode
26/11/2020 -- 17:37:30 - - CPUs/cores online: 24
26/11/2020 -- 17:37:30 - - Found an MTU of 1500 for 'sfxge0'
26/11/2020 -- 17:37:30 - - Found an MTU of 1500 for 'sfxge0'
26/11/2020 -- 17:37:30 - - fast output device (regular) initialized: fast.log
26/11/2020 -- 17:37:30 - - eve-log output device (regular) initialized: eve.json
26/11/2020 -- 17:37:30 - - stats output device (regular) initialized: stats.log
26/11/2020 -- 17:37:30 - - Syslog output initialized
26/11/2020 -- 17:37:30 - - Running in live mode, activating unix socket
26/11/2020 -- 17:37:32 - - 1 rule files processed. 21155 rules successfully loaded, 0 rules failed
26/11/2020 -- 17:37:32 - - Threshold config parsed: 0 rule(s) found
26/11/2020 -- 17:37:33 - - 21158 signatures processed. 1395 are IP-only rules, 4006 are inspecting packet payload, 15527 inspect application layer, 104 are decoder event only
26/11/2020 -- 17:37:44 - - Using 1 live device(s).
26/11/2020 -- 17:37:44 - - using interface sfxge0
26/11/2020 -- 17:37:44 - - running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
26/11/2020 -- 17:37:44 - - Found an MTU of 1500 for 'sfxge0'
26/11/2020 -- 17:37:44 - - Set snaplen to 1524 for 'sfxge0'
26/11/2020 -- 17:37:44 - - RunModeIdsPcapAutoFp initialised
26/11/2020 -- 17:37:44 - - Running in live mode, activating unix socket
The error you can see at the top of it happens when I stop or restart Suricata.
There isn’t much in the OS logs either. Here’s some info from /var/log/messages:
Nov 26 17:13:35 <kern.info> BD-03 kernel: sfxge0: promiscuous mode disabled
Nov 26 17:13:49 <kern.info> BD-03 kernel: sfxge0: promiscuous mode enabled
Nov 26 17:27:18 <kern.info> BD-03 kernel: sfxge0: promiscuous mode disabled
Nov 26 17:27:32 <kern.info> BD-03 kernel: sfxge0: promiscuous mode enabled
Nov 26 17:34:46 <kern.info> BD-03 kernel: sfxge0: promiscuous mode disabled
Nov 26 17:37:44 <kern.info> BD-03 kernel: sfxge0: promiscuous mode enabled
As you can see above, “This is Suricata version 6.0.0 RELEASE running in SYSTEM mode”.
Hardware:
HPE ProLiant DL380 G7
CPU:
hw.model: Intel(R) Xeon(R) CPU X5650 @ 2.67GHz
hw.machine: amd64
hw.ncpu: 24
RAM:
real memory = 90194313216 (86016 MB)
avail memory = 87807807488 (83740 MB)
NIC (for the sensor):
sfxge0@pci0:21:0:0: class=0x020000 card=0x2136103c chip=0x08031924 rev=0x00 hdr=0x00
vendor = 'Solarflare Communications'
device = 'SFC9020 10G Ethernet Controller'
My suricata.yaml is pretty standard.
I would be grateful for any suggestions as to how to troubleshoot this issue.
Separately, was I right thinking that BSD would be a better platform to run Suricata than Debian?
Thank you in advance for reading this and any suggestions that you may have.
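An added example for anyone triaging a log like the one above (this is not the poster's code or anything shipped with Suricata): a small Python parser that pulls the lifecycle lines out of suricata.log and reports, per run, how long rule loading took, how long the engine actually stayed up before a stop signal arrived, and how long the shutdown hung before the SC_ERR_FATAL kill. The sample log is a constructed subset of the excerpt above, re-typed with the `--` date/time separator and straight quotes Suricata writes; the regex also accepts an optional `<Level>` tag between the separators, which a real file carries but the excerpt does not show.

```python
import re
from datetime import datetime

# Constructed sample: the lifecycle lines from the suricata.log excerpt in the
# post, re-typed with the "--" date/time separator Suricata writes.
SAMPLE_LOG = """\
26/11/2020 -- 17:26:17 - - Signal Received. Stopping engine.
26/11/2020 -- 17:27:18 - - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "RX#01-sfxge0". Killing engine
26/11/2020 -- 17:27:18 - - This is Suricata version 6.0.0 RELEASE running in SYSTEM mode
26/11/2020 -- 17:27:32 - - all 25 packet processing threads, 4 management threads initialized, engine started.
26/11/2020 -- 17:33:45 - - Signal Received. Stopping engine.
26/11/2020 -- 17:34:46 - - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "RX#01-sfxge0". Killing engine
26/11/2020 -- 17:37:30 - - This is Suricata version 6.0.0 RELEASE running in SYSTEM mode
26/11/2020 -- 17:37:44 - - all 25 packet processing threads, 4 management threads initialized, engine started.
"""

# "date -- time - <Level> - message"; the <Level> tag is optional so the excerpt
# above (which lacks it) parses the same as a real suricata.log.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) -- (\d{2}:\d{2}:\d{2}) - (?:<\w+> )?- (.*)$")
MARKERS = {"This is Suricata version": "boot", "engine started": "started",
           "Signal Received": "signal", "Killing engine": "killed"}

def parse_events(text):
    """Return [(datetime, kind)] for lifecycle lines; all other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d/%m/%Y %H:%M:%S")
        kind = next((k for needle, k in MARKERS.items() if needle in m.group(3)), None)
        if kind:
            events.append((ts, kind))
    return events

def summarise_runs(events):
    """Per run: seconds spent loading (boot -> started), seconds the engine was up
    (started -> signal) and seconds from the stop signal to the fatal kill."""
    runs, cur = [], None
    for ts, kind in events:
        if kind == "boot" or cur is None or cur.get(kind) is not None:
            cur = {}  # new run; a run whose boot line is outside the excerpt stays partial
            runs.append(cur)
        cur[kind] = ts
    def secs(r, a, b):
        return (r[b] - r[a]).total_seconds() if a in r and b in r else None
    return [{"startup_s": secs(r, "boot", "started"), "uptime_s": secs(r, "started", "signal"),
             "shutdown_s": secs(r, "signal", "killed")} for r in runs]
```

On the excerpt this gives a 373 s uptime for the middle run and a 61 s gap between "Signal Received" and "Killing engine" in both outages, so the stops are external signals rather than crashes and the "short runtime" is the engine hanging in shutdown, which is the thing to look for in whatever sends the signal.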