Suricata not starting and blank log
-
@bmeeks thanks for your help.
I have a number of VLANs running for my internal networks on `lagg0`. Is it possible for me to assign Suricata to the `lagg0` interface in promiscuous mode and monitor the VLANs rather than creating separate interfaces in Suricata for each VLAN? I haven't assigned `lagg0` to an interface under the Interfaces\Interface Assignments menu, which is why I suspect it isn't appearing in the Suricata GUI. Do I need to assign `lagg0` to an interface? If I do, can I leave the IPv4 and IPv6 configuration as none? What value would I need to increase `Interface PCAP Snaplen` to in Suricata?
-
Monitoring VLANs via the parent interface is really the preferred method when it works for your setup. This kind of setup would not work, though, if you wanted different rules for the various VLANs.
You can create a Suricata interface on any enabled interface you have in pfSense. I'm not so sure that using `lagg0` is going to work out well, though. But you can certainly try. That is a special kind of interface and not really the same as using a physical NIC.
The Snaplen should always match your Ethernet frame plus VLAN tags. The default value is usually sufficient to capture both of those, but you can increase it if you want to experiment.
-
Will it place an increased load on the CPU if I monitor each VLAN interface separately rather than from the parent interface? I assume that as each interface will require a separate instance of Suricata there may be some additional overhead, but the traffic volume would be the same in each case? I assume the RAM usage would increase as each instance will require its own memcap limits?
-
@kesawi said in Suricata not starting and blank log:
Will it place an increased load on the CPU if I monitor each VLAN interface separately rather than from the parent interface? I assume that as each interface will require a separate instance of Suricata there may be some additional overhead, but the traffic volume would be the same in each case? I assume the RAM usage would increase as each instance will require its own memcap limits?
Of course. Each active Suricata instance requires CPU cycles to execute. So more CPU utilization and obviously more RAM consumed with multiple Suricata instances. Your OS will spend time and energy allocating time slices to the various running Suricata binaries, so lots of context switching will be happening as well.
-
Evening, I am having similar issues with not starting and an empty log. When I run the `/usr/local/bin/suricata -v` command I get:
Shared object "libibverbs.so.1" not found, required by "libpcap.so.1"
How do I go about installing the package or source it? I can't find it in the package manager.
-
@crugeman I initially had the same issue. I resolved this by completely uninstalling Suricata, upgrading pfSense from the previous version `2.4.4-RELEASE-p3` I was running to the latest `2.4.5-RELEASE`, which contains the library, and then installing Suricata.
-
@crugeman said in Suricata not starting and blank log:
Evening, I am having similar issues with not starting and an empty log. When I run the `/usr/local/bin/suricata -v` command I get:
Shared object "libibverbs.so.1" not found, required by "libpcap.so.1"
How do I go about installing the package or source it? I can't find it in the package manager.
What version of pfSense are you running and on what kind of hardware? Is it a Netgate appliance, and if so, which one?
If you are on pfSense-2.4.4_p3 and tried to upgrade Suricata, you are hosed until you upgrade your firewall to pfSense-2.4.5. There are several warnings in the pfSense upgrade docs about updating pfSense BEFORE you update packages whenever a new pfSense version is available. That's because new pfSense versions frequently come with FreeBSD ports trees (where packages come from) that are based on newer libraries. That's the case here. The "current packages" repo has been recompiled for use on pfSense-2.4.5 which is based on FreeBSD 11.3/STABLE.
If you absolutely can't upgrade your firewall to 2.4.5, then go read through this thread and follow the information there at your own risk: https://forum.netgate.com/topic/151709/2-4-5-update-caution/43.
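A pre-start check for the library mismatch described in this post, added here as an example (not from the thread or the pfSense package): it runs `ldd` on the Suricata binary, parses the FreeBSD rtld message quoted above (and the Linux-style `=> not found` form), and refuses to start when a dependency is unresolved instead of leaving an empty log. The sample `ldd` outputs are constructed, not real captures.

```shell
#!/bin/sh
# Pre-start dependency check for the Suricata binary on pfSense/FreeBSD.
# Added example, not part of the thread or the pfSense package.

# missing_shared_objects: read captured ldd/rtld output ($1) and print one line
# per unresolved library. Handles the FreeBSD rtld message seen in this thread
# ('Shared object "X" not found, required by "Y"') and the Linux ldd style
# ('X => not found').
missing_shared_objects() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^[[:space:]]*\([^[:space:]]*\) => not found.*/\1/p' \
        -e 's/^.*Shared object "\([^"]*\)" not found, required by "\([^"]*\)".*/\1 required by \2/p'
}

# check_suricata_deps: run ldd on the binary (default path from the thread) and
# return 1 with a report on stderr if any dependency is unresolved, so a wrapper
# can refuse to start rather than fail silently.
check_suricata_deps() {
    bin="${1:-/usr/local/bin/suricata}"
    # FreeBSD ldd exits non-zero when rtld cannot resolve a dependency; keep going,
    # because the error text is exactly what we want to parse.
    out="$(ldd "$bin" 2>&1)" || true
    missing="$(missing_shared_objects "$out")"
    if [ -n "$missing" ]; then
        printf 'not starting %s, unresolved shared objects:\n%s\n' "$bin" "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample (hypothetical, not a real capture) of what ldd prints on a
# pfSense-2.4.4_p3 box after the 2.4.5-built Suricata package was installed.
SAMPLE_BROKEN='/usr/local/bin/suricata:
ld-elf.so.1: Shared object "libibverbs.so.1" not found, required by "libpcap.so.1"'

# Constructed sample of a healthy binary: every dependency resolves.
SAMPLE_OK='/usr/local/bin/suricata:
        libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x800a00000)
        libc.so.7 => /lib/libc.so.7 (0x801000000)'

missing_shared_objects "$SAMPLE_BROKEN"
```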
-
@bmeeks said in Suricata not starting and blank log:
If you are on pfSense-2.4.4_p3 and tried to upgrade Suricata, you are hosed until you upgrade your firewall to pfSense-2.4.5.
If suricata is being installed for the first time, rather than an upgrade, then it still downloads the current version which is incompatible with releases prior to 2.4.5. There should be a warning in the description in package manager.
-
@kesawi said in Suricata not starting and blank log:
@bmeeks said in Suricata not starting and blank log:
If you are on pfSense-2.4.4_p3 and tried to upgrade Suricata, you are hosed until you upgrade your firewall to pfSense-2.4.5.
If suricata is being installed for the first time, rather than an upgrade, then it still downloads the current version which is incompatible with releases prior to 2.4.5. There should be a warning in the description in package manager.
Unfortunately the `pkg` utility in FreeBSD does not work that way so far as I know. The same kind of issue exists in Linux where if you specify the wrong package repo version you can break software.
The `pkg` configuration files in pfSense maintain two different repo pointers. One points to where to fetch the base OS files, while the other points to where to fetch packages. It's that second one that is pointing to the pfSense-2.4.5 files, I believe. But I don't profess to be a `pkg` expert.
-
Thanks for the quick response. I'm on pfSense-2.4.4_p3 right now. Will update tomorrow and report back.
-
I'm having a similar issue, however, not the same symptoms as @crugeman. When I run the `/usr/local/etc/rc.d/suricata onestart` command I get this output:
Starting suricata. Shared object "libibverbs.so.1" not found, required by "libpcap.so.1" /usr/local/etc/rc.d/suricata: WARNING: failed to start suricata
I see the error, but I'm not sure how to fix it on pfSense. I'm running 2.4.4_p3. Suricata installed is 5.0.2.
EDIT:
After reading the entire thread I think I understand the problem in my case.
I upgraded pfSense to 2.4.5; prior to that I made a backup. Upgrade was smooth. I noticed though afterwards I was getting a lot of issues with the NIC and/or system with large file transfers (downloading from web, or uploading to server across the LAN). On console, I noticed repeatedly seeing re0: watchdog timeout. I know this is because Realtek NICs suck. However, I didn't have as much of a problem on 2.4.4_p3. My decision was to roll back. Made another backup (this is from a 2.4.5 machine after all packages had been installed).
Fast forward to installation of 2.4.4_p3 and restoring. Everything downloads, and mostly everything starts fine. However, Suricata doesn't start.
It wasn't until this thread and another that I realized that Suricata 5.0.2 should not be run on 2.4.4_p3 due to library dependencies. I take it that I must upgrade to 2.4.5, then get a not so crappy NIC. If I'm wrong please guide me to the light.
-
@cromulon:
Yes, you can only run the new Suricata package on pfSense-2.4.5 due to changes in some supporting libraries. Right now you have a highly confused pfSense `pkg` configuration because it has a 2.4.4_p3 base OS but some incorrect libraries downloaded and installed because of the Suricata package that is compiled for pfSense-2.4.5 only.
If you check the Hardware subforum here on the Netgate forums you will find a link for downloading and installing a Realtek binary driver that fixes the watchdog timer issue. Or even better, install an Intel NIC and forget the crappy Realtek.
-
I'm not even going to waste my time on Realtek; tomorrow I'm ordering the Intel PRO/1000 PT 4-port. Think that's a mighty fine investment.
Also, I just upgraded back to 2.4.5 and the Suricata package is back to running. I'm glad I at least reported my problem and mentioned where I found answers. Oftentimes when looking around the web for issues similar to mine I see the thread die with "never mind, I found a fix". Also, thanks for the quick response, @bmeeks