Stopping Snort/Suricata at Boot Time

  • Wanting to try out Suricata, I removed Snort yesterday and installed and configured Suricata next. After adding an interface and enabling inline mode on it, everything appeared fine at first after starting it, but a few seconds later I lost all connectivity. Rebooted the firewall and after boot up completed things were fine for maybe 30 - 60 seconds and then the console started filling up with a repeating stream of Netmap errors, leading me to lose all connectivity again. I was a bit surprised by this since the primary NIC I'm using (Chelsio) does support Netmap natively. Ultimately I decided to just reset the firewall and restore a previous backup. Everything is fine now but I wanted to ask if there is a way to manually stop or disable Suricata / Snort at boot time so I can disable the interface before it tries to start and all connectivity is lost again? I would like to get to the bottom of the Netmap errors I saw, but I don't like the prospect of potentially having to restore a backup each time if I run into errors again. Thanks in advance!

  • No, if you have the package installed and one or more interfaces with Enabled checked on the INTERFACE SETTINGS tab, then the system will attempt to start the services at boot. The only way to prevent that is to go to the INTERFACES tab, select a Suricata or Snort interface, and then edit it. On the INTERFACE SETTINGS tab uncheck the Enable checkbox to disable that interface. That will prevent it from starting on future boots. Of course you can delete the entire Suricata or Snort instance on the interface as well using the Delete icon.
