Suricata won't start after 3.0_10 update



  • I updated to the latest package for Suricata (3.0_10).  Now I have one firewall that will not start Suricata in blocking mode on my WAN interface.  The error I get has been discussed before, but with no useful resolution listed other than rummaging through the main config XML file for some stray character…  This is the error - [ERRCODE: SC_ERR_INVALID_ARGUMENTS(52)] - prefix or user NULL

    Even though I made no changes to any of them, I have pulled the suppress list and most of the aliases from my pass list… but I don't even know where the stray character is...  >:( >:( >:(

    Is there a better way to troubleshoot this problem?  Digging through XML files and converting base64 code seems pretty backward to me.

    Any help or suggestions would be greatly appreciated
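Added example, not part of the original thread and not code from the Suricata package: a Python sketch that automates the manual search described in the post above. It walks an exported config XML, decodes base64-wrapped leaf values, and reports every character outside printable ASCII with its element path, line and column. The element names in the sample are constructed placeholders, the base64 detection is a heuristic, and the thread does not confirm which field caused the error.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
ALLOWED = set(map(chr, range(0x20, 0x7F))) | {"\t", "\n", "\r"}

def try_b64(text):
    """Return the decoded text if `text` looks like base64-wrapped text, else None."""
    s = "".join(text.split())
    if len(s) < 16 or len(s) % 4 or not B64_RE.fullmatch(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except binascii.Error:
        return None
    decoded = raw.decode("utf-8", errors="replace")
    # Heuristic: wrapped text is mostly printable; a plain word that merely
    # happens to be valid base64 decodes to mostly unprintable bytes.
    ok = sum(c in ALLOWED for c in decoded)
    return decoded if ok / len(decoded) >= 0.8 else None

def stray_chars(text):
    """Yield (line, column, repr(char)) for each character outside ALLOWED."""
    for ln, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if ch not in ALLOWED:
                yield ln, col, repr(ch)

def scan_config(xml_text):
    """Return [(element_path, 'raw' or 'base64', line, column, char_repr), ...]."""
    findings = []
    stack = [(ET.fromstring(xml_text), "")]
    while stack:
        elem, parent = stack.pop()
        path = f"{parent}/{elem.tag}"
        children = list(elem)
        if not children and elem.text and elem.text.strip():
            decoded = try_b64(elem.text)
            kind, body = ("raw", elem.text) if decoded is None else ("base64", decoded)
            findings.extend((path, kind, *hit) for hit in stray_chars(body))
        stack.extend((child, path) for child in reversed(children))
    return findings

# Constructed sample: element names and values are placeholders, not the package's schema.
DIRTY = "suppress gen_id 1, sig_id 2210000\u00a0\nsuppress gen_id 1, sig_id 2210001\n"
SAMPLE = ("<pfsense><installedpackages><suricata><suppress><item>"
          "<name>wan_suppress</name><rules>" + base64.b64encode(DIRTY.encode()).decode()
          + "</rules></item></suppress></suricata></installedpackages></pfsense>")
```

Each finding names the element to open in the GUI or editor, so only the flagged entry needs to be retyped rather than the whole list.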



  • This error has happened before - seriously - can no one explain how to fix it?  My bosses are losing patience, as am I, with the inability to get any answers from this forum - particularly pertaining to Suricata.  I'm going to be forced to buy some ridiculously priced commercial firewall if I can't get these issues fixed, which I really don't want to do.  Netgate is no help on this either - they apparently don't touch Suricata installations.

    Surely someone knows how to fix this… :-\


  • Banned

    @dhboyd26:

    My bosses are losing patience, as am I, with the inability to get any answers from this forum - particularly pertaining to Suricata.

    WTF dude? This is a community forum, not commercial support, let alone with an SLA. If you need one, then tell your bosses to buy you one.

    https://www.pfsense.org/get-support/



  • Already tried to get support from NetGate… mentioned that in my post… they wouldn't help with Suricata - period.  So, I'm stuck with "the community".  I understand no one here is obligated to help anyone else, and that is fine, but the lack of enthusiasm for Suricata in general on these forums kind of bugs me.

    I can't run Suricata in Inline mode and I'm cool waiting for that.  I'd just drop back to Snort, which has enthusiastic support here, except for the fact that it can only scan ~20% of my traffic... I might as well turn it off.  Suricata examines over 99.5% of my traffic, except right now, it won't start on my only blocking interface, but only on the primary of my HA pair.  It starts fine on the backup firewall, so there is some kind of lower level corruption of the config files on my primary, but that is as far as I can troubleshoot.

    Just venting now... I'll shut up and get back to rebuilding my firewall.  :-\

    UPDATE: After a complete rebuild of my primary firewall AND a hardware change from Intel X710 adapters to Intel X520 adapters, Suricata is now humming along in Inline mode.  I want to thank those who responded helpfully to my posts during the process and especially thank Bill Meeks for maintaining the Suricata package.