(SOLVED) Suricata Interfaces have to be manually Restarted



  • Glad everything is working again. I was pretty certain I had fixed that bug, and the fact you were still seeing it was truly puzzling. I finally thought to have you check for runaway processes, and that turned out to be the problem. Those runaway processes would all be running memory-resident versions of the old Suricata binary (the one with the bug).

    Runaway processes can occur from time to time with the way so many things kick off a pfSense "restart all packages" command. So when you see weirdness or recurring problems, it's not a bad idea to pull a Microsoft Windows routine and just reboot the firewall. That will for sure clear out any runaway processes.



  • @bmeeks Would it be possible to check for those processes during the uninstallation of the package? So you can warn the user?



  • @digdug3 said in (SOLVED) Suricata Interfaces have to be manually Restarted:

    @bmeeks Would it be possible to check for those processes during the uninstallation of the package? So you can warn the user?

    That's a good idea. How about auto-kill any found processes during the uninstall? Would that be possible?



  • @digdug3 said in (SOLVED) Suricata Interfaces have to be manually Restarted:

    @bmeeks Would it be possible to check for those processes during the uninstallation of the package? So you can warn the user?

    It tries to do that now, but does so by looking for a PID file in /var/run. A crashed/runaway process may no longer have a valid PID file in /var/run.

    I can look at some other approaches using pgrep maybe to find all suricata processes and then force kill them. Me with Suricata and Snort, and the former package maintainers before me for Snort, have been struggling with multiple instances getting launched forever. It stems somewhat from the way pfSense itself will sometimes issue multiple "restart all packages" commands in response to WAN IP changes or changes in the WAN interface state or problems with a gateway. These multiple "restart all packages" commands can lead to multiple instances of Suricata (or Snort) running on an interface.



  • @bmeeks said in (SOLVED) Suricata Interfaces have to be manually Restarted:

    @digdug3 said in (SOLVED) Suricata Interfaces have to be manually Restarted:

    @bmeeks Would it be possible to check for those processes during the uninstallation of the package? So you can warn the user?

    It tries to do that now, but does so by looking for a PID file in /var/run. A crashed/runaway process may no longer have a valid PID file in /var/run.

    I can look at some other approaches using pgrep maybe to find all suricata processes and then force kill them. Me with Suricata and Snort, and the former package maintainers before me for Snort, have been struggling with multiple instances getting launched forever. It stems somewhat from the way pfSense itself will sometimes issue multiple "restart all packages" commands in response to WAN IP changes or changes in the WAN interface state or problems with a gateway. These multiple "restart all packages" commands can lead to multiple instances of Suricata (or Snort) running on an interface.

    That sounds like a pain to deal with. It would be great if another approach could be implemented.
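
The PID-file gap discussed above, as an added example that is not code from the thread or from the Suricata package: a POSIX sh sketch that compares the running `suricata` PIDs (as `pgrep` would list them) with the PIDs recorded in PID files, and reports the ones no PID file accounts for. The `suricata*.pid` file-name pattern, the function names and the `--scan` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report Suricata PIDs that no PID file accounts for.
# Assumption: the package's PID files match "suricata*.pid" in the run directory.

# tracked_pids DIR -> print the PIDs recorded in DIR/suricata*.pid, one per line
tracked_pids() {
    dir=$1
    for f in "$dir"/suricata*.pid; do
        [ -f "$f" ] || continue            # glob matched nothing
        pid=$(head -n 1 "$f")
        case "$pid" in
            ''|*[!0-9]*) continue ;;       # empty or corrupt PID file: ignore it
        esac
        echo "$pid"
    done
    return 0
}

# untracked_pids DIR PID... -> print the listed PIDs that appear in no PID file.
# These are the candidates for leftover or duplicate instances.
untracked_pids() {
    dir=$1
    shift
    # Space-delimited list so whole PIDs are matched, never substrings.
    tracked=" $(tracked_pids "$dir" | tr '\n' ' ')"
    for pid in "$@"; do
        case "$tracked" in
            *" $pid "*) ;;                 # a PID file accounts for this process
            *) echo "$pid" ;;
        esac
    done
    return 0
}

# Stand-alone use: sh script.sh --scan [run_dir]
# pgrep -x matches the exact process name; its output is split into arguments.
if [ "${1:-}" = "--scan" ]; then
    # shellcheck disable=SC2046
    untracked_pids "${2:-/var/run}" $(pgrep -x suricata)
fi
```

The script only reports. Reviewing the listed PIDs before stopping them avoids killing an instance whose PID file was merely removed.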

