Suricata does not start the interface
-
I am new to pfSense. I installed it on a test server at home (overkill) and I could not get Suricata to run. I read through multiple posts here, on Reddit and on other random sites that state I need to increase the Flow/Stream "Stream Memory Cap". I tried both increasing it and decreasing it and nothing seems to work. I uninstalled the package and reinstalled it and it didn't work either.
The interface starts when I first create it, and then it stops a few seconds later. Then I cannot restart it at all.
I followed instructions by Lawrence Systems at: https://www.youtube.com/watch?v=KRlbkG9Bh6I
Because I do not have suitable hardware for pfSense currently, I am running this on over-the-top hardware that is lying around in my house:
- HP G7
- 32 GB of RAM
- 2 Intel Xeon E5620 @ 2.40 GHz
I am not sure if I can run pfSense on a VM, so I decided to install just pfSense on the server. I know this is overkill and a waste of power, but the server is not doing anything at the moment.
Someone mentioned that the 32 GB of RAM may be the reason why I cannot get Suricata up and running. People talk about log files, but I don't even know where to pull the log files from.
Any help would be appreciated.
Thank you.
Found the log file and this is what I get:
24/11/2019 -- 12:08:13 - <Notice> -- This is Suricata version 4.1.5 RELEASE
24/11/2019 -- 12:08:13 - <Info> -- CPUs/cores online: 16
24/11/2019 -- 12:08:13 - <Info> -- HTTP memcap: 67108864
24/11/2019 -- 12:08:14 - <Notice> -- using flow hash instead of active packets
24/11/2019 -- 12:08:14 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_bce11963.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_bce11963.pid. Aborting! -
Finally, I found the solution to my own problem. I am posting this here for others.
Deleting the pid file and increasing the memory did not work. Instead, I deleted the interface and increased the Flow Memory Cap on the newly created interface to the maximum I have, which is 33554432 bytes = 32 GB. For some reason, any value lower than that will not work. This makes no sense... However, at least it works now. I read somewhere that it can be calculated as per: https://forum.netgate.com/topic/84756/suricata-issues/3
@mssca said in Suricata does not start the interface:
Finally, I found the solution to my own problem. I am posting this here for others.
Deleting the pid file and increasing the memory did not work. Instead, I deleted the interface and increased the Flow Memory Cap on the newly created interface to the maximum I have, which is 33554432 bytes = 32 GB. For some reason, any value lower than that will not work. This makes no sense... However, at least it works now. I read somewhere that it can be calculated as per: https://forum.netgate.com/topic/84756/suricata-issues/3
This is wrong, you said Flow Memory Cap... This is incorrect, you must change the "Stream Memory Cap" value.
I have over 65 GB of memory installed in my server and I had the same issue as above with Suricata not starting.
I had to use a value of "65435000000" in the Stream Memory Cap input to get it to work.
NOTE: every time you change this value in Stream Memory Cap you DO need to delete the interface and re-add it again, then immediately change the SMC value and then try to restart Suricata. The changes to the Stream Memory Cap field will not take effect unless you delete the interface first and then re-add it; if you don't, Suricata will not start with your newly entered SMC value...
I thought I'd add to this for those in the future that build a pfSense box out of an old server with a ton of memory and dual Xeon processors.
Attached are pics of my setup, and Suricata now works on it.
-
@fox95 said in Suricata does not start the interface:
@mssca said in Suricata does not start the interface:
Finally, I found the solution to my own problem. I am posting this here for others.
Deleting the pid file and increasing the memory did not work. Instead, I deleted the interface and increased the Flow Memory Cap on the newly created interface to the maximum I have, which is 33554432 bytes = 32 GB. For some reason, any value lower than that will not work. This makes no sense... However, at least it works now. I read somewhere that it can be calculated as per: https://forum.netgate.com/topic/84756/suricata-issues/3
This is wrong, you said Flow Memory Cap... This is incorrect, you must change the "Stream Memory Cap" value.
I have over 65 GB of memory installed in my server and I had the same issue as above with Suricata not starting.
I had to use a value of "65435000000" in the Stream Memory Cap input to get it to work.
NOTE: every time you change this value in Stream Memory Cap you DO need to delete the interface and re-add it again, then immediately change the SMC value and then try to restart Suricata. The changes to the Stream Memory Cap field will not take effect unless you delete the interface first and then re-add it; if you don't, Suricata will not start with your newly entered SMC value...
I thought I'd add to this for those in the future that build a pfSense box out of an old server with a ton of memory and dual Xeon processors.
Attached are pics of my setup, and Suricata now works on it.
The reason you need such a large stream memcap value is because of the large number of CPUs (40 CPUs according to your screenshot). When you have outsized hardware configurations, the default Suricata settings are seldom going to be correct.
-
@bmeeks I understand this, but arriving at the necessary value is a bit of a twisted path when reading other threads. Some say to use a formula to determine the value, some say to keep increasing it 4 MB at a time until it works (this type of trial and error takes forever with 65 GB of RAM if starting at the default value in pfSense...), some say to just add a 0 to the end of the existing value (didn't work), some say to delete some files (didn't work).
But what does work is deleting the interface each time you want to make a change to the value, because if you don't, whatever new value you enter makes no difference. This was the original poster's best advice.
Anyway, jumping straight to the max value of my installed RAM seemed to do the trick, and hopefully this helps someone in the future who searches and finds this thread.
BTW, for reference I'm using an older (2014) Lenovo RD540 server with 7 physical Ethernet ports, dual Xeon CPUs and a ton of RAM. It's outdated for server use, but I felt re-purposing it for pfSense made sense... it's very adequate and then some. For sure better than tossing it in the bin or selling it off on eBay for $50.
-
@fox95 said in Suricata does not start the interface:
But what does work is deleting the interface each time you want to make a change to the value, because if you don't, whatever new value you enter makes no difference. This was the original poster's best advice.
You should not have to delete the interface. I suspect what is actually happening is the stale PID file is preventing Suricata from starting with the new stream memcap value.
Each time Suricata tries to start, the daemon creates a PID file in /var/run/ on pfSense. But due to the stream memcap error, the startup of the daemon is aborted and it fails to clean up after itself (leaving the now "stale" PID file). Simply go delete that file and it should start fine (once you get it happy with the stream memcap value).
Notice the original error the OP posted about:
24/11/2019 -- 12:08:14 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_bce11963.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_bce11963.pid. Aborting!
It is complaining about the leftover PID file. Simply deleting that referenced file will let it start. The reason deleting the interface appears to work is that each time an interface is created, a new UUID is also created. So that 11963 number that is part of the file name will change when a new interface is created, and therefore the daemon will not detect an "existing" file matching the new UUID.
-
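The stale-PID-file check described in the reply above, written out as an added example (not code from the thread, pfSense or Suricata). It reads the PID recorded in a `suricata_<uuid>.pid` file and uses `kill -0`, which sends no signal and only tests whether that process still exists, to decide whether the file is live or stale before anything is removed; a live Suricata is never touched. The file names and the temporary directory used in `demo` are constructed for the example; on pfSense the real files live under /var/run/ and the check must run as root, since `kill -0` also fails on a process you are not allowed to signal.

```sh
#!/bin/sh
# Added example: classify and clean up Suricata PID files the way the
# reply above describes. Not from the forum thread or the pfSense package.

# pidfile_state FILE
# Prints one of: absent | live | stale | invalid. Always returns 0.
pidfile_state() {
    pidfile="$1"
    if [ ! -f "$pidfile" ]; then
        echo absent
        return 0
    fi
    pid=$(tr -d '[:space:]' < "$pidfile")
    case "$pid" in
        ''|*[!0-9]*)
            # Empty or non-numeric content is not a PID at all.
            echo invalid
            return 0
            ;;
    esac
    # kill -0 delivers no signal; it succeeds only if the process exists
    # and we may signal it. Run as root so permission failures cannot be
    # mistaken for a dead process.
    if kill -0 "$pid" 2>/dev/null; then
        echo live
    else
        echo stale
    fi
}

# clean_stale_pidfile FILE
# Removes the file only when it is verifiably stale or invalid; a file
# that names a running process (a live Suricata) is left alone.
clean_stale_pidfile() {
    pidfile="$1"
    state=$(pidfile_state "$pidfile")
    if [ "$state" = stale ] || [ "$state" = invalid ]; then
        rm -f "$pidfile"
        echo "removed $pidfile ($state)"
    else
        echo "kept $pidfile ($state)"
    fi
}

# demo: constructed PID files in a temp dir (real path on pfSense: /var/run/).
# The UUID-like suffixes below are made up for the demonstration.
demo() {
    tmp=$(mktemp -d)
    # Our own shell's PID -> "live", so the file is kept.
    echo $$ > "$tmp/suricata_1111aaaa.pid"
    # Spawn and reap a short-lived process, then record its PID -> "stale".
    sleep 0 &
    gone=$!
    wait "$gone"
    echo "$gone" > "$tmp/suricata_2222bbbb.pid"
    clean_stale_pidfile "$tmp/suricata_1111aaaa.pid"
    clean_stale_pidfile "$tmp/suricata_2222bbbb.pid"
    rm -rf "$tmp"
}

demo
```

Running the script prints `kept .../suricata_1111aaaa.pid (live)` followed by `removed .../suricata_2222bbbb.pid (stale)`. Pointing `clean_stale_pidfile` at the actual /var/run/suricata_<uuid>.pid named in the error message is the safe form of the "just delete the PID file" advice: it confirms no Suricata instance is still running under that PID before the file goes away, so the interface does not need to be deleted and re-created to get a fresh UUID.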