Suricata not visible in menu
-
@defender110 said in Suricata not visible in menu:
@bmeeks Well...no. Not at the moment. Even though I think I should, as I am running it on a SSD.
I had toyed with this, but I kept running out of space on /var/run after 4-5-6 days, even when I set the max size to 200. I am not sure why. It started at maybe 10% and over the days filled up.
I have not tackled that issue yet.
I asked about the RAM disk because it is generally a very bad idea, especially for packages. So you DO NOT want to use a RAM disk. I was asking just in case you might have been using one. They are bad for precisely the issue you stated -- you run out of space unexpectedly and weird things then happen in the applications.
-
@bmeeks Ok. Clear! I was not aware of that. I thought with an SSD it's beneficial to do. But in this case I will simply leave it as it is. I am not logging a lot, so I think the write access is not too crazy.
Thanks loads!
-
@defender110 said in Suricata not visible in menu:
@bmeeks Ok. Clear! I was not aware of that. I thought with an SSD it's beneficial to do. But in this case I will simply leave it as it is. I am not logging a lot, so I think the write access is not too crazy.
Thanks loads!
Modern SSDs don't have the issues with frequent writes that the first generation SSDs had.
-
@bmeeks Right. I guess I am out of luck then. Will have to deal with Snort in this case, because that actually installs just fine.
Thanks for the help though!
-
My only remaining theory at this point is that something is maybe weird in the config.xml on this problem machine. The SERVICES menu is populated from information contained in a section of the config.xml file. Look through it (in /conf) to see if the formatting appears good. It is a standard XML file. It's got to be something specific to this machine since it works for you on another machine. You would expect package or pfSense bugs to show up on both machines.
-
I've spent the last 24 hours working a very similar problem. I'm sleep deprived so sorry if this is rambling...
I was trying to restore an encrypted backup from/to 2.4.5-RELEASE-p1. Every time I'd do a restore, the "reinstalling packages in the background..." message would hang. Eventually I'd have a system that appeared to be running normally but "Suricata" was not showing in the Services menu or in the "Service Status" widget. It was showing as an installed package. The system logs showed the WatchDog service was repeatedly trying to restart Suricata and failing. And the message that packages were installing in the background would only go away if forced.
I'd go through the whole clear key, reinstall packages process. I tried restoring to fresh installs of 2.4.5-RELEASE-p1, I tried restoring older backups, more recent backups. Always the same result. I tried manually removing and reinstalling every installed package.
In addition to Suricata acting wacky, sometimes DarkStat, pfBlockerNG, and nut would freak out. By killing locked processes, I'd eventually be able to get everything back with the exception of Suricata which always ended up in the same state described above.
It wasn't until I stumbled across this post and saw the suggestion to try accessing the settings via the URL below.
https://pfSense.localhost/suricata/suricata_interfaces.php
I was able to access the settings and noticed that none of the "INSTALLED RULE SET MD5 SIGNATURES" had downloaded. When I forced the download, the Suricata package reinstall went a step further than it did before but still without any errors. This reminded me of seeing a MaxMind download error on the console or in the logs during one of many re-installs last night. I checked the restored "GeoLite2 DB License Key" and it was still showing my older style (more characters) MaxMind key from before the recent requirement to "register for a free MaxMind user account." When I replaced the older key with my new shorter "GeoLite2 DB License Key", I was able to remove and reinstall the Suricata package on the first try.
For the record, the DarkStat service was also acting really weird. When I finally got things to work, I'd also just removed DarkStat without a reinstall. Maybe unrelated but worth noting.
Anyway, I thought this nugget of information might identify a bug in the backup and restore of Suri and/or help someone else with the problem.
Now I sleep.
Regards - Tim
-
@tim_co said in Suricata not visible in menu:
The system logs showed the WatchDog service was repeatedly trying to restart Suricata and failing. And the message that packages were installing in the background would only go away if forced.
This is very likely the cause of your problems. I've said in these forums dozens of times "DO NOT RUN THE SERVICE WATCHDOG PACKAGE WITH SURICATA OR SNORT!!!".
That package does not know how to properly monitor the IDS packages nor does it understand they stop and restart themselves automatically for several reasons (uninstall, rules updates and rules downloads following fresh installs or updates). Service Watchdog only knows to monitor for an instance of the Suricata or Snort daemon, and when it does not see a copy of the daemon it tries to restart the package. That can cause all manner of chaos when Snort or Suricata is trying to update itself and/or download and update rules and automatically restart.
If you have multiple configured Suricata or Snort interfaces, the Service Watchdog package is even more useless as it only looks for a single running daemon. If it sees one, it is happy. However, when you run multiple interfaces there are multiple copies of the daemon running (one per configured interface). So you could have Suricata or Snort dead on the LAN due to some failure but still running on the WAN. Service Watchdog would be blindly happy because it would see a single copy of the daemon running and think everything is fine. But it really is not because the LAN instance is dead, but Service Watchdog does not know how to determine that.
Remove the Service Watchdog package and I bet all of the problems you described with all of the packages will disappear.
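The failure mode bmeeks describes above (one daemon per interface, a monitor that is satisfied by any single daemon) is easy to check for per interface. The script below is an added illustration, not code from the thread, from the pfSense packages or from Service Watchdog; it assumes each Suricata daemon carries "-i <iface>" on its command line, and it uses constructed sample `ps` output in which the em1 instance has died.

```sh
#!/bin/sh
# Per-interface liveness check for Suricata on pfSense (added example).
# Assumption, not from the thread: pfSense starts one suricata daemon per
# configured interface with "-i <iface>" on its command line, so the
# interface an instance serves can be recovered from `ps` output.

# Configured interfaces (constructed sample; on a real box read them from config.xml).
CONFIGURED_IFACES="em0 em1 em2"

# Constructed sample of `ps axww -o command` output: the em1 daemon is missing.
SAMPLE_PS='/usr/local/bin/suricata -i em0 -D -c /usr/local/etc/suricata/suricata_1111_em0/suricata.yaml
/usr/local/bin/suricata -i em2 -D -c /usr/local/etc/suricata/suricata_3333_em2/suricata.yaml
/usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf'

# Print each configured interface that has no running suricata daemon.
# $1 = space-separated configured interfaces, $2 = ps command-line output.
missing_ifaces() {
    configured=$1
    pslist=$2
    for ifc in $configured; do
        # Require "-i <ifc>" followed by a space or end of line, so "em1"
        # does not match an instance running on "em10".
        if ! printf '%s\n' "$pslist" | grep -qE -- "suricata .*-i $ifc( |$)"; then
            printf '%s\n' "$ifc"
        fi
    done
}

# Return 0 when every configured interface has a daemon, 1 otherwise.
# Note: the daemons stop and restart themselves during rules updates, so a
# real monitor should only act when an interface stays missing across
# several consecutive checks, never on a single absence.
check_all() {
    missing=$(missing_ifaces "$1" "$2")
    if [ -n "$missing" ]; then
        echo "dead suricata instance(s): $missing" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample: prints "em1".
missing_ifaces "$CONFIGURED_IFACES" "$SAMPLE_PS"
```

A single-daemon check such as `pgrep suricata` returns success on this same sample, which is exactly the blind spot described above.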
-
@bmeeks - Per my post, "When I replaced the older key with my new shorter "GeoLite2 DB License Key", I was able to remove and reinstall the Suricata package on the first try." was what resolved my issue. Period. I didn't touch the watchdog service. It's been running for years, it's still running, and it was running while I applied the fix.
If you'd like to continue to opine about the watchdog service, suricata/snort, and ignorant folks like me who choose to run the two together, please start a new post. Somewhere else. No need to reply speculating about how my conclusions were flawed and it was really all the watchdog service. You've made your opinion on the matter crystal clear. I am not a smart man.
I've been up for nearly 24 hours straight working on this. Please understand all caps elitist arrogant condescending posts are why I rarely contribute on highly technical forums anymore.
I rely on pfsense and was pleased to feel I was making a small contribution. I felt I had something that might help the community. I won't be made to feel small. I respectfully reject your hypothesis.
No need to reply. Move along. Thank you.
Edit - @bmeeks you're obviously free to reply but I won't be reading anything you write.
-
@tim_co said in Suricata not visible in menu:
@bmeeks - Per my post, "When I replaced the older key with my new shorter "GeoLite2 DB License Key", I was able to remove and reinstall the Suricata package on the first try." was what resolved my issue. Period. I didn't touch the watchdog service. It's been running for years, it's still running, and it was running while I applied the fix.
If you'd like to continue to opine about the watchdog service, suricata/snort, and ignorant folks like me who choose to run the two together, please start a new post. Somewhere else. No need to reply speculating about how my conclusions were flawed and it was really all the watchdog service. You've made your opinion on the matter crystal clear. I am not a smart man.
I've been up for nearly 24 hours straight working on this. Please understand all caps elitist arrogant condescending posts are why I rarely contribute on highly technical forums anymore.
I rely on pfsense and was pleased to feel I was making a small contribution. I felt I had something that might help the community. I won't be made to feel small. I respectfully reject your hypothesis.
No need to reply. Move along. Thank you.
Edit - @bmeeks you're obviously free to reply but I won't be reading anything you write.
Just in case you do decide to return and read this post, I am the creator of the Suricata package and the maintainer of the Snort package, so I am quite familiar with how the code in both of them works and how Service Watchdog does not work well with either of them. I once investigated modifying Service Watchdog to make it perform better with the two IDS/IPS packages, but too many changes were required and the effort was abandoned. I opine about the combination of Service Watchdog and the IDS/IPS packages because so many folks inadvertently shoot themselves in the foot with the combination. And it usually takes a while to drag it out of them that they are using Service Watchdog when I am trying to diagnose their issue.
Your change in the MaxMind key would have no bearing on Suricata as it did not use the key until the most recent MaxMind change requiring registration at the end of last year. Suricata never stored a MaxMind key prior to January 2020 as one was not required. So you should never have had a longer MaxMind key for Suricata as it used the old free database with no login requirement. Could you be confusing the MaxMind key with a requirement in pfBlockerNG as that package used the newer database much sooner than Suricata? Or have you changed your Suricata MaxMind key recently (as in after January 2020 when the requirement first appeared in Suricata)?
-
more respect for colleagues
and before you write, find out who you are talking to......
I don't want to defend Bill, it's my own opinion, but now you have compromised yourself highly
-
@DaddyGo - Did you research who I am before lecturing me? Political BS is the other reason I don't post anymore. I don't honestly care who Bill is or the consequences of speaking facts. All people, no matter their position, earn my respect. Nobody with a shred of integrity and/or self respect is obligated to Google who their "bully" is (yep, I said the B word) before defending themselves. Ever. This is a forum, not my employer, not the UN, not my place of worship. Ergo I'll wear my star of "compromised highly" with pride.
Bill - I've slept. I read your post. Thank you for replying without all caps or suggesting I'm stupid. I appreciate you explaining how watchdog works. It sounds like I should probably turn it off.
It was this "Or have you changed your Suricata MaxMind key recently (as in after January 2020 when the requirement first appeared in Suricata)?"
I have two strings in my psafe under maxmind, geo safe, (whatever it's various names have been I'm not in front of my computer). One looked to be 30+ characters. The other was much shorter. My notes indicated the shorter string was more recent (last 6 months, I recall changing it). The restore dropped in the longer string. When I replaced it with the shorter/new string, Suricata worked again.
All - Since titles seem important here. You can call me Daddy. I resigned as the Director of Security and Audit for the NA side of an international IT consulting firm in 2011 when my son, who was 18 months old at the time, was showing signs of being a different learner. My daughter was 3. My wife is an EE for a medical device company. We eventually discovered my son and I both have the same learning "disability". Yesterday was his 11th birthday. He's thriving. If any of you ever have an opportunity to be a stay at home parent, I'd encourage you to give it a try. You'll never see the world the same after.
Since resigning, I've maintained an unnecessarily complex server and network environment largely in an attempt to be employable but also because I love this shit. My career focus was OS security. Pfsense is my first foray into networking. Everything I know I've taught myself. I'm very much a hands on learner.
Per my first post, I rely heavily on pfsense not only to secure my wife's home office, our email server, my kids' online activities, but it keeps my attention. It's an incredibly powerful, interesting, and impressive tool. I have a great deal of respect for all of you who contributed to its creation. However, as I once told one of my most gifted (and favorite) employees, "We both know you're brilliant enough that you'll always have a job. However, unless you can learn to play nice, treat lesser mortals with courtesy and professionalism, and generally act like a grown up, you're severely limiting your opportunities for advancement. If that's what you want, cool. But you still have to treat EVERYONE with at least feigned respect. Now go back to your hole. :)". We still meet for lunch regularly.
-
no comment....
(my kids have been starting their own family for a long time, so you didn't get the comment - from a young man...)
thanks for everything
-
@tim_co said in Suricata not visible in menu:
Bill - I've slept. I read your post. Thank you for replying without all caps or suggesting I'm stupid. I appreciate you explaining how watchdog works. It sounds like I should probably turn it off.
Upon further reflection I can see how you interpreted the ALL CAPS as being demeaning, but that was not my intent. My intent was to draw focus to the statement; and especially for other users who might see the comment. I am a bit sensitive about Service Watchdog as that package has been the cause of several recent "issues" posts from IDS/IPS users. It's similar to my "rants" against RAM disks when using the IDS/IPS packages. RAM disks similarly cause users a lot of self-inflicted issues with the IDS/IPS packages (most commonly because the user fails to allocate enough space).
Still not sure how the MaxMind key could have been the difference in success versus failure. That should have only resulted in the MaxMind DB download failing. That should not be fatal to the rest of the package install process. I can see how Service Watchdog could be problematic, though.
-
@bmeeks - Bill - I've been meaning to log on and say thanks for your reply. I read it a while back but I wasn't in a position (or condition) to reply. I sincerely appreciate you taking the time to reconsider my initial response. IMHO making an effort to put yourself in someone else's shoes shows strong character. Thank you.
I also owe you an apology for overreacting. Life is just straight up fucking hard right now. Presumably for everyone. Personally, in addition to the daily drama of living in a world wide pandemic, I constantly feel like I'm teetering on the edge of being in over my head with my entire network environment. I upgraded too much shit too fast.
For the record, I've since done several pfSense restores and the correct maxmind key now shows up but Suricata still won't reinstall properly. With each new restore, I'm learning a bit more and finding things I set up wrong (older snort rules, snort subscriber rules won't download, some other stuff I can't remember). Each time I find another problem, the subsequent restore gets closer to working. Ultimately I always end up having to completely uninstall and reinstall Suricata, force an update of the rules, and everything seems happy.
Suricata is a bad-ass powerful tool. Thanks for all your hard work on it. I sleep better at night knowing it's working.