Suricata not visible in menu

defender110 · Feb 13, 2020, 7:18 PM

Hi All!
I am fairly new in the game and I am having trouble with Suricata. The package is installed, but it is not visible anywhere in the menue. I tried deinstalling and installing it again...unfortunately no difference.
Snort will install and is visible once installed, but I prefer to go with Suricata because of the multi-core support.
Is there any trick or is this a known issue?
Thanks for your advice!
Marco

SteveITS · Feb 13, 2020, 7:26 PM

I have not seen that. Are you on the latest pfSense version?

defender110 · Feb 13, 2020, 7:34 PM

@teamits Yes, I am. I attached you some screenshots. Its supposed to show up under services, right?
At least thats where Snort is when its installed.

SteveITS · Feb 13, 2020, 7:40 PM

Yes it shows under Services. Did you try logging out, empty browser cache, etc.? Normally it's immediately visible. Perhaps temporarily uncheck the option to save Suricata configuration on uninstall, then uninstall and reinstall?

bmeeks · Feb 14, 2020, 5:28 AM

If it's not visible under SERVICES, then the package did not complete installation. You need to examine the pfSense system log to see if anything helpful is printed there. You also need to carefully read and pay attention to any and all messages printed to the status window while the package is installing.

Most likely something is bombing with the download of a rules tarball. But you will need to review the status window of the package installation screen and the pfSense system log to see what clues are there. Post back here with your findings.

And this, hopefully, goes without needing to be said. Do not navigate away from the package installation screen until you see the green bar and status message indicating the installation is complete and succeeded.

defender110 · Feb 14, 2020, 5:25 AM

@teamits I tried different browsers on different PCs. No difference.
Where do I find the option to delete the Suricata data? Could not find it when uninstalling and reinstalling.

defender110 · Feb 14, 2020, 5:28 AM

@bmeeks Thank you. I followed your advice. Unfortunately no success yet. I post the log...maybe you will be able to tell more from this?

>>> Installing pfSense-pkg-suricata...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 13 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
pfSense-pkg-suricata: 4.1.6_3 [pfSense]
suricata: 4.1.6 [pfSense]
libyaml: 0.1.6_2 [pfSense]
nss: 3.39 [pfSense]
nspr: 4.20 [pfSense]
libpcap: 1.8.1 [pfSense]
libnet: 1.1.6_5,1 [pfSense]
py27-yaml: 5.1 [pfSense]
jansson: 2.11 [pfSense]
hyperscan: 4.6.0 [pfSense]
hiredis: 0.13.3 [pfSense]
barnyard2: 1.13_1 [pfSense]
broccoli: 1.97,1 [pfSense]

Number of packages to be installed: 13

The process will require 37 MiB more space.
[1/13] Installing nspr-4.20...
[1/13] Extracting nspr-4.20: .......... done
[2/13] Installing libyaml-0.1.6_2...
[2/13] Extracting libyaml-0.1.6_2: ......... done
[3/13] Installing nss-3.39...
[3/13] Extracting nss-3.39: .......... done
[4/13] Installing libpcap-1.8.1...
[4/13] Extracting libpcap-1.8.1: .......... done
[5/13] Installing libnet-1.1.6_5,1...
[5/13] Extracting libnet-1.1.6_5,1: .......... done
[6/13] Installing py27-yaml-5.1...
[6/13] Extracting py27-yaml-5.1: .......... done
[7/13] Installing jansson-2.11...
[7/13] Extracting jansson-2.11: .......... done
[8/13] Installing hyperscan-4.6.0...
[8/13] Extracting hyperscan-4.6.0: .......... done
[9/13] Installing hiredis-0.13.3...
[9/13] Extracting hiredis-0.13.3: .......... done
[10/13] Installing broccoli-1.97,1...
[10/13] Extracting broccoli-1.97,1: .......... done
[11/13] Installing suricata-4.1.6...
[11/13] Extracting suricata-4.1.6: .......... done
[12/13] Installing barnyard2-1.13_1...
[12/13] Extracting barnyard2-1.13_1: ...... done
[13/13] Installing pfSense-pkg-suricata-4.1.6_3...
[13/13] Extracting pfSense-pkg-suricata-4.1.6_3: .......... done
Saving updated package information...
done.
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Executing custom_php_install_command()...Message from suricata-4.1.6:

===========================================================================

If you want to run Suricata in IDS mode, add to /etc/rc.conf:

suricata_enable="YES"
suricata_interface="<if>"

NOTE: Declaring suricata_interface is MANDATORY for Suricata in IDS Mode.

