I can't start Suricata 7.0.0.2 on Pfsense + 23.09
-
Good morning, everyone.
Everything was working perfect until today I upgraded to version 23.09 and suricata 7.0.0.2 and now I can't start the Suricata interface.
I have increased the "Stream Memory Cap" up to x 16. It doesn't work.
What can I do?
Thank you.![alt text] -
I add some information.
I have a PPPOE wan with vlan 6 prior 1 in both, and LEGACY MODE. All was working perfect until update.. but i have 3 pfsenses + TAC LITE, in one of them suricate update has broken the interface but in pfsense + 23.05. I mean: Suricata 7.0.0.2 + Pfsense 23.05 = Broke.
Another with pfsense + 23.09 + Suricata 7.0.0.2 = Broke.
All are Proxmox MVs. -
Here is the pfsense + 23.05 with both interfaces stoped.
-
@wisepds said in I can't start Suricata 7.0.0.2 on Pfsense + 23.09:
All are Proxmox MVs.
Didn't have any issues with my VM except when I first upgraded to 23.09RC, I had to manually install Suricata. No issue upgrading to 23.09-release however, I am still training Suricata which isn't blocking yet.
-
@NollipfSense Good for you but for me in 2 different pfsense + suricata crash. 23.05 and 23.09
-
@wisepds said in I can't start Suricata 7.0.0.2 on Pfsense + 23.09:
@NollipfSense Good for you but for me in 2 different pfsense + suricata crash. 23.05 and 23.09
See is you can follow Bill's instruction here scroll to his last post: https://forum.netgate.com/topic/183878/after-upgrade-to-pf-23-09-surricata-says-it-s-starting-but/15
-
First suricata (23.05) fixed and working.
I have installed with erase configuration (Global settings--- uncheck "Settings will not be removed during package desinstallation"
All reinstalled from 0 and working. First start only with default.. after that, step by step adding my rules.
Let's go with 23.09.
-
2023-11-06 19:19:58.738971-05:00 kernel - pid 1309 (suricata), jid 0, uid 0: exited on signal 11 (core dumped)I’m seeing the same issue, except Suricata core dumps on start.
Starting in IDS mode works, but in legacy IPS mode core dumps. If I start the interface in IDS mode and then change the setting to legacy mode, it keeps running. Must be a bug of some kind.
-
@xpxp2002 said in I can't start Suricata 7.0.0.2 on Pfsense + 23.09:
If I start the interface in IDS mode and then change the setting to legacy mode, it keeps running.
Unless you stop and restart the daemon after changing the mode, it is not actually changing the running mode. That's because the
suricata.yamlfile is only read once during startup. Making a change to the blocking mode without restarting the interface simply saves the change in thesuricata.yamlfile, but that change is not processed by the running binary until you stop and restart it. -
@xpxp2002 @bmeeks Reviving this thread a bit, seeing the exact same thing.
pfSense 23.09, Suricata package 7.0.0_2, on metal (Protectli vault).
Nov 13 14:16:25 router SuricataStartup[9700]: Suricata START for HOME(60023_em1)... Nov 13 14:16:25 router kernel: pid 16911 (suricata), jid 0, uid 0: exited on signal 11 (core dumped) Nov 13 14:16:26 router SuricataStartup[29857]: Suricata START for HOME_GUEST(21621_em2)... Nov 13 14:16:26 router kernel: pid 30304 (suricata), jid 0, uid 0: exited on signal 11 (core dumped)[103038 - Suricata-Main] 2023-11-13 14:16:25 Notice: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode [103038 - Suricata-Main] 2023-11-13 14:16:25 Info: cpu: CPUs/cores online: 4 [103038 - Suricata-Main] 2023-11-13 14:16:25 Info: suricata: Setting engine mode to IDS mode by default [103038 - Suricata-Main] 2023-11-13 14:16:25 Info: app-layer-htp-mem: HTTP memcap: 67108864 [100268 - Suricata-Main] 2023-11-13 14:16:25 Info: alert-pf: Creating automatic firewall interface IP address Pass List. <redacted IP list addresses> [100268 - Suricata-Main] 2023-11-13 14:16:25 Info: logopenfile: alert-pf output device (regular) initialized: block.log [100268 - Suricata-Main] 2023-11-13 14:16:25 Info: alert-pf: Loading and parsing Pass List from: /usr/local/etc/suricata/suricata_60023_em1/passlist. [100268 - Suricata-Main] 2023-11-13 14:16:25 Info: alert-pf: Pass List /usr/local/etc/suricata/suricata_60023_em1/passlist processed: