Suricata fails to Start - pfSense 2.5 Release

NollipfSense

Flow memory cap = 1GB (1000000000) on a system I am admin (not mine) and Suricata still fails ... log:

20/2/2021 -- 01:45:07 - <Notice> -- This is Suricata version 5.0.5 RELEASE running in SYSTEM mode
20/2/2021 -- 01:45:07 - <Info> -- CPUs/cores online: 8
20/2/2021 -- 01:45:07 - <Info> -- HTTP memcap: 67108864
20/2/2021 -- 01:45:07 - <Notice> -- using flow hash instead of active packets
20/2/2021 -- 01:45:07 - <Info> -- fast output device (regular) initialized: alerts.log
20/2/2021 -- 01:45:07 - <Info> -- http-log output device (regular) initialized: http.log
20/2/2021 -- 01:45:07 - <Info> -- 1 rule files processed. 301 rules successfully loaded, 0 rules failed
20/2/2021 -- 01:45:07 - <Info> -- Threshold config parsed: 0 rule(s) found
20/2/2021 -- 01:45:07 - <Info> -- 301 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 130 inspect application layer, 103 are decoder event only
20/2/2021 -- 01:45:07 - <Info> -- Using 1 live device(s).
20/2/2021 -- 01:45:07 - <Info> -- using interface igb0
20/2/2021 -- 01:45:07 - <Info> -- running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
20/2/2021 -- 01:45:07 - <Info> -- Set snaplen to 1518 for 'igb0'
20/2/2021 -- 01:45:07 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
20/2/2021 -- 01:45:07 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
20/2/2021 -- 01:45:07 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
20/2/2021 -- 01:45:07 - <Info> -- RunModeIdsPcapAutoFp initialised
20/2/2021 -- 01:45:07 - <Error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#08" failed to initialize: flags 0145
20/2/2021 -- 01:45:07 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...

bmeeks

Keep increasing the value. 8 cores will take a lot of memory for stream reassembly. It's just the way the internal engines in Suricata work.

Edit: just realized after looking again at your screenshot that you are likely changing the wrong value. You want to increase the Stream Memcap value, not the Flow Memory Cap.

Pay close attention to the error message in the log:

20/2/2021 -- 01:45:07 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?

It is telling you to increase the stream.memcap, not flow.

NollipfSense

@bmeeks Okay Bill, that did it, thank you, all is good!