Netgate Discussion Forum
    Suricata fails to start

    Category: IDS/IPS (13 posts, 6 posters, 6.1k views)
    gdsnytech:

      You need to run this on the CLI to create 'snort2c' in 'Tables'.

      pfctl -t snort2c -T add 1.1.1.1

      Note that you have to re-run this every time you reboot pfSense.

      bmeeks:

        @gdsnytech:

        You need to run this on the CLI to create 'snort2c' in 'Tables'.

        pfctl -t snort2c -T add 1.1.1.1

        Note that you have to re-run this every time you reboot pfSense.

        This should never be necessary.  pfSense itself is supposed to automatically create that table upon boot.  If your system does not, then something is wrong with your installation.  Try the trick from this thread and see if it will fix your problem – https://forum.pfsense.org/index.php?topic=82268.msg450204#msg450204

        Bill

        martind1111:

          Sorry for the delay in the follow-up, I was on vacation this past week and just realized that this thread was still unresolved. In response to Bill's first reply, I have tried to run:

          /usr/local/etc/rc.d/suricata.sh start

          but nothing is happening.

          However, I can be more precise in my error reporting. If I run the following command:

          /usr/pbi/suricata-amd64/bin/suricata -i re1 -D -c /usr/pbi/suricata-amd64/etc/suricata/suricata_19353_re1/suricata.yaml --pidfile /var/run/suricata_re119353.pid

          I get the following error on the console:

          6/8/2015 -- 20:34:31 - <error>- [ERRCODE: SC_ERR_CONF_YAML_ERROR(240)] - Failed to parse configuration file at line 377: did not find expected key

          Here is the content of my YAML file around line 377 (I have prefixed each line with the line number followed by a colon and a space):

          373: ###########################################################################
          374: # Configure libhtp.
          375: libhtp:
          376:    default-config:
          377:          personality: IDS
          378:      request-body-limit: 4096
          379:      response-body-limit: 4096
          380:      double-decode-path: no
          381:      double-decode-query: no
          382:      uri-include-all: no

          My system rebooted July 31st, but suricata failed to restart on reboot.

          Martin

          bmeeks:

            @martind1111:

            Sorry for the delay in the follow-up, I was on vacation this past week and just realized that this thread was still unresolved. In response to Bill's first reply, I have tried to run:

            /usr/local/etc/rc.d/suricata.sh start

            but nothing is happening.

            However, I can be more precise in my error reporting. If I run the following command:

            /usr/pbi/suricata-amd64/bin/suricata -i re1 -D -c /usr/pbi/suricata-amd64/etc/suricata/suricata_19353_re1/suricata.yaml --pidfile /var/run/suricata_re119353.pid

            I get the following error on the console:

            6/8/2015 -- 20:34:31 - <error>- [ERRCODE: SC_ERR_CONF_YAML_ERROR(240)] - Failed to parse configuration file at line 377: did not find expected key

            Here is the content of my YAML file around line 377 (I have prefixed each line with the line number followed by a colon and a space):

            373: ###########################################################################
            374: # Configure libhtp.
            375: libhtp:
            376:    default-config:
            377:          personality: IDS
            378:      request-body-limit: 4096
            379:      response-body-limit: 4096
            380:      double-decode-path: no
            381:      double-decode-query: no
            382:      uri-include-all: no

            My system rebooted July 31st, but suricata failed to restart on reboot.

            Martin

            This is a bug in the file /usr/local/pkg/suricata/suricata_yaml_template.inc.  I'll fix it in the next Suricata update.

            Try this edit to the file.  Open it using Diagnostics > Edit File from the pfSense menu.  Scroll down to the bottom of the file and locate this section of code:

            ###########################################################################
            # Configure libhtp.
            libhtp:
               default-config:
                 {$http_hosts_default_policy}

               {$http_hosts_policy}

            Remove the leading spaces from the line containing "{$http_hosts_default_policy}" and save the change.  It should look like this after editing:

            ###########################################################################
            # Configure libhtp.
            libhtp:
               default-config:
            {$http_hosts_default_policy}

               {$http_hosts_policy}

            Try starting Suricata from the GUI using the icons on the SURICATA INTERFACES tab.

            Bill

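            To make the cause of the "did not find expected key" error above concrete, here is an added Python example (not code from the pfSense Suricata package). It substitutes a constructed policy block into the template fragment both ways Bill shows, and runs a small indentation checker that flags the line libyaml would reject. The template text, the policy block and the checker are all assumptions built from the lines quoted in this thread.

```python
PLACEHOLDER = "{$http_hosts_default_policy}"

# Template fragments as shown in the thread: placeholder indented (the bug)
# versus flush-left (Bill's fix). Four spaces before it, as the thread's YAML
# (personality at 9 spaces, its siblings at 5) implies.
TEMPLATE_BROKEN = "libhtp:\n   default-config:\n    " + PLACEHOLDER + "\n"
TEMPLATE_FIXED = "libhtp:\n   default-config:\n" + PLACEHOLDER + "\n"

# Constructed stand-in for the substituted policy block. Like the real one it
# carries its own indentation on every line, including the first.
DEFAULT_POLICY = (
    "     personality: IDS\n"
    "     request-body-limit: 4096\n"
    "     response-body-limit: 4096\n"
)

def render(template, policy=DEFAULT_POLICY):
    """Plain string substitution, as PHP interpolation does it: whatever precedes
    the placeholder is prepended to the policy's first line only."""
    return template.replace(PLACEHOLDER, policy)

def check_indentation(yaml_text):
    """Return [(line_no, indent)] for lines whose indentation matches no open
    block: deeper than the parent mapping but shallower than the block's first
    key. That is the shape libyaml rejects with "did not find expected key".
    Line numbers are 1-based (libyaml's marks count from zero, which would
    account for the off-by-one against the 'line 377' quoted in the thread)."""
    open_blocks = []  # indentation of each enclosing mapping, innermost last
    problems = []
    for line_no, raw in enumerate(yaml_text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments carry no structure
        indent = len(raw) - len(raw.lstrip(" "))
        left_block = False
        while open_blocks and indent < open_blocks[-1]:
            open_blocks.pop()  # this line closes the inner block(s)
            left_block = True
        if open_blocks and indent == open_blocks[-1]:
            continue  # sibling key at a known level
        if left_block:
            problems.append((line_no, indent))  # fell between two levels
        open_blocks.append(indent)  # first key of a nested block (or recovery)
    return problems

if __name__ == "__main__":
    for name, template in (("broken", TEMPLATE_BROKEN), ("fixed", TEMPLATE_FIXED)):
        print(name, check_indentation(render(template)))
```

Running the checker over a freshly generated suricata.yaml before starting the daemon gives the same diagnosis without waiting for Suricata to fail.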
            gdsnytech:

              I am having this issue now on a new install on a different box. Running the command to add snort2c doesn't help either.

              martind1111:

                Bill,

                The last fix that you posted on this thread works for me. I have restarted suricata through the interface menu and the system recreates the file with the proper formatting now. Thanks a lot.

                Martin

                bmeeks:

                  @martind1111:

                  Bill,

                  The last fix that you posted on this thread works for me. I have restarted suricata through the interface menu and the system recreates the file with the proper formatting now. Thanks a lot.

                  Martin

                  Thanks for the feedback.  I will fix this in the next Suricata update.

                  Bill

                  GavinCarden:

                    Had the same issue and tried to edit the file. The fix did not work; however, just a simple package reinstall did the trick. Great work on the package!!!

                    cjking:

                      Has there been a regression? Package version 3.2.1_3.

                      I have run into the same problem, made a quick fix to my installation by editing /usr/local/pkg/suricata/suricata_generate_yaml.php and removing the whitespace before personality: IDS.

                      bmeeks:

                        @cjking:

                        Has there been a regression? Package version 3.2.1_3.

                        I have run into the same problem, made a quick fix to my installation by editing /usr/local/pkg/suricata/suricata_generate_yaml.php and removing the whitespace before personality: IDS.

                        I don't see a regression in the current release.  I also tested this in the upcoming 4.0.0 package update and it appears OK there as well.

                        Bill

                        Bjonne:

                          I fixed it by doing both of these suggested fixes:

                          1. "Remove the leading spaces from the line containing "{$http_hosts_default_policy}" and save the change. "
                          2. "I have run into the same problem, made a quick fix to my installation by editing /usr/local/pkg/suricata/suricata_generate_yaml.php and removing the whitespace before personality: IDS."

                          After that I reinstalled the package and it works.

                          Great job!
