Suricata Not Starting on Reboot and Stops After a short Period of Operation

datajunkie

As it states in the subject.  Suricata is enabled on the interfaces in question, but won't start during a reboot.  Additionally, when manually started it will operate fine for a few minutes to a few hours, but then I see that the service has stopped suddenly when I go take a look.  I'm not seeing anything in the logs indicating errors.

Where should I start to identify what's happening?

bmeeks

Troubleshooting this one may be tricky given its sort of random nature.

Suricata could be running out of memory, but it should log some kind of error before just stopping.

It might be you have traffic triggering an obscure rule with a bug in it that causes a crash, but I would say that is unlikely because with all the people using Suricata and various rules you would expect others to have the same problem with the rule.

It could be a hardware problem (most likely with a flaky memory chip) that manifests itself only during high resource utilization.

When you say it runs for a "short period", just how long is that?  Seconds, minutes or maybe an hour or two?

Which logs are you looking at for errors?  Suricata has its own log you can view on the LOGS tab.  Some info (although limited) will be in the pfSense system log.

Bill