Suricata found disabled
-
I have noticed that my Suricata service keeps deactivating, and I must reboot my Netgate 1100 to start the service. I am on pfSense version 22.05 and my rules are up to date. Has anyone experienced this? If so, what was done to resolve the issue?
-
Are you updated to the latest version of the Suricata package? What specific version of Suricata is installed?
Have you examined the suricata.log file for the interface? You can access it under LOGS VIEW, choosing the correct interface in the drop-down, and then choosing the suricata.log for viewing in the log files drop-down. Posting the contents of that log would be helpful.
Examine the pfSense system log to see if anything related to Suricata is logged there. If you find anything, post it back here.
-
@cybersec_s said in Suricata found disabled:
I must reboot my netgate 1100
The 1100 has only 1 GB RAM so it could be an out of memory issue.
Only a reboot fixes it? What happens when you press the (>) button to start Suricata?
-
@steveits Thanks for your reply. I figured out my issue. I'm using my device in transparent mode and had it configured incorrectly. I have the WAN and LAN ports bridged and also had IPs on both ports. Once I removed the IPs and placed one on the Bridge (for local GUI access), the service stayed active after a reboot.
-
@cybersec_s said in Suricata found disabled:
@steveits Thanks for your reply. I figured out my issue. I'm using my device in transparent mode and had it configured incorrectly. I have the WAN and LAN ports bridged and also had IPs on both ports. Once I removed the IPs and placed one on the Bridge (for local GUI access), the service stayed active after a reboot.
Be warned that Suricata (or Snort) does not like bridged interfaces. The service may start, but actual performance there may be questionable. Officially from upstream, off-norm interfaces such as bridges, LAGGs, etc., are not supported by Suricata.