Netgate Discussion Forum

    Suricata service is not starting

      chofmeister

      Suricata service is not starting.
      Was checking our pfSense Suricata service on our firewall and saw it not running and was not able to start it.
      Checked the suricata.log log files and saw this in the logs, posted below.

      13/6/2020 -- 14:08:00 - <Error> -- [ERRCODE:
      SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - Hit the address buffer limit for the
      supplied address. Invalidating sig. Please file a bug report on this.
      13/6/2020 -- 14:08:00 - <Error> -- [ERRCODE:
      SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var
      "HOME_NET" with value

      (not going to show the IPs listed)

      Also, the bottom of the log shows this.

      13/6/2020 -- 14:08:00 - <Error> -- [ERRCODE:
      SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please
      check /usr/local/etc/suricata/suricata_suricata_vtnet1/suricata.yaml for errors

      This is running the latest Suricata as of this posting, version 5.0.2_2, and was upgraded recently from version 4 something.

        bmeeks

        I can't tell what exactly since you censored the content of the HOME_NET variable, but something is corrupt in there. And that value is populated with information pulled from the firewall's config.xml file and by making pfSense system calls to obtain certain information such as default gateway, DNS servers, interface IPs, etc.

        Something in your system's setup is now borked and that is causing an improper HOME_NET variable to be constructed and written to the suricata.yaml configuration file for the interface.

        Have you made any kind of change to pfSense recently? When was the last time you know Suricata was working, and what (if anything) was changed on the firewall between then and now? That's where I would start my investigation.

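One way to inspect the generated HOME_NET value locally without posting the addresses, as an added example that is not part of either post and is not code from pfSense or the Suricata package. It assumes the variable appears in suricata.yaml as a single line of the form `HOME_NET: "[a,b,c]"`; the sample YAML is constructed, and the function names are hypothetical. It reports the value's length because the log mentions an address buffer limit, but it is not Suricata's parser and asserts no specific limit.

```python
import ipaddress
import re
import sys

# Constructed sample of the address-groups part of an interface's suricata.yaml.
SAMPLE_YAML = '''\
vars:
  address-groups:
    HOME_NET: "[10.0.0.1/32,192.168.1.0/24,192.168.1.0/24,fe80::1/128,10.0.0.300/32,,172.16.0.0/33]"
    EXTERNAL_NET: "!$HOME_NET"
'''

def extract_var(yaml_text, name="HOME_NET"):
    """Return the raw value assigned to an address variable, or None if absent."""
    pattern = r'^\s*' + re.escape(name) + r'\s*:\s*"?([^"\n]*)"?\s*$'
    m = re.search(pattern, yaml_text, re.M)
    return m.group(1) if m else None

def check_address_list(value):
    """Check each entry of an address list and return a dict of findings."""
    findings = {"length": len(value), "entries": 0, "empty": 0,
                "invalid": [], "duplicates": []}
    if value.count("[") != value.count("]"):
        findings["invalid"].append("unbalanced brackets")
    seen = set()
    # Brackets are dropped so nested groups are checked entry by entry.
    for raw in value.replace("[", "").replace("]", "").split(","):
        entry = raw.strip()
        if not entry:
            findings["empty"] += 1      # e.g. a lookup that returned nothing
            continue
        findings["entries"] += 1
        addr = entry.lstrip("!")        # negation prefix
        if addr.startswith("$") or addr == "any":
            continue                    # variable reference or keyword
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            findings["invalid"].append(entry)
            continue
        if net in seen:
            findings["duplicates"].append(entry)
        seen.add(net)
    return findings

if __name__ == "__main__":
    # Pass the suricata.yaml path named in the log, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_YAML
    value = extract_var(text)
    print(check_address_list(value) if value is not None else "HOME_NET not found")
```

Entries listed under `invalid` or counted as `empty` point at the firewall setting that supplied them, which is where the reply above suggests starting.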
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.