Can't start Suricata interface

Zibzob

Hello everyone,

I'm facing issues using Suricata, namely starting interfaces I create.

In short terms, the interface status is always set to "ENABLED" while it is in fact disabled and a red cross is next to it (meaning one has to start it). When one click on the red button to start the interface, it reloads the page but the status doesn't change.

No log in the firewall can help determine the cause of this problem. Here is an extract anyway:

Nov 27 13:21:16 php-fpm[90743]: /suricata/suricata_interfaces.php: Toggle (suricata starting) for WAN(lan)…
Nov 27 13:21:16 php-fpm[90743]: /suricata/suricata_interfaces.php: [Suricata] Updating rules configuration for: WAN …
Nov 27 13:21:16 php-fpm[90743]: /suricata/suricata_interfaces.php: [Suricata] Enabling any flowbit-required rules for: WAN…
Nov 27 13:21:16 php-fpm[90743]: /suricata/suricata_interfaces.php: [Suricata] Building new sid-msg.map file for WAN…
Nov 27 13:21:17 php-fpm[90743]: /suricata/suricata_interfaces.php: [Suricata] Suricata START for lan(em0)…

This problem occurs on both 2.2.5 and 2.2.4. I believe it is not related to pfSense, rather the Suricata package. Why ? Because an older installation (on 2.2.4) has the previous Suricata package and it works just fine.

I have checked the Suricata website for similar bugs but I've had no luck so far.

Anyone else with the same problem here ?

Thanks

Zibzob

Just a quick update: on the "healthy" install, Suricata is in 2.0.9 (pkg v2.1.9) while on newer installs it is in 2.0.9 (pkg v2.1.9.1).

This is definitely a package issue.

bmeeks

Post the output of /var/log/suricata/xxxx/suricata.log.  There will be a log file for each interface you have defined.  The "xxxx" will be a unique sub-directory for each defined Suricata interface.

Bill

Zibzob

Hey Bill

The log can be found here.

bmeeks

These errors are your problem –

28/11/2015 -- 11:47:31 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
28/11/2015 -- 11:47:31 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
28/11/2015 -- 11:47:31 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
28/11/2015 -- 11:47:31 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
28/11/2015 -- 11:47:31 - <info>-- RunModeIdsPcapAutoFp initialised
28/11/2015 -- 11:47:31 - <error>-- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "Detect11" closed on initialization.
28/11/2015 -- 11:47:31 - <error>-- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...</error></error></info></error></error></error></error> 

How much memory do you have in your firewall?  The new Suricata version bumped up the default for Stream Memcap to 64 MB from 32 MB to fix issues identified in this thread:  https://forum.pfsense.org/index.php?topic=93926.msg521334#msg521334

I'm not positive this is your issue, but it could be related.  At any rate, Suricata is failing to allocate the memory it needs on your system.  You need to find out why.

Bill

Zibzob

I tested Suricata on two different setups: one physical machine with 32GiB of RAM (plenty enough just to have one interface with default settings) and a virtual one with 4GiB. The usage was very low, almost always around 2-3% in both cases.

I followed the advice on the topic you linked and increased the allocated memory from 64 to 128MiB (just to have enough headroom even though the required amount of memory with 8 threads is 54MiB). Indeed, it did the trick and the interface is now up.

Next time I'll pay attention to the number of threads and tweak the settings accordingly.

Thanks for you help !

bmeeks

You're welcome.  The thanks is really due to the guys in that linked thread who found the cause and fix.  If I recall correctly, Suricata upstream fixed a bug in that part of the code.  The fix then made installs that formerly worked (incorrectly it turns out, but they would start anyway) stop working and throw the memory allocation error.

Bill