What's new

Suricata + "kernel: protocol 0800 is buggy, dev xxxx"

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

develox

Regular Contributor
Hi everyone,

I've read here in the forum quite a bit on the subject of people having the above error, and most have fixed it (those who succeeded) either by disabling various Guest Network or LAN access in Guest Networks, or disabling some QoS, disabling some IPv6, etc.

I myself have never seen this error before in my Asus RT-AC5300 (who has happily run Suricata for years too), and started to see it this week-end when I swapped it with an RT-AC86U, apparently configured exactly the same (GUI screen by GUI screen, same entware config files for the same installed packages with just the bare minimum differences due to the switch to the HND platform).

In my case, the single responsible seems to be suricata, meaning that the error starts appearing once Suricata completes its startup, and disappears when I stop Suricata. Anything else (like the above) in my case seems to be ineffective.

So my question is: does anyone running Suricata have succeeded in getting rid of this error message spamming in thousands per day the system log ? Or can anyone suggest any clue that I can try to succeed ?

I hope the only suggestion is not to factory reset the router as this would take a so-long time to reconfigure in my case that I would probably defer it to ... don't know when.

P.S. I've updated from 386.2_4 to 386.2_6 today in the hope ... but honestly the issue didn't seem to be related to anything mentioned in recent firmware release notes, and indeed this one didn't fix it neither.
 
Oh yes, I perhaps explained it bad: I meant to say that I visited each GUI screen and configured the AC86U the same as the AC5300 in terms of enabled/disabled features and params and the like. I'm conscious that under the hood the difference is much more than what the GUI (almost the same) shows.
 
I have Suricata running on 4-core x86 appliance with 4GB RAM. It needs processing power and RAM to run properly without affecting other services. I wouldn't run it on a router hardware, slower than RPi and with 512MB RAM only. Asuswrt AiProtection is the better option, optimized for routers.
 
I have Suricata running on 4-core x86 appliance with 4GB RAM. It needs processing power and RAM to run properly without affecting other services. I wouldn't run it on a router hardware, slower than RPi and with 512MB RAM only. Asuswrt AiProtection is the better option, optimized for routers.
Thanks for sharing @Tech9. Honestly, I've been running Suricata on the RT-AC5300 for years and the load average on the box (while running also Skynet and PixelSrv, with AiProtection enabled) has always been about 0.5, while the RAM has apparently never been an issue (though used almost all of it). Of course it runs only as an IDS, not IPS, but it's anyway quite informative on what goes on in the network, at no additional costs.
 
Probably, but for Suricata to inspect packages the traffic must be processed by the CPU and that means no hardware acceleration, or your router is not Gigabit capable anymore. Skynet may help only if you have open to Internet ports, otherwise it only show you graphs. Suricata in IDS does the same thing, extra processing for basically nothing. AiProtection is the one you need, good enough for home router. Paired with DNS filtering service is all you need.
 
Uhm ... not sure about Skynet does only graphs if you've no internet open ports: I see it blocking outgoing traffic all the time based on its rules and IP block lists (which something I appreciate as long as it does not interfere with legit traffic, something you can anyway tweak). I myself sometime use it as a quick way to add something I want to block outgoing.
As for Suricata, it's been some time the tool that showed traffic that required my attention, and once I make my opinion on it, where the Asus box can't arrive, the outer business firewall can.
Of course, as I said, AI Protection is enabled too.
And yes, my WAN is not gigabit anyway, rather, I've a quite miserable (by today standards) 20mbit but luckily working at full speed at least, so Suricata is not a bottleneck.
 
It's your choice what to run on your router, but as per thread posted above you're on your own with Suricata for Asuswrt-Merlin. The "protocol 0800 is buggy" message doesn't seem related. It's indeed reported after 386 firmware and Guest Network 1 use. I don't know if it's a problem or just debug message. I don't use Asus routers on my network, I only have few models to run test on.
 
