suricata not starting
-
Good morning, I have a problem with Suricata that doesn't start. I tried reinstalling the package and it doesn't work; I tried deleting the PID, but it's not obvious because it doesn't run.
Thank you very much if you help me -
@enicolau Need to do a search of this forum with the subject of your post or take a look at the posted message URL below. Just copy it into your favorite browser.
https://forum.netgate.com/topic/152069/suricata-5-0-2-will-not-start-on-pfsense-2-4-5/4?_=1643299917679#:~:text=J-,Suricata%205.0.2%20Will%20Not%20Start%20on%20pfSense%202.4.5,-IDS/IPS
This is a very common issue with first time installations of suricata.
-
@jdeloach Thanks for responding, I had already seen that thread but it didn't solve it, it was working fine until 1/27 but now it doesn't start
-
@enicolau said in suricata not starting:
@jdeloach Thanks for responding, I had already seen that thread but it didn't solve it, it was working fine until 1/27 but now it doesn't start
Look in the suricata.log for the interface. You can see it under the LOGS VIEW tab. Suricata is pretty good about logging errors when it does not like something. If you can't figure out the problem, post the content of that log file back here. -
A small fragment of the log:
27/1/2022 -- 08:44:25 - <Info> - 2 rule files processed. 24534 rules successfully loaded, 10 rules failed
27/1/2022 -- 08:44:25 - <Info> - Threshold config parsed: 0 rule(s) found
27/1/2022 -- 08:44:25 - <Info> - 24537 signatures processed. 1348 are IP-only rules, 4100 are inspecting packet payload, 18885 inspect application layer, 108 are decoder event only
27/1/2022 -- 08:44:41 - <Info> - Using 1 live device(s).
27/1/2022 -- 08:44:41 - <Info> - BPF filter set from command line or via old 'bpf-filter' option.
27/1/2022 -- 08:44:41 - <Info> - using interface vtnet1
27/1/2022 -- 08:44:41 - <Info> - running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
27/1/2022 -- 08:44:41 - <Info> - Found an MTU of 1500 for 'vtnet1'
27/1/2022 -- 08:44:41 - <Info> - Set snaplen to 1524 for 'vtnet1'
27/1/2022 -- 08:44:41 - <Error> - [ERRCODE: SC_ERR_BPF(127)] - bpf compilation error can't parse filter expression: syntax error
27/1/2022 -- 08:44:41 - <Info> - RunModeIdsPcapAutoFp initialised
27/1/2022 -- 08:44:41 - <Info> - Running in live mode, activating unix socket
27/1/2022 -- 08:44:41 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
27/1/2022 -- 08:44:41 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01-vtnet1" failed to initialize: flags 0145
27/1/2022 -- 08:44:41 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...
27/1/2022 -- 08:46:34 - <Notice> - This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
27/1/2022 -- 08:46:34 - <Info> - CPUs/cores online: 4
27/1/2022 -- 08:46:34 - <Info> - Found an MTU of 1500 for 'vtnet1'
27/1/2022 -- 08:46:34 - <Info> - Found an MTU of 1500 for 'vtnet1'
27/1/2022 -- 08:46:34 - <Info> - fast output device (regular) initialized: fast.log
27/1/2022 -- 08:46:34 - <Info> - eve-log output device (regular) initialized: eve.json
27/1/2022 -- 08:46:34 - <Info> - stats output device (regular) initialized: stats.log
27/1/2022 -- 08:46:34 - <Info> - Running in live mode, activating unix socket
27/1/2022 -- 08:46:40 - <Info> - 1 rule files processed. 24534 rules successfully loaded, 0 rules failed
27/1/2022 -- 08:46:40 - <Info> - Threshold config parsed: 0 rule(s) found
27/1/2022 -- 08:46:40 - <Info> - 24537 signatures processed. 1348 are IP-only rules, 4100 are inspecting packet payload, 18885 inspect application layer, 108 are decoder event only
27/1/2022 -- 08:46:55 - <Info> - Using 1 live device(s).
27/1/2022 -- 08:46:55 - <Info> - BPF filter set from command line or via old 'bpf-filter' option.
27/1/2022 -- 08:46:55 - <Info> - using interface vtnet1
27/1/2022 -- 08:46:55 - <Info> - running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
27/1/2022 -- 08:46:55 - <Info> - Found an MTU of 1500 for 'vtnet1'
27/1/2022 -- 08:46:55 - <Info> - Set snaplen to 1524 for 'vtnet1'
27/1/2022 -- 08:46:55 - <Error> - [ERRCODE: SC_ERR_BPF(127)] - bpf compilation error can't parse filter expression: syntax error
27/1/2022 -- 08:46:55 - <Info> - RunModeIdsPcapAutoFp initialised
27/1/2022 -- 08:46:55 - <Info> - Running in live mode, activating unix socket
27/1/2022 -- 08:46:55 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
27/1/2022 -- 08:46:55 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01-vtnet1" failed to initialize: flags 0145
27/1/2022 -- 08:46:55 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting... -
@enicolau said in suricata not starting:
A small fragment of the log:
27/1/2022 -- 08:44:25 - <Info> - 2 rule files processed. 24534 rules successfully loaded, 10 rules failed
27/1/2022 -- 08:44:25 - <Info> - Threshold config parsed: 0 rule(s) found
27/1/2022 -- 08:44:25 - <Info> - 24537 signatures processed. 1348 are IP-only rules, 4100 are inspecting packet payload, 18885 inspect application layer, 108 are decoder event only
27/1/2022 -- 08:44:41 - <Info> - Using 1 live device(s).
27/1/2022 -- 08:44:41 - <Info> - BPF filter set from command line or via old 'bpf-filter' option.
27/1/2022 -- 08:44:41 - <Info> - using interface vtnet1
27/1/2022 -- 08:44:41 - <Info> - running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
27/1/2022 -- 08:44:41 - <Info> - Found an MTU of 1500 for 'vtnet1'
27/1/2022 -- 08:44:41 - <Info> - Set snaplen to 1524 for 'vtnet1'
27/1/2022 -- 08:44:41 - <Error> - [ERRCODE: SC_ERR_BPF(127)] - bpf compilation error can't parse filter expression: syntax error
27/1/2022 -- 08:44:41 - <Info> - RunModeIdsPcapAutoFp initialised
27/1/2022 -- 08:44:41 - <Info> - Running in live mode, activating unix socket
27/1/2022 -- 08:44:41 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
27/1/2022 -- 08:44:41 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01-vtnet1" failed to initialize: flags 0145
27/1/2022 -- 08:44:41 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...
27/1/2022 -- 08:46:34 - <Notice> - This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
27/1/2022 -- 08:46:34 - <Info> - CPUs/cores online: 4
27/1/2022 -- 08:46:34 - <Info> - Found an MTU of 1500 for 'vtnet1'
27/1/2022 -- 08:46:34 - <Info> - Found an MTU of 1500 for 'vtnet1'
27/1/2022 -- 08:46:34 - <Info> - fast output device (regular) initialized: fast.log
27/1/2022 -- 08:46:34 - <Info> - eve-log output device (regular) initialized: eve.json
27/1/2022 -- 08:46:34 - <Info> - stats output device (regular) initialized: stats.log
27/1/2022 -- 08:46:34 - <Info> - Running in live mode, activating unix socket
27/1/2022 -- 08:46:40 - <Info> - 1 rule files processed. 24534 rules successfully loaded, 0 rules failed
27/1/2022 -- 08:46:40 - <Info> - Threshold config parsed: 0 rule(s) found
27/1/2022 -- 08:46:40 - <Info> - 24537 signatures processed. 1348 are IP-only rules, 4100 are inspecting packet payload, 18885 inspect application layer, 108 are decoder event only
27/1/2022 -- 08:46:55 - <Info> - Using 1 live device(s).
27/1/2022 -- 08:46:55 - <Info> - BPF filter set from command line or via old 'bpf-filter' option.
27/1/2022 -- 08:46:55 - <Info> - using interface vtnet1
27/1/2022 -- 08:46:55 - <Info> - running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
27/1/2022 -- 08:46:55 - <Info> - Found an MTU of 1500 for 'vtnet1'
27/1/2022 -- 08:46:55 - <Info> - Set snaplen to 1524 for 'vtnet1'
27/1/2022 -- 08:46:55 - <Error> - [ERRCODE: SC_ERR_BPF(127)] - bpf compilation error can't parse filter expression: syntax error
27/1/2022 -- 08:46:55 - <Info> - RunModeIdsPcapAutoFp initialised
27/1/2022 -- 08:46:55 - <Info> - Running in live mode, activating unix socket
27/1/2022 -- 08:46:55 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
27/1/2022 -- 08:46:55 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01-vtnet1" failed to initialize: flags 0145
27/1/2022 -- 08:46:55 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...
Don't know why exactly, but Suricata is most definitely not liking your vtnet NIC driver/interface. I see a number of errors related to that device. Some of them are fatal, thus the reason Suricata is not starting.
Are you actually attempting to run Suricata on pfSense? I'm asking because I see two things in your log snippet that are not standard on pfSense. One is the issue with BPF (Berkeley Packet Filtering), and the other is the UNIX control socket getting used. Those two things are not supported natively in the pfSense GUI used with Suricata. Suricata on pfSense is meant to be managed via the GUI only and not via the command-line. I see in the log options were passed via the command-line.
If you are in fact running Suricata on some other platform, be advised this forum is strictly for discussions about the Suricata package installed and run on the pfSense firewall distro. For Suricata issues on other platforms, you should post on the General Suricata Users Forum here: https://forum.suricata.io/.
-
@bmeeks Thanks for responding, I'm using pfsense, from the gui there is no more data that it doesn't start, there is nothing else, so I start it by ssh but I can't think of much else
-
@enicolau said in suricata not starting:
@bmeeks Thanks for responding, I'm using pfsense, from the gui there is no more data that it doesn't start, there is nothing else, so I start it by ssh but I can't think of much else
I don't think you understand how Suricata works on pfSense. You MUST use the GUI for everything. You CANNOT do things from the command-line -- including starting it by SSH. The suricata.yaml file you see in /usr/local/etc/suricata is not the file used by the Suricata processes on pfSense. Each configured instance (in the GUI) has its own unique subdirectory underneath /usr/local/etc/suricata/, and all of the configuration information for that instance resides in the subdirectory. At startup time, the suricata.yaml file is created from scratch using information stored by the GUI code in the firewall's config.xml file.
The errors in the startup log clearly indicate issues with your NIC driver. It is not playing well with Suricata. I have no idea why, but it is not. Notice these two lines:
27/1/2022 -- 08:44:41 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01-vtnet1" failed to initialize: flags 0145
27/1/2022 -- 08:44:41 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...
That SC_ERR_FATAL error is why Suricata is not starting, and that error is occurring when Suricata attempts to initialize that card.
Your second problem is attempting to run Suricata using the UNIX socket. That is not currently supported on pfSense.
27/1/2022 -- 08:46:55 - <Info> - Running in live mode, activating unix socket
27/1/2022 -- 08:46:55 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
And you appear to be trying to pass BPF parameters via the command-line based on this line in the startup log:
27/1/2022 -- 08:46:55 - <Info> - BPF filter set from command line or via old 'bpf-filter' option.
That option is not supported on pfSense either. And the filter you are providing has a syntax error as evidenced by this line in the log file:
27/1/2022 -- 08:44:41 - <Error> - [ERRCODE: SC_ERR_BPF(127)] - bpf compilation error can't parse filter expression: syntax error
Here is a link with instructions for setting up Suricata on pfSense. It may help you understand how to properly do this.
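As an added illustration of the triage both jdeloach and bmeeks describe above (read the interface's suricata.log, find the `<Error>` lines, and spot the SC_ERR_FATAL that aborts the engine), here is a small Python script that is not from the thread or from the pfSense package. It parses the log format quoted in the post, splits the log into startup attempts at the "This is Suricata version" banner, and also flags the two Info messages bmeeks calls out as options the pfSense GUI does not set itself; the sample lines are copied from the log posted above, and the list of GUI-foreign markers is my own assumption based on his remarks.

```python
import re

# One suricata.log record, as quoted in the thread:
# "27/1/2022 -- 08:44:41 - <Error> - [ERRCODE: SC_ERR_BPF(127)] - bpf compilation error ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2}) - <(?P<level>\w+)> - "
    r"(?:\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - )?(?P<msg>.*)$"
)

# Assumption (from bmeeks's reply): on pfSense these Info messages point at
# options that were passed outside the GUI (command-line BPF filter, unix socket).
GUI_FOREIGN_MARKERS = ("BPF filter set from command line", "Using unix socket file")

# Constructed sample: a subset of the lines posted in the thread (two startup attempts).
SAMPLE_LOG = """\
27/1/2022 -- 08:44:41 - <Info> - BPF filter set from command line or via old 'bpf-filter' option.
27/1/2022 -- 08:44:41 - <Info> - using interface vtnet1
27/1/2022 -- 08:44:41 - <Error> - [ERRCODE: SC_ERR_BPF(127)] - bpf compilation error can't parse filter expression: syntax error
27/1/2022 -- 08:44:41 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
27/1/2022 -- 08:44:41 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01-vtnet1" failed to initialize: flags 0145
27/1/2022 -- 08:44:41 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...
27/1/2022 -- 08:46:34 - <Notice> - This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
27/1/2022 -- 08:46:34 - <Info> - CPUs/cores online: 4
27/1/2022 -- 08:46:55 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...
"""

def parse_line(line):
    """Return the fields (ts, level, code, num, msg) of one log line, or None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text):
    """Group the log into startup attempts; each gets its error list, a fatal flag and GUI-foreign options."""
    attempts = [{"errors": [], "fatal": False, "foreign_options": []}]
    seen_record = False
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # The version banner opens a new attempt, unless the log starts with it.
        if rec["level"] == "Notice" and rec["msg"].startswith("This is Suricata version") and seen_record:
            attempts.append({"errors": [], "fatal": False, "foreign_options": []})
        seen_record = True
        if rec["level"] == "Error":
            attempts[-1]["errors"].append((rec["code"], rec["msg"]))
            attempts[-1]["fatal"] |= rec["code"] == "SC_ERR_FATAL"
        elif any(rec["msg"].startswith(marker) for marker in GUI_FOREIGN_MARKERS):
            attempts[-1]["foreign_options"].append(rec["msg"])
    return attempts

if __name__ == "__main__":
    for i, a in enumerate(triage(SAMPLE_LOG), 1):
        print(f"attempt {i}: fatal={a['fatal']} errors={[c for c, _ in a['errors']]} foreign={len(a['foreign_options'])}")
```

Point it at the real file instead of SAMPLE_LOG (e.g. `triage(open(path).read())`) to get the per-attempt summary; the first attempt with `fatal=True` is the one whose preceding errors explain the failed start.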