Suricata - interface show the service as stopped after sometime.
-
@tchadrack said in Suricata - interface show the service as stopped after sometime.:
@bmeeks Okay, i've done it. I will return later with more information about what happened. Thank you
Okay. Also, I did not see it in your process list captures, but make sure you are NOT using the Service Watchdog package to monitor Suricata. That package is not compatible with either Suricata or Snort.
-
root 78291 0.0 4.8 765872 291224 - Ss 17:00 6:31.07 /usr/local/bin/suricata -i pppoe0
root 86453 0.0 5.3 872748 325348 - Ss 17:00 6:37.23 /usr/local/bin/suricata -i re0 -D
Up to now the web interface is showing the suricata service as up and running (pid files present in /var/run)
Watchdog is running, but not enabled for suricata
-
@tchadrack said in Suricata - interface show the service as stopped after sometime.:
root 78291 0.0 4.8 765872 291224 - Ss 17:00 6:31.07 /usr/local/bin/suricata -i pppoe0
root 86453 0.0 5.3 872748 325348 - Ss 17:00 6:37.23 /usr/local/bin/suricata -i re0 -D
Up to now the web interface is showing the suricata service as up and running (pid files present in /var/run)
Watchdog is running, but not enabled for suricata
Okay. I think I may know what could be happening. I notice you appear to have stats collection enabled based on the log entries I saw in the suricata.log snippet you posted. I'm suspecting your instance is either taking a long time to shut down (due to collecting and printing the stats summary) or it is not actually fully shutting down during the rules update. But the PHP function that restarts Suricata after a rule update does unconditionally delete the PID file when stopping the binary to be sure the subsequent restart will succeed. I think I may need to make that code "smarter" so that it does more thorough checks before deleting the PID.

The change I had you make skips restarting the binary on rules updates. It instructs Suricata to reload the rules while still running. That way the PID file is not deleted. The only downside to that is a temporary increase in RAM consumption while the rules swap is happening. That can be a problem only with installs that have limited RAM.
-
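The posts above describe two behaviours of the pfSense Suricata package: the PHP restart routine removing the PID file unconditionally on stop, and the live rule swap that reloads rules in the running process so the PID file is never touched. The sketch below is an added example written for this thread, not the package's own PHP code. It shows the "smarter" stop check in POSIX shell (remove the PID file only once the process is confirmed gone, retry the shutdown once for the case where the binary ignores the first request) next to a live reload that signals the running daemon. The PID file path is a placeholder; Suricata's reaction to SIGUSR2 (re-read the rule files) is upstream-documented behaviour, everything else is this example's own design.

```shell
#!/bin/sh
# Added example, not code from the pfSense Suricata package.
# Assumed layout: one PID file per interface under /var/run, e.g.
#   /var/run/suricata_<iface>.pid   (placeholder name, not the package's real one)

# Return 0 if the PID in $1 belongs to a live process, 1 otherwise.
pid_alive() {
    kill -0 "$1" 2>/dev/null
}

# stop_by_pidfile PIDFILE [TIMEOUT_SECONDS]
# Sends SIGTERM, waits up to TIMEOUT_SECONDS for the process to exit, and
# repeats the shutdown request once (the "two cycles" case from the thread).
# The PID file is deleted only when the process is confirmed gone or the
# file was already stale (no such process), never unconditionally.
# Exit status: 0 = stopped (PID file removed), 1 = still running (PID file
# kept so the web UI keeps reporting the truth), 2 = unusable PID file.
stop_by_pidfile() {
    pidfile=$1
    timeout=${2:-10}
    [ -f "$pidfile" ] || return 0             # nothing to stop
    pid=$(cat "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) echo "$pidfile: does not contain a PID" >&2; return 2 ;;
    esac
    if ! pid_alive "$pid"; then               # stale file left by a crash
        rm -f "$pidfile"
        return 0
    fi
    attempt=1
    while [ "$attempt" -le 2 ]; do
        kill -TERM "$pid" 2>/dev/null
        waited=0
        while [ "$waited" -lt "$timeout" ]; do
            if ! pid_alive "$pid"; then
                rm -f "$pidfile"              # process is really gone
                return 0
            fi
            sleep 1
            waited=$((waited + 1))
        done
        attempt=$((attempt + 1))
    done
    return 1                                  # caller decides: log, alert, escalate
}

# reload_rules_by_pidfile PIDFILE
# Live rule swap: Suricata re-reads its rule files on SIGUSR2, so the daemon
# keeps running and the PID file is left alone.
reload_rules_by_pidfile() {
    pidfile=$1
    [ -f "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    pid_alive "$pid" || return 1
    kill -USR2 "$pid"
}

# Usage (placeholder path):
#   stop_by_pidfile /var/run/suricata_re0.pid 15 || echo "suricata still running"
#   reload_rules_by_pidfile /var/run/suricata_re0.pid
```

With this shape the web interface only sees a missing PID file when the daemon has actually exited; a process that survives two shutdown requests keeps its PID file and the failure surfaces as a non-zero return instead of a silent "stopped" status.
-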
@bmeeks Ok, thank you.
-
@tchadrack said in Suricata - interface show the service as stopped after sometime.:
@bmeeks Ok, thank you.
I also recall, quite some time back, maybe around the time Suricata upstream was still in the 2.x or 3.x version branch, that sometimes the binary would not respond to the first "shutdown" command issued. It would sometimes take two cycles of issuing shutdown to the process to get Suricata to honor the request. Perhaps that is happening here again in this particular instance. The one thing you appear to have enabled that is not normally enabled by the majority of users is the stats collection option. That may figure in here.
I will try and replicate this in my test virtual machine environment. I don't normally test with stats collection enabled, so I need to specifically test with that option enabled.
-
@tchadrack:
I was not able to replicate the exact behavior you are seeing, but I did find some potential edge-case scenarios where the PID file might get deleted prematurely. I've submitted Pull Requests to address some issues in the package and also clean up the Suricata binary startup and shutdown scripts. Look for a new 7.0.8_1 Suricata package version to appear in the near future containing these improvements.
The Pull Requests are waiting on the Netgate developer team to review and merge them into the pfSense branches for CE, DEVEL, and Plus. Here is the PR for the current CE Release: https://github.com/pfsense/FreeBSD-ports/pull/1404.
-
@bmeeks Just updated to 7.0.8_1. Thanks!
-
@btspce said in Suricata - interface show the service as stopped after sometime.:
@bmeeks Just updated to 7.0.8_1. Thanks!
I am cautiously optimistic this update helps with your issue. But since I could not directly reproduce the problem in my test environment, I had to proceed with a bit of a guess as to what the cause and fix might be.
Please post back here later with an update.
-
@bmeeks Using the "Live Rule Swap on Update" option checked resolves the problem. Suricata worked for several days with no issue.
I updated to the new version of Suricata and unchecked "Live Rule Swap on Update" to test and see what would happen.
Unfortunately, the problem continues, so I am still using Live Rule Swap on Update, which is working very well.
-
Thermal Sensors
Zone 1: 29.9 °C
Zone 0: 27.9 °C
Name ..**
User admin@192.168..** (Local Database)
System pfSense
Netgate Device ID: ******************
BIOS Vendor: American Megatrends Inc.
Version: F2
Release Date: Mon Oct 7 2013
Version 2.7.2-RELEASE (amd64)
built on Fri Dec 8 17:55:00 -03 2023
FreeBSD 14.0-CURRENT
The system is on the latest version.
Version information updated at Sat Feb 1 9:35:25 -03 2025
CPU Type Intel(R) Pentium(R) CPU G3220 @ 3.00GHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: No
QAT Crypto: No
Hardware crypto Inactive
Kernel PTI Enabled
MDS Mitigation Inactive
Uptime 1 Day 03 Hours 20 Minutes 04 Seconds
Current date/time Sat Feb 1 9:44:46 -03 2025
DNS server(s) 8.8.8.8, 8.8.4.4
Last config change Sat Feb 1 9:05:02 -03 2025
State table size 0% (222/1000000) Show states
MBUF Usage 5% (18856/371768)
Temperature 27.9°C
Load average 0.47, 0.48, 0.42
CPU usage 4%
Memory usage 53% of 5980 MiB
SWAP usage 17% of 3851 MiB
DISKS:
Mount Used Size Usage
/ 28G 447G 7% of 447G (ufs)
SERVICES:
arpwatch Arpwatch Daemon
bandwidthd BandwidthD bandwidth monitoring daemon
captiveportal Captive Portal: **********
darkstat Darkstat bandwidth monitoring daemon
dpinger Gateway Monitoring Daemon
kea-dhcp4 Kea DHCP Server
ntopng ntopng Network Traffic Monitor
ntpd NTP clock sync
openvpn OpenVPN server: *************
pfb_dnsbl pfBlockerNG DNSBL service
pfb_filter pfBlockerNG firewall filter service
radiusd FreeRADIUS Server
sshd Secure Shell Daemon
suricata Suricata IDS/IPS Daemon
syslogd System Logger Daemon
unbound DNS Resolver
vnstatd Status Traffic Totals data collection daemon
S.M.A.R.T. Status
Drive Ident S.M.A.R.T. Status
ada0 WD-************ PASSED