Suricata won't start
-
Brand new pfSense box.
Dual Xeon 2660 (10 cores, 20 threads each)
32 GB RAM
I set up Suricata, but it won't start. The syslog says it's starting, but then nothing happens, and the Services tab says that it's not running.
Oct 11 19:11:10 php-fpm 407 Starting Suricata on LAN_SECURE_DEVICES(ix1) per user request...
Oct 11 19:11:10 php 10674 [Suricata] Updating rules configuration for: LAN_SECURE_DEVICES ...
Oct 11 19:11:10 php 10674 [Suricata] Enabling any flowbit-required rules for: LAN_SECURE_DEVICES...
Oct 11 19:11:10 php 10674 [Suricata] Building new sid-msg.map file for LAN_SECURE_DEVICES...
Oct 11 19:11:11 php 10674 [Suricata] Suricata START for LAN_Secure_Devices(ix1)...
I read online that if your pfSense box has more than 4 GB RAM then you might need to bump the memory allocated for "Stream Memory Cap" (default = 131,217,728 bytes). I've tried bumping that to double, quadruple, 16x. Nothing. Same outcome. Suricata won't start, and the syslog has the exact same content (and no error message).
Any ideas?
-
I made some progress.
- In Suricata global settings, I checked the box to copy Suricata messages to system log.
- Tried starting Suricata again. Checked system log and found this:
<Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_ix148355.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_ix148355.pid. Aborting!
- Did some googling, and everyone says to just hard kill that process. Diagnostics ==> Command Prompt ==> rm -f /var/run/suricata_ix148355.pid (or whatever your PID is in the error log)
- Increased Stream Memory Cap (Services ==> Suricata ==> Select Interface ==> Flow/Stream). I doubled it.
- Run Suricata. This time it started!
- Disabled copying Suricata messages to syslog.
It ran for a few minutes, and then died.
[102054] <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
[102054] <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
[102054] <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
- Bumped Stream Memory Cap to 4x default.
- Deleted the PID again.
- Restarted.
It appears stable... I'm not really confident the service will stay up, so I guess I have to watch it closely.
This feels like a lot of shenanigans to get a plugin running. I'm open to suggestions/feedback if there is a better or more stable way to get this running.
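A check to run before deleting the pid file named in the error, added here as an example and not part of this thread or of the pfSense Suricata package: it reads the PID from the file and removes the file only if no process with that PID still exists, so a live Suricata is never left with its pid file yanked out from under it. Assumptions: it is run as root from the pfSense shell (Diagnostics ==> Command Prompt), the path /var/run/suricata_ix148355.pid is the one from the error above, and the function is written to take any path so it can be exercised against a constructed file.

```shell
#!/bin/sh
# is_pid_alive PID -> exit 0 if a process with that PID exists, 1 otherwise.
# kill -0 sends no signal; it only asks the kernel whether the PID is there.
# As a non-root user it can also fail with EPERM for a live process owned by
# someone else, which is why this is assumed to run as root on pfSense.
is_pid_alive() {
    kill -0 "$1" 2>/dev/null
}

# check_pidfile FILE
#   Prints a verdict and returns:
#     0 = no pid file at that path (nothing to do)
#     1 = pid file was stale (process gone) and has been removed
#     2 = the process is still running; file left in place
#     3 = file contents are not a numeric PID; file left in place
#   Caveat: the kernel can reuse a PID, so "alive" means "some process has
#   that PID"; compare with ps if the result looks surprising.
check_pidfile() {
    pidfile="$1"
    if [ ! -f "$pidfile" ]; then
        echo "no pid file at $pidfile"
        return 0
    fi
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*)
            echo "$pidfile does not contain a numeric PID: '$pid'"
            return 3 ;;
    esac
    if is_pid_alive "$pid"; then
        echo "PID $pid from $pidfile is still running; not removing"
        return 2
    fi
    echo "PID $pid from $pidfile is gone; removing stale pid file"
    rm -f "$pidfile"
    return 1
}

# Usage: sh check_pidfile.sh /var/run/suricata_ix148355.pid
if [ $# -gt 0 ]; then
    check_pidfile "$1"
fi
```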
-
@spiceygas said in Suricata won't start:
exists but appears stale
Generally that happens if the process dies and the .pid file is left over.
FWIW we've set up Suricata on most of our clients' routers and not had problems getting it working. Granted they are Netgate hardware, and not 32 GB RAM.
-
It's been ~24 hours and it seems to still be running. I'll keep an eye on it, but I hope it's stable.
Just seems silly that the package defaults to such a low amount of memory that it can't auto-start. During my googling adventures, I found someone had posted a formula to calculate how much RAM you should allocate, and if that's accurate then I wonder why the devs didn't just compute that for you...
Anyways, I appreciate the response and I'm happy it's now working.