Netgate Discussion Forum

    Suricata 5.0.2 not starting on 2.4.5

    IDS/IPS
    11 Posts 3 Posters 1.1k Views
    • M
      mkcharlie
      last edited by mkcharlie

      I was running Suricata 4 (don't remember the exact version number) on two interfaces on pfSense 2.4.4-p3. It worked fine.
      I then upgraded to Suricata 5.0.2 and immediately upgraded pfSense to 2.4.5. I'm not sure if 5.0.2 ever worked.

      Running ldd /usr/local/bin/suricata gives:

      /usr/local/bin/suricata:
              libhtp.so.2 => /usr/local/lib/libhtp.so.2 (0x800cfe000)
              librt.so.1 => /usr/lib/librt.so.1 (0x800f27000)
              libm.so.5 => /lib/libm.so.5 (0x80112d000)
              liblz4.so.1 => /usr/local/lib/liblz4.so.1 (0x80135d000)
              libhiredis.so.0.13 => /usr/local/lib/libhiredis.so.0.13 (0x801590000)
              libmaxminddb.so.0 => /usr/local/lib/libmaxminddb.so.0 (0x80179e000)
              libluajit-5.1.so.2 => not found (0)
              libmagic.so.4 => /usr/lib/libmagic.so.4 (0x8019a3000)
              libiconv.so.2 => /usr/local/lib/libiconv.so.2 (0x801bc8000)
              libnet.so.1 => /usr/local/lib/libnet.so.1 (0x801ec3000)
              libjansson.so.4 => /usr/local/lib/libjansson.so.4 (0x8020db000)
              libthr.so.3 => /lib/libthr.so.3 (0x8022ea000)
              libyaml-0.so.2 => /usr/local/lib/libyaml-0.so.2 (0x802513000)
              libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x802731000)
              libhs.so.4 => /usr/local/lib/libhs.so.4 (0x802a00000)
              libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x80305c000)
              libnss3.so => /usr/local/lib/nss/libnss3.so (0x8032b8000)
              libsmime3.so => /usr/local/lib/nss/libsmime3.so (0x8035f9000)
              libssl3.so => /usr/local/lib/nss/libssl3.so (0x803825000)
              libnssutil3.so => /usr/local/lib/nss/libnssutil3.so (0x803a82000)
              libplds4.so => /usr/local/lib/libplds4.so (0x803cb3000)
              libplc4.so => /usr/local/lib/libplc4.so (0x803eb6000)
              libnspr4.so => /usr/local/lib/libnspr4.so (0x8040ba000)
              libdl.so.1 => /usr/lib/libdl.so.1 (0x8042fa000)
              libz.so.6 => /lib/libz.so.6 (0x8044fb000)
              libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x804714000)
              libc.so.7 => /lib/libc.so.7 (0x804924000)
              libc++.so.1 => /usr/lib/libc++.so.1 (0x804cc6000)
              libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x804f95000)
              libibverbs.so.1 => /lib/libibverbs.so.1 (0x8051b7000)
      

      I seem to be missing libluajit-5.1.so.2. Any idea how I can correct that?

      edit: my signature says I'm using Snort. I can't change it, but I'm not running Snort anymore :).
      edit 2: tried reinstall, uninstall and install, problem seems to remain. suricata.log is empty

      enabled services:

      • snort
      • pfblockerNG
      1 Reply Last reply Reply Quote 0
      • dotOneD
        dotOne
        last edited by

        I see the same problem: Shared object "libluajit-5.1.so.2" not found, required by "suricata"

        1 Reply Last reply Reply Quote 0
        • M
          mkcharlie
          last edited by

          I see now that I should not have updated Suricata before updating to 2.4.5; it's stated pretty clearly in the docs. Somehow I thought that you should upgrade all packages before upgrading pfSense.

          Anyway, uninstalling Suricata and reinstalling it did not solve the problem.

          enabled services:

          • snort
          • pfblockerNG
          1 Reply Last reply Reply Quote 0
          • dotOneD
            dotOne
            last edited by

            I did not update suricata before upgrading to 2.4.5.
            Did an uninstall/install but problem persists.

            1 Reply Last reply Reply Quote 0
            • bmeeksB
              bmeeks
              last edited by bmeeks

              Are you running on a Netgate appliance? If so, which model?

              Your local pkg repository database may be confused due to the way in which you upgraded packages first. Not sure how to tell you to get out of that quandary. You could try removing Suricata again, then open a shell prompt on the firewall and execute this command:

              pkg update -f
              

              When that finishes, go back to the GUI and try installing Suricata again.

              1 Reply Last reply Reply Quote 0
              • M
                mkcharlie
                last edited by mkcharlie

                I'm running on a PC Engines APU2.
                Thanks for the help. I removed it, ran the pkg update -f command, and reinstalled it using the GUI. However, the issue persists. Here's the install log:

                >>> Installing pfSense-pkg-suricata... 
                Updating pfSense-core repository catalogue...
                pfSense-core repository is up to date.
                Updating pfSense repository catalogue...
                pfSense repository is up to date.
                All repositories are up to date.
                The following 17 package(s) will be affected (of 0 checked):
                
                New packages to be INSTALLED:
                	pfSense-pkg-suricata: 5.0.2 [pfSense]
                	suricata: 5.0.2_1 [pfSense]
                	libyaml: 0.2.2 [pfSense]
                	nss: 3.51 [pfSense]
                	nspr: 4.25 [pfSense]
                	cyrus-sasl: 2.1.27 [pfSense]
                	libpcap: 1.9.1_1 [pfSense]
                	libnet: 1.1.6_5,1 [pfSense]
                	py37-yaml: 5.2 [pfSense]
                	jansson: 2.12 [pfSense]
                	hyperscan: 4.7.0_3 [pfSense]
                	hiredis: 0.13.3 [pfSense]
                	barnyard2: 1.13_5 [pfSense]
                	broccoli: 1.101,1 [pfSense]
                	python27: 2.7.17_1 [pfSense]
                	mysql57-client: 5.7.29 [pfSense]
                	protobuf: 3.9.2,1 [pfSense]
                
                Number of packages to be installed: 17
                
                The process will require 180 MiB more space.
                23 MiB to be downloaded.
                [1/17] Fetching pfSense-pkg-suricata-5.0.2.txz: .......... done
                [2/17] Fetching suricata-5.0.2_1.txz: .......... done
                [3/17] Fetching libyaml-0.2.2.txz: ......... done
                [4/17] Fetching nss-3.51.txz: .......... done
                [5/17] Fetching nspr-4.25.txz: .......... done
                [6/17] Fetching cyrus-sasl-2.1.27.txz: .......... done
                [7/17] Fetching libpcap-1.9.1_1.txz: .......... done
                [8/17] Fetching libnet-1.1.6_5,1.txz: .......... done
                [9/17] Fetching py37-yaml-5.2.txz: .......... done
                [10/17] Fetching jansson-2.12.txz: ...... done
                [11/17] Fetching hyperscan-4.7.0_3.txz: .......... done
                [12/17] Fetching hiredis-0.13.3.txz: .......... done
                [13/17] Fetching barnyard2-1.13_5.txz: .......... done
                [14/17] Fetching broccoli-1.101,1.txz: .......... done
                [15/17] Fetching python27-2.7.17_1.txz: .......... done
                [16/17] Fetching mysql57-client-5.7.29.txz: .......... done
                [17/17] Fetching protobuf-3.9.2,1.txz: .......... done
                Checking integrity... done (0 conflicting)
                [1/17] Installing nspr-4.25...
                [1/17] Extracting nspr-4.25: .......... done
                [2/17] Installing cyrus-sasl-2.1.27...
                *** Updated user `cyrus'.
                [2/17] Extracting cyrus-sasl-2.1.27: .......... done
                [3/17] Installing python27-2.7.17_1...
                [3/17] Extracting python27-2.7.17_1: .......... done
                [4/17] Installing protobuf-3.9.2,1...
                [4/17] Extracting protobuf-3.9.2,1: .......... done
                [5/17] Installing libyaml-0.2.2...
                [5/17] Extracting libyaml-0.2.2: ......... done
                [6/17] Installing nss-3.51...
                [6/17] Extracting nss-3.51: .......... done
                [7/17] Installing libpcap-1.9.1_1...
                [7/17] Extracting libpcap-1.9.1_1: .......... done
                [8/17] Installing libnet-1.1.6_5,1...
                [8/17] Extracting libnet-1.1.6_5,1: .......... done
                [9/17] Installing py37-yaml-5.2...
                [9/17] Extracting py37-yaml-5.2: .......... done
                [10/17] Installing jansson-2.12...
                [10/17] Extracting jansson-2.12: .......... done
                [11/17] Installing hyperscan-4.7.0_3...
                [11/17] Extracting hyperscan-4.7.0_3: .......... done
                [12/17] Installing hiredis-0.13.3...
                [12/17] Extracting hiredis-0.13.3: .......... done
                [13/17] Installing broccoli-1.101,1...
                [13/17] Extracting broccoli-1.101,1: .......... done
                [14/17] Installing mysql57-client-5.7.29...
                [14/17] Extracting mysql57-client-5.7.29: .......... done
                [15/17] Installing suricata-5.0.2_1...
                [15/17] Extracting suricata-5.0.2_1: .......... done
                [16/17] Installing barnyard2-1.13_5...
                [16/17] Extracting barnyard2-1.13_5: ...... done
                [17/17] Installing pfSense-pkg-suricata-5.0.2...
                [17/17] Extracting pfSense-pkg-suricata-5.0.2: .......... done
                ....Saving updated package information...
                done.
                Loading package configuration... done.
                Configuring package components...
                Loading package instructions...
                Custom commands...
                Executing custom_php_install_command()...Saved settings detected...
                Migrating settings to new configuration... done.
                Downloading Emerging Threats Open rules md5 file...Emerging Threats Open rules md5 error ... Server returned error code 404
                Emerging Threats Open rules will not be updated.
                Downloading Snort VRT rules md5 file... done.
                There is a new set of Snort rules posted. Downloading... done.
                Installing Snort rules... done.
                Updating rules configuration for: WAN ... done.
                Updating rules configuration for: WHOME ... done.
                Updating rules configuration for: ELK ... done.
                Cleaning up after rules extraction... done.
                The Rules update has finished.
                Generating suricata.yaml configuration file from saved settings.
                Generating YAML configuration file for WAN... done.
                Generating YAML configuration file for WHOME... done.
                Generating YAML configuration file for ELK... done.
                Finished rebuilding Suricata configuration from saved settings.
                  Setting package version in configuration file.
                done.
                Executing custom_php_resync_config_command()...done.
                Menu items... done.
                Services... done.
                Writing configuration... done.
                =====
                Message from cyrus-sasl-2.1.27:
                
                --
                You can use sasldb2 for authentication, to add users use:
                
                	saslpasswd2 -c username
                
                If you want to enable SMTP AUTH with the system Sendmail, read
                Sendmail.README
                
                NOTE: This port has been compiled with a default pwcheck_method of
                      auxprop.  If you want to authenticate your user by /etc/passwd,
                      PAM or LDAP, install ports/security/cyrus-sasl2-saslauthd and
                      set sasl_pwcheck_method to saslauthd after installing the
                      Cyrus-IMAPd 2.X port.  You should also check the
                      /usr/local/lib/sasl2/*.conf files for the correct
                      pwcheck_method.
                      If you want to use GSSAPI mechanism, install
                      ports/security/cyrus-sasl2-gssapi.
                      If you want to use SRP mechanism, install
                      ports/security/cyrus-sasl2-srp.
                      If you want to use LDAP auxprop plugin, install
                      ports/security/cyrus-sasl2-ldapdb.
                =====
                Message from python27-2.7.17_1:
                
                --
                Note that some standard Python modules are provided as separate ports
                as they require additional dependencies. They are available as:
                
                bsddb           databases/py-bsddb
                gdbm            databases/py-gdbm
                sqlite3         databases/py-sqlite3
                tkinter         x11-toolkits/py-tkinter
                --
                ===>   NOTICE:
                
                This port is deprecated; you may wish to reconsider installing it:
                
                EOLed upstream.
                
                It is scheduled to be removed on or after 2020-12-31.
                =====
                Message from mysql57-client-5.7.29:
                
                --
                This is the mysql CLIENT without the server.
                for complete server and client, please install databases/mysql57-server
                =====
                Message from suricata-5.0.2_1:
                
                --
                If you want to run Suricata in IDS mode, add to /etc/rc.conf:
                
                	suricata_enable="YES"
                	suricata_interface="<if>"
                
                NOTE: Declaring suricata_interface is MANDATORY for Suricata in IDS Mode.
                
                However, if you want to run Suricata in Inline IPS Mode in divert(4) mode,
                add to /etc/rc.conf:
                
                	suricata_enable="YES"
                	suricata_divertport="8000"
                
                NOTE:
                	Suricata won't start in IDS mode without an interface configured.
                	Therefore if you omit suricata_interface from rc.conf, FreeBSD's
                	rc.d/suricata will automatically try to start Suricata in IPS Mode
                	(on divert port 8000, by default).
                
                Alternatively, if you want to run Suricata in Inline IPS Mode in high-speed
                netmap(4) mode, add to /etc/rc.conf:
                
                	suricata_enable="YES"
                	suricata_netmap="YES"
                
                NOTE:
                	Suricata requires additional interface settings in the configuration
                	file to run in netmap(4) mode.
                
                RULES: Suricata IDS/IPS Engine comes without rules by default. You should
                add rules by yourself and set an updating strategy. To do so, please visit:
                
                 http://www.openinfosecfoundation.org/documentation/rules.html
                 http://www.openinfosecfoundation.org/documentation/emerging-threats.html
                
                You may want to try BPF in zerocopy mode to test performance improvements:
                
                	sysctl -w net.bpf.zerocopy_enable=1
                
                Don't forget to add net.bpf.zerocopy_enable=1 to /etc/sysctl.conf
                =====
                Message from barnyard2-1.13_5:
                
                --
                Read the notes in the barnyard2.conf file for how to configure
                /usr/local/etc/barnyard2.conf after installation.  For addtional information
                see the Securixlive FAQ at http://www.securixlive.com/barnyard2/faq.php.
                
                In order to enable barnyard2 to start on boot, you must edit /etc/rc.conf
                with the appropriate flags, etc.  See the FreeBSD Handbook for syntax:
                http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-rcng.html
                
                For the various options available, type % barnyard2 -h after install or read
                the options in the startup script - in /usr/local/etc/rc.d.
                
                Barnyard2 can process unified2 files from snort or suricata.  It can also
                interact with snortsam firewall rules as well as the sguil-sensor. Those
                ports must be installed separately if you wish to use them.
                >>> Cleaning up cache... done.
                Success
                
                

                enabled services:

                • snort
                • pfblockerNG
                1 Reply Last reply Reply Quote 0
                • bmeeksB
                  bmeeks
                  last edited by

                  I honestly don't know what could be going on at this point. For another user reporting a different issue this morning, I installed Suricata fresh on a 2.4.5 virtual machine and everything worked fine. And I know it is working for the vast majority of other pfSense users out there.

                  On pfSense, that particular library requirement is supposed to be satisfied by luajit-openresty. I don't see that package being downloaded and installed in your log.

                  1 Reply Last reply Reply Quote 0
                  • bmeeksB
                    bmeeks
                    last edited by

                    Just for grins, try this command:

                    pkg install luajit-openresty-2.1.20190912_2
                    

                    And then see if Suricata will start.

                    1 Reply Last reply Reply Quote 0
                    • M
                      mkcharlie
                      last edited by

                      I executed a forced pkg reinstall as explained here: https://docs.netgate.com/pfsense/en/latest/install/upgrade-troubleshooting.html#forced-pkg-reinstall .

                      That seemed to have fixed it. It indeed installed the required package:

                      [120/199] Fetching luajit-openresty-2.1.20190912_2.txz: 100%  418 KiB 428.4kB/s    00:01
                      

                      I did not attempt your suggestion to install the luajit package first since I already started the forced reinstall of all packages.

                      Thanks for the tips!

                      enabled services:

                      • snort
                      • pfblockerNG
                      1 Reply Last reply Reply Quote 0
                      • bmeeksB
                        bmeeks
                        last edited by

                        Great! pkg was probably confused and thought it had installed it when it actually had not. That's one of the weird things that can happen when the OS version and package version repos are out of sync. Forcing pkg to reinstall everything resets the board, so to speak.

                        dotOneD 1 Reply Last reply Reply Quote 1
                        • dotOneD
                          dotOne @bmeeks
                          last edited by

                          pkg install -f luajit-openresty-2.1.20190912_2

                          Forced reinstall of the package solved the issue. Apparently the package was registered as installed while in reality it wasn't.

                          [1/1] Reinstalling luajit-openresty-2.1.20190912_2...
                          [1/1] Extracting luajit-openresty-2.1.20190912_2: 100%
                          [2.4.5-RELEASE][root@firewall-2.dotOne.nl]/root: suricata -V
                          This is Suricata version 5.0.2 RELEASE

                          1 Reply Last reply Reply Quote 1
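The failure in this thread (an IDS binary that cannot start because a shared library is registered as installed but missing on disk, with an empty suricata.log) can be caught by a pre-start check. The following is an added example, not code from the thread or from the pfSense package; the function names are hypothetical, and it assumes the library list comes from `ldd` and the file list from `pkg info -l <pkg>`.

```shell
#!/bin/sh
# Added example (not from the thread): pre-start health check for an IDS binary.
# Intended use on the firewall (assumed invocations):
#   ldd /usr/local/bin/suricata | missing_libs
#   pkg info -l luajit-openresty | missing_files

# Print every soname that `ldd` (output on stdin) could not resolve.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Read a package file list on stdin, as `pkg info -l <pkg>` prints it
# (a header line, then indented absolute paths), and print each path
# that is registered in the package database but absent from disk.
missing_files() {
    sed 's/^[[:space:]]*//' | while IFS= read -r path; do
        case $path in
            /*) [ -e "$path" ] || printf '%s\n' "$path" ;;
        esac
    done
}

# Succeed only if the ldd output on stdin has no unresolved library.
libs_ok() {
    [ -z "$(missing_libs)" ]
}

# Sample input: four lines taken from the ldd output in the first post.
sample_ldd() {
    cat <<'EOF'
/usr/local/bin/suricata:
        libhtp.so.2 => /usr/local/lib/libhtp.so.2 (0x800cfe000)
        libluajit-5.1.so.2 => not found (0)
        libmagic.so.4 => /usr/lib/libmagic.so.4 (0x8019a3000)
EOF
}

# Constructed sample: a file list for a made-up package.
# $1 and $2 are the two paths to list under the header line.
sample_file_list() {
    printf 'example-pkg-1.0:\n\t%s\n\t%s\n' "$1" "$2"
}

# Run with --demo to see both checks on the sample input.
if [ "${1:-}" = "--demo" ]; then
    sample_ldd | missing_libs
    sample_file_list /bin/sh /nonexistent/lib/libexample.so.1 | missing_files
fi
```

Running such a check from cron or a monitoring agent after every package or OS upgrade turns a silently stopped sensor into an alert.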
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.