2.29 (x86_64) - Core-Update 198 Development Build: master/9150cbdd

This is the first time I have installed the Testing version.

There are two observations.

  1. I do like the new look of the IPS page. However, even though I was not scanning Blue, some hosts were not being given access to the internet if OISF Traffic ID Rules were enabled.

  2. Some process, as of now unknown, is causing IPFire to crash. See screen shots below. Currently monitoring htop for a clue to the offender. As you can see there is no consistency to the timing of the issue.

That won’t be related to the update to CU198 as the last update to the OISF Traffic ID ruleset was in January 2018.

Blocking with this ruleset enabled means that traffic with the ID for
bing, facebook, gmail, google, irccloud, lastpass, whisper, netflix, skype, snapchat, twitter, whatsapp or instagram
was identified, unless you unselected some of the rules within that ruleset. There should be messages about what was triggered in the IPS logs menu item.

The best thing is to look through the logs at around the time periods where you are for instance getting the sharp increase in memory consumption.
You should find OOM (Out Of Memory) messages from the kernel in the messages log. Search in the messages log for OOM. Then based on the times for those events look at those timings in the unsearched messages log. There should be messages indicating what is ending up running out of memory and causing the memory usage peak.

Review of the logs only turned up the following issue:

16:03:08 suricata:

[3025] -- error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url, VirusTotal ; classtype:trojan-activity; sid:26470; rev:2;)" from file /var/lib/suricata/community-community.rules at line 2581

I did not find any other messages that indicate an issue.

Looking through the Zabbix plots shows that the memory increase always begins on the hour. Interestingly, it is almost always one hour between incidents.

To continue about the timing of the incidents, it is never exactly 60 minutes between issues.

I also noticed loading errors during my CU 198 tests, but they already existed in CU 197.

CU 197 :

Sep 30 11:57:54 ipfireTest suricata: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
Sep 30 11:57:54 ipfireTest suricata: error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /var/lib/suricata/registered-malware-other.rules at line 2942
Sep 30 11:57:54 ipfireTest suricata: depth or urilen 11 smaller than content len 17
Sep 30 11:57:54 ipfireTest suricata: error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)" from file /var/lib/suricata/registered-malware-cnc.rules at line 674
Sep 30 11:57:54 ipfireTest suricata: "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
Sep 30 11:57:54 ipfireTest suricata: error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /var/lib/suricata/registered-malware-cnc.rules at line 3769
Sep 30 11:57:54 ipfireTest suricata: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
Sep 30 11:57:54 ipfireTest suricata: error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.IcedId outbound connection"; flow:to_server,established; content:"Cookie: __gads"; fast_pattern:only; content:"__gads="; http_cookie; content:"|3B| _gat="; distance:0; http_cookie; content:"|3B| _ga="; distance:0; http_cookie; content:"|3B| _u="; distance:0; http_cookie; content:"|3B| __io="; distance:0; http_cookie; content:"|3B| _gid="; distance:0; http_cookie; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/baeb13eea3a71cfaba9d20ef373dcea69cf31f2ec21f45b83f29f699330cb3e3/detection; classtype:trojan-activity; sid:58835; rev:1;)" from file /var/lib/suricata/registered-malware-cnc.rules at line 5567
Sep 30 11:57:54 ipfireTest suricata: unknown regex modifier 'K'
Sep 30 11:57:54 ipfireTest suricata: error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.TreeTrunk outbound connection"; flow:to_server,established; urilen:10; content:"/index.jsp"; fast_pattern:only; http_uri; pcre:"/^([0-9A-F]{2}-){5}[0-9A-F]{2}$/K"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/sha256/8d9444ac349502314f97d25f000dbabb33e3b9737ac8e77e5e8452b719211edd; classtype:trojan-activity; sid:60270; rev:1;)" from file /var/lib/suricata/registered-malware-cnc.rules at line 5645
Sep 30 11:57:54 ipfireTest suricata: "http_client_body" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
Sep 30 11:57:54 ipfireTest suricata: error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HannabiGrabber info stealer outbound communication"; flow:to_server,established; file_data; content:"Hannabi Grabber"; fast_pattern:only; http_client_body; content:"```fix|5C|nPCName:"; http_client_body; content:"GB|5C|nAntivirus:"; within:1000; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/082e50f61aa3e649889defae5bccb1249fc1c1281b2b9f02e10cb1ede8a1d16f; classtype:trojan-activity; sid:60728; rev:1;)" from file /var/lib/suricata/registered-malware-cnc.rules at line 5713
Sep 30 11:57:54 ipfireTest suricata: pcre2_substring_get_bynumber failed
Sep 30 11:57:54 ipfireTest suricata: error parsing signature "drop tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Unix.Backdoor.PygmyGoat inbound connection attempt"; flow:to_client,established; content:"SSH-2.0-D8pjE|0D 0A|"; depth:15; isdataat:!15,rawbytes; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssh; reference:url,ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf; classtype:trojan-activity; sid:64295; rev:1;)" from file /var/lib/suricata/registered-malware-cnc.rules at line 6011
Sep 30 11:57:54 ipfireTest suricata: 27 rule files processed. 28592 rules successfully loaded, 7 rules failed, 0

CU 198 :

Sep 30 12:12:49 ipfireTest suricata: [18328] <Error> -- previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
Sep 30 12:12:49 ipfireTest suricata: [18328] <Error> -- error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /var/lib/suricata/registered-malware-other.rules at line 2942
Sep 30 12:12:49 ipfireTest suricata: [18328] <Error> -- depth or urilen 11 smaller than content len 17
Sep 30 12:12:49 ipfireTest suricata: [18328] <Error> -- error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)" from file /var/lib/suricata/registered-malware-cnc.rules at line 674
Sep 30 12:12:49 ipfireTest suricata: [18328] <Error> -- "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
Sep 30 12:12:49 ipfireTest suricata: [18328] <Error> -- error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /var/lib/suricata/registered-malware-cnc.rules at line 3769
Sep 30 12:12:49 ipfireTest suricata: [18328] <Error> -- previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
Sep 30 12:12:49 ipfireTest suricata: [18328] <Error> -- error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.IcedId outbound connection"; flow:to_server,established; content:"Cookie: __gads"; fast_pattern:only; content:"__gads="; http_cookie; content:"|3B| _gat="; distance:0; http_cookie; content:"|3B| _ga="; distance:0; http_cookie; content:"|3B| _u="; distance:0; http_cookie; content:"|3B| __io="; distance:0; http_cookie; content:"|3B| _gid="; distance:0; http_cookie; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/baeb13eea3a71cfaba9d20ef373dcea69cf31f2ec21f45b83f29f699330cb3e3/detection; classtype:trojan-activity; sid:58835; rev:1;)" from file /var/lib/suricata/registered-malware-cnc.rules at line 5567
Sep 30 12:12:49 ipfireTest suricata: [18328] <Error> -- unknown regex modifier 'K'
Sep 30 12:12:49 ipfireTest suricata: [18328] <Error> -- error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.TreeTrunk outbound connection"; flow:to_server,established; urilen:10; content:"/index.jsp"; fast_pattern:only; http_uri; pcre:"/^([0-9A-F]{2}-){5}[0-9A-F]{2}$/K"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/sha256/8d9444ac349502314f97d25f000dbabb33e3b9737ac8e77e5e8452b719211edd; classtype:trojan-activity; sid:60270; rev:1;)" from file /var/lib/suricata/registered-malware-cnc.rules at line 5645
Sep 30 12:12:49 ipfireTest suricata: [18328] <Error> -- "http_client_body" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
Sep 30 12:12:49 ipfireTest suricata: [18328] <Error> -- error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HannabiGrabber info stealer outbound communication"; flow:to_server,established; file_data; content:"Hannabi Grabber"; fast_pattern:only; http_client_body; content:"```fix|5C|nPCName:"; http_client_body; content:"GB|5C|nAntivirus:"; within:1000; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/082e50f61aa3e649889defae5bccb1249fc1c1281b2b9f02e10cb1ede8a1d16f; classtype:trojan-activity; sid:60728; rev:1;)" from file /var/lib/suricata/registered-malware-cnc.rules at line 5713
Sep 30 12:12:49 ipfireTest suricata: [18328] <Error> -- pcre2_substring_get_bynumber failed
Sep 30 12:12:49 ipfireTest suricata: [18328] <Error> -- error parsing signature "drop tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Unix.Backdoor.PygmyGoat inbound connection attempt"; flow:to_client,established; content:"SSH-2.0-D8pjE|0D 0A|"; depth:15; isdataat:!15,rawbytes; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssh; reference:url,ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf; classtype:trojan-activity; sid:64295; rev:1;)" from file /var/lib/suricata/registered-malware-cnc.rules at line 6011
Sep 30 12:12:49 ipfireTest suricata: [18328] <Info> -- tenant id 0:  27 rule files processed. 28592 rules successfully loaded, 7 rules failed, 0 rules skipped

Those are errors related to the signatures you are using.

From the signature ruleset name I believe these rules are The Talos ruleset for Registered users.

The Talos signatures are developed for use with Snort and not Suricata and the signature structure is not 100% the same between the two. Generally the signatures will work in both but some of the Talos Snort based signatures may end up with error messages as you are detecting.


That message is from the system logs and not from suricata processing the traffic.

That signature has an error in it that the Emerging Threats people would need to fix. However, that signature will likely not have been implemented because suricata could not parse it correctly.

For the IPS log messages showing what traffic has been dropped by the IPS system, you need to look at the WUI menu

Logs - IPS Logs and there you will see all the rules that were triggered.

Here is an example from my system but with the public IP redacted.

Date:	10/07 10:53:46 	Name:	ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
Priority:	2 	Type:	Attempted Information Leak
IP info: 	65.60.34.138:5299 -> xxx.xxx.xxx.xxx:5060
References:	none found	SID: 	2011716

Date:	10/07 10:53:46 	Name:	ET SCAN Sipvicious Scan
Priority:	2 	Type:	Attempted Information Leak
IP info: 	65.60.34.138:5299 -> xxx.xxx.xxx.xxx:5060
References:	none found	SID: 	2008578

Date:	10/07 10:48:17 	Name:	ET SCAN Suspicious inbound to PostgreSQL port 5432
Priority:	2 	Type:	Potentially Bad Traffic
IP info: 	77.90.185.118:50805 -> xxx.xxx.xxx.xxx:5432
References:	none found	SID: 	2010939

Date:	10/07 10:40:41 	Name:	ET JA3 Hash - Possible InnocenceBot CnC
Priority:	3 	Type:	Unknown Traffic
IP info: 	192.168.128.10:56400 -> 18.203.53.244:443
References:	none found	SID: 	2030645

This shows the traffic events that were dropped by the IPS on my system.

Have a look in that log and search for the IP address of the system on Blue having a problem.

The situation continues.

There are no kernel panics. As far as I can see there are no issues in any log.

At first I thought the issue was an out of memory problem. The plots below show what I now think is the problem: the number of processes. I tried to monitor what was causing the process count. However, using top or ps -eo pcpu,pid,user,args did not help in tracking down the offending package.

I have now disabled all extra services that were running in hopes that the issue lies with one of them.

Does anyone have a suggestion as to how to monitor the Process/Loads?

Below is the Zabbix plot of the number of processes. Over 6900 of them are from the dma command.

# pgrep --count dma
6909

Process count for dma at the time of the drop:

2025-10-07T17:06:27-04:00 5899
2025-10-07T17:06:29-04:00 5899
2025-10-07T17:06:31-04:00 5899
2025-10-07T17:06:33-04:00 5899
2025-10-07T17:06:36-04:00 5899
2025-10-07T17:06:38-04:00 5899
2025-10-07T17:06:40-04:00 5899
2025-10-07T17:06:42-04:00 5899
2025-10-07T17:06:44-04:00 5899
2025-10-07T17:06:46-04:00 5899
2025-10-07T17:06:48-04:00 5899
2025-10-07T17:06:50-04:00 5899
2025-10-07T17:06:52-04:00 5899
2025-10-07T17:06:54-04:00 5899
2025-10-07T17:06:56-04:00 5899
2025-10-07T17:06:58-04:00 5899
2025-10-07T17:07:01-04:00 5899
2025-10-07T17:07:05-04:00 5899
2025-10-07T17:07:09-04:00 5814
2025-10-07T17:07:14-04:00 5745
2025-10-07T17:07:17-04:00 5736
2025-10-07T17:07:22-04:00 5736
2025-10-07T17:07:27-04:00 5736
2025-10-07T17:07:29-04:00 5736
2025-10-07T17:07:31-04:00 5736
2025-10-07T17:07:33-04:00 5736
2025-10-07T17:07:35-04:00 5736
2025-10-07T17:07:37-04:00 5736
2025-10-07T17:07:39-04:00 5736
2025-10-07T17:07:41-04:00 5736
2025-10-07T17:07:43-04:00 5736
2025-10-07T17:07:45-04:00 5736
2025-10-07T17:07:47-04:00 5736
2025-10-07T17:07:49-04:00 5736
2025-10-07T17:07:51-04:00 5736
2025-10-07T17:07:54-04:00 5736
2025-10-07T17:07:56-04:00 5736
2025-10-07T17:07:58-04:00 5736
2025-10-07T17:08:00-04:00 5736
2025-10-07T17:08:02-04:00 5736
2025-10-07T17:08:05-04:00 5736
2025-10-07T17:08:07-04:00 5736
2025-10-07T17:08:10-04:00 5737
2025-10-07T17:08:13-04:00 5737
2025-10-07T17:08:16-04:00 5737
2025-10-07T17:08:18-04:00 5737

Do you have any load? Am I reading that graph right?

Here is mine.

Whether that is causing your drop problems or not, it should not be happening. That indicates that something on your system is asking dma to send huge numbers of mails.

If you run
ls -hal /var/spool/dma/
is the directory full of files or empty except for a file labelled flush?

If it is full of files then you have a lot of mails that failed to get sent and have ended up in dma’s mail queue and periodically it tries to resend them. After a period it stops trying to send them.

What messages do you have in the dma logs?

Logs - System Logs - select Mail in the drop down box labelled Section: and then press the Update button. There should be some info in there if you have so many dma processes running.

In all my current systems I have 0 dma processes as I only periodically have any emails being sent out.
I take it you aren’t receiving huge numbers of emails from IPFire.

Very low load until the spike. There are only a few users on the system.

ls -hal /var/spool/dma/ | wc -l

1954 files

After pressing the Update button nothing happens. The prior log data remains on screen.

I removed all the mail files.

I have turned back on all the services previously shutdown.

Let’s see what happens next.

Did you look at any of the files to see where they were coming from?

That is a shame.

If they occur again, which I would expect if nothing else has been changed to stop them trying to be sent then, if I remember correctly, the files in that directory starting with a Q actually have the email details that dma was trying to send so you could see firstly what the from and to address was.

That might give some clue as to what is sending them.

Also reading the details you should also be able to try and see what the error was that prevented dma from sending them.

In the past I had some files like that, but only around 10 or so, when I had sent an email to
name.full.domain.name
instead of
name@full.domain.name

Reading the files starting with Q I saw that dma did not like the To address used.

I then corrected the To email address, which was in arpwatch, and then cleared the files in /var/spool/dma/ and everything went fine after that and I have had no further files left in that directory.
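As an added example of the spool check described in the two replies above (this is not IPFire's or dma's own tooling), the helper below counts the queued mails in /var/spool/dma and tallies their envelope sender and recipient addresses, so that the component generating them stands out. It assumes the Q<id> queue file layout stated in its header comment, and the sample spool it builds for testing is constructed.

```shell
#!/bin/sh
# Triage helper for a backed-up dma spool (added example, not IPFire's or
# dma's own tooling). ASSUMPTION: each queued mail has a queue file
# /var/spool/dma/Q<id> whose first three lines are the queue id, the envelope
# sender and the envelope recipient; the message itself lives in the matching
# M<id> file. Check the layout on your own box with: head -n 3 /var/spool/dma/Q*

# Number of queued mails (Q files only; M files and "flush" are not counted).
dma_queue_count() {
    find "$1" -maxdepth 1 -name 'Q*' -type f | wc -l | tr -d ' '
}

# Tally one envelope field across the whole queue, most frequent first.
# field 2 = sender, field 3 = recipient. One address dominating the list
# points at the component (the IPS notifications in this thread) producing
# the mail, or at a mistyped address that dma keeps failing to deliver to.
dma_queue_tally() {
    spool="$1" field="$2"
    for q in "$spool"/Q*; do
        [ -f "$q" ] || continue
        sed -n "${field}p" "$q"
    done | sort | uniq -c | sort -rn
}

# Most frequent recipient address in the queue (address only, count dropped).
dma_top_recipient() {
    dma_queue_tally "$1" 3 | head -n 1 | awk '{print $2}'
}

# Build a small constructed spool in a temp dir so the helpers can be tried
# offline: five notification mails to one admin address plus one mail to a
# malformed recipient (the dotted form mentioned in the thread). Prints the dir.
dma_make_sample_spool() {
    d=$(mktemp -d)
    : > "$d/flush"
    i=0
    while [ "$i" -lt 5 ]; do
        printf 'q%04d\nroot@ipfire.localdomain\nadmin@example.invalid\n' "$i" > "$d/Qq$i"
        printf 'Subject: IPS alert %d\n\nconstructed body\n' "$i" > "$d/Mq$i"
        i=$((i + 1))
    done
    printf 'q9999\nroot@ipfire.localdomain\nname.full.domain.name\n' > "$d/Qq9999"
    echo "$d"
}

# Usage: sh dma_triage.sh /var/spool/dma
if [ "$#" -gt 0 ]; then
    echo "queued mails in $1: $(dma_queue_count "$1")"
    echo "--- senders ---";    dma_queue_tally "$1" 2
    echo "--- recipients ---"; dma_queue_tally "$1" 3
fi
```

Run it before clearing the spool, since the queue files are the only record of who the mails were addressed to and which address dma could not deliver to.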

The files were from the IPS.

It looks like you have some issue with your email configuration so that dma cannot get rid of the messages. So fixing the configuration should fix this problem.

However, this should not cause the system to stall, even though there are thousands of emails queued.
