Suricata Menu Missing Help!



  • I have installed Suricata on my pfSense box and for some reason the Suricata menu under services is not showing up. This is a fresh install and I had the same issue with Snort until I uninstalled it and reinstalled it. I have tried this with Suricata multiple times and to no avail; the menu option is not showing up. I cannot see the service either for some reason, but if I go to the menu manually at

    /suricata/suricata_interfaces.php

    I can see the configuration. After attempting to set it up on WAN0 and start the service, it does not start.

    I have looked through the config.xml and Suricata seems to be missing there; I can post it if necessary.

    I really would like to get started working with Suricata but I'm not sure what's going wrong here. I am pretty Linux savvy, 25 years now, but don't have any experience with pfSense.

    Also, the rulesets seem to be downloading and installing fine and Snort is up and running fine also (not sure how intertwined these 2 services are).

    The Suricata services are under /usr/local/bin also, like they are supposed to be, so it clearly looks like it is installing on the server.

    I am running a Dell PowerEdge R720 for the pfSense box and just updated to 2.4.5-RELEASE-p1 when the new update came out. Not sure if Suricata worked before that, since I have not tried it until now. Everything else on the firewall is running fine, no issues that I can see.

    Update: Version of Suricata running
    suricata security 5.0.2_3 High Performance Network IDS, IPS and Security Monitoring engine by OISF.

    Package Dependencies:
    suricata-5.0.2_1  barnyard2-1.13_5

    Any help is appreciated
    Thanks
    Chris Fox



  • Copy of suricata.log file

    ```
    1/7/2020 -- 13:01:33 - <Notice> -- This is Suricata version 5.0.2 RELEASE running in SYSTEM mode
    1/7/2020 -- 13:01:33 - <Info> -- CPUs/cores online: 32
    1/7/2020 -- 13:01:33 - <Info> -- HTTP memcap: 67108864
    1/7/2020 -- 13:01:33 - <Notice> -- using flow hash instead of active packets
    1/7/2020 -- 13:01:33 - <Info> -- fast output device (regular) initialized: alerts.log
    1/7/2020 -- 13:01:33 - <Info> -- http-log output device (regular) initialized: http.log
    1/7/2020 -- 13:01:33 - <Info> -- stats output device (regular) initialized: stats.log
    1/7/2020 -- 13:01:33 - <Info> -- 1 rule files processed. 299 rules successfully loaded, 0 rules failed
    1/7/2020 -- 13:01:33 - <Info> -- Threshold config parsed: 0 rule(s) found
    1/7/2020 -- 13:01:33 - <Info> -- 299 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 128 inspect application layer, 103 are decoder event only
    1/7/2020 -- 13:01:33 - <Info> -- Using 1 live device(s).
    1/7/2020 -- 13:01:33 - <Info> -- using interface igb0
    1/7/2020 -- 13:01:33 - <Info> -- running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
    1/7/2020 -- 13:01:33 - <Info> -- Set snaplen to 1518 for 'igb0'
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Info> -- RunModeIdsPcapAutoFp initialised
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#08" failed to initialize: flags 0145
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
    ```



  • Install Log File

    Installing pfSense-pkg-suricata...
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.
    Checking integrity... done (0 conflicting)
    The following 8 package(s) will be affected (of 0 checked):
    
    New packages to be INSTALLED:
    	hiredis: 0.13.3 [pfSense]
    	hyperscan: 4.7.0_3 [pfSense]
    	libyaml: 0.2.2 [pfSense]
    	nspr: 4.25 [pfSense]
    	nss: 3.51 [pfSense]
    	pfSense-pkg-suricata: 5.0.2_3 [pfSense]
    	py37-yaml: 5.3.1 [pfSense]
    	suricata: 5.0.2_1 [pfSense]
    
    Number of packages to be installed: 8
    
    The process will require 36 MiB more space.
    [1/8] Installing nspr-4.25...
    [1/8] Extracting nspr-4.25: .......... done
    [2/8] Installing libyaml-0.2.2...
    [2/8] Extracting libyaml-0.2.2: ......... done
    [3/8] Installing nss-3.51...
    [3/8] Extracting nss-3.51: .......... done
    [4/8] Installing py37-yaml-5.3.1...
    [4/8] Extracting py37-yaml-5.3.1: .......... done
    [5/8] Installing hyperscan-4.7.0_3...
    [5/8] Extracting hyperscan-4.7.0_3: .......... done
    [6/8] Installing hiredis-0.13.3...
    [6/8] Extracting hiredis-0.13.3: .......... done
    [7/8] Installing suricata-5.0.2_1...
    [7/8] Extracting suricata-5.0.2_1: .......... done
    [8/8] Installing pfSense-pkg-suricata-5.0.2_3...
    [8/8] Extracting pfSense-pkg-suricata-5.0.2_3: .......... done
    Saving updated package information...
    done.
    Loading package configuration... done.
    Configuring package components...
    Loading package instructions...
    Custom commands...
    Executing custom_php_install_command()...=====
    Message from suricata-5.0.2_1:
    
    --
    If you want to run Suricata in IDS mode, add to /etc/rc.conf:
    
    	suricata_enable="YES"
    	suricata_interface="<if>"
    
    NOTE: Declaring suricata_interface is MANDATORY for Suricata in IDS Mode.
    
    However, if you want to run Suricata in Inline IPS Mode in divert(4) mode,
    add to /etc/rc.conf:
    
    	suricata_enable="YES"
    	suricata_divertport="8000"
    
    NOTE:
    	Suricata won't start in IDS mode without an interface configured.
    	Therefore if you omit suricata_interface from rc.conf, FreeBSD's
    	rc.d/suricata will automatically try to start Suricata in IPS Mode
    	(on divert port 8000, by default).
    
    Alternatively, if you want to run Suricata in Inline IPS Mode in high-speed
    netmap(4) mode, add to /etc/rc.conf:
    
    	suricata_enable="YES"
    	suricata_netmap="YES"
    
    NOTE:
    	Suricata requires additional interface settings in the configuration
    	file to run in netmap(4) mode.
    
    RULES: Suricata IDS/IPS Engine comes without rules by default. You should
    add rules by yourself and set an updating strategy. To do so, please visit:
    
     http://www.openinfosecfoundation.org/documentation/rules.html
     http://www.openinfosecfoundation.org/documentation/emerging-threats.html
    
    You may want to try BPF in zerocopy mode to test performance improvements:
    
    	sysctl -w net.bpf.zerocopy_enable=1
    
    Don't forget to add net.bpf.zerocopy_enable=1 to /etc/sysctl.conf
    >>> Cleaning up cache... done.
    Success
    


  • System Log File

    Jul 1 13:44:49	php		[Suricata] Suricata START for WAN(igb0)...
    Jul 1 13:44:49	php		[Suricata] Building new sid-msg.map file for WAN...
    Jul 1 13:44:48	php		[Suricata] Updating rules configuration for: WAN ...
    Jul 1 13:44:47	php-fpm	19575	Starting Suricata on WAN(igb0) per user request...
    Jul 1 13:41:14	php		[Suricata] The Rules update has finished.
    Jul 1 13:41:14	php		[Suricata] Snort GPLv2 Community Rules are up to date...
    Jul 1 13:41:13	php		[Suricata] Emerging Threats Open rules are up to date...
    Jul 1 13:25:11	php		[Suricata] The Rules update has finished.
    Jul 1 13:25:11	php		[Suricata] Building new sid-msg.map file for WAN...
    Jul 1 13:25:10	php		[Suricata] Updating rules configuration for: WAN ...
    Jul 1 13:25:10	php		[Suricata] Snort GPLv2 Community Rules file update downloaded successfully.
    Jul 1 13:25:09	php		[Suricata] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
    Jul 1 13:25:08	php		[Suricata] Emerging Threats Open rules file update downloaded successfully.
    Jul 1 13:25:07	php		[Suricata] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
    Jul 1 13:24:04	pkg-static		pfSense-pkg-suricata-5.0.2_3 installed
    Jul 1 13:24:04	php		[Suricata] ERROR: GeoLite2-Country IP database update check failed. The GeoIP database was not updated!
    Jul 1 13:24:04	php		[Suricata] ALERT: The Account ID or License Key for MaxMind GeoLite2 is invalid.
    Jul 1 13:24:03	php		[Suricata] Checking for updated MaxMind GeoLite2 IP database file...
    Jul 1 13:24:03	php		[Suricata] Installing free GeoLite2 country IP database file in /usr/local/share/suricata/GeoLite2/...
    Jul 1 13:24:03	php		/etc/rc.packages: Beginning package installation for suricata .
    Jul 1 13:24:03	pkg-static		suricata-5.0.2_1 installed
    Jul 1 13:23:33	pkg-static		suricata-5.0.2_1 deinstalled
    Jul 1 13:23:33	pkg-static		pfSense-pkg-suricata-5.0.2_3 deinstalled
    Jul 1 13:23:30	php		[Suricata] Suricata package uninstall in progress...
    


  • @chrisfox75 said in Suricata Menu Missing Help!:

    I have installed Suricata on my pfSense box and for some reason the Suricata menu under services is not showing up. This is a fresh install and I had the same issue with Snort until I uninstalled it and reinstalled it. I have tried this with Suricata multiple times and to no avail; the menu option is not showing up. I cannot see the service either for some reason, but if I go to the menu manually at

    /suricata/suricata_interfaces.php

    I can see the configuration. After attempting to set it up on WAN0 and start the service, it does not start.

    I have looked through the config.xml and Suricata seems to be missing there; I can post it if necessary.

    I really would like to get started working with Suricata but I'm not sure what's going wrong here. I am pretty Linux savvy, 25 years now, but don't have any experience with pfSense.

    Also, the rulesets seem to be downloading and installing fine and Snort is up and running fine also (not sure how intertwined these 2 services are).

    The Suricata services are under /usr/local/bin also, like they are supposed to be, so it clearly looks like it is installing on the server.

    I am running a Dell PowerEdge R720 for the pfSense box and just updated to 2.4.5-RELEASE-p1 when the new update came out. Not sure if Suricata worked before that, since I have not tried it until now. Everything else on the firewall is running fine, no issues that I can see.

    Update: Version of Suricata running
    suricata security 5.0.2_3 High Performance Network IDS, IPS and Security Monitoring engine by OISF.

    Package Dependencies:
    suricata-5.0.2_1  barnyard2-1.13_5

    Any help is appreciated
    Thanks
    Chris Fox

    You have two different problems. I'll tackle the failure to start from the INTERFACES screen first.

    1. Suricata is failing to start because the TCP stream memcap parameter is too small for your CPU core count. The default value is 64 MB. That is sufficient for most users with dual-core or even quad-core CPUs. However, higher core-count processors will need significantly more than the 64 MB default value. This parameter is on the FLOW/STREAM tab. You can tell what the problem is by looking at these error lines from the suricata.log file you posted for the interface:

       ```
       1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
       1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
       1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
       1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
       1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
       ```

    2. Suricata failing to show up under the SERVICES menu is something else. Usually that indicates that something during the installation process did not complete properly. The pkg utility is in charge of that, though. It might be that the pkg utility is getting confused by this:

       ```
       Jul 1 13:24:04	php		[Suricata] ERROR: GeoLite2-Country IP database update check failed. The GeoIP database was not updated!
       Jul 1 13:24:04	php		[Suricata] ALERT: The Account ID or License Key for MaxMind GeoLite2 is invalid.
       Jul 1 13:24:03	php		[Suricata] Checking for updated MaxMind GeoLite2 IP database file...
       Jul 1 13:24:03	php		[Suricata] Installing free GeoLite2 country IP database file in /usr/local/share/suricata/GeoLite2/...
       ```

    Those lines are from the GeoIP database update. Did you have a previous Suricata installation at some time on this machine? Looks like the GeoIP database download option is enabled but no proper MaxMind key is available. Thus the download attempt is failing. That will not stop Suricata from working, but it might be fooling the pkg utility and causing it to not finish the last install step, which is writing the configuration to the config.xml file.



  • @bmeeks said in Suricata Menu Missing Help!:

    GeoIP database update.

    So if I fix the TCP stream memcap that might let Suricata start properly? I will try this to get it started.

    What's weird is the GeoIP database update is working fine now; if you look later in the log file it is updating fine. Does that run when the package is installed? So I am questioning if that is why the menu item isn't showing up. So it's updating properly, I wouldn't see how it would update when the package is installed, but I may be wrong.

    Any other suggestions on the menu option? I will let you know my results with Suricata starting up.

    Thanks for the help!!
    Chris



  • @chrisfox75 said in Suricata Menu Missing Help!:

    @bmeeks said in Suricata Menu Missing Help!:

    GeoIP database update.

    So if I fix the TCP stream memcap that might let Suricata start properly? I will try this to get it started.

    What's weird is the GeoIP database update is working fine now; if you look later in the log file it is updating fine. Does that run when the package is installed? So I am questioning if that is why the menu item isn't showing up. So it's updating properly, I wouldn't see how it would update when the package is installed, but I may be wrong.

    Any other suggestions on the menu option? I will let you know my results with Suricata starting up.

    Thanks for the help!!
    Chris

    Increasing the TCP stream memcap parameter to something like 128 MB or even 256 MB should let Suricata start properly. Just start bumping up the value in 32 MB chunks until it starts.

    The GeoIP database is downloaded during the install process, but ONLY if that option was enabled on the GLOBAL SETTINGS tab and there is a non-null value in the MaxMind database key field (also on the GLOBAL SETTINGS tab). If you had a previous Suricata install on this box in the past, it would have saved a configuration back then. Installing Suricata again later would result in it detecting the old configuration and using the values stored there. As a test, you can go to the GLOBAL SETTINGS tab (it will be visible when you open the manual link you specified earlier) and uncheck the option to use the GeoIP database. And while there, erase anything that might be showing in the License Key box for MaxMind. Save that change to write it to config.xml.

    After the steps above, you can try removing and installing Suricata again to see if it shows up under the SERVICES menu.
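    The two diagnoses above (the stream session pool errors in suricata.log pointing at stream.memcap, and the advice to raise memcap in 32 MB steps until the engine starts) can be turned into a small triage script. The following Python is an added example, not code from the thread or from the pfSense Suricata package: it parses suricata.log lines of the format shown in the thread, counts the ERRCODE entries, flags the "failed to setup/expand stream session pool" signature and the "Engine initialization failed" abort, and proposes the next memcap value to try. The 64 MB default and the 32 MB step are the values bmeeks gives; the sample logs are constructed (a shortened copy of the posted log, plus a healthy start for contrast), and the "NNNmb" rendering in format_memcap is an assumption about the form suricata.yaml accepts, not something the pfSense GUI requires.

    ```python
    import re
    from collections import Counter

    # Constructed sample: a shortened copy of the suricata.log posted in this thread.
    SAMPLE_LOG = """\
    1/7/2020 -- 13:01:33 - <Notice> -- This is Suricata version 5.0.2 RELEASE running in SYSTEM mode
    1/7/2020 -- 13:01:33 - <Info> -- CPUs/cores online: 32
    1/7/2020 -- 13:01:33 - <Info> -- 1 rule files processed. 299 rules successfully loaded, 0 rules failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    1/7/2020 -- 13:01:34 - <Info> -- RunModeIdsPcapAutoFp initialised
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#08" failed to initialize: flags 0145
    1/7/2020 -- 13:01:34 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
    """

    # Constructed sample of a successful start (the "engine started" Notice is the line to look for).
    HEALTHY_LOG = """\
    1/7/2020 -- 13:05:00 - <Notice> -- This is Suricata version 5.0.2 RELEASE running in SYSTEM mode
    1/7/2020 -- 13:05:00 - <Info> -- CPUs/cores online: 32
    1/7/2020 -- 13:05:01 - <Notice> -- all 32 packet processing threads, 4 management threads initialized, engine started.
    """

    LINE_RE = re.compile(r"^(?P<date>\S+) -- (?P<time>\S+) - <(?P<level>\w+)> -- (?P<msg>.*)$")
    ERRCODE_RE = re.compile(r"\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - (?P<detail>.*)")
    CORES_RE = re.compile(r"CPUs/cores online: (\d+)")

    MB = 1024 * 1024
    DEFAULT_MEMCAP = 64 * MB   # pfSense default stream.memcap per the thread
    STEP_BYTES = 32 * MB       # increment suggested in the thread


    def parse_log(text):
        """Yield (level, msg) for every well-formed suricata.log line; skip anything else."""
        for raw in text.splitlines():
            m = LINE_RE.match(raw.strip())
            if m:
                yield m.group("level"), m.group("msg")


    def triage(text, current_memcap_bytes=DEFAULT_MEMCAP):
        """Summarise a suricata.log and, when the stream pool failure is present,
        propose the next stream.memcap value (current value plus one 32 MB step)."""
        errcodes = Counter()
        cores = None
        stream_pool_failed = False
        engine_aborted = False
        engine_started = False
        for level, msg in parse_log(text):
            c = CORES_RE.search(msg)
            if c:
                cores = int(c.group(1))
            if "engine started" in msg:
                engine_started = True
            if level != "Error":
                continue
            e = ERRCODE_RE.search(msg)
            if not e:
                continue
            errcodes[e.group("code")] += 1
            detail = e.group("detail")
            if "stream session pool" in detail:
                stream_pool_failed = True
            if "Engine initialization failed" in detail:
                engine_aborted = True
        return {
            "cores": cores,
            "errcodes": dict(errcodes),
            "stream_pool_failed": stream_pool_failed,
            "engine_aborted": engine_aborted,
            "engine_started": engine_started,
            "next_memcap_bytes": current_memcap_bytes + STEP_BYTES if stream_pool_failed else None,
        }


    def format_memcap(n):
        """Render a byte count in the 'NNNmb' form (assumed suricata.yaml notation)."""
        return f"{n // MB}mb"


    if __name__ == "__main__":
        for name, log in (("posted log", SAMPLE_LOG), ("healthy log", HEALTHY_LOG)):
            r = triage(log)
            print(name, r)
            if r["next_memcap_bytes"]:
                print("  try stream.memcap =", format_memcap(r["next_memcap_bytes"]))
    ```

    Run against the posted log it reports 32 cores, the four ERRCODE kinds, the stream pool failure and the abort, and proposes 96mb as the next value; run again after each restart with the new memcap passed as current_memcap_bytes, and stop when engine_started is True and stream_pool_failed is False.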



  • @bmeeks said in Suricata Menu Missing Help!:

    downloaded during the install process, but ONLY if that option was enabled on the GLOBAL SETTINGS tab and there is a non-null value in the MaxMin

    Did everything you recommended and reinstalled Suricata, and what do you know, it appeared on the menu. Jeez, seems like some sort of bug that needs to be fixed so a noob doesn't have to spend a while trying to fix it.

    I also upped the TCP memcap, but damn, I have it all the way up to 299108864 and it finally started error free. The box only has 128mb of memory.

    After going through all that, for some reason I have my box configured as a RAID 5 box with 4 - 4TB drives in it and I'm only seeing 1.9T free on the box, which seems a little low for 8TB installed. I know the overhead with a RAID 5 system, but does FreeBSD utilize a lot more than I am aware of? I know I might never use all the space in it; it's just how the box came configured, and it was cheaper than any appliance out there since I bought it used. But I would think I should see a little more than 1.9TB out of the drive system, and everything is mounted on /. I just did the recommended install when I set the box up; maybe I'll just leave it be since it seems to be running great now.

    Now to dive into Snort configuration, since I have signed up for a free key just to start, and configuring all my VLANs etc. Me being a Check Point firewall guy, this seems just as robust as Check Point ever did and you can't beat the price.

    Thanks a ton for your help, everything worked out great.

    Chris

