Netgate Discussion Forum

    Suricata fail to start

    pfSense Packages
    10 Posts 2 Posters 2.9k Views
    • yummy909

      I am new to pfSense, so I am still learning. I have been having trouble starting up my Suricata 4.0.12_2. I am running pfSense 2.4.3-RELEASE-p1 (amd64). In the logs it says the following.
      10/8/2018 -- 15:59:19 - <Notice> -- This is Suricata version 4.0.5 RELEASE
      10/8/2018 -- 15:59:19 - <Info> -- CPUs/cores online: 8
      10/8/2018 -- 15:59:19 - <Info> -- HTTP memcap: 67108864
      10/8/2018 -- 15:59:19 - <Notice> -- using flow hash instead of active packets
      10/8/2018 -- 15:59:19 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_em07307.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em07307.pid. Aborting!

      I removed what it wanted me to remove, but it still will not run. Also, that file comes back after trying to run.

      Ideas?

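The stale pid-file check behind the error in the post above, as an added example (not code from the thread, from either poster, or from the pfSense package): Suricata aborts when the pid file exists and the pid it holds is not a live process, so this script reads the pid and probes it with signal 0 the way Suricata does, reporting whether the file is absent, unreadable, held by a live process, or stale and therefore safe to remove before starting again. The /var/run path is the one from the log above; the pid used for the stale case in the self-check is an assumed value above any realistic host's pid_max.

```python
"""Classify a Suricata pid file as absent, unreadable, alive or stale.

Added example mirroring Suricata's own start-up check; not the
project's code. Default path is the one from the thread.
"""
import os
import sys
import tempfile

DEFAULT_PIDFILE = "/var/run/suricata_em07307.pid"  # path quoted in the thread


def pid_is_alive(pid: int) -> bool:
    """True if some process has this pid. Signal 0 delivers nothing, it only probes."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False          # no such process: the pid file is stale
    except PermissionError:
        return True           # process exists but belongs to another user
    return True


def classify_pidfile(path: str) -> str:
    """Return 'absent', 'unreadable', 'alive' or 'stale' for the pid file at path."""
    try:
        with open(path, encoding="ascii") as fh:
            text = fh.read().strip()
    except FileNotFoundError:
        return "absent"
    except (OSError, UnicodeDecodeError):
        return "unreadable"
    if not text.isdigit():
        return "unreadable"
    return "alive" if pid_is_alive(int(text)) else "stale"


def self_check():
    """Exercise all four states on throwaway files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        alive = os.path.join(tmp, "alive.pid")
        stale = os.path.join(tmp, "stale.pid")
        junk = os.path.join(tmp, "junk.pid")
        with open(alive, "w") as fh:
            fh.write(f"{os.getpid()}\n")          # our own pid: certainly alive
        with open(stale, "w") as fh:
            fh.write("4194305\n")                # assumed above pid_max on any host
        with open(junk, "w") as fh:
            fh.write("not-a-pid\n")
        return (classify_pidfile(alive), classify_pidfile(stale),
                classify_pidfile(os.path.join(tmp, "missing.pid")),
                classify_pidfile(junk))


def main(argv):
    path = argv[1] if len(argv) > 1 else DEFAULT_PIDFILE
    state = classify_pidfile(path)
    print(f"{path}: {state}")
    if state == "stale":
        print("no process holds that pid; remove the file and start Suricata again")
    elif state == "alive":
        print("a process still holds that pid; stop it before starting Suricata")
    # exit 0 means it is safe to start the engine
    return 0 if state in ("absent", "stale") else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments on the firewall shell to check the pid file named in the log, or pass another path; exit status 0 means the engine can be started, 1 means a live process still owns the pid or the file could not be read.
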
      • bmeeks

        Is there any sort of associated error message in the pfSense system log? That log message does not offer much to troubleshoot from.

        You could try running some basic stuff from the command line. Sometimes that will show up other problems. Try this from a command line prompt at the firewall -

        /usr/local/bin/suricata -V

        That should result in Suricata loading long enough to report the version information and then exiting normally. Post back if you get an error message from that shell prompt.

        • yummy909

          Nothing under system logs. I see the log when I logged in but nothing after that. I did run that command and got the following back.

          This is Suricata version 4.0.5 RELEASE

          This also showed up in the system log after running that command.

          Aug 13 16:13:51 SuricataStartup 2366 Suricata START for WAN Firewall(7307_em0)...

          I tried running Suricata again and got this from the Suricata log.

          10/8/2018 -- 15:32:26 - <Notice> -- This is Suricata version 4.0.5 RELEASE
          10/8/2018 -- 15:32:26 - <Info> -- CPUs/cores online: 8
          10/8/2018 -- 15:32:26 - <Info> -- HTTP memcap: 67108864
          10/8/2018 -- 15:32:26 - <Notice> -- using flow hash instead of active packets
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 184
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 208
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/.jpg\x20HTTP/1.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+.com.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 233
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 278
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 355
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 356
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 364
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 419
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: /|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:2;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 422
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 581
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 582
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 613
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 618
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:2;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 740
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 741
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
          10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 900
          10/8/2018 -- 15:32:27 - <Info> -- 1 rule files processed. 1205 rules successfully loaded, 16 rules failed
          10/8/2018 -- 15:32:27 - <Info> -- Threshold config parsed: 0 rule(s) found
          10/8/2018 -- 15:32:27 - <Info> -- 1206 signatures processed. 0 are IP-only rules, 337 are inspecting packet payload, 676 inspect application layer, 103 are decoder event only
          10/8/2018 -- 15:32:28 - <Info> -- fast output device (regular) initialized: alerts.log
          10/8/2018 -- 15:32:28 - <Info> -- http-log output device (regular) initialized: http.log
          10/8/2018 -- 15:32:28 - <Info> -- stats output device (regular) initialized: stats.log
          10/8/2018 -- 15:32:28 - <Info> -- dns-log output device (regular) initialized: dns.log
          10/8/2018 -- 15:32:28 - <Info> -- dns-log output device (regular) initialized: dns.log
          10/8/2018 -- 15:32:28 - <Info> -- Using 1 live device(s).
          10/8/2018 -- 15:32:28 - <Info> -- using interface em0
          10/8/2018 -- 15:32:28 - <Info> -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
          10/8/2018 -- 15:32:28 - <Info> -- Set snaplen to 1518 for 'em0'
          10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
          10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
          10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
          10/8/2018 -- 15:32:28 - <Info> -- RunModeIdsPcapAutoFp initialised
          10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#08" failed to initialize: flags 0145
          10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
          10/8/2018 -- 15:32:43 - <Notice> -- This is Suricata version 4.0.5 RELEASE
          10/8/2018 -- 15:32:43 - <Info> -- CPUs/cores online: 8
          10/8/2018 -- 15:32:43 - <Info> -- HTTP memcap: 67108864
          10/8/2018 -- 15:32:43 - <Notice> -- using flow hash instead of active packets
          10/8/2018 -- 15:32:43 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_em07307.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em07307.pid. Aborting!
          10/8/2018 -- 15:32:50 - <Notice> -- This is Suricata version 4.0.5 RELEASE
          10/8/2018 -- 15:32:50 - <Info> -- CPUs/cores online: 8
          10/8/2018 -- 15:32:50 - <Info> -- HTTP memcap: 67108864
          10/8/2018 -- 15:32:50 - <Notice> -- using flow hash instead of active packets
          10/8/2018 -- 15:32:50 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_em07307.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em07307.pid. Aborting!
          10/8/2018 -- 15:35:01 - <Notice> -- This is Suricata version 4.0.5 RELEASE
          10/8/2018 -- 15:35:01 - <Info> -- CPUs/cores online: 8
          10/8/2018 -- 15:35:01 - <Info> -- HTTP memcap: 67108864
          10/8/2018 -- 15:35:01 - <Notice> -- using flow hash instead of active packets
          10/8/2018 -- 15:35:01 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_em07307.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em07307.pid. Aborting!

          • bmeeks

            This error message here is your problem --

            10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
            10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
            10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
            

            Because you have an 8-core CPU you will need to greatly expand the TCP Stream Memory Cap. You will find the setting on the Flow/Stream tab for each configured Suricata interface. The package default is OK for quad-core processors, but 8-core processors will need to increase the value. Start by at least doubling the default and then work up from there until Suricata starts.

            Bill

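The three failure classes in the log above (a stale pid file, rules that fail to parse, and the stream session pool allocation that Bill points at) are easy to miss in a wall of similar-looking lines. As an added example, not code from the thread or from the pfSense Suricata package, here is a triage script that parses the log line format shown in the thread, attaches each "error parsing signature" line to the reason Suricata logged just before it, and reports what to fix first. The sample log is constructed from the thread's output with the long signatures shortened; the advice strings are this example's own wording of the steps given in the thread.

```python
"""Triage a suricata.log for the start-up failures seen in this thread.

Added example, not the project's code. Parses lines of the form
"d/m/yyyy -- HH:MM:SS - <Level> -- message" as shown in the thread.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) -- (?P<time>\d\d:\d\d:\d\d) - "
    r"<(?P<level>\w+)> -- (?P<msg>.*)$"
)
ERRCODE_RE = re.compile(r"^\[ERRCODE: (?P<name>\w+)\((?P<num>\d+)\)\] - (?P<detail>.*)$")
SID_RE = re.compile(r"sid:(?P<sid>\d+);.*?from file (?P<file>\S+) at line (?P<line>\d+)")
LOADED_RE = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")

# Constructed sample: lines quoted in the thread, signatures shortened.
SAMPLE_LOG = """\
10/8/2018 -- 15:32:26 - <Notice> -- This is Suricata version 4.0.5 RELEASE
10/8/2018 -- 15:32:26 - <Info> -- CPUs/cores online: 8
10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent"; fast_pattern:only; http_header; sid:25675; rev:7;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 184
10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response"; flow:to_client,established; content:"-2013.zip"; fast_pattern:only; content:"-"; within:1; distance:-14; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 208
10/8/2018 -- 15:32:27 - <Info> -- 1 rule files processed. 1205 rules successfully loaded, 16 rules failed
10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#08" failed to initialize: flags 0145
10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
10/8/2018 -- 15:32:43 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_em07307.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em07307.pid. Aborting!
"""


def parse_line(line):
    """Split one log line into date/time/level plus errcode, errnum and detail; None if not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    e = ERRCODE_RE.match(rec["msg"])
    if e:
        rec.update(errcode=e["name"], errnum=int(e["num"]), detail=e["detail"])
    else:
        rec.update(errcode=None, errnum=None, detail=rec["msg"])
    return rec


def triage(lines):
    """Count error codes and classify the start-up failures in an iterable of log lines."""
    report = {
        "errcodes": Counter(),
        "failed_rules": [],           # one dict per "error parsing signature" line
        "rules_loaded": None,
        "rules_failed": None,
        "stale_pidfile": None,        # path named in the SC_ERR_INITIALIZATION message
        "stream_memcap_hint": False,  # True when Suricata itself suggests raising stream.memcap
        "engine_aborted": False,
    }
    pending_reason = None  # Suricata logs the reason first, then the "error parsing signature" line
    for rec in filter(None, map(parse_line, lines)):
        detail = rec["detail"]
        if rec["level"] == "Info":
            m = LOADED_RE.search(detail)
            if m:
                report["rules_loaded"], report["rules_failed"] = int(m[1]), int(m[2])
            continue
        if rec["level"] != "Error":
            continue
        report["errcodes"][rec["errcode"]] += 1
        if rec["errcode"] == "SC_ERR_INVALID_SIGNATURE":
            if detail.startswith("error parsing signature"):
                s = SID_RE.search(detail)
                report["failed_rules"].append({
                    "sid": int(s["sid"]) if s else None,
                    "file": s["file"] if s else None,
                    "line": int(s["line"]) if s else None,
                    "reason": pending_reason,
                })
                pending_reason = None
            else:
                pending_reason = detail
        elif rec["errcode"] == "SC_ERR_INITIALIZATION":
            pm = re.search(r"pid file '([^']+)' exists but appears stale", detail)
            if pm:
                report["stale_pidfile"] = pm[1]
            elif detail.startswith("Engine initialization failed"):
                report["engine_aborted"] = True
        elif rec["errcode"] in ("SC_ERR_POOL_INIT", "SC_ERR_MEM_ALLOC") and "stream.memcap" in detail:
            report["stream_memcap_hint"] = True
    return report


def advice(report):
    """Turn the report into the next actions an operator would take, in order."""
    out = []
    if report["stale_pidfile"]:
        out.append(f"confirm no suricata process is running, then remove {report['stale_pidfile']}")
    if report["stream_memcap_hint"]:
        out.append("raise the TCP Stream Memory Cap (stream.memcap) on the interface's Flow/Stream tab and retry")
    if report["failed_rules"]:
        sids = ", ".join(str(r["sid"]) for r in report["failed_rules"])
        out.append(f"{len(report['failed_rules'])} rule(s) failed to parse and are not active: sid {sids}")
    return out


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG.splitlines())
    print(dict(rep["errcodes"]))
    for step in advice(rep):
        print("-", step)
```

Point it at the real file with `triage(open("/var/log/suricata/suricata_7307_em0/suricata.log").readlines())` (that directory name is the one from the thread's rule path; adjust for the interface in question). The failed-rule count is the number of "error parsing signature" lines, so it matches the "16 rules failed" summary on a full log, while the error-code counter also counts the reason lines that precede them.
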
            • yummy909

              I updated it to 3 GB and now it is showing this in the logs.

              14/8/2018 -- 10:31:05 - <Notice> -- This is Suricata version 4.0.5 RELEASE
              14/8/2018 -- 10:31:05 - <Info> -- CPUs/cores online: 8
              14/8/2018 -- 10:31:05 - <Info> -- HTTP memcap: 67108864
              14/8/2018 -- 10:31:05 - <Notice> -- using flow hash instead of active packets
              14/8/2018 -- 10:31:05 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_em07307.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em07307.pid. Aborting!

              So I deleted the file and retried running Suricata. It worked! Thank you! I have an i7 4770S with 32 GB DDR3 1600 on this machine. Any benefit to increasing the flow/stream memory cap to more than 3 GB?

              • bmeeks @yummy909

                @yummy909 said in Suricata fail to start:

                I updated it to 3 GB and now it is showing this in the logs.

                So I deleted the file and retried running Suricata. It worked! Thank you! I have an i7 4770S with 32 GB DDR3 1600 on this machine. Any benefit to increasing the flow/stream memory cap to more than 3 GB?

                Probably not. 3 GB should be sufficient. It really would depend on the amount of traffic. Really high traffic loads with lots of different connections might benefit from more, but I would run with the 3 GB value first and see how things look. There is a crude formula for calculating the initial TCP Stream Memory Cap value, but I don't recall it off the top of my head. There is an older thread here in the IDS/IPS sub-forum that has the formula. You can search for that thread or else run a Google query.

                Bill

                • yummy909

                  Awesome! I will put it through some tests. I do notice I am getting a little over half of my gigabit speed with Suricata on. CPU usage only goes up to 7%. Are there any settings that could be turned on to use more of the CPU and speed things up?

                  • bmeeks @yummy909

                    @yummy909 said in Suricata fail to start:

                    Awesome! I will put it through some tests. I do notice I am getting a little over half of my gigabit speed with Suricata on. CPU usage only goes up to 7%. Are there any settings that could be turned on to use more of the CPU and speed things up?

                    The number of enabled rules has a big impact on performance. There are a ton of tuning options for Suricata since it is multi-threaded. Google research would be called for... ☺ The package defaults are not necessarily optimal for all networks, so you can do a little research and experiment with some of the settings.

                    • yummy909

                      I gotcha. I will do some searching. Thank you for the help getting over that hump. I didn't read anywhere about the core count causing that issue. I wonder what else that is affecting.

                      • bmeeks @yummy909

                        @yummy909 said in Suricata fail to start:

                        I gotcha. I will do some searching. Thank you for the help getting over that hump. I didn't read anywhere about the core count causing that issue. I wonder what else that is affecting.

                        The Suricata developers have worked on making that error message offer a better hint to the solution, but they still have a ways to go. There was some discussion about it on their bug site several months ago. This particular issue has bitten a handful of Suricata users on pfSense that have high core count CPUs.

                        Bill

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.