Suricata Uninstalled on Updates?

Lurick · Oct 3, 2023, 6:31 PM

After updating to today's build I saw the same thing, grabbed this from system.log
Nothing really stands out here but if there is another place to check let me know.

Oct 3 14:09:42 firewall SuricataStartup[27159]: Suricata STOP for LAN(46014_ix1)...
Oct 3 14:09:50 firewall php[25784]: /etc/rc.packages: Configuration Change: (system): Intermediate config write during package removal for suricata.
Oct 3 14:09:51 firewall php[25784]: [Suricata] Suricata package uninstall in progress...
Oct 3 14:09:53 firewall php[25784]: /etc/rc.packages: Configuration Change: (system): Removed cron job for /usr/local/pkg/suricata/suricata_check_for_rule_updates.php
Oct 3 14:09:54 firewall php[25784]: /etc/rc.packages: Configuration Change: (system): Removed cron job for /usr/local/pkg/suricata/suricata_check_cron_misc.inc
Oct 3 14:09:56 firewall php[25784]: /etc/rc.packages: Configuration Change: (system): Removed cron job for /usr/local/pkg/suricata/suricata_geoipupdate.php
Oct 3 14:09:57 firewall php[25784]: /etc/rc.packages: Configuration Change: (system): Suricata pkg removed Dashboard Alerts widget.
Oct 3 14:09:58 firewall php[25784]: [Suricata] Flushing all blocked hosts from <snort2c> table due to package removal...
Oct 3 14:09:58 firewall php[25784]: /etc/rc.packages: Configuration Change: (system): Removed the Suricata package.
Oct 3 14:09:58 firewall php[25784]: [Suricata] The package has been removed from this system, but the configuration settings were retained...
Oct 3 14:09:59 firewall php[91337]: /etc/rc.packages: Configuration Change: (system): Removed suricata package.
Oct 3 14:09:59 firewall pkg-static[25664]: pfSense-pkg-suricata-7.0.0_1 deinstalled
Oct 3 14:10:00 firewall pkg-static[25664]: suricata-7.0.0 deinstalled

SteveITS · Oct 3, 2023, 7:07 PM

@Lurick In general, if packages are left installed during an upgrade, my understanding is that it's normal for the upgrade process to uninstall and reinstall the packages, to get them current (on the right PHP version, etc.). It sounds like your issue is more that the upgrade process does not reinstall the package. Is there a later log entry for that attempt?

Lurick · Oct 3, 2023, 8:18 PM

@SteveITS That is correct, it does the uninstall but never the reinstall, I have to manually do that.
No later log entry until I went in to manually install via the GUI.

SteveITS · Oct 3, 2023, 8:47 PM

@Lurick Do other pfSense packages reinstall OK?

Lurick · Oct 4, 2023, 2:49 PM

@SteveITS Yes, all the rest I have installed come back just fine which is what I find most odd

SteveITS · Oct 4, 2023, 2:49 PM

@Lurick said in Suricata Uninstalled on Updates?:

@SteveITS Yes, all the rest I have installed come back just fine which is what I find most odd

@bmeeks may have some insight. We don't normally run dev versions.

bmeeks · Oct 4, 2023, 4:04 PM

@SteveITS said in Suricata Uninstalled on Updates?:

@bmeeks may have some insight. We don't normally run dev versions.

I have no clue. The Suricata package itself is not in charge of the automated removal nor the reinstall. It's up to pfSense to make the calls to the pkg utility to accomplish these tasks. I don't know what process is being used within pfSense to do this.

Lurick · Oct 6, 2023, 10:47 AM

@SteveITS or @bmeeks
Hmmm, any chance you might know of a good place to check for logs to see if I can narrow things down a bit?
It's a bit difficult when watching the VM console to get anything so wasn't sure if there might be a log file saved somewhere I'm missing.

bmeeks · Oct 6, 2023, 1:55 PM

Everything related to package removals and installs is logged in the pfSense system log so far as I am aware.

