Bug #1179
Suricata blocks all traffic
Status: closed
Description
Hello,
I need help with this problem.
I used Suricata from version 1.4.x to version 2.0 (IPS).
Suricata works without problems (no errors in logs)
But after some time it blocked all traffic. I do not know what causes it. From the logs, I found that this activity happens:
04/10/2014-14:15:08.942997 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} 0000:0000:0000:0000:0000:0000:0000:0000:135 -> ff02:0000:0000:0000:0000:0001:ff6c:efde:0
04/10/2014-14:15:09.308078 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:143 -> ff02:0000:0000:0000:0000:0000:0000:0016:0
04/10/2014-14:15:12.317126 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:143 -> ff02:0000:0000:0000:0000:0000:0000:0016:0
04/10/2014-14:15:12.779459 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0
04/10/2014-14:15:15.445257 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:6aa3:c4ff:fe7e:4e6c:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0
04/10/2014-14:15:17.341543 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0
Only one thing works -> restart Suricata. After the restart it works well.
Eventually I tried to find some solution (iptables rules, ip6tables default drop policy), but it happens again.
Suricata runs on CentOS 6.5
suricata build info:
This is Suricata version 2.0 RELEASE
Features: NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LIBJANSSON PROFILING
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.4.7 20120313 (Red Hat 4.4.7-4), C version 199901
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.10, linked against LibHTP v0.5.10
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: yes
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: yes
Detection enabled: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
Prelude support: no
PCRE jit: no
libluajit: no
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Suricatasc install: yes
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: yes
Profiling locks enabled: no
Coccinelle / spatch: no
Generic build parameters:
Installation prefix (--prefix): /usr/local
Configuration directory (--sysconfdir): /usr/local/etc/suricata/
Log directory (--localstatedir) : /usr/local/var/log/suricata/
Host: x86_64-unknown-linux-gnu
GCC binary: gcc
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Thank you.
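The alert lines above carry more than the rule message suggests: Suricata's fast.log prints the ICMP type and code in the positions where TCP/UDP ports would go (src:type -> dst:code), so 135, 143 and 133 are the ICMPv6 types Neighbor Solicitation, MLDv2 Report and Router Solicitation, and the [wDrop] prefix is the action field (Suricata writes [Drop] when it actually dropped a packet and [wDrop] when a drop rule matched but the packet was passed). The following script is an added example, not code from the report or the Suricata project: it parses fast.log lines, decodes the ICMPv6 types against the RFC 4443/4861/3810 numbers, and reports whether the matched traffic is Neighbor Discovery or MLD, which a host needs for IPv6 connectivity, and whether anything was really dropped. The six report lines are embedded as input; the one [Drop] line is constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Suricata fast.log: "<ts> [Drop|wDrop] [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {proto} src:type -> dst:code".
# For ICMP the "port" fields hold the ICMP type (source side) and code (dest side).
FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?:\[(?P<action>w?Drop)\] )?\[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[^}]+)\} (?P<src>\S+):(?P<type>\d+) -> (?P<dst>\S+):(?P<code>\d+)$"
)

# ICMPv6 type numbers: RFC 4443 (errors, echo), RFC 4861 (Neighbor Discovery),
# RFC 2710 / RFC 3810 (Multicast Listener Discovery).
ICMPV6_TYPES = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
    130: "Multicast Listener Query", 131: "MLDv1 Report",
    132: "Multicast Listener Done", 133: "Router Solicitation",
    134: "Router Advertisement", 135: "Neighbor Solicitation",
    136: "Neighbor Advertisement", 137: "Redirect", 143: "MLDv2 Report",
}
# Neighbor Discovery resolves link-layer addresses and default routers; MLD
# keeps the solicited-node multicast groups joined that NS/NA delivery relies on.
NDP_TYPES = {133, 134, 135, 136}
MLD_TYPES = {130, 131, 132, 143}

# Alert lines taken from the report above.
REPORT_LINES = [
    "04/10/2014-14:15:08.942997 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} 0000:0000:0000:0000:0000:0000:0000:0000:135 -> ff02:0000:0000:0000:0000:0001:ff6c:efde:0",
    "04/10/2014-14:15:09.308078 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:143 -> ff02:0000:0000:0000:0000:0000:0000:0016:0",
    "04/10/2014-14:15:12.317126 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:143 -> ff02:0000:0000:0000:0000:0000:0000:0016:0",
    "04/10/2014-14:15:12.779459 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0",
    "04/10/2014-14:15:15.445257 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:6aa3:c4ff:fe7e:4e6c:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0",
    "04/10/2014-14:15:17.341543 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0",
]
# Constructed line (not from the report): an enforced drop of a Neighbor Advertisement.
CONSTRUCTED_DROP_LINE = [
    "04/10/2014-14:16:00.000000 [Drop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:136 -> fe80:0000:0000:0000:6aa3:c4ff:fe7e:4e6c:0",
]


@dataclass
class Alert:
    ts: str
    action: str       # "Drop", "wDrop", or "alert" when no action prefix is present
    sid: int
    msg: str
    proto: str
    src: str
    dst: str
    icmp_type: int
    icmp_code: int


def parse_fastlog(lines):
    """Parse fast.log lines into Alert records; lines that do not match are skipped."""
    alerts = []
    for line in lines:
        m = FASTLOG_RE.match(line.strip())
        if not m:
            continue
        alerts.append(Alert(
            ts=m["ts"], action=m["action"] or "alert", sid=int(m["sid"]),
            msg=m["msg"], proto=m["proto"], src=m["src"], dst=m["dst"],
            icmp_type=int(m["type"]), icmp_code=int(m["code"]),
        ))
    return alerts


def triage(alerts):
    """Decode the ICMPv6 alerts and say what enforcing them would take away from the host."""
    icmp6 = [a for a in alerts if a.proto == "IPv6-ICMP"]
    by_type = Counter(a.icmp_type for a in icmp6)
    enforced = any(a.action == "Drop" for a in icmp6)
    ndp_hit = sorted(t for t in by_type if t in NDP_TYPES)
    mld_hit = sorted(t for t in by_type if t in MLD_TYPES)
    if not enforced:
        verdict = "wDrop only: the drop rule matched but no packet was dropped"
    elif ndp_hit:
        verdict = "Neighbor Discovery was dropped: IPv6 address resolution and router discovery break"
    else:
        verdict = "packets were dropped, but none of them were Neighbor Discovery"
    return {
        "by_type": {f"{t} {ICMPV6_TYPES.get(t, 'unassigned/unknown')}": n
                    for t, n in sorted(by_type.items())},
        "ndp_types_hit": ndp_hit,
        "mld_types_hit": mld_hit,
        "enforced": enforced,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, lines in (("report", REPORT_LINES), ("constructed", CONSTRUCTED_DROP_LINE)):
        print(label, triage(parse_fastlog(lines)))
```

Run against the report, the script shows that every line is a [wDrop] for type 133, 135 or 143, i.e. Router Solicitation, Neighbor Solicitation and MLDv2 Report, none of which were actually dropped; the constructed line shows the output when a real [Drop] of Neighbor Discovery traffic is present.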
Updated by Andreas Herz over 9 years ago
With [wDrop] this looks like monitoring mode and shouldn't drop (just log), so can you describe your setup a little bit and how you start suricata?
Updated by Anonymous over 9 years ago
Andreas Herz wrote:
With [wDrop] this looks like monitoring mode and shouldn't drop (just log), so can you describe your setup a little bit and how you start suricata?
I think that some update of Suricata 2.0.x corrected it. It has not happened for a long time. Perhaps I should close my ticket.
Updated by Peter Manev over 9 years ago
So with the current release you do not have that problem anymore, correct?
There were a couple of IPS related bugs fixed in 2.x -
https://redmine.openinfosecfoundation.org/issues/1284
https://redmine.openinfosecfoundation.org/issues/1176
You could close this bug report - if that is the case.
Thanks for following up!
Updated by Anonymous over 9 years ago
Peter Manev wrote:
So with the current release you do not have that problem anymore, correct?
There were a couple of IPS related bugs fixed in 2.x -
https://redmine.openinfosecfoundation.org/issues/1284
https://redmine.openinfosecfoundation.org/issues/1176
You could close this bug report - if that is the case.
Thanks for following up!
Yes, the problem looks fixed. You can close this bug report. I don't know how I can close the report. Or I haven't got permission to close it.
Thanks.