Netgate Discussion Forum

    Migrated from igb to bge Suricata Won't Run (solved)

    IDS/IPS
    20 Posts 2 Posters 1.9k Views
    • NollipfSense

      So, I moved from an HP Pavilion a6242n to a Mac Mini Server 2011, and when I restored from backup, Suricata installed but will not run. Any ideas what to look for? All prior settings had been exported, so it seems that it could be the network interface. I was surprised that pfSense selected the Thunderbolt Ethernet adapter for bge0.
      Screen Shot 2019-06-15 at 8.41.27 PM.png

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

      • bmeeks

        The bge network driver is not listed as supporting netmap operation. Netmap compatibility is required for inline IPS mode. That has been mentioned here over and over and over. You either need to install a netmap compatible network card or else switch to Legacy Mode blocking. That mode does not use netmap.

        These are the NIC driver families listed by FreeBSD as supporting netmap operation: em, igb, ixgb, ixl, lem, re or cxgbe.

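As an added example (not from the thread and not part of the pfSense Suricata package), a POSIX sh check that applies the driver list bmeeks gives: strip the unit number from an interface name, test whether the driver family is one FreeBSD lists as netmap-capable, and report which blocking mode is viable on it. The interface names in the offline fallback list are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: classify a pfSense/FreeBSD interface by
# its driver family and report whether Suricata's Inline IPS Mode (which needs
# netmap) is an option, or whether only Legacy Mode blocking will work.
# The driver list is the one quoted in the thread; anything else is treated
# as unsupported, exactly like bge here.
NETMAP_DRIVERS="em igb ixgb ixl lem re cxgbe"

# driver_family IFNAME: strip the trailing unit number, e.g. bge0 -> bge,
# cxgbe10 -> cxgbe. Parameter expansion only, no external tools.
driver_family() {
    name=$1
    while :; do
        case "$name" in
            *[0-9]) name=${name%?} ;;
            *)      break ;;
        esac
    done
    printf '%s\n' "$name"
}

# netmap_capable IFNAME: exit 0 if the driver family is in NETMAP_DRIVERS.
netmap_capable() {
    fam=$(driver_family "$1")
    for d in $NETMAP_DRIVERS; do
        [ "$d" = "$fam" ] && return 0
    done
    return 1
}

# recommend_mode IFNAME: print the IPS blocking mode a practitioner can use.
recommend_mode() {
    if netmap_capable "$1"; then
        printf '%s: Inline IPS Mode (netmap) supported by %s driver\n' "$1" "$(driver_family "$1")"
    else
        printf '%s: use Legacy Mode blocking; %s is not listed as netmap-capable\n' "$1" "$(driver_family "$1")"
    fi
}

# check_all: on a FreeBSD host read the real interface list; elsewhere use a
# constructed sample so the script still runs offline. Pseudo-interfaces are
# skipped since IDS/IPS is never bound to them.
check_all() {
    if [ "$(uname -s 2>/dev/null)" = FreeBSD ] && command -v ifconfig >/dev/null 2>&1; then
        ifaces=$(ifconfig -l)
    else
        ifaces="bge0 bge1 igb0 em1 lo0 pflog0"   # constructed sample, not a real host
    fi
    for i in $ifaces; do
        case "$i" in lo*|pflog*|pfsync*|enc*) continue ;; esac
        recommend_mode "$i"
    done
}

check_all
```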
        • NollipfSense

          Here are some data:

          Shell Output - ifconfig bge0

          bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
          options=c0098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
          ether a8:60:b6:23:11:34
          hwaddr a8:60:b6:23:11:34
          inet6 fe80::aa60:b6ff:fe23:1134%bge0 prefixlen 64 scopeid 0x1
          inet 68.226.181.34 netmask 0xfffffe00 broadcast 68.226.181.255
          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
          media: Ethernet autoselect (1000baseT <full-duplex,master>)
          status: active

          Shell Output - cat /var/log/system.log | grep sig

          Jun 15 23:17:29 pfSense syslogd: exiting on signal 15
          Jun 15 23:25:02 pfSense syslogd: exiting on signal 15
          Jun 15 23:27:37 pfSense syslogd: exiting on signal 15
          Jun 15 23:48:10 pfSense syslogd: Logging subprocess 84491 (exec /usr/local/sbin/sshlockout_pf 15) exited due to signal 15.
          Jun 15 23:48:10 pfSense syslogd: exiting on signal 15
          Jun 15 23:50:10 pfSense syslogd: exiting on signal 15
          Jun 15 23:53:24 pfSense php-fpm[1248]: /interfaces_assign.php: Shutting down Router Advertisment daemon cleanly
          Jun 15 23:53:24 pfSense php-fpm[1248]: /interfaces_assign.php: Gateway, none 'available' for inet6, use the first one configured. ''
          Jun 15 23:53:27 pfSense php-fpm[1248]: /interfaces_assign.php: The command '/sbin/ifconfig 'igb1' -staticarp ' returned exit code '1', the output was 'ifconfig: interface igb1 does not exist'
          Jun 15 23:53:27 pfSense php-fpm[1248]: /interfaces_assign.php: The command '/usr/sbin/arp -d -i 'igb1' -a > /dev/null 2>&1 ' returned exit code '1', the output was ''
          Jun 15 23:53:27 pfSense php-fpm[1248]: /interfaces_assign.php: The command '/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid igb1' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.3.6-P1 Copyright 2004-2018 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Config file: /etc/dhcpd.conf Database file: /var/db/dhcpd.leases PID file: /var/run/dhcpd.pid Wrote 1 leases to leases file. No subnet declaration for igb1 (no IPv4 addresses). ** Ignoring requests on igb1. If this is not what you want, please write a subnet declaration in your dhcpd.conf file for the network segment to which interface igb1 is attached. ** Not configured to listen on any interfaces! If you think you have received this message due to a bug rather than a configuration issue please read the section on submitting bugs on either our web page at www.isc.org or in the README file before su
          Jun 15 23:53:33 pfSense php-fpm[1248]: /interfaces_assign.php: Gateway, none 'available' for inet6, use the first one configured. ''
          Jun 15 23:53:39 pfSense php-fpm[1248]: /interfaces_assign.php: Creating rrd update script
          Jun 15 23:53:40 pfSense php-fpm[56381]: /interfaces_assign.php: Stopping all packages.
          Jun 15 23:53:42 pfSense syslogd: exiting on signal 15
          Jun 15 18:55:07 nollipfSense syslogd: exiting on signal 15
          Jun 15 18:55:08 nollipfSense syslogd: Logging subprocess 17613 (exec /usr/local/sbin/sshguard) exited due to signal 15.

          Shell Output - sysctl -a | grep msi

          hw.ixl.enable_msix: 1
          hw.sdhci.enable_msi: 1
          hw.puc.msi_disable: 0
          hw.pci.honor_msi_blacklist: 1
          hw.pci.msix_rewrite_table: 0
          hw.pci.enable_msix: 1
          hw.pci.enable_msi: 1
          hw.mfi.msi: 1
          hw.malo.pci.msi_disable: 0
          hw.ix.enable_msix: 1
          hw.igb.enable_msix: 1
          hw.em.enable_msix: 1
          hw.cxgb.msi_allowed: 2
          hw.bce.msi_enable: 1
          hw.aac.enable_msi: 1
          machdep.disable_msix_migration: 0
          dev.bge.1.msi: 1
          dev.bge.0.msi: 1

          Shell Output - sysctl -a | grep netmap

          netmap: loaded module
          043.352356 [ 760] generic_netmap_dtor Restored native NA 0
          043.354388 [ 760] generic_netmap_dtor Restored native NA 0
          043.536234 [ 760] generic_netmap_dtor Restored native NA 0
          device netmap
          dev.netmap.ixl_rx_miss_bufs: 0
          dev.netmap.ixl_rx_miss: 0
          dev.netmap.iflib_rx_miss_bufs: 0
          dev.netmap.iflib_rx_miss: 0
          dev.netmap.iflib_crcstrip: 1
          dev.netmap.bridge_batch: 1024
          dev.netmap.default_pipes: 0
          dev.netmap.priv_buf_num: 4098
          dev.netmap.priv_buf_size: 2048
          dev.netmap.buf_curr_num: 163840
          dev.netmap.buf_num: 163840
          dev.netmap.buf_curr_size: 2048
          dev.netmap.buf_size: 2048
          dev.netmap.priv_ring_num: 4
          dev.netmap.priv_ring_size: 20480
          dev.netmap.ring_curr_num: 200
          dev.netmap.ring_num: 200
          dev.netmap.ring_curr_size: 36864
          dev.netmap.ring_size: 36864
          dev.netmap.priv_if_num: 1
          dev.netmap.priv_if_size: 1024
          dev.netmap.if_curr_num: 100
          dev.netmap.if_num: 100
          dev.netmap.if_curr_size: 1024
          dev.netmap.if_size: 1024
          dev.netmap.generic_rings: 1
          dev.netmap.generic_ringsize: 1024
          dev.netmap.generic_mit: 100000
          dev.netmap.admode: 0
          dev.netmap.fwd: 0
          dev.netmap.flags: 0
          dev.netmap.adaptive_io: 0
          dev.netmap.txsync_retry: 2
          dev.netmap.no_pendintr: 1
          dev.netmap.mitigate: 1
          dev.netmap.no_timestamp: 0
          dev.netmap.verbose: 0
          dev.netmap.ix_rx_miss_bufs: 0
          dev.netmap.ix_rx_miss: 0
          dev.netmap.ix_crcstrip: 0

          Shell Output - sysctl -a | grep bge0

          <5>bge0: link state changed to DOWN
          <5>bge0: link state changed to UP
          bge0: <Thunderbolt Ethernet, ASIC rev. 0x57766000> mem 0xa4f00000-0xa4f0ffff,0xa4f10000-0xa4f1ffff at device 0.0 on pci7
          bge0: CHIP ID 0x57766000; ASIC REV 0x57766; CHIP REV 0x577660; PCI-E
          miibus0: <MII bus> on bge0
          bge0: Using defaults for TSO: 65518/35/2048
          bge0: Ethernet address: a8:60:b6:23:11:34
          <5>bge0: link state changed to DOWN
          <5>bge0: link state changed to UP
          <6>bge0: promiscuous mode enabled
          dev.miibus.0.%parent: bge0

          • NollipfSense @bmeeks

            @bmeeks said in Migrated from igb to bge Suricata Won't Run:

            The bge network driver is not listed as supporting netmap operation. Netmap compatibility is required for inline IPS mode. That has been mentioned here over and over and over. You either need to install a netmap compatible network card or else switch to Legacy Mode blocking. That mode does not use netmap.

            These are the NIC driver families listed by FreeBSD as supporting netmap operation: em, igb, ixgb, ixl, lem, re or cxgbe.

            I didn't see your post until I posted the above. That's a bummer; however, could you have a look at the above data and just scan to see if anything is out of the norm?

            • bmeeks

              I see several error messages related to your old igb1 NIC interface. They should not be happening if your config.xml was correctly migrated over to the new hardware. Unless you actually have an igb NIC in the box, too. Looks like maybe the DHCP client is still trying to find and use an igb1 interface, but it does not exist in the new box.

              • NollipfSense @bmeeks

                @bmeeks said in Migrated from igb to bge Suricata Won't Run:

                I see several error messages related to your old igb1 NIC interface. They should not be happening if your config.xml was correctly migrated over to the new hardware. Unless you actually have an igb NIC in the box, too. Looks like maybe the DHCP client is still trying to find and use an igb1 interface, but it does not exist in the new box.

                Thank you Bmeeks...I will need some fine tuning, as Suricata is not running in Legacy mode either. I will be busy from now until the coming weekend and most likely won't follow up till late at night.

                The Mac Mini Server 2011 definitely has WAN on thunderbolt to an ethernet adapter...no igb interface.

                • NollipfSense

                  (dev.bge0.0.fc) > This was showing igb in System Tunables; but even after changing that and rebooting, Suricata doesn't show as running on the interface tab...see below! Looking at the system log shows Suricata started, it seems!
                  Screen Shot 2019-06-15 at 8.41.27 PM.png

                  Last 50 General Log Entries. (Maximum 50)
                  Jun 16 21:53:01 kernel bge1: link state changed to UP
                  Jun 16 21:53:02 kernel done.
                  Jun 16 21:53:02 kernel done.
                  Jun 16 21:53:02 check_reload_status Updating all dyndns
                  Jun 16 21:53:02 php-cgi rc.bootup: [squid] Installed but disabled. Not installing 'nat' rules.
                  Jun 16 21:53:02 php-cgi rc.bootup: [squid] Installed but disabled. Not installing 'pfearly' rules.
                  Jun 16 21:53:02 kernel .
                  Jun 16 21:53:02 php-cgi rc.bootup: [squid] Installed but disabled. Not installing 'filter' rules.
                  Jun 16 21:53:02 kernel ..
                  Jun 16 21:53:02 kernel .done.
                  Jun 16 21:53:06 php-cgi rc.bootup: Creating rrd update script
                  Jun 16 21:53:07 kernel done.
                  Jun 16 21:53:07 syslogd exiting on signal 15
                  Jun 16 21:53:07 syslogd kernel boot file is /boot/kernel/kernel
                  Jun 16 21:53:07 kernel done.
                  Jun 16 21:53:07 php-fpm 356 /rc.start_packages: Restarting/Starting all packages.
                  Jun 16 21:53:07 php-fpm 356 [pfBlockerNG] Starting firewall filter daemon
                  Jun 16 21:53:07 SuricataStartup 33537 Suricata START for WAN(32760_bge0)...
                  Jun 16 21:53:07 php [pfBlockerNG] DNSBL parser daemon started
                  Jun 16 21:53:07 php_pfb [pfBlockerNG] filterlog daemon started
                  Jun 16 21:53:07 SnortStartup 38614 Snort START for WAN(23083_bge0)...
                  Jun 16 21:53:07 php-fpm 356 /rc.start_packages: [squid] - squid_resync function call pr: bp: rpc:no
                  Jun 16 21:53:08 SnortStartup 45918 Snort START for LAN(37578_bge1)...
                  Jun 16 21:53:08 kernel bge0: promiscuous mode enabled
                  Jun 16 21:53:08 kernel bge1: promiscuous mode enabled
                  Jun 16 21:53:08 php-fpm 356 /rc.start_packages: [squid] Removing cronjobs ...
                  Jun 16 21:53:08 php-fpm 356 /rc.start_packages: [squid] 'Local Cache' not configured, disk cache will be disabled.
                  Jun 16 21:53:08 php-fpm 356 /rc.start_packages: [squid] Please, configure and save 'Local Cache' settings before enabling Squid proxy.
                  Jun 16 21:53:08 php-fpm 356 /rc.start_packages: [squid] Antivirus features disabled.
                  Jun 16 21:53:08 php-fpm 356 /rc.start_packages: [squid] Removing freshclam cronjob.
                  Jun 16 21:53:08 php-fpm 356 /rc.start_packages: [squid] 'Local Cache' not configured, disk cache will be disabled.
                  Jun 16 21:53:08 php-fpm 356 /rc.start_packages: [squid] Please, configure and save 'Local Cache' settings before enabling Squid proxy.
                  Jun 16 21:53:09 check_reload_status Reloading filter
                  Jun 16 21:53:09 Squid_Alarm 53685 Squid is disabled, exiting.
                  Jun 16 21:53:09 php [pfBlockerNG] DNSBL parser daemon started
                  Jun 16 21:53:09 php_pfb [pfBlockerNG] filterlog daemon started
                  Jun 16 21:53:10 php-fpm 357 /rc.filter_configure_sync: [squid] Installed but disabled. Not installing 'nat' rules.
                  Jun 16 21:53:10 php-fpm 357 /rc.filter_configure_sync: [squid] Installed but disabled. Not installing 'pfearly' rules.
                  Jun 16 21:53:10 php-fpm 357 /rc.filter_configure_sync: [squid] Installed but disabled. Not installing 'filter' rules.
                  Jun 16 21:53:10 login login on ttyv0 as root
                  Jun 16 21:53:25 php-fpm 356 /index.php: Successful login for user 'admin' from: 192.168.1.102 (Local Database)
                  Jun 16 21:54:02 check_reload_status Syncing firewall

                  Suricata is not running:
                  Screen Shot 2019-06-16 at 10.39.04 PM.png

                  • NollipfSense

                    Package installer said Suricata is installed; however, there is no yaml...how could that be? Is there anything I can do at the command prompt?

                    Shell Output - /etc/suricata/suricata.yaml
                    sh: /etc/suricata/suricata.yaml: not found

                    • bmeeks

                      @NollipfSense:

                      Your firewall is a complete mess! Look at the log file you posted. Did you actually read what it says?

                      Look at these two lines:

                      Jun 16 21:53:07	SuricataStartup	33537	Suricata START for WAN(32760_bge0)...
                      Jun 16 21:53:07	SnortStartup	38614	Snort START for WAN(23083_bge0)...
                      

                      You can't, and shouldn't, run both Snort and Suricata on the same interface. In fact, you should never run both packages on the same firewall, ever! They will conflict with each other, particularly over the use of the snort2c table.

                      It also appears your migration of the config.xml file to new hardware did not go well. The fact you still had references to the igb interfaces is evidence of that. My suggestion is that you just wipe this configuration out entirely and start over from scratch on this new hardware. Do not try to migrate the configuration from your old hardware over to this new box.

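An added example (not from the thread) for the leftover igb1 references bmeeks points to: list the <if> interface names a restored config.xml still uses that the new hardware does not have. The config fragment and the offline fallback interface list are constructed; on a FreeBSD host the comparison uses the real output of ifconfig -l.

```shell
#!/bin/sh
# Added example, not from the thread: after restoring a pfSense config.xml on
# different hardware, list every physical interface the config still names
# (the <if> elements, e.g. <if>igb1</if>) that this box does not have. This is
# the class of leftover behind the /interfaces_assign.php errors earlier in
# the thread ("interface igb1 does not exist").

# config_ifaces CONFIG: print the interface names used in <if>...</if>, one
# per line, deduplicated. Matching is textual and relies on config.xml keeping
# one element per line, which pfSense's exported config does.
config_ifaces() {
    sed -n 's#.*<if>\([^<][^<]*\)</if>.*#\1#p' "$1" | sort -u
}

# missing_ifaces CONFIG "LIVE LIST": print config interfaces absent from the
# space-separated live interface list (the shape `ifconfig -l` produces).
missing_ifaces() {
    for want in $(config_ifaces "$1"); do
        found=0
        for have in $2; do
            [ "$want" = "$have" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$want"
    done
    return 0
}

# write_sample_cfg FILE: constructed fragment shaped like the <interfaces>
# section of a config.xml exported from the old igb box, with one OPT
# interface already reassigned to the new bge NIC.
write_sample_cfg() {
    cat > "$1" <<'EOF'
<pfsense>
  <interfaces>
    <wan>
      <if>igb0</if>
      <ipaddr>dhcp</ipaddr>
    </wan>
    <lan>
      <if>igb1</if>
      <ipaddr>192.168.1.1</ipaddr>
    </lan>
    <opt1>
      <if>bge1</if>
    </opt1>
  </interfaces>
</pfsense>
EOF
}

SAMPLE_CFG=$(mktemp)
write_sample_cfg "$SAMPLE_CFG"

# On FreeBSD compare against the real interface list; elsewhere use a
# constructed list mimicking the Mac Mini in the thread (bge0 and bge1 only).
if [ "$(uname -s 2>/dev/null)" = FreeBSD ] && command -v ifconfig >/dev/null 2>&1; then
    LIVE=$(ifconfig -l)
else
    LIVE="bge0 bge1 lo0 pflog0 pfsync0"
fi

echo "config.xml interfaces not present on this host:"
missing_ifaces "$SAMPLE_CFG" "$LIVE"
rm -f "$SAMPLE_CFG"
```

Point the first argument at /cf/conf/config.xml on a real pfSense box to check the restored configuration itself.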
                      • bmeeks @NollipfSense

                        @NollipfSense said in Migrated from igb to bge Suricata Won't Run:

                        Package installer said Suricata is installed; however, there is no yaml...how could that be? Is there anything I can do at the command prompt?

                        Shell Output - /etc/suricata/suricata.yaml
                        sh: /etc/suricata/suricata.yaml: not found

                        You are looking in the wrong directory. That is not where the configuration of local packages exists on FreeBSD installs such as pfSense. The correct directory is /usr/local/etc, but even then that is not the entire path for Suricata or Snort. The interface configurations live in sub-directories underneath /usr/local/etc/suricata or /usr/local/etc/snort.

                        • NollipfSense @bmeeks

                          @bmeeks said in Migrated from igb to bge Suricata Won't Run:

                          @NollipfSense:

                          Your firewall is a complete mess! Look at the log file you posted. Did you actually read what it says?

                          Look at these two lines:

                          Jun 16 21:53:07	SuricataStartup	33537	Suricata START for WAN(32760_bge0)...
                          Jun 16 21:53:07	SnortStartup	38614	Snort START for WAN(23083_bge0)...
                          

                          You can't, and shouldn't, run both Snort and Suricata on the same interface. In fact, you should never run both packages on the same firewall, ever! They will conflict with each other, particularly over the use of the snort2c table.

                          It also appears your migration of the config.xml file to new hardware did not go well. The fact you still had references to the igb interfaces is evidence of that. My suggestion is that you just wipe this configuration out entirely and start over from scratch on this new hardware. Do not try to migrate the configuration from your old hardware over to this new box.

                          Okay Bmeeks; however, only Suricata is in inline mode with blocking enabled...Snort is running in alert only with no blocking. Had that setup running for almost a year and a half with no problem on the HP box.
                          You are correct Bmeeks and I'll start over from scratch next weekend.
                          Screen Shot 2019-06-17 at 11.25.45 AM.png

                          • bmeeks @NollipfSense

                            @NollipfSense said in Migrated from igb to bge Suricata Won't Run:

                            @bmeeks said in Migrated from igb to bge Suricata Won't Run:

                            @NollipfSense:

                            Your firewall is a complete mess! Look at the log file you posted. Did you actually read what it says?

                            Look at these two lines:

                            Jun 16 21:53:07	SuricataStartup	33537	Suricata START for WAN(32760_bge0)...
                            Jun 16 21:53:07	SnortStartup	38614	Snort START for WAN(23083_bge0)...
                            

                            You can't, and shouldn't, run both Snort and Suricata on the same interface. In fact, you should never run both packages on the same firewall, ever! They will conflict with each other, particularly over the use of the snort2c table.

                            It also appears your migration of the config.xml file to new hardware did not go well. The fact you still had references to the igb interfaces is evidence of that. My suggestion is that you just wipe this configuration out entirely and start over from scratch on this new hardware. Do not try to migrate the configuration from your old hardware over to this new box.

                            Okay Bmeeks; however, only Suricata is in inline mode with blocking enabled...Snort is running in alert only with no blocking. Had that setup running for almost a year and a half with no problem on the HP box.
                            You are correct Bmeeks and I'll start over from scratch next weekend.
                            Screen Shot 2019-06-17 at 11.25.45 AM.png

                            Having both of those running on the same firewall makes absolutely no sense. They use essentially the same rule signatures. That's almost like running two copies of the same anti-virus program on a PC. What is one going to detect that the other doesn't? Pick one or the other IDS/IPS solution (Suricata or Snort) and use just that one. Don't try to use both on the same box, much less on the same interface.

                            • NollipfSense @bmeeks

                              @bmeeks Bill, I had to post this example although it's not related to pfSense...you might know of it and it's from Github: https://github.com/security-onion-solutions/security-onion
                              Security Onion

                              "Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

                              For more information about Security Onion, please see our main website, blog, and docs".

                              They have both Suricata and Snort on the same OS/box...I am not the only one with that crazy idea. For me, Suricata works WAN and Snort on LAN...I get your point though on potential conflict.

                              • bmeeks @NollipfSense

                                @NollipfSense said in Migrated from igb to bge Suricata Won't Run:

                                @bmeeks Bill, I had to post this example although it's not related to pfSense...you might know of it and it's from Github: https://github.com/security-onion-solutions/security-onion
                                Security Onion

                                "Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

                                For more information about Security Onion, please see our main website, blog, and docs".

                                They have both Suricata and Snort on the same OS/box...I am not the only one with that crazy idea. For me, Suricata works WAN and Snort on LAN...I get your point though on potential conflict.

                                I still see no point really in running both on the same box, but so long as they are on totally separate interfaces it will work (well, so long as one is using Inline IPS Mode and the other is using Legacy Mode or IDS mode only; otherwise they can conflict with the single snort2c table in pf). In your case, I saw in the system log snippet you posted that both Suricata and Snort were attempting to start on the same interface (bge0, if I recall correctly). That won't work well at all! One is trying to configure the interface for netmap mode and the other is trying to configure it for PCAP mode. Not going to work correctly.

                                • NollipfSense @bmeeks

                                  @bmeeks You did recall correctly...maybe it worked with the Intel card with no problem. However, the bge is a different animal and I should have anticipated problems...of course, my head was all about the cute and very small form factor...only the weekend will tell after taking your advice...will inform you then.

                                  • bmeeks

                                    I never recommend running both on the same interface, but the only way it can work (well) is if only one application is running with blocking mode enabled. So you could run Suricata in just IDS mode (Block Offenders NOT checked) and Snort in blocking mode with Block Offenders checked; or the other way around. You should never run with both in blocking mode on the same interface.

                                    And my other caution about both running on the same box in blocking mode, even on different interfaces, is valid because they will conflict with each other over use of the snort2c table. There is only a single snort2c table for the entire firewall.

                                    • NollipfSense

Okay Bill, I did the fresh install and Suricata will not run, or is not showing that it's running on the interface tab. Suricata WAN log shows: 7/7/2019 -- 00:42:47 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_bge023163.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_bge023163.pid. Aborting!

I went to Edit File under Diagnostics and loaded /var/run
                                      Screen Shot 2019-07-07 at 6.38.44 AM.png

However, I cannot figure out how to delete it... can you help? Here's the system log; I noticed there is some time issue:
                                      Jul 7 04:12:41 check_reload_status Syncing firewall
                                      Jul 7 04:12:41 check_reload_status Syncing firewall
                                      Jul 7 04:13:30 check_reload_status Syncing firewall
                                      Jul 7 04:13:59 check_reload_status Syncing firewall
                                      Jul 7 04:14:07 check_reload_status Syncing firewall
                                      Jul 7 04:21:55 check_reload_status Syncing firewall
                                      Jul 7 04:22:13 check_reload_status Syncing firewall
                                      Jul 7 04:32:46 check_reload_status Syncing firewall
                                      Jul 7 04:34:20 check_reload_status Syncing firewall
                                      Jul 7 04:34:27 php-fpm 366 Starting Suricata on WAN(bge0) per user request...
                                      Jul 6 23:34:27 php [Suricata] Updating rules configuration for: WAN ...
                                      Jul 6 23:34:27 php [Suricata] Building new sid-msg.map file for WAN...
                                      Jul 6 23:34:27 php [Suricata] Suricata START for WAN(bge0)...
                                      Jul 7 04:34:32 php-fpm 365 Starting Suricata on WAN(bge0) per user request...
                                      Jul 6 23:34:32 php [Suricata] Updating rules configuration for: WAN ...
                                      Jul 6 23:34:33 php [Suricata] Building new sid-msg.map file for WAN...
                                      Jul 6 23:34:33 php [Suricata] Suricata START for WAN(bge0)...
                                      Jul 7 04:34:36 php-fpm 365 Starting Suricata on WAN(bge0) per user request...
                                      Jul 6 23:34:36 php [Suricata] Updating rules configuration for: WAN ...
                                      Jul 6 23:34:37 php [Suricata] Building new sid-msg.map file for WAN...
                                      Jul 6 23:34:37 php [Suricata] Suricata START for WAN(bge0)...
                                      Jul 7 04:51:23 check_reload_status Syncing firewall
                                      Jul 7 05:04:39 check_reload_status Syncing firewall
                                      Jul 7 05:04:50 php-fpm 81239 Starting Suricata on WAN(bge0) per user request...
                                      Jul 7 00:04:50 php [Suricata] Updating rules configuration for: WAN ...
                                      Jul 7 00:04:51 php [Suricata] Building new sid-msg.map file for WAN...
                                      Jul 7 00:04:51 php [Suricata] Suricata START for WAN(bge0)...
                                      Jul 7 05:05:49 check_reload_status Syncing firewall
                                      Jul 7 05:05:54 php-fpm 366 Starting Suricata on WAN(bge0) per user request...
                                      Jul 7 00:05:55 php [Suricata] Updating rules configuration for: WAN ...
                                      Jul 7 00:05:55 php [Suricata] Building new sid-msg.map file for WAN...
                                      Jul 7 00:05:55 php [Suricata] Suricata START for WAN(bge0)...
                                      Jul 7 05:07:01 check_reload_status Syncing firewall
                                      Jul 7 05:42:24 check_reload_status Syncing firewall
                                      Jul 7 05:42:46 php-fpm 56294 Starting Suricata on WAN(bge0) per user request...
                                      Jul 7 00:42:46 php [Suricata] Updating rules configuration for: WAN ...
                                      Jul 7 00:42:47 php [Suricata] Building new sid-msg.map file for WAN...
                                      Jul 7 00:42:47 php [Suricata] Suricata START for WAN(bge0)...
                                      Jul 7 05:46:46 check_reload_status Syncing firewall
                                      Jul 7 05:46:46 syslogd exiting on signal 15
                                      Jul 7 00:46:46 syslogd kernel boot file is /boot/kernel/kernel
                                      Jul 7 00:46:46 nollipfsense.localdomain nginx: 2019/07/07 00:46:46 [error] 50081#100505: send() failed (54: Connection reset by peer)
                                      Jul 7 01:00:00 php-cgi [Suricata] Checking for updated MaxMind GeoLite2 IP database file...
                                      Jul 7 01:00:00 php-cgi [Suricata] GeoLite2-Country IP database is up-to-date.
                                      Jul 7 01:00:00 php-cgi [Suricata] GeoLite2-Country database update check finished.
                                      Jul 7 02:36:49 nollipfsense.localdomain nginx: 2019/07/07 02:36:49 [error] 50154#100632: send() failed (54: Connection reset by peer)
                                      Jul 7 10:39:46 check_reload_status Syncing firewall
                                      Jul 7 10:39:46 php-fpm 365 [Suricata] Updating rules configuration for: WAN ...
                                      Jul 7 10:39:47 php-fpm 365 [Suricata] Enabling any flowbit-required rules for: WAN...
                                      Jul 7 10:39:47 php-fpm 365 [Suricata] Building new sid-msg.map file for WAN...

                                      I have been reading your reply here: https://forum.netgate.com/topic/131716/still-seeing-suricata-stop-an-interface-due-to-pid-error/35

Also this, and I wondered why permission was denied:
                                      Shell Output - /var/log/suricata
                                      sh: /var/log/suricata: Permission denied

BTW, I had increased Stream Memory Cap to 512MB for my 8 CPUs/cores with no luck.


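The check the error message asks for ("Make sure Suricata is not running and then remove ..."), as an added example that is not part of the thread or of the pfSense Suricata package: a POSIX sh script that reads the PID from the file, tests whether that process still exists and is still suricata, and removes the file only when it is stale. The path is the one from the log above; the function names pidfile_state and remove_stale_pidfile are my own, and the script assumes it runs as root (as the pfSense shell does), because kill -0 also fails on another user's live process.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/Suricata.
# Suricata refuses to start while its PID file exists, so a file left behind
# by an earlier instance (e.g. /var/run/suricata_bge023163.pid from the log)
# blocks every restart until it is removed. These helpers make the
# "is it really stale?" decision explicit before anything is deleted.

# pidfile_state FILE [EXPECTED_COMM]
#   prints "live", "stale" or "missing" and returns 0, 1 or 2 respectively.
#   "stale" = the file exists but no process with that PID is running, or
#   (when EXPECTED_COMM is given) the PID now belongs to a different program.
#   Run as root: kill -0 on another user's process fails with EPERM and would
#   otherwise be misreported as stale.
pidfile_state() {
    file="$1"; want="$2"
    [ -f "$file" ] || { echo missing; return 2; }
    pid=$(tr -dc '0-9' < "$file")                  # keep only the digits
    [ -n "$pid" ] || { echo stale; return 1; }     # empty or garbage file
    if ! kill -0 "$pid" 2>/dev/null; then
        echo stale; return 1                       # no such process
    fi
    if [ -n "$want" ]; then
        # ps -p/-o comm= as on FreeBSD/pfSense; empty output counts as stale
        comm=$(ps -p "$pid" -o comm= 2>/dev/null)
        case "$comm" in
            *"$want"*) ;;                          # same program still owns the PID
            *) echo stale; return 1 ;;             # PID recycled by something else
        esac
    fi
    echo live; return 0
}

# remove_stale_pidfile FILE [EXPECTED_COMM]
#   deletes FILE only when pidfile_state reports it stale; never touches a
#   file that still belongs to a running process. Returns 0 if the file is
#   gone afterwards (removed or never there), 1 if it was left in place.
remove_stale_pidfile() {
    state=$(pidfile_state "$1" "$2" || true)       # || true: safe under set -e
    case "$state" in
        stale)   rm -f "$1" && echo "removed stale $1"; return 0 ;;
        missing) return 0 ;;
        *)       echo "$1 belongs to running pid $(cat "$1"); not removed" >&2
                 return 1 ;;
    esac
}

# On the box from the thread (path taken from the Suricata log line):
#   remove_stale_pidfile /var/run/suricata_bge023163.pid suricata
```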
                                        bmeeks

                                        Do you actually have 2 instances of Suricata running on both your LAN and WAN interfaces?

                                        You also seem to have the same UUID on both bge0 and bge1. That is not possible within the GUI. Did you manually edit something in the config.xml file? If so, the configuration is not correct. You should never have the same UUID on any interface. You have 23163 on both bge0 and bge1. While that is not directly the cause of your PID file problem, it does clearly indicate to me that your Suricata configuration is totally hosed up on that box. Is this still that Mac server you were trying to use earlier?

                                          NollipfSense @bmeeks

                                          @bmeeks said in Migrated from igb to bge Suricata Won't Run:

                                          Do you actually have 2 instances of Suricata running on both your LAN and WAN interfaces?

                                          You also seem to have the same UUID on both bge0 and bge1. That is not possible within the GUI. Did you manually edit something in the config.xml file? If so, the configuration is not correct. You should never have the same UUID on any interface. You have 23163 on both bge0 and bge1. While that is not directly the cause of your PID file problem, it does clearly indicate to me that your Suricata configuration is totally hosed up on that box. Is this still that Mac server you were trying to use earlier?

Yes Bill, it is the same Mac server and no, I didn't edit config.xml. When I first configured Suricata on WAN, it was to see whether it would run without enabling any blocking, and it did not. So, I implemented it on LAN to see whether it would run there, and that didn't either. Maybe I should have rebooted the machine.


                                            NollipfSense

                                            Bill, I just rebooted and Suricata is now running! ☺

                                            Screen Shot 2019-07-07 at 1.38.08 PM.png


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.