Suricata not visible in menu



  • Hi All!
I am fairly new in the game and I am having trouble with Suricata. The package is installed, but it is not visible anywhere in the menu. I tried uninstalling and installing it again... unfortunately no difference.
    Snort will install and is visible once installed, but I prefer to go with Suricata because of the multi-core support.
    Is there any trick or is this a known issue?
    Thanks for your advice!
    Marco



  • I have not seen that. Are you on the latest pfSense version?



@teamits Yes, I am. I attached some screenshots. It's supposed to show up under Services, right?
    At least that's where Snort is when it's installed.

[attachments: 1.jpg, 2.jpg, 3.jpg]



  • Yes it shows under Services. Did you try logging out, empty browser cache, etc.? Normally it's immediately visible. Perhaps temporarily uncheck the option to save Suricata configuration on uninstall, then uninstall and reinstall?



  • If it's not visible under SERVICES, then the package did not complete installation. You need to examine the pfSense system log to see if anything helpful is printed there. You also need to carefully read and pay attention to any and all messages printed to the status window while the package is installing.

    Most likely something is bombing with the download of a rules tarball. But you will need to review the status window of the package installation screen and the pfSense system log to see what clues are there. Post back here with your findings.

    And this, hopefully, goes without needing to be said. Do not navigate away from the package installation screen until you see the green bar and status message indicating the installation is complete and succeeded.



  • @teamits I tried different browsers on different PCs. No difference.
    Where do I find the option to delete the Suricata data? Could not find it when uninstalling and reinstalling.



@bmeeks Thank you. I followed your advice. Unfortunately no success yet. I am posting the log... maybe you will be able to tell more from this?

    >>> Installing pfSense-pkg-suricata...
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.
    Checking integrity... done (0 conflicting)
    The following 13 package(s) will be affected (of 0 checked):

    New packages to be INSTALLED:
    pfSense-pkg-suricata: 4.1.6_3 [pfSense]
    suricata: 4.1.6 [pfSense]
    libyaml: 0.1.6_2 [pfSense]
    nss: 3.39 [pfSense]
    nspr: 4.20 [pfSense]
    libpcap: 1.8.1 [pfSense]
    libnet: 1.1.6_5,1 [pfSense]
    py27-yaml: 5.1 [pfSense]
    jansson: 2.11 [pfSense]
    hyperscan: 4.6.0 [pfSense]
    hiredis: 0.13.3 [pfSense]
    barnyard2: 1.13_1 [pfSense]
    broccoli: 1.97,1 [pfSense]

    Number of packages to be installed: 13

    The process will require 37 MiB more space.
    [1/13] Installing nspr-4.20...
    [1/13] Extracting nspr-4.20: .......... done
    [2/13] Installing libyaml-0.1.6_2...
    [2/13] Extracting libyaml-0.1.6_2: ......... done
    [3/13] Installing nss-3.39...
    [3/13] Extracting nss-3.39: .......... done
    [4/13] Installing libpcap-1.8.1...
    [4/13] Extracting libpcap-1.8.1: .......... done
    [5/13] Installing libnet-1.1.6_5,1...
    [5/13] Extracting libnet-1.1.6_5,1: .......... done
    [6/13] Installing py27-yaml-5.1...
    [6/13] Extracting py27-yaml-5.1: .......... done
    [7/13] Installing jansson-2.11...
    [7/13] Extracting jansson-2.11: .......... done
    [8/13] Installing hyperscan-4.6.0...
    [8/13] Extracting hyperscan-4.6.0: .......... done
    [9/13] Installing hiredis-0.13.3...
    [9/13] Extracting hiredis-0.13.3: .......... done
    [10/13] Installing broccoli-1.97,1...
    [10/13] Extracting broccoli-1.97,1: .......... done
    [11/13] Installing suricata-4.1.6...
    [11/13] Extracting suricata-4.1.6: .......... done
    [12/13] Installing barnyard2-1.13_1...
    [12/13] Extracting barnyard2-1.13_1: ...... done
    [13/13] Installing pfSense-pkg-suricata-4.1.6_3...
    [13/13] Extracting pfSense-pkg-suricata-4.1.6_3: .......... done
    Saving updated package information...
    done.
    Loading package configuration... done.
    Configuring package components...
    Loading package instructions...
    Custom commands...
    Executing custom_php_install_command()...Message from suricata-4.1.6:

    ===========================================================================

    If you want to run Suricata in IDS mode, add to /etc/rc.conf:

    suricata_enable="YES"
    suricata_interface="<if>"
    

    NOTE: Declaring suricata_interface is MANDATORY for Suricata in IDS Mode.

    However, if you want to run Suricata in Inline IPS Mode in divert(4) mode,
    add to /etc/rc.conf:

    suricata_enable="YES"
    suricata_divertport="8000"
    

    NOTE:
    Suricata won't start in IDS mode without an interface configured.
    Therefore if you omit suricata_interface from rc.conf, FreeBSD's
    rc.d/suricata will automatically try to start Suricata in IPS Mode
    (on divert port 8000, by default).

    Alternatively, if you want to run Suricata in Inline IPS Mode in high-speed
    netmap(4) mode, add to /etc/rc.conf:

    suricata_enable="YES"
    suricata_netmap="YES"
    

    NOTE:
    Suricata requires additional interface settings in the configuration
    file to run in netmap(4) mode.

    RULES: Suricata IDS/IPS Engine comes without rules by default. You should
    add rules by yourself and set an updating strategy. To do so, please visit:

    http://www.openinfosecfoundation.org/documentation/rules.html
    http://www.openinfosecfoundation.org/documentation/emerging-threats.html

    You may want to try BPF in zerocopy mode to test performance improvements:

    sysctl -w net.bpf.zerocopy_enable=1
    

    Don't forget to add net.bpf.zerocopy_enable=1 to /etc/sysctl.conf

    ===========================================================================
    Message from barnyard2-1.13_1:

    Read the notes in the barnyard2.conf file for how to configure
    /usr/local/etc/barnyard2.conf after installation. For addtional information
    see the Securixlive FAQ at http://www.securixlive.com/barnyard2/faq.php.

    In order to enable barnyard2 to start on boot, you must edit /etc/rc.conf
    with the appropriate flags, etc. See the FreeBSD Handbook for syntax:
    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-rcng.html

    For the various options available, type % barnyard2 -h after install or read
    the options in the startup script - in /usr/local/etc/rc.d.

    Barnyard2 can process unified2 files from snort or suricata. It can also
    interact with snortsam firewall rules as well as the sguil-sensor. Those
    ports must be installed separately if you wish to use them.


    Cleaning up cache... done.
    Success

    Your last point is clear and I always followed the procedure.


  • LAYER 8



  • @defender110 said in Suricata not visible in menu:

    Executing custom_php_install_command()...

    I assume this is a green field install of Suricata (as in you have never configured Suricata on this box before)? If that is not the case, then there should be more output after the line above in the package installation status window. If this is a green field install, then the status window output looks normal.

    And you are looking under SERVICES in the pfSense menu and you do not see Suricata as a choice? Is that correct?

    To see if the actual GUI package files installed, you can browse the file system under DIAGNOSTICS > EDIT and then look for files in these two paths:

    /usr/local/pkg/suricata
    /usr/local/www/suricata

    Under the SERVICES menu, can you see the last Wake-on-LAN option? Perhaps on your device's web browser the SERVICES menu is being truncated ??? Edit: never mind, just noticed the menu in your earlier screencap post.

    I'm rapidly running out of ideas to investigate.



  • @kiokoman Nothing at all. Blank page. :-(



  • Are you by chance using a RAM disk configuration? If so, make sure it is large enough to support downloading and unzipping all the required files.



@bmeeks Thanks for all your great ideas. I don't think it helped though. I attached 2 screenshots of the paths you provided. The files seem to be there.
    The other 2 screenshots are from when I uninstalled again and installed. I think I am doing it correctly.
    Also kind of out of ideas. I also run another pfSense on an HP T620 (this one is an HP T730), and it appears and works without any issue.

[attachments: 1.jpg, 2.jpg, uninstall.jpg, install.jpg]



@bmeeks Well... no. Not at the moment. Even though I think I should, as I am running it on an SSD.
    I had toyed with this, but I kept running out of space on /var/run after 4-5-6 days, even when I set the max size to 200. I am not sure why. It started at maybe 10% and over the days filled up.
    I have not tackled that issue yet.



  • Well, putting the option under the SERVICES menu is done by the core pfSense code and not the Suricata package itself. The package is getting installed, but the final step done by the pfSense package manager code is to write the SERVICES menu entry. That is obviously not happening.

    I really have no idea why at this point.



  • @defender110 said in Suricata not visible in menu:

@bmeeks Well... no. Not at the moment. Even though I think I should, as I am running it on an SSD.
    I had toyed with this, but I kept running out of space on /var/run after 4-5-6 days, even when I set the max size to 200. I am not sure why. It started at maybe 10% and over the days filled up.
    I have not tackled that issue yet.

    I asked about the RAM disk because it is generally a very bad idea, especially for packages. So you DO NOT want to use a RAM disk. I was asking just in case you might have been using one. They are bad for precisely the issue you stated -- you run out of space unexpectedly and weird things then happen in the applications.



@bmeeks Ok. Clear! I was not aware of that. I thought with an SSD it's beneficial to do. But in this case I will simply leave it as it is. I am not logging a lot, so I think the write access is not too crazy.
    Thanks loads!



  • @defender110 said in Suricata not visible in menu:

@bmeeks Ok. Clear! I was not aware of that. I thought with an SSD it's beneficial to do. But in this case I will simply leave it as it is. I am not logging a lot, so I think the write access is not too crazy.
    Thanks loads!

    Modern SSDs don't have the issues with frequent writes that the first generation SSDs had.



  • @bmeeks Right. I guess I am out of luck then. Will have to deal with Snort in this case, because that actually installs just fine.
    Thanks for the help though!



  • My only remaining theory at this point is that something is maybe weird in the config.xml on this problem machine. The SERVICES menu is populated from information contained in a section of the config.xml file.

    Look through it (in /conf) to see if the formatting appears good. It is a standard XML file. It's got to be something specific to this machine since it works for you on another machine. You would expect package or pfSense bugs to show up on both machines.
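As an added check that is not part of the thread and not pfSense's own code, the script below covers both of bmeeks' suggestions in one pass: it confirms the GUI directories (/usr/local/pkg/suricata and /usr/local/www/suricata) exist and are non-empty, parses config.xml to see whether it is well-formed, and looks for the package's menu entry. It assumes the config.xml layout I remember from pfSense (an `<installedpackages>` node holding `<package>` entries and `<menu>` entries with `<name>`, `<section>` and `<url>` children); that layout, the element names and the embedded sample are assumptions and constructed data, not taken from the page. The sample reproduces the symptom discussed here: suricata registered as a package but with no Services menu entry.

```python
#!/usr/bin/env python
"""Check whether a pfSense package left behind the two things the GUI needs:
its files on disk and a <menu> entry in config.xml. Added example; the assumed
config.xml layout (<installedpackages> holding <package> and <menu> nodes with
<name>, <section>, <url>) is not confirmed by the thread."""
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample: suricata is registered as a package but has no menu
# entry, which is the symptom discussed in the thread. Layout is an assumption.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <installedpackages>
    <package><name>snort</name><internal_name>snort</internal_name></package>
    <package><name>suricata</name><internal_name>suricata</internal_name></package>
    <menu>
      <name>Snort</name>
      <section>Services</section>
      <url>/snort/snort_interfaces.php</url>
    </menu>
  </installedpackages>
</pfsense>
"""


def installed_packages(config_text):
    """Names of every <package> registered under <installedpackages>."""
    node = ET.fromstring(config_text).find("installedpackages")
    if node is None:
        return []
    return [p.findtext("name", "").strip().lower() for p in node.findall("package")]


def menu_entries(config_text, section="Services"):
    """(name, url) of every <menu> entry that targets the given GUI section."""
    node = ET.fromstring(config_text).find("installedpackages")
    if node is None:
        return []
    return [(m.findtext("name", "").strip(), m.findtext("url", "").strip())
            for m in node.findall("menu")
            if m.findtext("section", "").strip().lower() == section.lower()]


def diagnose(pkg, config_text, gui_dirs):
    """Collect findings for one package: does config.xml parse, is the package
    registered, does a Services menu entry exist, are the GUI dirs populated."""
    findings = {"config_parses": True, "package_registered": False,
                "menu_entry": False, "gui_files": {}}
    try:
        findings["package_registered"] = pkg.lower() in installed_packages(config_text)
        findings["menu_entry"] = any(name.lower() == pkg.lower()
                                     for name, _ in menu_entries(config_text))
    except ET.ParseError as err:
        # A malformed config.xml is exactly the "formatting" problem to look for.
        findings["config_parses"] = False
        findings["parse_error"] = str(err)
    for path in gui_dirs:
        findings["gui_files"][path] = os.path.isdir(path) and bool(os.listdir(path))
    return findings


if __name__ == "__main__":
    # On the firewall: python check_pkg_menu.py suricata /conf/config.xml
    pkg = sys.argv[1] if len(sys.argv) > 1 else "suricata"
    conf = sys.argv[2] if len(sys.argv) > 2 else "/conf/config.xml"
    with open(conf) as fh:
        text = fh.read()
    result = diagnose(pkg, text,
                      ["/usr/local/pkg/" + pkg, "/usr/local/www/" + pkg])
    for key in sorted(result):
        print("{0}: {1}".format(key, result[key]))
    if result["config_parses"] and result["package_registered"] and not result["menu_entry"]:
        print("package registered but no '{0}' entry in the Services menu section".format(pkg))
```

Run it from a shell on the firewall (Diagnostics > Command Prompt or SSH) rather than from the GUI editor. If config.xml fails to parse, the parse error gives the line to inspect; if it parses and the package is registered but no menu entry is reported, the package manager's last step is the one that did not complete, which matches bmeeks' reading of the install log.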