Have been running Suricata for awhile now, only time I see that message is if I run a Guest network on #1
 

Attachments

  • Screen Shot 2021-06-07 at 11.09.56 AM.png
    Screen Shot 2021-06-07 at 11.09.56 AM.png
    479.4 KB · Views: 116
Have been running Suricata for awhile now, only time I see that message is if I run a Guest network on #1
Uhm, that's unfortunate for me, as I'm running only Guest Network #2. And even disabling it doesn't change much.
Can I ask you what GUI piece is that showing Suricata stats ? As for myself, I send logs to an Intel box where I run evebox to see them. Didn't know there was a native way inside the router itself.
 
Uhm, that's unfortunate for me, as I'm running only Guest Network #2. And even disabling it doesn't change much.
Can I ask you what GUI piece is that showing Suricata stats ? As for myself, I send logs to an Intel box where I run evebox to see them. Didn't know there was a native way inside the router itself.
I have installed Suricata onto my AX88U, where I get those stats
 
I have installed Suricata onto my AX88U, where I get those stats
Meaning you just installed suricata via entware with opkg install and you got the GUI as well ? At which page is located ? I can't find it in my install (done via entware/opkg)
 

Just run the installer, everything will be done for you, then click onto your add-on tab/ Suricata well be there
 
Oh thanks, I had missed it since I've never had any need to re-configure or change anything in Suricata.
Unfortunately, I've also tried to uninstall my current Suricata and re-install via this script (knowing that it would be installing the same entware package probably, but hoping in a config change that was effective for my problem) but it didn't change the result (though I appreciate the script and its overall result a lot).
 
Hi everyone,

I've read here in the forum quite a bit on the subject of people having the above error, and most have fixed it (those who succeeded) either by disabling various Guest Network or LAN access in Guest Networks, or disabling some QoS, disabling some IPv6, etc.

I myself have never seen this error before in my Asus RT-AC5300 (who has happily run Suricata for years too), and started to see it this week-end when I swapped it with an RT-AC86U, apparently configured exactly the same (GUI screen by GUI screen, same entware config files for the same installed packages with just the bare minimum differences due to the switch to the HND platform).

In my case, the single responsible seems to be suricata, meaning that the error starts appearing once Suricata completes its startup, and disappears when I stop Suricata. Anything else (like the above) in my case seems to be ineffective.

So my question is: does anyone running Suricata have succeeded in getting rid of this error message spamming in thousands per day the system log ? Or can anyone suggest any clue that I can try to succeed ?

I hope the only suggestion is not to factory reset the router as this would take a so-long time to reconfigure in my case that I would probably defer it to ... don't know when.

P.S. I've updated from 386.2_4 to 386.2_6 today in the hope ... but honestly the issue didn't seem to be related to anything mentioned in recent firmware release notes, and indeed this one didn't fix it neither.

Disable ALL Trend-micro related especially AI protection. I believe traditional QoS also caused issues.

Long story short, the suricata addon is not going to be maintained further since Entware dropped support. As @rgnldo noted, it's best to move Suricata to a dedicated box (Pi) or something similar.
 
I missed this info too, thanks for sharing. So I suppose I should re-think this function in my network.
 
Suppose the CPU and the memory of wifi routers were suitable for Suricata, we would still have the problem of analyzing support we would still have the problem of supporting package analysis by the kernel.
My suggestion would be to adapt Skynet, adding features for port controls and access via firewall.
 
My suggestion would be to adapt Skynet, adding features for port controls and access via firewall.

This is where we both would have liked it to have gone, as the IPS/IDS log can be read by Skynet for dynamic actions perhaps.
 
This is where we both would have liked it to have gone, as the IPS/IDS log can be read by Skynet for dynamic actions perhaps.
I refer to the graphical firewall solution as in Flexqos, selecting essential ports and services.
 
I refer to the graphical firewall solution as in Flexqos, selecting essential ports and services.

Yup - but for the "blocking" capability, QoS won't do right?
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top