Trying to diagnose non starting packages



  • Hi

    I have just installed PFsense and in the process of setting it up.
    However when I went to install additional packages (Suricata) they wont start at all (I have tried other as a test and non of them start).
    I don't get any error messages and I have looked in the system logs, however being new to this I have had no luck.

    I would greatly appreciate any help I can get trying to diagnose this problem. I will put all the information I have and the system specs underneath.

    Many Thanks TTWE

    Version 2.4.5-RELEASE (amd64)
    built on Tue Mar 24 15:25:50 EDT 2020
    FreeBSD 11.3-STABLE

    CPU Type Intel(R) Xeon(R) CPU E5630 @ 2.53GHz
    16 CPUs: 2 package(s) x 4 core(s) x 2 hardware threads
    AES-NI CPU Crypto: Yes (inactive)
    Memory 64 GB 1% average use.

    suricata security 5.0.2_2 High Performance Network IDS, IPS and Security Monitoring engine by OISF.



  • @TTWE You may find the solution here: https://docs.netgate.com/pfsense/en/latest/book/hardware/hardware-sizing-guidance.html ... hint: search the forum on Suricata and multi-core CPU. Congratulations on choosing pfSense and welcome to a learning process where no one wants to hold your hands while you learn.



  • @TTWE said in Trying to diagnose non starting packages:

    Hi

    I have just installed PFsense and in the process of setting it up.
    However when I went to install additional packages (Suricata) they wont start at all (I have tried other as a test and non of them start).
    I don't get any error messages and I have looked in the system logs, however being new to this I have had no luck.

    I would greatly appreciate any help I can get trying to diagnose this problem. I will put all the information I have and the system specs underneath.

    Many Thanks TTWE

    Version 2.4.5-RELEASE (amd64)
    built on Tue Mar 24 15:25:50 EDT 2020
    FreeBSD 11.3-STABLE

    CPU Type Intel(R) Xeon(R) CPU E5630 @ 2.53GHz
    16 CPUs: 2 package(s) x 4 core(s) x 2 hardware threads
    AES-NI CPU Crypto: Yes (inactive)
    Memory 64 GB 1% average use.

    suricata security 5.0.2_2 High Performance Network IDS, IPS and Security Monitoring engine by OISF.

    You can find out why Suricata is not starting by going to the LOGS VIEW tab, selecting the interface you want to view logs for in the Interface drop-down selector, and then choosing the suricata.log file in the log file drop-down selector.

    I can pretty much guarantee you that your problem is going to me a memory allocation error due to an insufficient TCP Stream Memcap setting. For high core-count boxes you need to dramatically increase the stream memcap value on the Flow/Stream tab. Try 256 MB and then work up there since you have so many CPUs and cores.

    Here is a link to the Suricata upstream Redmine site where they have a project underway to improve the OOBE (out-of-box experience) by improving some default values: https://redmine.openinfosecfoundation.org/issues/1343. Once they incorporate those into Suricata, I will make some updates to the pfSense package. But in order to not create a memory hog on smaller systems, I may not use values quite as large as mentioned in that thread.

    The current default in the pfSense package is fine for dual or quad-core CPUs, but is not enough for high core-count boxes like you have.


Log in to reply