Suricata fail to start



  • I am new to pfsense, so I am still learning. I've been having trouble starting up my Suricata 4.0.12_2. I am running pfsense 2.4.3-RELEASE-p1 (amd64). In the logs it says the following.
    10/8/2018 -- 15:59:19 - <Notice> -- This is Suricata version 4.0.5 RELEASE
    10/8/2018 -- 15:59:19 - <Info> -- CPUs/cores online: 8
    10/8/2018 -- 15:59:19 - <Info> -- HTTP memcap: 67108864
    10/8/2018 -- 15:59:19 - <Notice> -- using flow hash instead of active packets
    10/8/2018 -- 15:59:19 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_em07307.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em07307.pid. Aborting!

    I removed what it wanted me to remove, but it still will not run. Also, that file comes back after trying to run.

    Ideas?



  • Is there any sort of associated error message in the pfSense system log? That log message does not offer much to troubleshoot from.

    You could try running some basic stuff from the command line. Sometimes that will show up other problems. Try this from a command line prompt at the firewall -

    /usr/local/bin/suricata -V

    That should result in Suricata loading long enough to report the version information and then exiting normally. Post back if you get an error message from that shell prompt.



  • Nothing under system logs. I see the log when I logged in but nothing after that. I did run that command and got the following back.

    This is Suricata version 4.0.5 RELEASE

    This also showed up in the system log after running that command.

    Aug 13 16:13:51 SuricataStartup 2366 Suricata START for WAN Firewall(7307_em0)...

    Tried running Suricata again and got this from the Suricata log.

    10/8/2018 -- 15:32:26 - <Notice> -- This is Suricata version 4.0.5 RELEASE
    10/8/2018 -- 15:32:26 - <Info> -- CPUs/cores online: 8
    10/8/2018 -- 15:32:26 - <Info> -- HTTP memcap: 67108864
    10/8/2018 -- 15:32:26 - <Notice> -- using flow hash instead of active packets
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 184
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 208
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/.jpg\x20HTTP/1.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+.com.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 233
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 278
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 355
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 356
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=\%2Fload\.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 364
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 419
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: /|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:2;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 422
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 581
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 582
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 613
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 618
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:2;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 740
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 741
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 900
    10/8/2018 -- 15:32:27 - <Info> -- 1 rule files processed. 1205 rules successfully loaded, 16 rules failed
    10/8/2018 -- 15:32:27 - <Info> -- Threshold config parsed: 0 rule(s) found
    10/8/2018 -- 15:32:27 - <Info> -- 1206 signatures processed. 0 are IP-only rules, 337 are inspecting packet payload, 676 inspect application layer, 103 are decoder event only
    10/8/2018 -- 15:32:28 - <Info> -- fast output device (regular) initialized: alerts.log
    10/8/2018 -- 15:32:28 - <Info> -- http-log output device (regular) initialized: http.log
    10/8/2018 -- 15:32:28 - <Info> -- stats output device (regular) initialized: stats.log
    10/8/2018 -- 15:32:28 - <Info> -- dns-log output device (regular) initialized: dns.log
    10/8/2018 -- 15:32:28 - <Info> -- dns-log output device (regular) initialized: dns.log
    10/8/2018 -- 15:32:28 - <Info> -- Using 1 live device(s).
    10/8/2018 -- 15:32:28 - <Info> -- using interface em0
    10/8/2018 -- 15:32:28 - <Info> -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    10/8/2018 -- 15:32:28 - <Info> -- Set snaplen to 1518 for 'em0'
    10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    10/8/2018 -- 15:32:28 - <Info> -- RunModeIdsPcapAutoFp initialised
    10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#08" failed to initialize: flags 0145
    10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
    10/8/2018 -- 15:32:43 - <Notice> -- This is Suricata version 4.0.5 RELEASE
    10/8/2018 -- 15:32:43 - <Info> -- CPUs/cores online: 8
    10/8/2018 -- 15:32:43 - <Info> -- HTTP memcap: 67108864
    10/8/2018 -- 15:32:43 - <Notice> -- using flow hash instead of active packets
    10/8/2018 -- 15:32:43 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_em07307.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em07307.pid. Aborting!
    10/8/2018 -- 15:32:50 - <Notice> -- This is Suricata version 4.0.5 RELEASE
    10/8/2018 -- 15:32:50 - <Info> -- CPUs/cores online: 8
    10/8/2018 -- 15:32:50 - <Info> -- HTTP memcap: 67108864
    10/8/2018 -- 15:32:50 - <Notice> -- using flow hash instead of active packets
    10/8/2018 -- 15:32:50 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_em07307.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em07307.pid. Aborting!
    10/8/2018 -- 15:35:01 - <Notice> -- This is Suricata version 4.0.5 RELEASE
    10/8/2018 -- 15:35:01 - <Info> -- CPUs/cores online: 8
    10/8/2018 -- 15:35:01 - <Info> -- HTTP memcap: 67108864
    10/8/2018 -- 15:35:01 - <Notice> -- using flow hash instead of active packets
    10/8/2018 -- 15:35:01 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_em07307.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em07307.pid. Aborting!



  • This error message here is your problem --

    10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    

    Because you have an 8-core CPU you will need to greatly expand the TCP Stream Memory Cap. You will find the setting on the Flow/Stream tab for each configured Suricata interface. The package default is OK for quad-core processors, but 8-core processors will need to increase the value. Start by at least doubling the default and then work up from there until Suricata starts.

    Bill
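Bill's diagnosis comes down to reading the startup log in the right order: the rule-parse errors are noisy but non-fatal (the log itself says 1205 rules still loaded), the stream.memcap allocation failure is what aborts the engine, and the "pid file exists but appears stale" message on every later attempt is what the log sequence suggests is left behind by that abort. As an added example (not code from this thread, pfSense or the Suricata project), the Python script below applies that reading to a constructed sample built from the lines quoted above, and checks whether a pid file is genuinely stale (a signal-0 probe of the pid it names) before anyone deletes it. The log line format, the `SC_ERR_*` codes, the "Expand stream.memcap?" hint and the path `/var/run/suricata_em07307.pid` are taken from the thread; the shortened signature text and all function names are assumptions of this example.

```python
"""Triage a Suricata startup log and decide whether a pid file is really stale.

Added example for this thread; not pfSense or Suricata project code.
SAMPLE_LOG is constructed from the lines quoted in the thread.
"""
import os
import re
from collections import Counter

# Constructed sample: the decisive lines of the thread's log, in their original order.
# The signature text on the "error parsing signature" line is shortened on purpose.
SAMPLE_LOG = """\
10/8/2018 -- 15:32:26 - <Notice> -- This is Suricata version 4.0.5 RELEASE
10/8/2018 -- 15:32:26 - <Info> -- CPUs/cores online: 8
10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10/8/2018 -- 15:32:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed"; sid:1;)" from file /usr/local/etc/suricata/suricata_7307_em0/rules/suricata.rules at line 208
10/8/2018 -- 15:32:27 - <Info> -- 1 rule files processed. 1205 rules successfully loaded, 16 rules failed
10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#08" failed to initialize: flags 0145
10/8/2018 -- 15:32:28 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
10/8/2018 -- 15:32:43 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_em07307.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em07307.pid. Aborting!
"""

# "D/M/YYYY -- HH:MM:SS - <Level> -- message", as Suricata 4.0.x writes it.
LINE_RE = re.compile(r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2}) - <(?P<level>\w+)> -- (?P<msg>.*)$")
ERRCODE_RE = re.compile(r"\[ERRCODE: (?P<code>[A-Z_]+)\((?P<num>\d+)\)\] - (?P<detail>.*)$")
RULE_FAIL_RE = re.compile(r"error parsing signature .* from file (?P<file>\S+) at line (?P<line>\d+)$")
SUMMARY_RE = re.compile(r"(?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed")
PIDFILE_RE = re.compile(r"pid file '(?P<path>[^']+)' exists but appears stale")
CORES_RE = re.compile(r"CPUs/cores online: (?P<n>\d+)")
MEMCAP_MARK = "Expand stream.memcap?"  # Suricata's own hint on the fatal line


def parse_log(text):
    """Split a log into events: timestamp, level, optional SC_ERR_* code, detail."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ev = {"ts": m["ts"], "level": m["level"], "code": None, "detail": m["msg"]}
        e = ERRCODE_RE.search(m["msg"])
        if e:
            ev["code"], ev["detail"] = e["code"], e["detail"]
        events.append(ev)
    return events


def triage(events):
    """Reduce the events to the facts an operator needs and name the root cause."""
    report = {"cores": None, "rules_loaded": None, "rules_failed": None,
              "failed_rule_lines": [], "stream_memcap_exhausted": False,
              "stale_pidfile": None, "error_codes": Counter(), "root_cause": None}
    for ev in events:
        d = ev["detail"]
        if ev["code"]:
            report["error_codes"][ev["code"]] += 1
        m = CORES_RE.search(d)
        if m:
            report["cores"] = int(m["n"])
        m = SUMMARY_RE.search(d)
        if m:
            report["rules_loaded"], report["rules_failed"] = int(m["loaded"]), int(m["failed"])
        m = RULE_FAIL_RE.search(d)
        if m:
            report["failed_rule_lines"].append(int(m["line"]))
        if MEMCAP_MARK in d:
            report["stream_memcap_exhausted"] = True
        m = PIDFILE_RE.search(d)
        if m:
            report["stale_pidfile"] = m["path"]
    # Order matters: the memcap failure is the abort; the pid file is a symptom of it.
    if report["stream_memcap_exhausted"]:
        report["root_cause"] = "stream.memcap too small for this core count: raise the TCP Stream Memory Cap"
    elif report["stale_pidfile"]:
        report["root_cause"] = "stale pid file left behind by an earlier aborted start"
    elif report["rules_failed"]:
        report["root_cause"] = "rule parse errors only; the remaining rules still load"
    else:
        report["root_cause"] = "no fatal startup error found"
    return report


def process_alive(pid):
    """Signal 0 probes for existence without affecting the process."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, owned by someone else
    return True


def pidfile_is_stale(pidfile_text, alive=process_alive):
    """True when the pid file names no live process (or holds no pid at all)."""
    text = pidfile_text.strip()
    if not text.isdigit():
        return True
    return not alive(int(text))


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
    path = report["stale_pidfile"]
    if path and os.path.exists(path):  # only meaningful on the firewall itself
        with open(path) as fh:
            print(f"{path} stale: {pidfile_is_stale(fh.read())}")
```

On the firewall, feed the real log in place of `SAMPLE_LOG` (for instance `triage(parse_log(open(path).read()))`); the `alive` parameter exists so the stale check can be exercised offline with a fake probe, while the default uses the real signal-0 probe.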



  • I updated it to 3 GB and now it is showing this in the logs.

    14/8/2018 -- 10:31:05 - <Notice> -- This is Suricata version 4.0.5 RELEASE
    14/8/2018 -- 10:31:05 - <Info> -- CPUs/cores online: 8
    14/8/2018 -- 10:31:05 - <Info> -- HTTP memcap: 67108864
    14/8/2018 -- 10:31:05 - <Notice> -- using flow hash instead of active packets
    14/8/2018 -- 10:31:05 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_em07307.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em07307.pid. Aborting!

    So I deleted the file and retried running Suricata. It worked! Thank you! I have an i7 4770S with 32 GB DDR3 1600 on this machine. Any benefit to increasing the flow/stream memory cap more than 3 GB?



  • @yummy909 said in Suricata fail to start:

    I updated it to 3 GB and now it is showing this in the logs.

    So I deleted the file and retried running Suricata. It worked! Thank you! I have an i7 4770S with 32 GB DDR3 1600 on this machine. Any benefit to increasing the flow/stream memory cap more than 3 GB?

    Probably not. 3 GB should be sufficient. It really would depend on the amount of traffic. Really high traffic loads with lots of different connections might benefit from more, but I would run with the 3 GB value first and see how things look. There is a crude formula for calculating the initial TCP Stream Memory Cap value, but I don't recall it off the top of my head. There is an older thread here in the IDS/IPS sub-forum that has the formula. You can search for that thread or else run a Google query.

    Bill



  • Awesome! I will put it through some tests. I do notice I am getting a little over half of my gigabit speed with Suricata on. CPU usage only goes up to 7%. Any settings that could be turned on to use more of the CPU to speed up the speed?



  • @yummy909 said in Suricata fail to start:

    Awesome! I will put it through some tests. I do notice I am getting a little over half of my gigabit speed with Suricata on. CPU usage only goes up to 7%. Any settings that could be turned on to use more of the CPU to speed up the speed?

    The number of enabled rules has a big impact on performance. There are a ton of tuning options for Suricata since it is multi-threaded. Google research would be called for ... ☺ . The package defaults are not necessarily optimal for all networks, so you can do a little research and experiment with some of the settings.



  • I gotcha. I will do some searching. Thank you for the help getting over that hump. I didn't read anywhere that the core count was causing that issue. Wonder what else that is affecting.



  • @yummy909 said in Suricata fail to start:

    I gotcha. I will do some searching. Thank you for the help getting over that hump. I didn't read anywhere that the core count was causing that issue. Wonder what else that is affecting.

    The Suricata developers have worked on making that error message offer a better hint to the solution, but they still have a ways to go. There was some discussion about it on their bug site several months ago. This particular issue has bitten a handful of Suricata users on pfSense that have high core count CPUs.

    Bill