
IDS (Suricata) Will Not Startup

Open skypilot65 opened this issue 7 months ago • 10 comments

The IDS startup fails after 30-45 seconds with the following error.

2025-05-16T15:58:56 | Error | suricata | [100455] <Error> -- Just ran out of space in the queue. Please file a bug report on this

I have tried repeatedly from both the dashboard to restart and "Services > Intrusion Detection > Admin" without success.

To Reproduce

Steps to reproduce the behavior:

  1. Go to "Lobby > Dashboard" or "Services > Intrusion Detection > Admin"
  2. Click on the IDS Right Arrow Icon to start it up
  3. Wait 30-45 seconds for it to fail
  4. Go to "Services > Intrusion Detection > Log File" to see the error

Expected behavior

For it to remain started

Describe alternatives you considered

None


Relevant log files

2025-05-16T15:58:56 Error suricata [100455] <Error> -- Just ran out of space in the queue. Please file a bug report on this
2025-05-16T15:58:40 Warning suricata [100455] <Warning> -- flowbit 'ET.BunnyLoader.Heartbeat' is checked but not set. Checked in 2048403 and 0 other sigs
2025-05-16T15:58:40 Warning suricata [100455] <Warning> -- flowbit 'ET.BunnyLoader.Checkin' is checked but not set. Checked in 2048398 and 0 other sigs
2025-05-16T15:58:40 Warning suricata [100455] <Warning> -- flowbit 'ET.IIS-Raid.PING' is checked but not set. Checked in 2046175 and 0 other sigs
2025-05-16T15:58:02 Notice suricata [101022] <Notice> -- This is Suricata version 7.0.10 RELEASE running in SYSTEM mode
2025-05-16T15:55:59 Error suricata [100461] <Error> -- Just ran out of space in the queue. Please file a bug report on this
2025-05-16T15:55:43 Warning suricata [100461] <Warning> -- flowbit 'ET.BunnyLoader.Heartbeat' is checked but not set. Checked in 2048403 and 0 other sigs
2025-05-16T15:55:43 Warning suricata [100461] <Warning> -- flowbit 'ET.BunnyLoader.Checkin' is checked but not set. Checked in 2048398 and 0 other sigs
2025-05-16T15:55:43 Warning suricata [100461] <Warning> -- flowbit 'ET.IIS-Raid.PING' is checked but not set. Checked in 2046175 and 0 other sigs
2025-05-16T15:55:04 Notice suricata [100467] <Notice> -- This is Suricata version 7.0.10 RELEASE running in SYSTEM mode
2025-05-16T15:51:03 Error suricata [100636] <Error> -- Just ran out of space in the queue. Please file a bug report on this
2025-05-16T15:50:47 Warning suricata [100636] <Warning> -- flowbit 'ET.BunnyLoader.Heartbeat' is checked but not set. Checked in 2048403 and 0 other sigs
2025-05-16T15:50:47 Warning suricata [100636] <Warning> -- flowbit 'ET.BunnyLoader.Checkin' is checked but not set. Checked in 2048398 and 0 other sigs
2025-05-16T15:50:47 Warning suricata [100636] <Warning> -- flowbit 'ET.IIS-Raid.PING' is checked but not set. Checked in 2046175 and 0 other sigs
2025-05-16T15:50:11 Notice suricata [100786] <Notice> -- This is Suricata version 7.0.10 RELEASE running in SYSTEM mode
2025-05-16T15:49:04 Error suricata [100440] <Error> -- Just ran out of space in the queue. Please file a bug report on this
2025-05-16T15:48:48 Warning suricata [100440] <Warning> -- flowbit 'ET.BunnyLoader.Heartbeat' is checked but not set. Checked in 2048403 and 0 other sigs
2025-05-16T15:48:48 Warning suricata [100440] <Warning> -- flowbit 'ET.BunnyLoader.Checkin' is checked but not set. Checked in 2048398 and 0 other sigs
2025-05-16T15:48:48 Warning suricata [100440] <Warning> -- flowbit 'ET.IIS-Raid.PING' is checked but not set. Checked in 2046175 and 0 other sigs
2025-05-16T15:48:11 Notice suricata [100440] <Notice> -- rule reload starting
2025-04-23T17:59:29 Notice suricata [100440] <Notice> -- rule reload complete
2025-04-23T17:58:58 Warning suricata [100440] <Warning> -- flowbit 'ET.BunnyLoader.Heartbeat' is checked but not set. Checked in 2048403 and 0 other sigs
2025-04-23T17:58:58 Warning suricata [100440] <Warning> -- flowbit 'ET.BunnyLoader.Checkin' is checked but not set. Checked in 2048398 and 0 other sigs
2025-04-23T17:58:58 Warning suricata [100440] <Warning> -- flowbit 'ET.IIS-Raid.PING' is checked but not set. Checked in 2046175 and 0 other sigs
2025-04-23T17:58:22 Notice suricata [100440] <Notice> -- rule reload starting
2025-04-23T17:51:31 Notice suricata [100440] <Notice> -- Threads created -> W: 8 FM: 1 FR: 1 Engine started.
2025-04-23T17:50:27 Notice suricata [100904] <Notice> -- This is Suricata version 7.0.10 RELEASE running in SYSTEM mode
2025-04-23T17:46:52 Notice suricata [100476] <Notice> -- Signal Received. Stopping engine.
2025-04-23T17:44:58 Notice suricata [100476] <Notice> -- Threads created -> W: 8 FM: 1 FR: 1 Engine started.
2025-04-23T17:43:58 Notice suricata [100449] <Notice> -- This is Suricata version 7.0.8 RELEASE running in SYSTEM mode
2025-04-23T17:42:25 Notice suricata [100886] <Notice> -- Signal Received. Stopping engine.
2025-04-23T17:38:13 Notice suricata [100886] <Notice> -- Threads created -> W: 8 FM: 1 FR: 1 Engine started.
2025-04-23T17:37:13 Notice suricata [100445] <Notice> -- This is Suricata version 7.0.7 RELEASE running in SYSTEM mode
2025-04-23T17:32:46 Notice suricata [100447] <Notice> -- Signal Received. Stopping engine.
2025-03-22T18:25:30 Notice suricata [100447] <Notice> -- rule reload complete
2025-03-22T18:24:28 Notice suricata [100447] <Notice> -- rule reload starting
2025-03-21T02:05:29 Notice suricata [100447] <Notice> -- rule reload complete
2025-03-21T02:04:27 Notice suricata [100447] <Notice> -- rule reload starting
2024-11-18T20:42:44 Notice suricata [100447] <Notice> -- Threads created -> W: 8 FM: 1 FR: 1 Engine started.
2024-11-18T20:42:27 Warning suricata [100447] <Warning> -- flowbit 'ET.ZenRATUpdate' is checked but not set. Checked in 2047762 and 0 other sigs
2024-11-18T20:42:27 Warning suricata [100447] <Warning> -- flowbit 'ET.ZenRATStatus' is checked but not set. Checked in 2047757 and 0 other sigs
2024-11-18T20:42:27 Warning suricata [100447] <Warning> -- flowbit 'ET.ZenRATPing' is checked but not set. Checked in 2047755 and 0 other sigs
2024-11-18T20:41:55 Notice suricata [100660] <Notice> -- This is Suricata version 7.0.6 RELEASE running in SYSTEM mode

Additional context

None

Environment

Software version used and hardware type if relevant, e.g.:

OPNsense Business Edition 25.4 (amd64)
FreeBSD: 14.2-RELEASE-p2
OpenSSL: 3.0.16
Running on a DEC 3862 Device

skypilot65 avatar May 17 '25 21:05 skypilot65
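Added example (not part of the original report, and not OPNsense or Suricata code): a small Python parser for the log format posted above that pairs each "This is Suricata version" banner with what happened next, so the time to failure and the last run that reached "Engine started" can be read off directly. `SAMPLE_LOG` is an excerpt of the log in this issue; the function names and the two-failure threshold are assumptions of the example.

```python
import re
from datetime import datetime

# Excerpt of the log posted in this issue (newest entry first, as the GUI shows it).
SAMPLE_LOG = """\
2025-05-16T15:58:56 Error suricata [100455] <Error> -- Just ran out of space in the queue. Please file a bug report on this
2025-05-16T15:58:02 Notice suricata [101022] <Notice> -- This is Suricata version 7.0.10 RELEASE running in SYSTEM mode
2025-05-16T15:55:59 Error suricata [100461] <Error> -- Just ran out of space in the queue. Please file a bug report on this
2025-05-16T15:55:04 Notice suricata [100467] <Notice> -- This is Suricata version 7.0.10 RELEASE running in SYSTEM mode
2025-05-16T15:49:04 Error suricata [100440] <Error> -- Just ran out of space in the queue. Please file a bug report on this
2025-04-23T17:51:31 Notice suricata [100440] <Notice> -- Threads created -> W: 8 FM: 1 FR: 1 Engine started.
2025-04-23T17:50:27 Notice suricata [100904] <Notice> -- This is Suricata version 7.0.10 RELEASE running in SYSTEM mode
"""
# Accepts both layouts seen in this thread: space-separated and "|"-separated columns,
# with or without a UTC offset after the seconds.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\S*[\s|]+\w+[\s|]+suricata[\s|]+"
    r"\[\d+\]\s+<\w+>\s+--\s+(?P<msg>.*)$")
BANNER_RE = re.compile(r"This is Suricata version (\S+)")
QUEUE_ERR = "Just ran out of space in the queue"

def summarize_runs(log_text):
    """One dict per engine start: version, whether it came up, seconds until the queue error."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # anything that is not a Suricata log entry is skipped
            events.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["msg"]))
    events.sort(key=lambda e: e[0])  # oldest first, whatever order the input had
    runs, current = [], None
    for ts, msg in events:
        banner = BANNER_RE.search(msg)
        if banner:
            current = {"version": banner.group(1), "start": ts,
                       "engine_started": False, "failed_after_s": None}
            runs.append(current)
        elif current is None:
            continue  # entry belongs to a run whose banner is outside the excerpt
        elif "Engine started" in msg:
            current["engine_started"] = True
        elif QUEUE_ERR in msg and current["failed_after_s"] is None:
            current["failed_after_s"] = int((ts - current["start"]).total_seconds())
    return runs

def crash_loop(runs, min_failures=2):
    """True when the most recent runs all hit the queue error before 'Engine started'."""
    recent = runs[-min_failures:]
    return len(recent) == min_failures and all(
        r["failed_after_s"] is not None and not r["engine_started"] for r in recent)
```

On the excerpt, the run started on 2025-04-23 came up and only hit the error weeks later, while the two restarts on 2025-05-16 each died under a minute after the banner without ever reporting "Engine started".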

Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.

OPNsense-bot avatar May 17 '25 22:05 OPNsense-bot

The number of installed rules might play a role here (https://redmine.openinfosecfoundation.org/issues/1603). Am I reading the log right that you have over 2 million rules installed? In some cases a different pattern matcher might help (hyperscan)

AdSchellevis avatar May 18 '25 08:05 AdSchellevis

> The number of installed rules might play a role here (https://redmine.openinfosecfoundation.org/issues/1603). Am I reading the log right that you have over 2 million rules installed? In some cases a different pattern matcher might help (hyperscan)

I have about 228,750 rules according to the entries count (some are enabled, some are not), these entries are from clicking the "Download & Update" button on the "Download" tab. I did a lot more digging around and as a newbie it appears I created 500 "User Defined" rules somehow, no clue how? Since I could not delete the rules in mass (developer hint: give us a way to do mass deletions), I decided to do a factory reset. I created a backup config file, edited the config file to remove those 500 user defined rules. After the factory reset, I restored the edited config file and set the "Pattern Matcher" to "Hyperscan". The system has been up and running now for over 2.5 hours and the IDS has not shut down.

skypilot65 avatar May 18 '25 19:05 skypilot65

I am facing the same issue since 2025-05-18

Same issue in the log:

2025-05-22T10:30:04 | Error | suricata | [101184] <Error> -- Just ran out of space in the queue. Please file a bug report on this
2025-05-22T10:29:36 | Error | suricata | [300723] <Error> -- Just ran out of space in the queue. Please file a bug report on this
2025-05-22T10:28:09 | Error | suricata | [101174] <Error> -- Just ran out of space in the queue. Please file a bug report on this
2025-05-22T10:26:26 | Error | suricata | [102731] <Error> -- Just ran out of space in the queue. Please file a bug report on this
2025-05-22T10:22:45 | Error | suricata | [101164] <Error> -- Just ran out of space in the queue. Please file a bug report on this
2025-05-18T04:00:59 | Error | suricata | [101132] <Error> -- Just ran out of space in the queue. Please file a bug report on this

I have no custom rules, only 2689 rule adjustments and 209811 Rule Entries, but not all are active.

How can I help in debugging this or fix it on my end?

Denton22 avatar May 22 '25 08:05 Denton22

Ok so simply changing the Pattern Matching to "hyperscan" fixed the issue.... There seems to be a bug in the "Default" Pattern Matcher

Denton22 avatar May 22 '25 08:05 Denton22

This does not fix this bug as now nothing seems to be matched anymore. Something broke during the latest updates, where are the suricata logs so I can check the last version that worked? UPDATE: I now checked my logs and it looks like suricata started to crash after 16/4, will say after the 25.1.5 release

wwebers avatar Jun 01 '25 11:06 wwebers

I am having this issue now as well. I was on 25.1.2 and still had the issue. I just upgraded to 25.1.7 and am still having this issue.

I changed the scanner to Hyperscan, will see if I start to get any detections. But this is an issue.

For what it's worth I am bare metal, running on an N100 CPU w/ 16GB and tons of free space (256gb ssd).

This just started happening back around April/May I think.

wangel avatar Jun 09 '25 12:06 wangel

Same here. Running OPNsense 25.1.7_4-amd64 and have 210943 entries in 'Rules' tab.

SalaryTheft avatar Jun 12 '25 02:06 SalaryTheft

Same issue - Error message in log file: Just ran out of space in the queue. Please file a bug report on this.

OPNsense 25.1.8_1-amd64 on a fanless mini pc.

From the log:

2025-06-13T09:25:43-07:00 Error suricata [100259] <Error> -- Just ran out of space in the queue. Please file a bug report on this
2025-06-13T09:24:02-07:00 Error suricata [101507] <Error> -- Just ran out of space in the queue. Please file a bug report on this
2025-06-13T09:23:14-07:00 Error suricata [101615] <Error> -- error parsing signature "alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"check.cybaf.icu"; depth:15; fast_pattern; isdataat:!1,relative; no" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 50567
2025-06-13T09:23:14-07:00 Error suricata [101615] <Error> -- no terminating ";" found
2025-06-13T09:21:18-07:00 Error suricata [101351] <Error> -- Just ran out of space in the queue. Please file a bug report on this
2025-06-13T09:20:01-07:00 Warning suricata [101351] <Warning> -- 1 rule files specified, but no rules were loaded!
2025-06-13T09:17:15-07:00 Warning suricata [101351] <Warning> -- 1 rule files specified, but no rules were loaded!

brownralph avatar Jun 13 '25 16:06 brownralph

Update, I made an edit to the Settings > Advanced section - Pattern matcher - change to Hyperscan

Seems to be working for now.

brownralph avatar Jun 13 '25 16:06 brownralph

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot avatar Nov 13 '25 21:11 OPNsense-bot