Suricata/Snort not starting (Resolved)



  • I've routed all my traffic through an OpenVPN connection for security and now I want to monitor the VPN connections with Suricata / Snort for added security but:

    1. I don't know what interface I should listen on as ideally there would be one for OpenVPN itself.

    2. When I attempt to begin listening on either the LAN or WAN interface it doesn't start, just gives me the red X.

Any help is greatly appreciated. Thanks in advance.

    John.

    Update
Check the latest reply for the solution; this worked for me, however it may not work for you.



  • @JohnSCarter:

    I've routed all my traffic through an OpenVPN connection for security and now I want to monitor the VPN connections with Suricata for added security but:

    1. I don't know what interface I should listen on as ideally there would be one for OpenVPN itself
    2. When I attempt to begin listening on either the LAN or WAN interface it doesn't start, just gives me the red X.

Any help is greatly appreciated. Thanks in advance.

    John.

    Update:-
    The same happens when I've installed Snort.

    More information is needed in order to assist you with troubleshooting.  For starters, look in the System Log if running Snort and see what if any error messages get posted.  The "red X" indicates the service did not start.  I assume you are clicking on the start icon on the INTERFACES tab after the initial configuration.  If it fails to start, an error message should get logged to assist with troubleshooting.  For Suricata, you will find the error messages in the suricata.log file which you can view under the LOGS VIEW tab in Suricata.  Select the suricata.log file in the drop-down on that tab.

    OpenVPN should have no impact on either package.

    Bill



  • @bmeeks:

    @JohnSCarter:

    I've routed all my traffic through an OpenVPN connection for security and now I want to monitor the VPN connections with Suricata for added security but:

    1. I don't know what interface I should listen on as ideally there would be one for OpenVPN itself
    2. When I attempt to begin listening on either the LAN or WAN interface it doesn't start, just gives me the red X.

Any help is greatly appreciated. Thanks in advance.

    John.

    Update:-
    The same happens when I've installed Snort.

    More information is needed in order to assist you with troubleshooting.  For starters, look in the System Log if running Snort and see what if any error messages get posted.  The "red X" indicates the service did not start.  I assume you are clicking on the start icon on the INTERFACES tab after the initial configuration.  If it fails to start, an error message should get logged to assist with troubleshooting.  For Suricata, you will find the error messages in the suricata.log file which you can view under the LOGS VIEW tab in Suricata.  Select the suricata.log file in the drop-down on that tab.

    OpenVPN should have no impact on either package.

    Bill

    Hello Bill, thanks for the quick reply.

    Here's the output from the system logs for both Snort and Suricata:

    Snort
    https://gyazo.com/03e6f771c7f3af1864e6642a986d2f4a

    Suricata
    https://gyazo.com/3f3fd2ce825332c01738eb7b448ed388

    John.



  • For anyone who's interested in the resolution:

    Problem:
    Snort/Suricata wouldn't start

    Solution:
Go into the interface settings, go through ALL the tabs and fill in the default (or custom) values, then restart. It's essentially trying to run without having all the settings there, which makes it stop.

    John.



  • Glad you got it sorted out.  Both packages should have the necessary defaults set for critical parameters, but there is still some required initial configuration before you can just click Start.

    1. On the GLOBAL SETTINGS tab you must select the rules you want to download and use (Snort, Emerging Threats and/or Snort GPLv2).

    2. Then you have to go to the UPDATES tab and actually download the rules packages.

    3. Next you go to the INTERFACES tab and configure one or more interfaces.  For each interface you select if you want to use the default IDS mode or if you want to enable blocking.  I recommend choosing to stay with just IDS mode at first with no blocking.

4. Now you have to go to the CATEGORIES tab for each configured interface and select which rule categories from your downloaded rulesets you want to activate for that interface.  You can also choose to use a pre-configured Snort IPS Policy if you enabled the Snort rules on the GLOBAL SETTINGS tab.

    5.  After all of the above steps are complete (be sure you clicked the SAVE button at each step), you can go to the INTERFACES tab and start Snort (or Suricata).  It should start up.

    Bill



  • @bmeeks:

    Glad you got it sorted out.  Both packages should have the necessary defaults set for critical parameters, but there is still some required initial configuration before you can just click Start.

    1. On the GLOBAL SETTINGS tab you must select the rules you want to download and use (Snort, Emerging Threats and/or Snort GPLv2).

    2. Then you have to go to the UPDATES tab and actually download the rules packages.

    3. Next you go to the INTERFACES tab and configure one or more interfaces.  For each interface you select if you want to use the default IDS mode or if you want to enable blocking.  I recommend choosing to stay with just IDS mode at first with no blocking.

4. Now you have to go to the CATEGORIES tab for each configured interface and select which rule categories from your downloaded rulesets you want to activate for that interface.  You can also choose to use a pre-configured Snort IPS Policy if you enabled the Snort rules on the GLOBAL SETTINGS tab.

    5.  After all of the above steps are complete (be sure you clicked the SAVE button at each step), you can go to the INTERFACES tab and start Snort (or Suricata).  It should start up.

    Bill

    Checklist:

    1. Done

    2. Done

    3. Done, no blocking yet.

    4. Done.
      4b) How would I determine which services would be affected and if I need them?

    5. Done

I know this verges into opinion, but do you think that the paid rules are worth the money? (Snort Subscriber, ETPro rules etc.)

    Thanks for your time,

    John.



Hi, I have a basic paid Snort subscription, $30 CND a year, and it stopped most if not all the weird stuff I had experienced before.
    Pro is a good option if you hold customer or other sensitive data or work in IT security for a living.
    Good luck.



  • @gryest:

Hi, I have a basic paid Snort subscription, $30 CND a year, and it stopped most if not all the weird stuff I had experienced before.
    Pro is a good option if you hold customer or other sensitive data or work in IT security for a living.
    Good luck.

    Thanks for the response gryest, have you tried the ETPro rules?

    John.



  • ET-Pro rules are extraordinarily expensive for a home user.  As in $1541.99 US per year according to an offer at CDW.  Snort Subscriber rules for home use are $29.99 US per year.  I have the Snort rules subscription.  Snort also offers a free version called "Registered User" where you signup with an account ID.  These rules are the same as the subscriber rules, but the difference is how current they are.  New rules that are added to the subscriber set don't show up in the free set until at least 30 days after they are published in the subscriber set.

    Bill



  • @JohnSCarter:

    1. Done.
      4b) How would I determine which services would be affected and if I need them?

I know this verges into opinion, but do you think that the paid rules are worth the money? (Snort Subscriber, ETPro rules etc.)

    Thanks for your time,

    John.

    The answer to #4 is not simple.  An IDS/IPS is not an "install and turn on" kind of system like say an anti-virus client might be.  There is much knowledge about networking and malware required in order to understand how to configure and operate an IDS/IPS.  Google is your best source of initial knowledge about the topic.

The closest thing I can recommend to "turn it on and just work" is to subscribe to the Snort rules (either paid or free), choose to use IPS Policy on the CATEGORIES tab and set the policy to "Connectivity".  Let things run that way for at least a week and keep an eye on the ALERTS tab to see what kind of alerts you receive.  Each of these alerts will be "blocks" when you enable blocking mode, so you want to understand which are false positives so those particular rules can be disabled or suppressed.  You can research each alert using the school of Google …  ;) ... to help you discern which are false positives for your environment.

    Bill



  • Very useful thread; Hope it's OK to ask another clarifying question:

    On the "categories" tab; If "Use IPS Policy" is checked with a "Balanced" policy selected, do I still need to pick any of the rulesets under the "Select the rulesets (Categories) Snort will load at startup" section?
Or would selecting any of the "Ruleset: ET Open Rules" be redundant?



  • @sterlinggold:

    Very useful thread; Hope it's OK to ask another clarifying question:

    On the "categories" tab; If "Use IPS Policy" is checked with a "Balanced" policy selected, do I still need to pick any of the rulesets under the "Select the rulesets (Categories) Snort will load at startup" section?
Or would selecting any of the "Ruleset: ET Open Rules" be redundant?

    An IPS policy will only use Snort Subscriber rules.  That's because only that rule set contains the special metadata keywords used to "build" the IPS Policy you select.  The Snort Subscriber rules team adds tags to their rules which indicate which IPS policy the rule should participate in and what the rule action should be.  Note that a rule may exist in more than one policy.

    Emerging Threats is a different rule set vendor and they have chosen not to provide policy metadata tags.  So the short answer to your question is "no", when you choose an IPS Policy no ET rules would be automatically used.  If you want to use any of them, you would need to check the boxes for the categories you want.  That's why when you select an IPS Policy the "Snort" selections are greyed-out but the ET selections are not.

    Bill
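As an added illustration of the metadata mechanism Bill describes (this is example code written for this thread, not code from the pfSense Snort or Suricata packages), the Python below "builds" an IPS policy from rule lines the same way the policy tags allow: a rule joins a policy only if its metadata carries a `policy <name>-ips <action>` tag for that policy, and a rule with no such tags (an ET-style rule) is never selected by any policy and has to be enabled by category. The sample rules, SIDs and messages are constructed for the example and are not real Snort or ET rules; the three policy names are the ones discussed in the thread.

```python
"""Select rules for a Snort IPS Policy from their metadata policy tags.

Added example for this thread; not the pfSense package's own code.
Snort Subscriber rules carry tags such as
    metadata:policy balanced-ips drop, policy security-ips drop;
and the IPS Policy is built by keeping only rules tagged for the chosen
policy, with the action the tag declares. Rules without policy tags
(Emerging Threats style) are untouched by any policy.
"""
import re

# Constructed sample rules (NOT real Snort/ET rules; SIDs and messages invented).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE-WEB in balanced and security"; flow:to_server,established; content:"/example"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE-MALWARE in all three policies"; flow:to_server,established; content:"example"; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; sid:9000002; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE-POLICY security only, alert action"; flow:to_server,established; content:"x"; metadata:policy security-ips alert; classtype:policy-violation; sid:9000003; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled rule, commented out"; metadata:policy balanced-ips drop; sid:9000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE ET-style rule without policy tags"; flow:established; content:"y"; classtype:trojan-activity; sid:9000005; rev:3;)
"""

# Policy names the thread talks about (hypothetical fixed list for the example).
KNOWN_POLICIES = ("connectivity", "balanced", "security")

META_RE = re.compile(r"metadata:\s*([^;]*);")
POLICY_RE = re.compile(r"policy\s+([a-z-]+?)-ips\s+(alert|drop)")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_rules(text):
    """Return [(sid, {policy_name: action})] for every active rule line.

    Lines that are blank or commented out (disabled rules) are skipped,
    as are lines without a sid, so a disabled rule never enters a policy.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue
        policies = {}
        meta_m = META_RE.search(line)
        if meta_m:
            # Each "policy <name>-ips <action>" tag puts the rule in one policy.
            for name, action in POLICY_RE.findall(meta_m.group(1)):
                policies[name] = action
        rules.append((int(sid_m.group(1)), policies))
    return rules


def build_ips_policy(text, policy):
    """Return {sid: action} for the rules that participate in `policy`."""
    if policy not in KNOWN_POLICIES:
        raise ValueError("unknown IPS policy: %r" % (policy,))
    return {sid: tags[policy] for sid, tags in parse_rules(text) if policy in tags}


def rules_without_policy_metadata(text):
    """SIDs no IPS policy will ever select; they need an explicit category."""
    return [sid for sid, tags in parse_rules(text) if not tags]


if __name__ == "__main__":
    for name in KNOWN_POLICIES:
        print(name, build_ips_policy(SAMPLE_RULES, name))
    print("not in any policy:", rules_without_policy_metadata(SAMPLE_RULES))
```

Running it shows the "Balanced" policy picking up only the two rules tagged for it (the commented-out rule stays disabled), "Security" adding the alert-action rule, and the untagged ET-style rule appearing in no policy at all, which is exactly why the ET category boxes are not greyed out when a policy is selected.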



  • @bmeeks said in Suricata/Snort not starting (Resolved):

    Glad you got it sorted out.  Both packages should have the necessary defaults set for critical parameters, but there is still some required initial configuration before you can just click Start.

    1. On the GLOBAL SETTINGS tab you must select the rules you want to download and use (Snort, Emerging Threats and/or Snort GPLv2).

    2. Then you have to go to the UPDATES tab and actually download the rules packages.

    3. Next you go to the INTERFACES tab and configure one or more interfaces.  For each interface you select if you want to use the default IDS mode or if you want to enable blocking.  I recommend choosing to stay with just IDS mode at first with no blocking.

4. Now you have to go to the CATEGORIES tab for each configured interface and select which rule categories from your downloaded rulesets you want to activate for that interface.  You can also choose to use a pre-configured Snort IPS Policy if you enabled the Snort rules on the GLOBAL SETTINGS tab.

    5.  After all of the above steps are complete (be sure you clicked the SAVE button at each step), you can go to the INTERFACES tab and start Snort (or Suricata).  It should start up.

    Bill

    @bmeeks @JohnSCarter

Guys, even after following all the guidelines, my snort and suricata packages remain disabled even in the "Status" -> "Services" option. Trying to enable them from the "Interfaces" option in "Services" -> "Snort" or "Suricata" is also not working. The log files, e.g. suricata.log, are also empty. The system log file shows the following messages (for Suricata), which seem to be normal, but still these services don't start:

    May 3 22:04:56	php		/tmp/suricata_bce039898_startcmd.php: [Suricata] Suricata START for WAN(bce0)...
    May 3 22:04:56	php		/tmp/suricata_bce039898_startcmd.php: [Suricata] Building new sid-msg.map file for IPCORE...
    May 3 22:04:55	php		/tmp/suricata_bce039898_startcmd.php: [Suricata] Updating rules configuration for: IPCORE ...
    May 3 22:04:55	php-fpm	63967	/suricata/suricata_interfaces.php: Starting Suricata on IPCORE(bce0) per user request...
    May 3 22:04:41	SuricataStartup	20258	Suricata START for WAN(39898_bce0)...
    May 3 22:04:25	check_reload_status		Syncing firewall
    

    I have tried enabling snort and suricata from terminal by the following commands:

    /usr/local/etc/rc.d/snort start
    /usr/local/etc/rc.d/suricata start
    

    The output says the service has started however "ps -ef | grep snort" or suricata doesn't show up anything.

    The following commands also say that the service is "not" running:

    /usr/local/etc/rc.d/snort status
    /usr/local/etc/rc.d/suricata status
    

    I have checked all this on both snort and suricata by having installed only one of these packages at a time, to avoid any conflicts between these packages, if any. However, no success.

My pfSense version is: 2.4.4-RELEASE-p2
    FreeBSD version is 11.2-RELEASE-p6
    Snort version is 3.2.9.8_5
    Suricata version is 4.1.2_3

    Please help...

    Regards,

    Rizwan



  • @rizkhan99 said in Suricata/Snort not starting (Resolved):

    @bmeeks @JohnSCarter

Guys, even after following all the guidelines, my snort and suricata packages remain disabled even in the "Status" -> "Services" option. Trying to enable them from the "Interfaces" option in "Services" -> "Snort" or "Suricata" is also not working. The log files, e.g. suricata.log, are also empty. The system log file shows the following messages (for Suricata), which seem to be normal, but still these services don't start:

    May 3 22:04:56	php		/tmp/suricata_bce039898_startcmd.php: [Suricata] Suricata START for WAN(bce0)...
    May 3 22:04:56	php		/tmp/suricata_bce039898_startcmd.php: [Suricata] Building new sid-msg.map file for IPCORE...
    May 3 22:04:55	php		/tmp/suricata_bce039898_startcmd.php: [Suricata] Updating rules configuration for: IPCORE ...
    May 3 22:04:55	php-fpm	63967	/suricata/suricata_interfaces.php: Starting Suricata on IPCORE(bce0) per user request...
    May 3 22:04:41	SuricataStartup	20258	Suricata START for WAN(39898_bce0)...
    May 3 22:04:25	check_reload_status		Syncing firewall
    

    I have tried enabling snort and suricata from terminal by the following commands:

    /usr/local/etc/rc.d/snort start
    /usr/local/etc/rc.d/suricata start
    

    The output says the service has started however "ps -ef | grep snort" or suricata doesn't show up anything.

    The following commands also say that the service is "not" running:

    /usr/local/etc/rc.d/snort status
    /usr/local/etc/rc.d/suricata status
    

    I have checked all this on both snort and suricata by having installed only one of these packages at a time, to avoid any conflicts between these packages, if any. However, no success.

My pfSense version is: 2.4.4-RELEASE-p2
    FreeBSD version is 11.2-RELEASE-p6
    Snort version is 3.2.9.8_5
    Suricata version is 4.1.2_3

    Please help...

    Regards,

    Rizwan

    First of all, you do not start/stop these packages using the command line. You need to do it from the GUI on the INTERFACES tab in either Snort or Suricata (depending on which you have installed at the moment).

    Have you done all of the steps outlined in my previous post? If so, then go to SERVICES > SURICATA and the Interfaces tab will be showing. Click the start icon to start the process. You will see a green gear spinning while the process starts up. If it fails to start, then you will find the reason by going to the LOGS VIEW tab and opening and viewing the suricata.log file for the interface you tried to start up.

    If the above steps do not either resolve the issue or give you a clue on what's wrong (Suricata is very good about logging any errors during startup), then open a CLI session on the firewall and type this command just to see if Suricata and its dependencies are properly installed:

    /usr/local/bin/suricata -v
    

    That should result in a printout to the terminal showing the installed Suricata version and some basic copyright info. If you see any messages about missing libraries or anything else, then Suricata did not properly install. For what it's worth, the only time I've seen an empty suricata.log file for an interface is when the installation did not complete and therefore some dependency library is missing. In that case, Suricata can't even start as the OS will refuse to start it due to the missing libraries. When it isn't allowed to start by the OS, then of course it can't log anything to the suricata.log file for the interface. If that's what is happening in your case, then the CLI command I posted will uncover the problem.

    Post back here what you find if you still have problems.

