Netgate Discussion Forum

    Suricata bug

    2.2 Snapshot Feedback and Problems - RETIRED

      DiskWizard

      24/12/2014 -- 20:20:19 - <error>- [ERRCODE: SC_ERR_FATAL(171)] - failed to open file: /usr/local/etc/suricata//suricata.yaml: No such file or directory

      Double slash troubles ? /usr/local/etc/suricata//suricata.yaml

      1. GA-N3150M-D3P 8Gb RAM

      2. GA-C1037EN-EU 4GB RAM

      • 2,5 SATA III Solid State Drive SLIM S60
        bmeeks

        @DiskWizard:

        24/12/2014 -- 20:20:19 - <error>- [ERRCODE: SC_ERR_FATAL(171)] - failed to open file: /usr/local/etc/suricata//suricata.yaml: No such file or directory

        Double slash troubles ? /usr/local/etc/suricata//suricata.yaml

        There is something seriously wrong with the config on the box throwing this error.  That is not even the correct path.  It should be /usr/pbi/suricata_amd64/…

        Have you tried totally wiping this box and reinstalling pfSense 2.2 from scratch on it using the full-install image?

        Bill

          DiskWizard

          This is exactly what I did 4 days ago. Gonna give it another fresh install.

            tcsac

            I'm also seeing:
            kernel: pid 22127 (suricata), uid 0: exited on signal 4 (core dumped)

            When I try to start suricata.

            Where exactly are you seeing this:
            24/12/2014 -- 20:20:19 - <error>- [ERRCODE: SC_ERR_FATAL(171)] - failed to open file: /usr/local/etc/suricata//suricata.yaml: No such file or directory

              DiskWizard

              8 Shell

              suricata -T

                bmeeks

                I have confirmed that on some virtual machine installs Suricata will core dump on an illegal instruction.  The problem happens due, I think, to some kind of bug in the C compiler on FreeBSD 10.1.  I have not confirmed this.

                For you folks seeing a Suricata core dump, can you try running this from the command line and post back what you get?

                suricata --build-info
                

                Normally that line should print out a series of lines providing the build information and compiled options.  If you are experiencing something else, hopefully it will print a little bit of a hint in the error message (like the "illegal instruction" message I see on some VMware virtual machines).

                Bill

                  tcsac

                  This is Suricata version 2.0.4 RELEASE
                  Features: IPFW PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON
                  SIMD support: SSE_3
                  Atomic intrisics: 1 2 4 8 16 byte(s)
                  64-bits, Little-endian architecture
                  GCC version 4.2.1 Compatible FreeBSD Clang 3.4 (tags/RELEASE_34/final 197956), C version 199901
                  compiled with -fstack-protector
                  compiled with _FORTIFY_SOURCE=2
                  L1 cache line size (CLS)=64
                  compiled with LibHTP v0.5.15, linked against LibHTP v0.5.15
                  Suricata Configuration:
                    AF_PACKET support:                      no
                    PF_RING support:                        no
                    NFQueue support:                        no
                    NFLOG support:                          no
                    IPFW support:                            yes
                    DAG enabled:                            no
                    Napatech enabled:                        no
                    Unix socket enabled:                    yes
                    Detection enabled:                      yes

                  libnss support:                          yes
                    libnspr support:                        yes
                    libjansson support:                      yes
                    Prelude support:                        no
                    PCRE jit:                                yes
                    LUA support:                            no
                    libluajit:                              no
                    libgeoip:                                yes
                    Non-bundled htp:                        no
                    Old barnyard2 support:                  no
                    CUDA enabled:                            no

                  Suricatasc install:                      no

                  Unit tests enabled:                      no
                    Debug output enabled:                    no
                    Debug validation enabled:                no
                    Profiling enabled:                      no
                    Profiling locks enabled:                no
                    Coccinelle / spatch:                    no

                  Generic build parameters:
                    Installation prefix (--prefix):          /usr/local
                    Configuration directory (--sysconfdir):  /usr/local/etc/suricata/
                    Log directory (--localstatedir) :        /var/log/suricata/

                  Host:                                    amd64-portbld-freebsd10.0
                    GCC binary:                              cc
                    GCC Protect enabled:                    yes
                    GCC march native enabled:                yes
                    GCC Profile enabled:                    no

                  suricata -T provides the same thing:
                  25/12/2014 -- 10:37:22 - <error>- [ERRCODE: SC_ERR_FATAL(171)] - failed to open file: /usr/local/etc/suricata//suricata.yaml: No such file or directory

                    bmeeks

                    @tcsac:

                    suricata -T provides the same thing:
                    25/12/2014 -- 10:37:22 - <error>- [ERRCODE: SC_ERR_FATAL(171)] - failed to open file: /usr/local/etc/suricata//suricata.yaml: No such file or directory

                    On pfSense, you can't just run "suricata -T" without also providing the proper YAML config file path.  PBI packages on pfSense are configured to use a special path.

                    How did you install Suricata on this box?  Was it via System…Packages...Available Packages?

                    What prints in the system log when you attempt to start the Suricata service from Services…Suricata by clicking the red X icon?

                    ~~Also, the paths for these settings are incorrect:

                    Installation prefix (--prefix):          /usr/local
                      Configuration directory (--sysconfdir):  /usr/local/etc/suricata/

                    They should read /usr/pbi/suricata_amd64/ instead of /usr/local.~~

                    Last edit to scratch the statements above … the paths are apparently different on 2.2 versus 2.1 (which I was comparing to).  The /usr/local prefix is OK on 2.2 as that is what is showing on my currently working 2.2-RC virtual machine.

                    Bill

                      tcsac

                      Yes installed from system packages.

                      Ack #133 (Req-Sent)
                      Dec 25 11:59:19 php-fpm[92494]: /suricata/suricata_interfaces.php: Toggle (suricata starting) for WAN(WAN)…
                      Dec 25 11:59:19 php-fpm[92494]: /suricata/suricata_interfaces.php: [Suricata] Updating rules configuration for: WAN …
                      Dec 25 11:59:28 php-fpm[92494]: /suricata/suricata_interfaces.php: [Suricata] Enabling any flowbit-required rules for: WAN…
                      Dec 25 11:59:29 php-fpm[92494]: /suricata/suricata_interfaces.php: [Suricata] Building new sid-msg.map file for WAN…
                      Dec 25 11:59:31 suricata: 25/12/2014 -- 11:59:31 - <notice>-- This is Suricata version 2.0.4 RELEASE
                      Dec 25 11:59:31 barnyard2[19148]: Found pid path directive (/var/run)
                      Dec 25 11:59:31 barnyard2[19148]: Running in Continuous mode
                      Dec 25 11:59:31 barnyard2[19148]:
                      Dec 25 11:59:31 barnyard2[19148]: --== Initializing Barnyard2 ==--
                      Dec 25 11:59:31 barnyard2[19148]: Initializing Input Plugins!
                      Dec 25 11:59:31 barnyard2[19148]: Initializing Output Plugins!
                      Dec 25 11:59:31 barnyard2[19148]: Found pid path directive (/var/run)
                      Dec 25 11:59:31 barnyard2[19148]: +[ Signature Suppress list ]+ ----------------------------
                      Dec 25 11:59:31 barnyard2[19148]: +[No entry in Signature Suppress List]+
                      Dec 25 11:59:31 barnyard2[19148]: ---------------------------- +[ Signature Suppress list ]+
                      Dec 25 11:59:31 kernel: pid 18635 (suricata), uid 0: exited on signal 4 (core dumped)

                        bmeeks

                        Have you ever installed Suricata on this firewall before?  In other words, is there an existing configuration?

                        Can you provide the output of suricata.log from the LOGS VIEW tab?

                        Bill

                          tcsac

                          Before 2.0.4?  Yes, I believe I installed suricata at an earlier release and let it upgrade.  Tried uninstalling and re-installing but it made no difference.

                          25/12/2014 -- 11:59:31 - <notice>-- This is Suricata version 2.0.4 RELEASE
                          25/12/2014 -- 11:59:31 - <info>-- CPUs/cores online: 4
                          25/12/2014 -- 11:59:31 - <info>-- Live rule reloads enabled
                          25/12/2014 -- 11:59:31 - <info>-- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
                          25/12/2014 -- 11:59:31 - <info>-- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
                          25/12/2014 -- 11:59:31 - <info>-- HTTP memcap: 67108864
                          25/12/2014 -- 11:59:31 - <info>-- DNS request flood protection level: 500
                          25/12/2014 -- 11:59:31 - <info>-- DNS per flow memcap (state-memcap): 524288
                          25/12/2014 -- 11:59:31 - <info>-- DNS global memcap: 16777216

                            tcsac

                            @bmeeks:

                            @tcsac:

                            suricata -T provides the same thing:
                            25/12/2014 -- 10:37:22 - <error>- [ERRCODE: SC_ERR_FATAL(171)] - failed to open file: /usr/local/etc/suricata//suricata.yaml: No such file or directory

                            On pfSense, you can't just run "suricata -T" without also providing the proper YAML config file path.  PBI packages on pfSense are configured to use a special path.

                            How did you install Suricata on this box?  Was it via System…Packages...Available Packages?

                            What prints in the system log when you attempt to start the Suricata service from Services…Suricata by clicking the red X icon?

                            ~~Also, the paths for these settings are incorrect:

                            Installation prefix (--prefix):          /usr/local
                              Configuration directory (--sysconfdir):  /usr/local/etc/suricata/

                            They should read /usr/pbi/suricata_amd64/ instead of /usr/local.~~

                            Last edit to scratch the statements above … the paths are apparently different on 2.2 versus 2.1 (which I was comparing to).  The /usr/local prefix is OK on 2.2 as that is what is showing on my currently working 2.2-RC virtual machine.

                            Bill

                            Maybe that's part of the problem?  On my box at least, /usr/local/etc/suricata/ doesn't even exist.  If I search for suricata.yaml, the only file that I find is:

                            /usr/pbi/suricata-amd64/local/etc/suricata/suricata_23278_pppoe0/suricata.yaml

                            I'm guessing that's the problem…?

                              bmeeks

                              @tcsac:

                              Maybe that's part of the problem?  On my box at least, /usr/local/etc/suricata/ doesn't even exist.  If I search for suricata.yaml, the only file that I find is:

                              /usr/pbi/suricata-amd64/local/etc/suricata/suricata_23278_pppoe0/suricata.yaml

                              I'm guessing that's the problem…?

                              The PBI wrappers should take care of directing things to the real path.  I just noticed that you are trying to use Suricata on a PPPoE connection.  That is not currently supported by the underlying binary (it's not a GUI package or pfSense limitation, it is a limitation of Suricata on FreeBSD).

                              By the way, here is what I would have expected as the remainder of the suricata.log contents …

                              
                              25/12/2014 -- 14:46:24 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
                              25/12/2014 -- 14:46:24 - <info>-- preallocated 65535 defrag trackers of size 136
                              25/12/2014 -- 14:46:24 - <info>-- defrag memory usage: 10485624 bytes, maximum: 33554432
                              25/12/2014 -- 14:46:24 - <info>-- AutoFP mode using "Active Packets" flow load balancer
                              25/12/2014 -- 14:46:24 - <info>-- preallocated 1024 packets. Total memory 3508224
                              25/12/2014 -- 14:46:24 - <info>-- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
                              25/12/2014 -- 14:46:24 - <info>-- preallocated 1000 hosts of size 80
                              25/12/2014 -- 14:46:24 - <info>-- host memory usage: 358144 bytes, maximum: 16777216
                              25/12/2014 -- 14:46:24 - <info>-- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
                              25/12/2014 -- 14:46:24 - <info>-- preallocated 10000 flows of size 216
                              25/12/2014 -- 14:46:24 - <info>-- flow memory usage: 6434304 bytes, maximum: 33554432
                              25/12/2014 -- 14:46:24 - <info>-- IP reputation disabled
                              25/12/2014 -- 14:46:24 - <info>-- using magic-file /usr/share/misc/magic
                              25/12/2014 -- 14:46:24 - <info>-- Delayed detect disabled
                              25/12/2014 -- 14:46:31 - <info>-- 2 rule files processed. 16138 rules successfully loaded, 0 rules failed
                              25/12/2014 -- 14:46:31 - <info>-- 16146 signatures processed. 1074 are IP-only rules, 5578 are inspecting packet payload, 12087 inspect application layer, 72 are decoder event only
                              25/12/2014 -- 14:46:31 - <info>-- building signature grouping structure, stage 1: preprocessing rules... complete
                              25/12/2014 -- 14:46:32 - <info>-- building signature grouping structure, stage 2: building source address list... complete
                              25/12/2014 -- 14:46:39 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
                              25/12/2014 -- 14:46:41 - <info>-- Threshold config parsed: 0 rule(s) found
                              25/12/2014 -- 14:46:41 - <info>-- Core dump size is unlimited.
                              25/12/2014 -- 14:46:41 - <info>-- alert-pf output device (regular) initialized: block.log
                              25/12/2014 -- 14:46:41 - <info>-- Pass List /usr/pbi/suricata-amd64/etc/suricata/suricata_26555_em0/passlist parsed: 11 IP addresses loaded.
                              25/12/2014 -- 14:46:41 - <info>-- alert-pf output initialized, pf-table=snort2c  block-ip=both  kill-state=on
                              25/12/2014 -- 14:46:41 - <info>-- fast output device (regular) initialized: alerts.log
                              25/12/2014 -- 14:46:41 - <info>-- http-log output device (regular) initialized: http.log
                              25/12/2014 -- 14:46:41 - <info>-- Using 1 live device(s).
                              25/12/2014 -- 14:46:41 - <info>-- using interface em0
                              25/12/2014 -- 14:46:41 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
                              25/12/2014 -- 14:46:41 - <info>-- Found an MTU of 1500 for 'em0'
                              25/12/2014 -- 14:46:41 - <info>-- Set snaplen to 1516 for 'em0'
                              25/12/2014 -- 14:46:41 - <info>-- RunModeIdsPcapAutoFp initialised
                              25/12/2014 -- 14:46:41 - <info>-- stream "prealloc-sessions": 32768 (per thread)
                              25/12/2014 -- 14:46:41 - <info>-- stream "memcap": 33554432
                              25/12/2014 -- 14:46:41 - <info>-- stream "midstream" session pickups: disabled
                              25/12/2014 -- 14:46:41 - <info>-- stream "async-oneside": disabled
                              25/12/2014 -- 14:46:41 - <info>-- stream "checksum-validation": disabled
                              25/12/2014 -- 14:46:41 - <info>-- stream."inline": disabled
                              25/12/2014 -- 14:46:41 - <info>-- stream "max-synack-queued": 5
                              25/12/2014 -- 14:46:41 - <info>-- stream.reassembly "memcap": 67108864
                              25/12/2014 -- 14:46:41 - <info>-- stream.reassembly "depth": 0
                              25/12/2014 -- 14:46:41 - <info>-- stream.reassembly "toserver-chunk-size": 2629
                              25/12/2014 -- 14:46:41 - <info>-- stream.reassembly "toclient-chunk-size": 2511
                              25/12/2014 -- 14:46:41 - <info>-- stream.reassembly.raw: enabled
                              25/12/2014 -- 14:46:41 - <info>-- segment pool: pktsize 4, prealloc 256
                              25/12/2014 -- 14:46:41 - <info>-- segment pool: pktsize 16, prealloc 512
                              25/12/2014 -- 14:46:41 - <info>-- segment pool: pktsize 112, prealloc 512
                              25/12/2014 -- 14:46:41 - <info>-- segment pool: pktsize 248, prealloc 512
                              25/12/2014 -- 14:46:41 - <info>-- segment pool: pktsize 512, prealloc 512
                              25/12/2014 -- 14:46:41 - <info>-- segment pool: pktsize 768, prealloc 1024
                              25/12/2014 -- 14:46:41 - <info>-- segment pool: pktsize 1448, prealloc 1024
                              25/12/2014 -- 14:46:41 - <info>-- segment pool: pktsize 65535, prealloc 128
                              25/12/2014 -- 14:46:41 - <info>-- stream.reassembly "chunk-prealloc": 250
                              25/12/2014 -- 14:46:41 - <notice>-- all 4 packet processing threads, 1 management threads initialized, engine started.
                              25/12/2014 -- 14:47:17 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
                              

                              Bill

                                tcsac

                                Would be nice if the package description called that out.  It's a pretty big gap (I realize it's on the upstream, but we could at least have a warning)

                                  bmeeks

                                  @tcsac:

                                  Would be nice if the package description called that out.  It's a pretty big gap (I realize it's on the upstream, but we could at least have a warning)

                                  I will see about adding a note to the DESCR tag in the pkg_config entry for Suricata warning that PPPoE interfaces are not fully supported.

                                  Bill

                                    DiskWizard

                                    This is Suricata version 2.0.4 RELEASE
                                    Features: IPFW PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON
                                    SIMD support: SSE_3
                                    Atomic intrisics: 1 2 4 8 16 byte(s)
                                    64-bits, Little-endian architecture
                                    GCC version 4.2.1 Compatible FreeBSD Clang 3.4 (tags/RELEASE_34/final 197956), C version 199901
                                    compiled with -fstack-protector
                                    compiled with _FORTIFY_SOURCE=2
                                    L1 cache line size (CLS)=64
                                    compiled with LibHTP v0.5.15, linked against LibHTP v0.5.15
                                    Suricata Configuration:
                                      AF_PACKET support:                      no
                                      PF_RING support:                        no
                                      NFQueue support:                        no
                                      NFLOG support:                          no
                                      IPFW support:                            yes
                                      DAG enabled:                            no
                                      Napatech enabled:                        no
                                      Unix socket enabled:                    yes
                                      Detection enabled:                      yes

                                    libnss support:                          yes
                                      libnspr support:                        yes
                                      libjansson support:                      yes
                                      Prelude support:                        no
                                      PCRE jit:                                yes
                                      LUA support:                            no
                                      libluajit:                              no
                                      libgeoip:                                yes
                                      Non-bundled htp:                        no
                                      Old barnyard2 support:                  no
                                      CUDA enabled:                            no

                                    Suricatasc install:                      no

                                    Unit tests enabled:                      no
                                      Debug output enabled:                    no
                                      Debug validation enabled:                no
                                      Profiling enabled:                      no
                                      Profiling locks enabled:                no
                                      Coccinelle / spatch:                    no

                                    Generic build parameters:
                                      Installation prefix (--prefix):          /usr/local
                                      Configuration directory (--sysconfdir):  /usr/local/etc/suricata/
                                      Log directory (--localstatedir) :        /var/log/suricata/

                                    Host:                                    amd64-portbld-freebsd10.0
                                      GCC binary:                              cc
                                      GCC Protect enabled:                    yes
                                      GCC march native enabled:                yes
                                      GCC Profile enabled:                    no

                                      DiskWizard

                                      2.2-RC (amd64)
                                      built on Fri Jan 02 05:25:48 CST 2015
                                      FreeBSD 10.1-RELEASE-p3

                                      Suricata is back again ! :)

                                        bmeeks

                                        @DiskWizard:

                                        2.2-RC (amd64)
                                        built on Fri Jan 02 05:25:48 CST 2015
                                        FreeBSD 10.1-RELEASE-p3

                                        Suricata is back again ! :)

                                        I had the pfSense Team recompile the Suricata binary so that this parameter should now say "no" instead of "yes" –

                                        
                                        GCC march native enabled:                yes
                                        
                                        

                                        You can see this by executing

                                        suricata --build-info
                                        

                                        from the command line.

                                        This can be a problem on some platforms where the native CPU does not match up closely with the CPU of the package builder systems on the pfSense Repository side.  When this parameter is set to "yes", the C compiler attempts to auto-detect the compiling machine's CPU and optimize the produced machine code.  This is generally OK except for when there are some differences in supported instructions (for example, compiling on a Xeon but running the produced code on a Pentium).  The Suricata binary from upstream defaults to enabling this parameter.  It works fine so long as you compile and then run Suricata on the same hardware.  In a package repository environment where the binary packages are built on one CPU architecture but then potentially executed on several different architectures, there can be issues.

                                        Bill
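
Added example, not part of the original thread or of the pfSense package: a small shell triage script that correlates the two pieces of evidence discussed above, the "GCC march native enabled" line from `suricata --build-info` and the kernel's "exited on signal 4" message (signal 4 is SIGILL, illegal instruction). The function names `march_native_enabled`, `sigill_pids` and `diagnose` are hypothetical; the sample input is copied from the posts above except for one constructed line, which is marked.

```shell
#!/bin/sh
# Triage helper (added example): decide whether a Suricata crash matches the
# "-march=native binary running on a different CPU" pattern from this thread.
# On a live system: diagnose "$(suricata --build-info)" "$(dmesg)"

# Build-info excerpt as posted in the thread.
SAMPLE_BUILD_INFO='Host:                                    amd64-portbld-freebsd10.0
  GCC binary:                              cc
  GCC Protect enabled:                    yes
  GCC march native enabled:                yes
  GCC Profile enabled:                    no'

# System log excerpt. The suricata and barnyard2 lines come from the thread;
# the php-fpm crash line is constructed to show that other signals and other
# processes are ignored.
SAMPLE_SYSLOG='Dec 25 11:59:31 barnyard2[19148]: Running in Continuous mode
Dec 25 11:59:31 kernel: pid 4242 (php-fpm), uid 0: exited on signal 11 (core dumped)
Dec 25 11:59:31 kernel: pid 18635 (suricata), uid 0: exited on signal 4 (core dumped)'

# march_native_enabled BUILD_INFO_TEXT
# Prints "yes" or "no" as reported by the build, or "unknown" if the line
# is missing from the text.
march_native_enabled() {
    printf '%s\n' "$1" | awk -F: '
        /GCC march native enabled/ {
            gsub(/[ \t]/, "", $2)
            print $2
            found = 1
            exit
        }
        END { if (!found) print "unknown" }'
}

# sigill_pids LOG_TEXT
# Prints one PID per line for every suricata process the kernel reports as
# killed by signal 4 (SIGILL).
sigill_pids() {
    printf '%s\n' "$1" | awk '
        /\(suricata\)/ && /exited on signal 4( |$)/ {
            for (i = 1; i < NF; i++)
                if ($i == "pid") { print $(i + 1); break }
        }'
}

# diagnose BUILD_INFO_TEXT LOG_TEXT
# Combines both checks into a one-line verdict.
diagnose() {
    native=$(march_native_enabled "$1")
    pids=$(sigill_pids "$2" | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$pids" ] && [ "$native" = "yes" ]; then
        # Crash on an illegal instruction plus a CPU-specific build.
        echo "LIKELY_MARCH_NATIVE_MISMATCH pids=$pids"
    elif [ -n "$pids" ]; then
        # SIGILL seen, but the build is not flagged as CPU-specific.
        echo "SIGILL_OTHER_CAUSE pids=$pids march_native=$native"
    elif [ "$native" = "yes" ]; then
        # No crash logged, but the binary may fail on a different CPU.
        echo "AT_RISK_NO_CRASH_SEEN"
    else
        echo "OK march_native=$native"
    fi
}

diagnose "$SAMPLE_BUILD_INFO" "$SAMPLE_SYSLOG"
```
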