However, if you want to run Suricata in Inline IPS Mode in divert(4) mode,
add to /etc/rc.conf:

suricata_enable="YES"
suricata_divertport="8000"

NOTE:
Suricata won't start in IDS mode without an interface configured.
Therefore if you omit suricata_interface from rc.conf, FreeBSD's
rc.d/suricata will automatically try to start Suricata in IPS Mode
(on divert port 8000, by default).

Alternatively, if you want to run Suricata in Inline IPS Mode in high-speed
netmap(4) mode, add to /etc/rc.conf:

suricata_enable="YES"
suricata_netmap="YES"

NOTE:
Suricata requires additional interface settings in the configuration
file to run in netmap(4) mode.

RULES: Suricata IDS/IPS Engine comes without rules by default. You should
add rules by yourself and set an updating strategy. To do so, please visit:

http://www.openinfosecfoundation.org/documentation/rules.html
http://www.openinfosecfoundation.org/documentation/emerging-threats.html

You may want to try BPF in zerocopy mode to test performance improvements:

sysctl -w net.bpf.zerocopy_enable=1

Don't forget to add net.bpf.zerocopy_enable=1 to /etc/sysctl.conf

===========================================================================
Message from barnyard2-1.13_1:

Read the notes in the barnyard2.conf file for how to configure
/usr/local/etc/barnyard2.conf after installation. For addtional information
see the Securixlive FAQ at http://www.securixlive.com/barnyard2/faq.php.

In order to enable barnyard2 to start on boot, you must edit /etc/rc.conf
with the appropriate flags, etc. See the FreeBSD Handbook for syntax:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-rcng.html

For the various options available, type % barnyard2 -h after install or read
the options in the startup script - in /usr/local/etc/rc.d.

Barnyard2 can process unified2 files from snort or suricata. It can also
interact with snortsam firewall rules as well as the sguil-sensor. Those
ports must be installed separately if you wish to use them.

Cleaning up cache... done.
Success

Your last point is clear and I always followed the procedure.

kiokoman · Feb 14, 2020, 2:28 PM

what if you try to go to https://pfSense.localhost/suricata/suricata_interfaces.php
?

bmeeks · Feb 14, 2020, 2:37 PM

@defender110 said in Suricata not visible in menu:

Executing custom_php_install_command()...

I assume this is a green field install of Suricata (as in you have never configured Suricata on this box before)? If that is not the case, then there should be more output after the line above in the package installation status window. If this is a green field install, then the status window output looks normal.

And you are looking under SERVICES in the pfSense menu and you do not see Suricata as a choice? Is that correct?

To see if the actual GUI package files installed, you can browse the file system under DIAGNOSTICS > EDIT and then look for files in these two paths:

/usr/local/pkg/suricata
/usr/local/www/suricata

~~Under the SERVICES menu, can you see the last Wake-on-LAN option? Perhaps on your device's web browser the SERVICES menu is being truncated ???~~ Edit: never mind, just noticed the menu in your earlier screencap post.

I'm rapidly running out of ideas to investigate.

defender110 · Feb 14, 2020, 2:28 PM

@kiokoman Nothing at all. Blank page. :-(

bmeeks · Feb 14, 2020, 2:39 PM

Are you by chance using a RAM disk configuration? If so, make sure it is large enough to support downloading and unzipping all the required files.

defender110 · Feb 14, 2020, 2:47 PM

@bmeeks Thanks for all your great ideas. I don't think it helped though. I attached 2 screenshots of the links you provided. the files seem to be there.
The other 2 screenshots are when i uninstalled again and installed. Think I am doing it correctly.
Also kind of out of ideas. I also run another pfSense on a HP T620 (thisone is a HP T730), and it appears and works without any issue.

defender110 · Feb 14, 2020, 2:53 PM

@bmeeks Well...no. Not at the moment. Even though I think I should, as I am running it on a SSD.
I had toyed with this, but I kept running out of space on /var/run after 4-5-6 days, even when I set the max size to 200. I am not sure why. It started at maybe 10% and over the days filled up.
I have not tackeled that issue yet.

bmeeks · Feb 14, 2020, 2:53 PM

Well, putting the option under the SERVICES menu is done by the core pfSense code and not the Suricata package itself. The package is getting installed, but the final step done by the pfSense package manager code is to write the SERVICES menu entry. That is obviously not happening.

