Suricata 4.1.5_1 on pfsense 2.5.0-DEVELOPMENT (amd64) can't start



  • Hi guys,

    I'm currently testing pfSense 2.5.0-DEVELOPMENT (amd64) and Suricata 4.1.5_1. I'm having a problem with the Suricata service not running, while Barnyard2 is running. Below is a screenshot of my test box.

    Thanks in advance.

    Screenshot_20191108_190036.png


  • LAYER 8

    I'm currently using it on my 2.5 without any problem. Do you have anything in the log?
    Status / System Logs / System / General
    You should disable Barnyard2; it's old, unsupported and it will be removed. It could be the cause of your problem.
    Delete the interfaces, reboot and recreate them without Barnyard2.



  • @kiokoman

    Thanks for your reply. I already removed Barnyard2. Suricata still can't start.

    Screenshot_20191108_195415.png
    Screenshot_20191108_195458.png



  • I have experienced this bug.
    Screenshot_20191108_201642.png


  • LAYER 8

    Hmm, I don't know. Maybe try to uninstall and reinstall Suricata; remember to remove this option before uninstalling:

    Immagine.jpg

    Or maybe @bmeeks can help you with this.



  • @war said in Suricata 4.1.5_1 on pfsense 2.5.0-DEVELOPMENT (amd64) can't start:

    I have experienced this bug.
    Screenshot_20191108_201642.png

    That PHP crash report is very confusing. When I look in that GUI package source code file, there is no such line using the explode() function at that line number. The function is actually called a few lines above. Nevertheless, I don't think that will cause Suricata not to start. That is just a warning message from the PHP compiler. I will address that issue in the next GUI package update.

    To see why Suricata is not starting, you need to look in the suricata.log file for the interface. Go to the LOGS VIEW tab and select a Suricata interface in the drop-down. Then choose suricata.log in the drop-down log file chooser. Read through that log and see what Suricata complains about. It should list any errors preventing startup in there.



  • Hi guys,

    This is the output of my Suricata logs.

    Screenshot_20191111_182459.png
    Screenshot_20191111_182446.png
    Screenshot_20191111_182414.png
    Screenshot_20191111_182430.png


  • LAYER 8

    From the console, delete that file:

    rm /var/run/pid/suricata*

    Then try to start it again.



  • Do what @kiokoman said and that should let Suricata start.

    That error message indicates the running Suricata process crashed and did not have a chance to clean up after itself.
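
    The stale PID file check described above, as an added example (not code from the thread or from the pfSense Suricata package). Suricata will not start while a PID file from an earlier run is present, and a crashed process never removes its own, so instead of blindly removing every file the script checks whether the recorded PID still belongs to a live suricata process. The directory /var/run and the name pattern suricata*.pid are assumptions (the thread mentions both /var/run and /var/run/pid); the demo only touches files it constructs in a temporary directory.

```sh
#!/bin/sh
# Added example, not code from the thread or from the pfSense Suricata package.
# Suricata refuses to start while a PID file from a previous run is present, and
# a crashed process never removes its own. Rather than blindly rm'ing the file,
# this checks whether the recorded PID still belongs to a live suricata process.
# Assumptions: PID files live in /var/run and match suricata*.pid (the thread
# shows both /var/run and /var/run/pid being suggested; adjust PID_DIR to match).

PID_DIR="${PID_DIR:-/var/run}"

# pidfile_is_stale FILE
#   returns 0 if FILE exists but its PID is not a running suricata (stale),
#           1 if a live suricata owns it,
#           2 if FILE does not exist.
pidfile_is_stale() {
    pidfile="$1"
    [ -f "$pidfile" ] || return 2
    pid=$(tr -cd '0-9' < "$pidfile")        # keep only digits; garbage => stale
    [ -n "$pid" ] || return 0
    if kill -0 "$pid" 2>/dev/null; then
        # Something has that PID. Make sure it really is suricata and not an
        # unrelated process that reused the number after the crash.
        case "$(ps -o comm= -p "$pid" 2>/dev/null)" in
            *suricata*) return 1 ;;
        esac
    fi
    return 0
}

# clean_stale_pidfile FILE
#   removes FILE only when pidfile_is_stale says so; returns 0 if the file is
#   gone afterwards (removed or never existed), 1 if a live suricata owns it.
clean_stale_pidfile() {
    rc=0
    pidfile_is_stale "$1" || rc=$?
    case $rc in
        0) rm -f "$1"; echo "removed stale $1" ;;
        1) echo "live suricata owns $1; not removing"; return 1 ;;
        *) echo "no pid file at $1" ;;
    esac
    return 0
}

# clean_all [DIR]: run the check over every suricata PID file in DIR
# (pfSense keeps one per monitored interface).
clean_all() {
    dir="${1:-$PID_DIR}"
    for f in "$dir"/suricata*.pid; do
        [ -e "$f" ] || continue           # glob matched nothing
        clean_stale_pidfile "$f" || :
    done
}

# make_dead_pid: spawn a trivial child and wait for it, so its PID is known
# to be free. Used only to construct a realistic stale PID file for the demo.
make_dead_pid() {
    sh -c ':' &
    dead=$!
    wait "$dead"
    echo "$dead"
}

# Demonstration on constructed files in a temporary directory, never on the
# real /var/run: one file pointing at a dead PID, one owned by this shell
# (alive, but not suricata, so also treated as stale).
demo() {
    tmp=$(mktemp -d)
    make_dead_pid > "$tmp/suricata_em0.pid"
    echo "$$" > "$tmp/suricata_em1.pid"
    clean_all "$tmp"
    ls -A "$tmp"          # prints nothing: both files were stale and removed
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

    Run it as `sh clean_pid.sh --demo` to see the constructed cases, or call `clean_all` (or `clean_all /var/run/pid`) from a root shell on the firewall. The PID-reuse check matters on a box that has been up a long time: the number in a stale file can legitimately belong to some other process by the time you look, and `kill -0` alone would then report it as live.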



  • Hi guys,

    I already deleted /var/run/suricata*; there is no /var/run/pid/suricata*. The error is still the same.

    Screenshot_20191112_193932.png
    Screenshot_20191112_193918.png


  • LAYER 8

    Nope, not the same; the error is now different.
    Now, I see you have 16 cores.
    Increase the Stream Memcap value on the FLOW/STREAM tab (inside the interface) to at least 256 MB and try to start again. Increase that value until it runs. Remove the pid again if necessary.



  • @kiokoman is right again. High core-count CPUs will need way more TCP stream memory than the default.
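
    What the GUI change above ends up writing, as an added example (not configuration from the thread or from the pfSense package): the `stream` section of the per-interface suricata.yaml, first with the default-sized memcap that failed on the 16-core box, then raised as suggested. The key names are Suricata's own; the pfSense file location (/usr/local/etc/suricata/suricata_<id>_<if>/suricata.yaml) and the exact numbers are assumptions, and the limit has to be raised until the engine starts on your hardware.

```yaml
# Added example, not the thread's or the pfSense package's own file.
# Before: a small stream memcap. Suricata preallocates TCP session state for
# every packet-processing thread against this single limit, so a 16-core box
# with the default-sized value fails at startup with a stream memcap error.
---
stream:
  memcap: 64mb
  checksum-validation: yes
  reassembly:
    memcap: 256mb
    depth: 1mb

# After: the "Stream Memcap" field on the FLOW/STREAM tab raised to 256 MB
# (higher if Suricata still refuses to start). If reassembly errors follow,
# raise reassembly.memcap as well; it is a separate pool with its own limit.
---
stream:
  memcap: 256mb
  checksum-validation: yes
  reassembly:
    memcap: 512mb
    depth: 1mb
```

    Edit the value through the GUI rather than in the file: the pfSense package regenerates suricata.yaml from its saved settings whenever the interface is saved or restarted, so a hand edit is overwritten.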



  • Thanks guys, it's now working.

