Netgate Discussion Forum

    Suricata unable to initialize

    IDS/IPS
    Troutpocket

      Found that Suricata wasn't running this morning. I tried to start it and it failed with the contents of suricata.log below:

      30/1/2023 -- 11:34:41 - <Notice> - This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
      30/1/2023 -- 11:34:41 - <Info> - CPUs/cores online: 4
      30/1/2023 -- 11:34:41 - <Info> - fast output device (regular) initialized: fast.log
      30/1/2023 -- 11:34:41 - <Info> - eve-log output device (regular) initialized: eve.json
      30/1/2023 -- 11:34:41 - <Info> - stats output device (regular) initialized: stats.log
      30/1/2023 -- 11:34:41 - <Info> - Running in live mode, activating unix socket
      30/1/2023 -- 11:34:41 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
      30/1/2023 -- 11:34:41 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
      30/1/2023 -- 11:34:41 - <Info> - Threshold config parsed: 0 rule(s) found
      30/1/2023 -- 11:34:41 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
      30/1/2023 -- 11:34:41 - <Error> - [ERRCODE: SC_ERR_IPFW_SOCK(81)] - Can't create divert socket: Protocol not supported
      30/1/2023 -- 11:34:41 - <Info> - Running in live mode, activating unix socket
      30/1/2023 -- 11:34:41 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
      30/1/2023 -- 11:34:41 - <Info> - Created socket directory /var/run/suricata/
      30/1/2023 -- 11:34:41 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX-8000" failed to initialize: flags 0145
      30/1/2023 -- 11:34:41 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...
      

      This error persists even after totally removing the Suricata package and its config, clearing out the stale PIDs in /var/run, and restarting the firewall. I'm only using 3% of my drive, so it's not out of space. I've run out of ideas on this one.

      This is on pfSense 2.6.0 CE, Suricata 6.0.4_1.

      bmeeks

        You do not have the correct Suricata package installed for pfSense. Where did you install Suricata from?

        The dead giveaway is this line:

        30/1/2023 -- 11:34:41 - <Error> - [ERRCODE: SC_ERR_IPFW_SOCK(81)] - Can't create divert socket: Protocol not supported
        

        The use of ipfw is not configured anywhere in the standard Suricata package for pfSense. In fact, that configure option is explicitly disabled in the Makefile for the binary in the pfSense edition of FreeBSD-ports.

        You have an invalid Suricata binary installed on the firewall. Don't know how or from where, but I can tell you it is invalid for pfSense because of that ipfw error.

        You need to completely strip all things Suricata off that box and start over using solely the Package Manager GUI inside pfSense.

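An added check for the diagnosis in the post above; this is not code from the thread, from Netgate or from the Suricata project. It is a POSIX shell script that pulls the ERRCODE names out of a suricata.log, treats SC_ERR_IPFW_SOCK as the sign that the binary or its configuration is trying to run Suricata in ipfw divert mode (something the pfSense package never does), and scans the output of `suricata --build-info` for the IPFW feature flag. The function names, the sample log excerpt (assembled from the lines quoted in the first post) and the sample build-info Features line are my own constructions; the log path in the comments is an assumption, since the thread only names suricata.log.

```shell
#!/bin/sh
# Added example for this thread; not code from the original post, from the
# pfSense Suricata package or from Suricata itself. It turns the diagnosis
# "that ipfw error means a non-pfSense binary or config" into a check.
# Function names are my own. The sample log and the sample build-info line
# below are constructed, not captured output.

# Constructed excerpt, reusing the ERRCODE lines quoted in the thread.
SAMPLE_LOG=$(cat <<'EOF'
30/1/2023 -- 11:34:41 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
30/1/2023 -- 11:34:41 - <Error> - [ERRCODE: SC_ERR_IPFW_SOCK(81)] - Can't create divert socket: Protocol not supported
30/1/2023 -- 11:34:41 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX-8000" failed to initialize: flags 0145
30/1/2023 -- 11:34:41 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...
EOF
)

# Constructed `suricata --build-info` Features line for a binary compiled
# with ipfw support. A stock pfSense build lists NETMAP but not IPFW.
SAMPLE_BUILD_INFO='Features: PCAP_SET_BUFF IPFW NETMAP LIBCAP_NG LIBNET1.1 PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST'

# Print the distinct ERRCODE names found in the log read from stdin, sorted.
errcodes_in_log() {
    LC_ALL=C sed -n 's/.*\[ERRCODE: \([A-Z_]*\)(.*/\1/p' | LC_ALL=C sort -u
}

# Succeed if the log on stdin carries the ipfw divert-socket error.
log_shows_ipfw_mode() {
    grep -q 'SC_ERR_IPFW_SOCK'
}

# Succeed if the build-info text on stdin lists IPFW among the features.
build_has_ipfw() {
    grep -Eq '^Features:.*(^| )IPFW( |$)'
}

# Verdict for a log passed as a string: prints one word and returns 0 only
# for the "wrong binary or config" case, so callers can branch on it.
triage_log() {
    log="$1"
    if printf '%s\n' "$log" | log_shows_ipfw_mode; then
        echo 'ipfw-mode'   # binary/config not from the pfSense package
        return 0
    elif printf '%s\n' "$log" | grep -q 'SC_ERR_NO_RULES'; then
        echo 'no-rules'    # rules missing; the engine itself is fine
        return 1
    else
        echo 'other'
        return 1
    fi
}

# On the firewall you would feed real data instead (path is assumed):
#   triage_log "$(cat /var/log/suricata/suricata_<iface>/suricata.log)"
#   suricata --build-info | build_has_ipfw && echo 'binary has IPFW support'
#   pkg which /usr/local/bin/suricata    # which package owns the binary
#   pkg info -o suricata                 # origin port of that package
printf '%s\n' "$SAMPLE_LOG" | errcodes_in_log
triage_log "$SAMPLE_LOG"
printf '%s\n' "$SAMPLE_BUILD_INFO" | build_has_ipfw && echo 'build-info lists IPFW'
```

Run as-is it reports the sample verdict `ipfw-mode`; on a pfSense box, pipe the real suricata.log and the real `suricata --build-info` output into the same functions. The two `pkg` commands in the comments are the quickest way to confirm the binary actually belongs to the Suricata package from the pfSense repository rather than to something installed by hand.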
          Troutpocket @bmeeks

          @bmeeks

          That's wild... because I only ever installed it via the WebUI! I have ripped it out again and rebooted the router again and installed it (from the WebUI) again... and now it starts up. False alarm. I guess I have a different problem on my hands.

            bmeeks @Troutpocket

            @troutpocket said in Suricata unable to initialize:

            @bmeeks

            That's wild... because I only ever installed it via the WebUI! I have ripped it out again and rebooted the router again and installed it (from the WebUI) again... and now it starts up. False alarm. I guess I have a different problem on my hands.

            Yeah, that ipfw error is definitely not from a standard package installation. Or else someone manually edited the suricata.yaml file for the interface and uncommented that IPS divert option (or copied over one not from a normal pfSense installation that had that option enabled).

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.