Suricata 4.1.5_1 on pfsense 2.5.0-DEVELOPMENT (amd64) can't start

kiokoman

i'm currently using it on my 2.5 without any problem, do you have anything on the log?
Status / System Logs / System General
you should disable Barnyard2, it's old, unsupported and it will be removed, it could be the cause of your problem.
delete the interfaces, reboot and recreate it without barnyard2

war

@kiokoman

Thanks for your reply. I already removed banyard2. Still suricata can't start.

war

I have experience this bug.

kiokoman

uhm idk maybe try to uninstall and reinstall suricata, remember to remove this option before uninstalling

or maybe @bmeeks can help you about this

bmeeks

@war said in Suricata 4.1.5_1 on pfsense 2.5.0-DEVELOPMENT (amd64) can't start:

I have experience this bug.

That PHP crash report is very confusing. When I look in that GUI package source code file, there is no such line using the explode() function at that line number. The function is actually called a few lines above. Nevertheless, I don't think that will cause Suricata not to start. That is just a warning message from the PHP compiler. I will address that issue in the next GUI package update.

To see why Suricata is not starting, you need to look in the suricata.log file for the interface. Go to the LOGS VIEW tab and select a Suricata interface in the drop-down. Then choose suricata.log in the drop-down log file chooser. Read through that log and see what Suricata complains about. It should list any errors preventing startup in there.

war

Hi guys,

This is the output of my suricata logs.

kiokoman

from console delete that file

rm /var/run/pid/suricata*

try to start it again

bmeeks

Do what @kiokoman said and that should let Suricata start.

That error message indicates the running Suricata process crashed and did not have a chance to clean up after itself.

war

Hi guys,

I already deleted /var/run/suricata*, there is no /var/run/pid/suricata*. error is still the same.

kiokoman

nope, not the same, the error is now different,
now.. i see you have 16 cores
increase the Stream Memcap value on the FLOW/STREAM tab (inside interface) to at least 256 MB and try to start again, increse that value until it run. remove the pid again if necessary

bmeeks

@kiokoman is right again. High core-count CPUs will need way more TCP stream memory than the default.

war

Thanks guys its now working.