Bug #1179 (closed)
Suricata block all traffic
Description
Hello,
I need help with this problem.
I used Suricata from version 1.4.x to version 2.0 (IPS).
Suricata works without problems (no errors in logs)
But after some time it blocked all traffic. I do not know what causes it. From the logs, I found that this activity happens:
04/10/2014-14:15:08.942997 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} 0000:0000:0000:0000:0000:0000:0000:0000:135 -> ff02:0000:0000:0000:0000:0001:ff6c:efde:0
04/10/2014-14:15:09.308078 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:143 -> ff02:0000:0000:0000:0000:0000:0000:0016:0
04/10/2014-14:15:12.317126 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:143 -> ff02:0000:0000:0000:0000:0000:0000:0016:0
04/10/2014-14:15:12.779459 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0
04/10/2014-14:15:15.445257 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:6aa3:c4ff:fe7e:4e6c:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0
04/10/2014-14:15:17.341543 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0
Only one thing works -> restart Suricata. After the restart it works well.
Eventually I tried to find some solution (iptables rules, ip6tables default drop policy), but it happens again.
Suricata runs on CentOS 6.5
suricata build info:
This is Suricata version 2.0 RELEASE
Features: NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LIBJANSSON PROFILING
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.4.7 20120313 (Red Hat 4.4.7-4), C version 199901
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.10, linked against LibHTP v0.5.10
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: yes
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: yes
Detection enabled: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
Prelude support: no
PCRE jit: no
libluajit: no
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Suricatasc install: yes
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: yes
Profiling locks enabled: no
Coccinelle / spatch: no
Generic build parameters:
Installation prefix (--prefix): /usr/local
Configuration directory (--sysconfdir): /usr/local/etc/suricata/
Log directory (--localstatedir) : /usr/local/var/log/suricata/
Host: x86_64-unknown-linux-gnu
GCC binary: gcc
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Thank you.
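When a sensor stops passing traffic, the first check is which signatures are dropping and what the dropped packets actually are. The script below is an added example for that check; it is not part of Suricata and not the reporter's code. It assumes the Suricata 2.0 fast.log layout visible in the report: an optional `[Drop]`/`[wDrop]` action tag, then `[gid:sid:rev]`, message, classification, priority, `{protocol}` and `src:port -> dst:port`, where for ICMP the two "port" fields carry the ICMP type and code. The sample input reuses the six log lines from the report plus one constructed non-ICMP alert line (sid 1000001, 192.0.2.x addresses) to show that plain alerts are not counted as drops. The ICMPv6 type names come from RFC 4861 (Neighbor Discovery) and RFC 2710/3810 (MLD).

```python
"""Tally Suricata fast.log entries by action, signature and ICMPv6 type.

Added diagnostic example; not Suricata's code and not the reporter's.
Assumes the Suricata 2.0 fast.log format shown in the bug report.
"""
import re
from collections import Counter

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>w?Drop)\]\s+)?"  # tag present only for drop-action rules
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# ICMPv6 types from RFC 4861 (Neighbor Discovery) and RFC 2710/3810 (MLD).
ICMPV6_TYPE_NAMES = {
    130: "MLD Query",
    131: "MLDv1 Report",
    132: "MLDv1 Done",
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
    137: "Redirect",
    143: "MLDv2 Report",
}
# Without these, IPv6 hosts cannot resolve neighbours or find routers at all.
NDP_TYPES = frozenset(range(133, 138))

# Sample input: the six lines from the report above plus one constructed
# plain alert (sid 1000001, documentation addresses) that is not a drop.
SAMPLE_FAST_LOG = """\
04/10/2014-14:15:08.942997 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} 0000:0000:0000:0000:0000:0000:0000:0000:135 -> ff02:0000:0000:0000:0000:0001:ff6c:efde:0
04/10/2014-14:15:09.308078 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:143 -> ff02:0000:0000:0000:0000:0000:0000:0016:0
04/10/2014-14:15:12.317126 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:143 -> ff02:0000:0000:0000:0000:0000:0000:0016:0
04/10/2014-14:15:12.779459 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0
04/10/2014-14:15:15.445257 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:6aa3:c4ff:fe7e:4e6c:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0
04/10/2014-14:15:17.341543 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0
04/10/2014-14:15:20.000001 [**] [1:1000001:1] LOCAL constructed test alert [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 192.0.2.20:51234
"""


def parse_fast_log_line(line):
    """Return a dict for one fast.log line, or None if it does not match."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The field after the last ':' is the port (or ICMP type/code).
    rec["src_ip"], src_port = rec["src"].rsplit(":", 1)
    rec["dst_ip"], dst_port = rec["dst"].rsplit(":", 1)
    rec["src_port"] = int(src_port)
    rec["dst_port"] = int(dst_port)
    rec["sid"] = int(rec["sid"])
    if rec["proto"] in ("IPv6-ICMP", "ICMP"):
        rec["icmp_type"] = rec["src_port"]  # Suricata puts the type in the src slot
        rec["icmp_code"] = rec["dst_port"]  # and the code in the dst slot
    return rec


def summarize(log_text):
    """Count drop entries per signature and per ICMPv6 type in a fast.log excerpt."""
    drops_by_sid = Counter()
    dropped_icmpv6_types = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_fast_log_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["action"] is None:
            continue  # plain alert: nothing was, or would be, dropped
        drops_by_sid[(rec["sid"], rec["msg"])] += 1
        if rec["proto"] == "IPv6-ICMP":
            dropped_icmpv6_types[rec["icmp_type"]] += 1
    return {
        "drops_by_sid": drops_by_sid,
        "dropped_icmpv6_types": dropped_icmpv6_types,
        "unparsed": unparsed,
    }


def dropped_ndp_types(summary):
    """Names of Neighbor Discovery types being dropped; any hit explains stalled IPv6."""
    return sorted(
        ICMPV6_TYPE_NAMES.get(t, "type %d" % t)
        for t in summary["dropped_icmpv6_types"]
        if t in NDP_TYPES
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_FAST_LOG)
    for (sid, msg), n in s["drops_by_sid"].most_common():
        print("sid %d  %-40s drops=%d" % (sid, msg, n))
    for t, n in sorted(s["dropped_icmpv6_types"].items()):
        print("ICMPv6 type %3d (%s): %d" % (t, ICMPV6_TYPE_NAMES.get(t, "?"), n))
    print("NDP types dropped:", dropped_ndp_types(s))
```

Run it against a real fast.log by replacing `SAMPLE_FAST_LOG` with the file contents; a non-empty result from `dropped_ndp_types` means the decoder-event signature is discarding Router and Neighbor Solicitations, which is enough on its own to stop IPv6 hosts on the segment from resolving neighbours, so the decoder-event rule's action (drop vs. alert) is the setting to review.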