Netgate Discussion Forum

    Suricata wont Start after updating pfSense to 2.4.5-RELEASE

    • bmeeksB
      bmeeks
      last edited by bmeeks

      I suspected a failure on a dependent library. That means your upgrade went south OR you updated Suricata BEFORE you did pfSense. If you did that, do not ever do that again. Always update pfSense FIRST when a pfSense upgrade AND package updates are both showing.

      The pkg system on your firewall is confused. That library dependency is fulfilled by the openresty library on pfSense.

      You can try two steps to fix this. The first one is less invasive, but not as thorough of a fix. The second is better than a complete reinstall of pfSense-2.4.5, but still not 100% guaranteed to work.

      Least Invasive Step

      From a shell prompt type:

      pkg install luajit-openresty
      

      More Thorough Step

      Follow the instructions found here: https://docs.netgate.com/pfsense/en/latest/install/upgrade-troubleshooting.html#forced-pkg-reinstall.

      • S
        skylinetech
        last edited by

        bmeeks, thank you so much. I had to do the "more thorough step". But it works!!

        Thank you again!!

        • bmeeksB
          bmeeks @skylinetech
          last edited by

          @skylinetech said in Suricata wont Start after updating pfSense to 2.4.5-RELEASE:

          bmeeks, thank you so much. I had to do the "more thorough step". But it works!!

          Thank you again!!

          You're welcome!

          • S
            Stewart
            last edited by

            @bmeeks said in Suricata wont Start after updating pfSense to 2.4.5-RELEASE:

            pkg install luajit-openresty

            I hate to jump into someone else's thread but this is exactly what I faced. My unit was upgraded by going into the CLI and running option 13 to Update from console. For me, that's always been the most risk-free way of upgrading. The solution was, as linked to above, running:

            pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade
            Then:
            pkg-static upgrade -f
            Then:
            reboot

            • S
              skylinetech
              last edited by

              bmeeks, again, thank you for your help. However, I've noticed things are not working correctly. I have stopped suricata on all interfaces yet it keeps blocking IP addresses.

              • bmeeksB
                bmeeks @skylinetech
                last edited by bmeeks

                @skylinetech said in Suricata wont Start after updating pfSense to 2.4.5-RELEASE:

                bmeeks, again, thank you for your help. However, I've noticed things are not working correctly. I have stopped suricata on all interfaces yet it keeps blocking IP addresses.

                In Legacy Mode, Suricata blocks by putting IP addresses in a special table in the firewall. Those addresses, once put there, remain until either periodically cleared by the "Remove Blocked Hosts" cron task (if enabled on the GLOBAL SETTINGS tab), they are manually removed by the user, or the firewall is rebooted (rebooting clears out the table as it is a RAM construct).

                Simply stopping Suricata will not remove those previous blocks. You have to do that manually by going to the BLOCKED HOSTS tab and clearing any blocks.

                The exception to this is Inline IPS Mode. When you stop Suricata in that mode, the netmap pipe will be torn down and traffic will flow without drops.

                • S
                  skylinetech @bmeeks
                  last edited by

                  @bmeeks , I'm sorry, I should have been more detailed. I'm in legacy mode and I have manually cleared the blocked hosts.
                  ...

                  Interfaces all stopped.
                  Blocks manually cleared.
                  Wait a few seconds/minutes.
                  Checking either the alerts and/or blocks... new IPs are blocked. !?!?

                  • bmeeksB
                    bmeeks @skylinetech
                    last edited by bmeeks

                    @skylinetech said in Suricata wont Start after updating pfSense to 2.4.5-RELEASE:

                    @bmeeks , I'm sorry, I should have been more detailed. I'm in legacy mode and I have manually cleared the blocked hosts.
                    ...

                    Interfaces all stopped.
                    Blocks manually cleared.
                    Wait a few seconds/minutes.
                    Checking either the alerts and/or blocks... new IPs are blocked. !?!?

                    Then you have a zombie Suricata process still running. Do this to find it and kill it:

                    1. Stop Suricata on all interfaces using the GUI icon on the INTERFACES tab.

                    2. Open a shell prompt on the firewall and execute the following command sequence:

                    ps -ax | grep suricata
                    

                    You should see no running Suricata instances. If you do, get the process id <PID> of any running Suricata process, then use this command to kill that process:

                    kill -9 <pid>
                    
                    3. Run the following command again to verify no more Suricata processes exist:
                    ps -ax | grep suricata
                    

                    This won't remove any existing blocks, though. Like I said in my earlier post, you will need to go to the BLOCKED HOSTS tab and manually remove any existing blocks (this will clear the snort2c pf table).

                    Note: what I mean by "zombie process" is that it is a running instance of the Suricata binary that the GUI code has lost track of and thus can no longer control or see, but that instance will continue running using its configuration from startup (and it can continue to add IP addresses to the blocking table when its rules fire).

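An added example, not part of bmeeks' post: `ps -ax | grep suricata` also matches the `grep` command itself and anything else with "suricata" in its arguments (a `tail` on the log, for instance), so it is easy to misread the output or pick the wrong PID to kill. The function below reads default-format `ps -ax` output and prints only processes whose executable is named `suricata`. The sample lines, PIDs and paths are constructed, and the `-i <interface>` and `--netmap` arguments shown are assumptions about how the instances were started.

```shell
#!/bin/sh
# Added example: pick real Suricata processes out of `ps -ax` output.

# Constructed sample of `ps -axww` output (PIDs, paths and arguments are made up).
SAMPLE_PS='  PID TT  STAT      TIME COMMAND
  345  -  Is     0:00.01 /usr/sbin/sshd
41872  -  Ss    12:44.10 /usr/local/bin/suricata -i em0 -D -c /usr/local/etc/suricata/em0/suricata.yaml
43990  -  Ss     3:02.55 /usr/local/bin/suricata --netmap -D -c /usr/local/etc/suricata/igb1/suricata.yaml
52001  0  S+     0:00.00 grep suricata
52010  0  S+     0:00.02 tail -f /var/log/suricata/em0/suricata.log'

# Read default-format `ps -ax` output on stdin; print "PID INTERFACE" for each
# process whose executable is named suricata ("?" when no -i option is given).
suricata_procs() {
    awk '
    $1 ~ /^[0-9]+$/ {
        n = split($5, path, "/")
        if (path[n] != "suricata") next      # skips grep, tail, editors, ...
        iface = "?"
        for (i = 6; i < NF; i++)
            if ($i == "-i") { iface = $(i + 1); break }
        print $1, iface
    }'
}

# Live report: leftover Suricata processes and the size of the snort2c table.
report() {
    procs=$(ps -axww | suricata_procs)
    if [ -n "$procs" ]; then
        echo "Suricata still running (PID interface):"
        echo "$procs"
    else
        echo "No Suricata process found."
    fi
    echo "Addresses in snort2c table: $(pfctl -t snort2c -T show | wc -l)"
}

case "${1:-}" in
    live) report ;;
    demo) printf '%s\n' "$SAMPLE_PS" | suricata_procs ;;
esac
```

Run it with `demo` to parse the constructed sample, or with `live` on the firewall after stopping every interface in the GUI; any PID it still lists is a candidate for the `kill` step above.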
                    • G
                      genuine
                      last edited by

                      Hi,

                      I had the same problem with Suricata after the upgrade. Now I'm facing another problem: I have tons of errors in the logs; the IPS is in inline mode.

                      <Error> -- [ERRCODE: SC_ERR_LIBNET_WRITE_FAILED(147)] - libnet_write failed: libnet_write_raw_ipv4(): -1 bytes written (Permission denied)

                      <Error> -- [ERRCODE: SC_ERR_LIBNET_WRITE_FAILED(147)] - libnet_write_raw_ipv4 failed: libnet_write_raw_ipv4(): -1 bytes written (Invalid argument)

                      Hope someone can help me out here

                      Kind Regards

                      Genine collin

                      • bmeeksB
                        bmeeks @genuine
                        last edited by bmeeks

                        @genuine said in Suricata wont Start after updating pfSense to 2.4.5-RELEASE:

                        Hi,

                        I had the same problem with Suricata after the upgrade. Now I'm facing another problem: I have tons of errors in the logs; the IPS is in inline mode.

                        <Error> -- [ERRCODE: SC_ERR_LIBNET_WRITE_FAILED(147)] - libnet_write failed: libnet_write_raw_ipv4(): -1 bytes written (Permission denied)

                        <Error> -- [ERRCODE: SC_ERR_LIBNET_WRITE_FAILED(147)] - libnet_write_raw_ipv4 failed: libnet_write_raw_ipv4(): -1 bytes written (Invalid argument)

                        Hope someone can help me out here

                        Kind Regards

                        Genine collin

                        Is this with only DROP rules, or do you have some rules set to REJECT? And how is your pfSense firewall configured? Do you by chance have it in Bridge Mode?

                        You state you had the "same problem with Suricata after the upgrade". What problem, precisely? Did you attempt to update Suricata BEFORE you updated pfSense to 2.4.5? If so, you probably have a hodge-podge of library versions on your box.

                        • G
                          genuine
                          last edited by genuine

                          Sorry for the short explanation.
                          Well, after upgrading to pfSense 2.4.5, it also upgraded Suricata, which was not starting anymore.
                          So I did a clean uninstall, also removed the settings, and did a reinstall.
                          It was not starting. I looked in the log and there was a package missing; I think it was libluajit, I'm not sure.
                          So I installed the lib and Suricata started up, configured in inline mode.
                          The errors appear with drops and rejects.
                          As for the firewall, it is configured as normal, nothing exotic, and not in bridge mode. Everything was working before the upgrade
                          without problems.
                          If I have a hodge-podge of library versions, how can I check and fix this?

                          • bmeeksB
                            bmeeks @genuine
                            last edited by bmeeks

                            @genuine said in Suricata wont Start after updating pfSense to 2.4.5-RELEASE:

                            Sorry for the short explanation.
                            Well, after upgrading to pfSense 2.4.5, it also upgraded Suricata, which was not starting anymore.
                            So I did a clean uninstall, also removed the settings, and did a reinstall.
                            It was not starting. I looked in the log and there was a package missing; I think it was libluajit, I'm not sure.
                            So I installed the lib and Suricata started up, configured in inline mode.
                            The errors appear with drops and rejects.
                            As for the firewall, it is configured as normal, nothing exotic, and not in bridge mode. Everything was working before the upgrade
                            without problems.
                            If I have a hodge-podge of library versions, how can I check and fix this?

                            You very likely have a mixture of FreeBSD 11.2 and FreeBSD 11.3 libraries as a result of how you updated. That missing libluajit package is one example. I suspect your libdnet package might also be the wrong version and hence you are getting your current Suricata error. From your symptoms, I'm going to guess you were on pfSense 2.4.4 and saw an update for Suricata posted. But that Suricata update was for the 2.4.5 version of pfSense and has new shared library versions/dependencies that can only be satisfied when pfSense-2.4.5 is already installed. You installed the new Suricata onto a pfSense-2.4.4 system and it would not start (that missing libluajit package is a classic symptom of this upgrade path). So then you updated to pfSense-2.4.5, but that still will not properly update all of the dependent libraries that third-party packages might use. So now you are experiencing weird errors because of the library problems.

                            I would recommend you do this. You should reinstall pfSense itself from a clean install and then put your packages back. That will guarantee that you get the correct versions of all the supporting libraries.

                            If you don't want to perform a complete reinstall of pfSense, then try this series of commands to refresh the pkg database.

                            pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade
                            

                            The commands above came from this link in the pfSense documentation: https://docs.netgate.com/pfsense/en/latest/install/upgrade-troubleshooting.html.

                            And next time you see a pfSense version upgrade notice on the Dashboard, DO NOT update any packages until AFTER you have upgraded pfSense to the new version!