Lurick · Oct 9, 2023, 10:43 AM

@bmeeks Werid, yah basically what I posted earlier is all I see in the logs =/

Lurick · Oct 15, 2023, 10:28 AM

@bmeeks Is it possibly due to the fact that 7.0.0 Suricata isn't released and is still in preview or whatever it's called?
I know 6.0 was the latest available for 23.05 before I upgraded so just wondering.

bmeeks · Oct 15, 2023, 2:52 PM

@Lurick said in Suricata Uninstalled on Updates?:

@bmeeks Is it possibly due to the fact that 7.0.0 Suricata isn't released and is still in preview or whatever it's called?
I know 6.0 was the latest available for 23.05 before I upgraded so just wondering.

No, there would be no relation to Suricata 7.0.0 being available in the snapshots branch.

Lurick · Oct 15, 2023, 2:52 PM

@bmeeks Dang, I was hoping that might have something to do with it, kind of at a loss then. Still happening even with the beta branch now.

bmeeks · Oct 15, 2023, 5:58 PM

@Lurick said in Suricata Uninstalled on Updates?:

@bmeeks Dang, I was hoping that might have something to do with it, kind of at a loss then. Still happening even with the beta branch now.

I will test this today in my RELEASE virtual environment. I do not currently have a functioning DEVEL snapshots virtual environment, so I can't test there.

But if this were a widespread problem, I would expect to be seeing a ton of posts here about it.

bmeeks · Oct 15, 2023, 7:39 PM

@Lurick said in Suricata Uninstalled on Updates?:

@bmeeks Dang, I was hoping that might have something to do with it, kind of at a loss then. Still happening even with the beta branch now.

I just tested this on a 2.7.0 CE virtual machine and was unable to reproduce your stated issue. I installed, removed, and then reinstalled the Suricata 6.0.13 package and did not lose any of the previous configuration data.

Are you sure your GLOBAL SETTINGS tab has this option checked as shown below?
login-to-view

I do not currently have a functional DEVEL snapshot testing environment, so I can't test the 23.09 beta snapshots.

Lurick · Oct 15, 2023, 8:59 PM

@bmeeks Yah, keep settings is there so I can reinstall Suricata after updating between builds and it restores all the settings no issue there at least.

bmeeks · Oct 16, 2023, 3:36 PM

@Lurick said in Suricata Uninstalled on Updates?:

@bmeeks Yah, keep settings is there so I can reinstall Suricata after updating between builds and it restores all the settings no issue there at least.

Okay, maybe I'm confused or misunderstood your initial post. I thought you meant anytime you removed and reinstalled the package it lost the configuration. Your statement I quoted above contradicts that.

So do you mean that only when doing an update to pfSense itself you lose the configuration? If so, describe exactly what you mean by "losing the configuration". Do all the Suricata interfaces disappear? Or do you really mean Suricata is not appearing under the SERVICES menu? If the latter, that simply means the reinstall is either not happening, is not finished, or started and bailed out. I would expect something to be logged in the pfSense system log in any of those events.

Never mind -- went back and read the whole thread again and realized I confused this one with something else. I have no idea why pfSense is removing the package and then failing to reinstall.

The only possibility is it needs more time. How long have you waited to see if it would do anything on its own?

Lurick · Oct 16, 2023, 3:36 PM

@bmeeks Good point, I've only waited a couple minutes after the GUI came back.
I'll give it about 10 minutes next time and see if anything happens :)

Lurick · Oct 16, 2023, 4:21 PM

Waited 30 minutes after upgrade today and still no install :(

SteveITS · Oct 16, 2023, 4:29 PM

@Lurick I don't know if this is helpful but if WAN wasn't connected, or IPv6, or DNS, or something, the package (re)install might try and fail. Though, I'd think that would affect all packages.

Usually I follow the upgrade guide and uninstall at least "big" packages like Suricata and pfBlocker, though I leave things like OpenVPN export or System Patches for the system to reinstall.

Have you upgraded to the 23.09 beta that was released this weekend?