Suricata unable to initialize
-
Found that Suricata wasn't running this morning. I tried to start it and it failed with the contents of suricata.log below:
30/1/2023 -- 11:34:41 - <Notice> - This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
30/1/2023 -- 11:34:41 - <Info> - CPUs/cores online: 4
30/1/2023 -- 11:34:41 - <Info> - fast output device (regular) initialized: fast.log
30/1/2023 -- 11:34:41 - <Info> - eve-log output device (regular) initialized: eve.json
30/1/2023 -- 11:34:41 - <Info> - stats output device (regular) initialized: stats.log
30/1/2023 -- 11:34:41 - <Info> - Running in live mode, activating unix socket
30/1/2023 -- 11:34:41 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
30/1/2023 -- 11:34:41 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
30/1/2023 -- 11:34:41 - <Info> - Threshold config parsed: 0 rule(s) found
30/1/2023 -- 11:34:41 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
30/1/2023 -- 11:34:41 - <Error> - [ERRCODE: SC_ERR_IPFW_SOCK(81)] - Can't create divert socket: Protocol not supported
30/1/2023 -- 11:34:41 - <Info> - Running in live mode, activating unix socket
30/1/2023 -- 11:34:41 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
30/1/2023 -- 11:34:41 - <Info> - Created socket directory /var/run/suricata/
30/1/2023 -- 11:34:41 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX-8000" failed to initialize: flags 0145
30/1/2023 -- 11:34:41 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...
This error persists even after totally removing the Suricata package and its config, clearing out the stale PIDs in /var/run, and restarting the firewall. Only using 3% of my drive so it's not out of space. I've run out of ideas on this one.
This is on pfSense 2.6.0 CE, Suricata 6.0.4_1.
-
You do not have the correct Suricata package installed for pfSense. Where did you install Suricata from?
The dead giveaway is this line:
30/1/2023 -- 11:34:41 - <Error> - [ERRCODE: SC_ERR_IPFW_SOCK(81)] - Can't create divert socket: Protocol not supported
The use of ipfw is not configured anywhere in the standard Suricata package for pfSense. In fact, that configure option is explicitly disabled in the Makefile for the binary in the pfSense edition of FreeBSD-ports.
You have an invalid Suricata binary installed on the firewall. Don't know how or from where, but I can tell you it is invalid for pfSense because of that ipfw error.
You need to completely strip all things Suricata off that box and start over using solely the Package Manager GUI inside pfSense.
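As an added example (not part of the thread, and not pfSense or Suricata project code), a small POSIX sh triage helper for a startup failure like the one posted above. It pulls the ERRCODE names out of the <Error> lines of suricata.log, treats the first one as the root cause (the SC_ERR_THREAD_INIT and SC_ERR_FATAL that follow are consequences), and parses `suricata --build-info` for the "IPFW support" line to tell whether the installed binary was compiled with IPFW divert at all. The log and build-info text are constructed samples embedded inline so it runs offline; the log path in the usage comment is an assumed pfSense layout.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for a Suricata startup
# failure like the one above. They work on text passed in, so the constructed
# samples below let the script run offline; live usage is shown at the bottom.

# Constructed sample: the <Warning>/<Error> lines from the posted suricata.log.
SAMPLE_LOG=$(cat <<'EOF'
30/1/2023 -- 11:34:41 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
30/1/2023 -- 11:34:41 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
30/1/2023 -- 11:34:41 - <Error> - [ERRCODE: SC_ERR_IPFW_SOCK(81)] - Can't create divert socket: Protocol not supported
30/1/2023 -- 11:34:41 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX-8000" failed to initialize: flags 0145
30/1/2023 -- 11:34:41 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...
EOF
)

# Constructed, abbreviated sample of `suricata --build-info` output; only the
# "IPFW support" line is used.
SAMPLE_BUILD_INFO=$(cat <<'EOF'
This is Suricata version 6.0.4 RELEASE
Features: PCAP_SET_BUFF NETMAP HAVE_PACKET_FANOUT
  IPFW support:                            no
  Netmap support:                          yes
EOF
)

# error_codes LOGTEXT: print the ERRCODE name of every <Error> line, in order.
# <Warning> lines such as SC_ERR_NO_RULES are skipped on purpose: they did not
# stop the engine in this log.
error_codes() {
    printf '%s\n' "$1" |
        sed -n 's/.*<Error> - \[ERRCODE: \([A-Z0-9_]*\)(.*/\1/p'
}

# first_error LOGTEXT: the first <Error> is the root cause; SC_ERR_THREAD_INIT
# and SC_ERR_FATAL that follow it are consequences.
first_error() {
    error_codes "$1" | head -n 1
}

# ipfw_support: read `suricata --build-info` output on stdin and print "yes"
# or "no" depending on whether the binary was compiled with IPFW divert support.
ipfw_support() {
    sed -n 's/^ *IPFW support: *\([a-z]*\).*/\1/p'
}

# diagnose LOGTEXT BUILDINFO: one-line verdict for the root-cause error.
diagnose() {
    code=$(first_error "$1")
    case "$code" in
        SC_ERR_IPFW_SOCK)
            if [ "$(printf '%s\n' "$2" | ipfw_support)" = "yes" ]; then
                echo "$code: installed binary has IPFW divert compiled in; the stock pfSense package build disables it, so check where the binary came from (pkg info suricata)"
            else
                echo "$code: installed binary reports no IPFW support, so divert mode was requested by configuration (per-interface suricata.yaml / start command) or the binary changed since this log was written; recheck after a clean reinstall"
            fi ;;
        "") echo "no <Error> lines found: the startup failure is not in this log" ;;
        *)  echo "$code: first fatal error, start the investigation here" ;;
    esac
}

# Stand-alone run on the constructed samples. Live use on a pfSense box
# (log directory layout assumed):
#   diagnose "$(cat /var/log/suricata/*/suricata.log)" "$(/usr/local/bin/suricata --build-info)"
diagnose "$SAMPLE_LOG" "$SAMPLE_BUILD_INFO"
```

The build-info check is the part worth keeping around: it answers "is this the package's binary?" directly instead of inferring it from a log line, which matters once the log has rotated or the package has been reinstalled.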
-
That's wild... because I only ever installed it via the WebUI! I have ripped it out again and rebooted the router again and installed it (from the WebUI) again... and now it starts up. False alarm. I guess I have a different problem on my hands.
-
@troutpocket said in Suricata unable to initialize:
That's wild... because I only ever installed it via the WebUI! I have ripped it out again and rebooted the router again and installed it (from the WebUI) again... and now it starts up. False alarm. I guess I have a different problem on my hands.
Yeah, that ipfw error is definitely not from a standard package installation. Or else someone manually edited the suricata.yaml file for the interface and uncommented that IPS divert option (or copied over one not from a normal pfSense installation that had that option enabled).