I really have no idea why at this point.

bmeeks · Feb 14, 2020, 2:55 PM

@defender110 said in Suricata not visible in menu:

@bmeeks Well...no. Not at the moment. Even though I think I should, as I am running it on a SSD.
I had toyed with this, but I kept running out of space on /var/run after 4-5-6 days, even when I set the max size to 200. I am not sure why. It started at maybe 10% and over the days filled up.
I have not tackeled that issue yet.

I asked about the RAM disk because it is generally a very bad idea, especially for packages. So you DO NOT want to use a RAM disk. I was asking just in case you might have been using one. They are bad for precisely the issue you stated -- you run out of space unexpectedly and weird things then happen in the applications.

defender110 · Feb 14, 2020, 2:56 PM

@bmeeks Ok. Clear! I was not aware of that. I thought with an SSD its beneficial to do. But in this case I will simply leave it as it is. I am not logging a lot, so i think the write access is not to crazy.
Thanks loads!

bmeeks · Feb 14, 2020, 2:57 PM

@defender110 said in Suricata not visible in menu:

@bmeeks Ok. Clear! I was not aware of that. I thought with an SSD its beneficial to do. But in this case I will simply leave it as it is. I am not logging a lot, so i think the write access is not to crazy.
Thanks loads!

Modern SSDs don't have the issues with frequent writes that the first generation SSDs had.

defender110 · Feb 14, 2020, 2:59 PM

@bmeeks Right. I guess I am out of luck then. Will have to deal with Snort in this case, because that actually installs just fine.
Thanks for the help though!

bmeeks · Feb 14, 2020, 3:02 PM

My only remaining theory at this point is that something is maybe weird in the config.xml on this problem machine. The SERVICES menu is populated from information contained in a section of the config.xml file.

Look through it (in /conf) to see if the formatting appears good. It is a standard XML file. It's got to be something specific to this machine since it works for you on another machine. You would expect package or pfSense bugs to show up on both machines.

tim_co · Jun 23, 2020, 10:04 PM

I've spent the last 24 hours working a very similar problem. I'm sleep deprived so sorry if this is rambling...

I was trying to restore an encrypted backup from/to 2.4.5-RELEASE-p1. Every time I'd do a restore, the "reinstalling packages in the background..." message would hang. Eventually I'd have a system that appeared to be running normally but "Suricata" was not showing in the Services menu or in the "Service Status" widget. It was showing as an installed package. The system logs showed the WatchDog service was repeatedly trying to restart Suricata and failing. And the message that packages were installing in the background would only go away if forced.

I'd go through the whole clear key, reinstall packages process. I tried restoring to fresh installs of 2.4.5-RELEASE-p1, I tried restoring older backups, more recent backups. Always the same result. I tried manually removing and reinstalling every installed package.

In addition to Suricata acting wacky, sometimes DarkStat, pfBlockerNG, and nut would freak out. By killing locked processes, I'd eventually be able to get everything back with the exception of Suricata which always ended up in the same state described above.

It wasn't until I stumbled across this post and saw the suggestion to try accessing the settings via the URL below.

https://pfSense.localhost/suricata/suricata_interfaces.php

I was able to access the settings and noticed that none of the "INSTALLED RULE SET MD5 SIGNATURES" had downloaded. When I forced the download, the Suricata package reinstall went a step further than it did before but still without any errors. This reminded me of seeing a MaxMind download error on the console or in the logs during one of many re-installs last night. I checked the restored "GeoLite2 DB License Key" and it was still showing my older style (more characters) MaxMind key from before the recent requirement to "register for a free MaxMind user account." When I replaced the older key with my new shorter "GeoLite2 DB License Key", I was able to remove and reinstall the Suricata package on the first try.

For the record, the DarkStat service was also acting really weird. When I finally got things to work, I'd also just removed DarkStat without a reinstall. Maybe unrelated but worth noting.

Anyway, I thought this nugget of information might identify a bug in the backup and restore of Suri and/or help someone else with the problem.

Now I sleep.

Regards - Tim