Core Update 162: Suricata emits logspam galore

Have upgraded my test VM to Core Update 162 and am seeing these errors in the IPS log even while there's no real traffic, i.e. there are no systems configured to use this IPFire instance.

Configured both Linux and Windows test systems to use this IPFire instance and have not experienced any problems, just the messages.

Are these cause for concern?

Hi,

first, thank you very much for testing Core Update 162. :slight_smile:

Indeed, I get a ton of these log messages as well since I upgraded my testing machine:

12/05/2021-08:16:33.852710  [**] [1:2210059:1] SURICATA STREAM pkt seen on wrong thread [**] [Classification: (null)] [Priority: 3] {TCP} x:x -> x:x

They are no cause for worries, but are quite annoying. I will raise a ticket so we can silence this (or deal with its root cause) before releasing Core Update 162.

EDIT: Done, please refer to bug #12738.

EDIT #2: On a closer look, Suricata does not seem to load any rules at all after the upgrade. Not good, raised bug #12739 for this.

Thanks, and best regards,
Peter Müller

1 Like

Hi, I confirm the same behavior on both systems I am testing.

The following messages (mainly the ‘wrong thread’) fill the IPS log.
There are no rule hits.
12/05 13:55:37 Name: SURICATA TCPv4 invalid checksum
12/04 23:40:59 Name: SURICATA STREAM excessive retransmissions
12/04 23:40:31 Name: SURICATA STREAM pkt seen on wrong thread
12/04 23:12:56 Name: SURICATA Applayer Detect protocol only one direction

I will add more detail to bug #12739

1 Like
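The two posts above show the symptom from two angles: a raw Suricata fast.log line (`[1:2210059:1] SURICATA STREAM pkt seen on wrong thread`) and an IPS log full of `SURICATA ...` engine events with no rule hits at all. The following script is an added example, not code from the thread or from the IPFire project; it parses fast.log lines, separates Suricata's built-in engine events from hits on ruleset signatures, and flags the "only engine events, zero rule hits" pattern that is consistent with no rules being loaded. The regex assumes the standard fast.log layout, the engine-event test relies on the `SURICATA ` message prefix with gid 1 (an assumption), and all sample lines except the one quoted from the thread are constructed, including the SIDs 2299999 and 1000001.

```python
import re
from collections import Counter

# Standard Suricata fast.log line layout (assumption: default fast.log output).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_fast_log_line(line):
    """Return a dict of fields for one fast.log line, or None if it does not parse."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    return alert


def is_engine_event(alert):
    """Suricata's own decoder/stream/app-layer events (not ruleset signatures).

    Assumption: these always use gid 1 and a message starting with "SURICATA ".
    """
    return alert["gid"] == 1 and alert["msg"].startswith("SURICATA ")


def summarize(lines):
    """Count engine events and rule hits separately, keyed by (sid, message)."""
    engine_events = Counter()
    rule_hits = Counter()
    unparsed = 0
    for line in lines:
        alert = parse_fast_log_line(line)
        if alert is None:
            if line.strip():
                unparsed += 1
            continue
        key = (alert["sid"], alert["msg"])
        if is_engine_event(alert):
            engine_events[key] += 1
        else:
            rule_hits[key] += 1
    return {"engine_events": engine_events, "rule_hits": rule_hits, "unparsed": unparsed}


def looks_like_no_rules_loaded(summary):
    """True when the log holds only engine events and no ruleset hit at all.

    This is an indicator, not proof: confirm with Suricata's startup log, which
    reports how many rules were loaded.
    """
    return (sum(summary["rule_hits"].values()) == 0
            and sum(summary["engine_events"].values()) > 0)


# Constructed sample input. The first line is the one quoted in the thread;
# the SIDs 2299999 and 1000001 below are placeholders, not real signature ids.
SAMPLE_LINES = [
    "12/05/2021-08:16:33.852710  [**] [1:2210059:1] SURICATA STREAM pkt seen on wrong thread"
    " [**] [Classification: (null)] [Priority: 3] {TCP} x:x -> x:x",
    "12/05/2021-08:16:34.000001  [**] [1:2210059:1] SURICATA STREAM pkt seen on wrong thread"
    " [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:51000 -> 198.51.100.5:443",
    "12/05/2021-08:16:35.000002  [**] [1:2299999:1] SURICATA TCPv4 invalid checksum"
    " [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:51001 -> 198.51.100.5:443",
    "12/05/2021-08:16:36.000003  [**] [1:1000001:1] LOCAL constructed rule hit"
    " [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51002 -> 198.51.100.5:80",
    "this line is not a fast.log record",
]

# The first three sample lines alone reproduce the "engine events only" pattern.
ENGINE_ONLY_LINES = SAMPLE_LINES[:3]


if __name__ == "__main__":
    for name, lines in (("full sample", SAMPLE_LINES), ("engine only", ENGINE_ONLY_LINES)):
        s = summarize(lines)
        print(f"== {name}: unparsed={s['unparsed']}, no-rules indicator={looks_like_no_rules_loaded(s)}")
        for (sid, msg), n in sorted(s["engine_events"].items()):
            print(f"  engine  sid={sid} x{n}  {msg}")
        for (sid, msg), n in sorted(s["rule_hits"].items()):
            print(f"  rule    sid={sid} x{n}  {msg}")
```

Pointing `summarize()` at the lines of a real fast.log (for example `summarize(open("/var/log/suricata/fast.log"))`) gives a quick per-SID breakdown; a large count on 2210059 with an empty `rule_hits` section is exactly the picture described in the two posts above.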

Peter, I’ve recognized the commits to “Master branch”.
Has the “Testing” candidate also been upgraded in between?
Kind regards
Manfred

1 Like

Hi,

yes. To apply these changes to your testing installation, you unfortunately have to re-install Core Update 162:

echo 161 > /opt/pakfire/db/core/mine
pakfire update
pakfire upgrade

Afterwards, the IPS should be working fine and without emitting logspam again - at least it does so on my testing machine. :slight_smile:

Core Update 162 will be released shortly - we are currently trying to get some connectivity issues in a facility where the ARM builders are located resolved. As soon as things are fine there again, C162 will be released.

Thanks, and best regards,
Peter Müller

1 Like

Confirmed :slight_smile:
Thanks a lot!

1 Like