Total entries parsed: 24, IP addresses/netblocks/aliases added to No Block list: 21, IP addresses/netblocks ignored because they were covered by existing entries: 3. [100268 - Suricata-Main] 2023-11-13 14:16:25 Info: alert-pf: Created Firewall Interface IP Change monitor thread for auto-whitelisting of firewall interface IP addresses. [100268 - Suricata-Main] 2023-11-13 14:16:25 Info: alert-pf: pfSense Suricata Custom Blocking Module initialized: pf-table=snort2c block-ip=both kill-state=yes block-drops-only=yes passlist-debugging=no [100268 - Suricata-Main] 2023-11-13 14:16:25 Info: logopenfile: fast output device (regular) initialized: alerts.log [100268 - Suricata-Main] 2023-11-13 14:16:25 Info: logopenfile: http-log output device (regular) initialized: http.log [167381 - ] 2023-11-13 14:16:25 Info: alert-pf: Firewall Interface IP Address Change monitoring thread IM#01 has successfully started. [100268 - Suricata-Main] 2023-11-13 14:16:25 Info: logopenfile: tls-log output device (regular) initialized: tls.log [100268 - Suricata-Main] 2023-11-13 14:16:25 Info: log-tlsstore: storing certs in /var/log/suricata/suricata_em160023/certs [100268 - Suricata-Main] 2023-11-13 14:16:25 Warning: counters: stats are enabled but no loggers are active -
Fixed. Flipped interface modes to inline, and back to legacy, then things started normally.
-
@asdjklfjkdslfdsaklj said in I can't start Suricata 7.0.0.2 on Pfsense + 23.09:
Fixed. Flipped interface modes to inline, and back to legacy, then things started normally.
Yeah, not really sure what's going on there. A few users have reported a similar issue, and it was resolved by either removing and reinstalling the package or sometimes doing what you did.
I do not have a test pfSense Plus system, so I can't check out what's happening in detail.
Also, there is now (or it will show up soon) a new Suricata package out. The new version is 7.0.2, and it is based on the latest binary from Suricata upstream.
-
Hi guys,
I do have the same issue with Suricata service doesn't starting after upgrade its version from 6.x to 7.x on 23.05.1 and even upgrading to pfsense 23.09 the problem still.
I did Suricata package reinstallation, also uninstalled it and install from scratch but I had no progress on it. I can't use INLINE mode because my interface "opt1" didn't support NETMAP.
So, if somebody knows how to fix that kernel core dump behaviour as described about by other colleagues here, please give us a heads up.
My system is a bare-metal and powerfull hardware as below and it happened just after we upgraded the Suricata version using pfSense's package manager:
Intel(R) Xeon(R) CPU E5-2699 v4 @ 2.20GHz
44 CPUs : 2 package(s) x 22 core(s)
256GB of RAM memory
RAID10 storage using enterprise SSD drivesI do have 2 pfSense nodes and I hopefully did it on the second node (slave) first to test. IDS/IPS is the core of my operation and I can't go ahead without it working as before.
-
@fernoliv said in I can't start Suricata 7.0.0.2 on Pfsense + 23.09:
do have the same issue with Suricata service doesn't starting after upgrade its version from 6.x to 7.x on 23.05.1 and even upgrading to pfsense 23.09 the problem still.
Go read the very long thread here: https://forum.netgate.com/topic/184112/important-snort-and-suricata-package-announcement-probable-bug-in-legacy-blocking-module.
This should be fixed in the near future.
-
Thanks @bmeeks but in my case, even with the "kill states" option unticked/unchecked Suricata still not starting and still running.
The kernel process is return on the System Logs the message below:
(suricata), jid 0, uid 0: exited on signal 6 (core dumped)
I'm going to wait for the fix be turned available via pfSense repositores (patches or a new 23.09.1 release) to overcome that issue.
-
@fernoliv said in I can't start Suricata 7.0.0.2 on Pfsense + 23.09:
Thanks @bmeeks but in my case, even with the "kill states" option unticked/unchecked Suricata still not starting and still running.
The kernel process is return on the System Logs the message below:
(suricata), jid 0, uid 0: exited on signal 6 (core dumped)
I'm going to wait for the fix be turned available via pfSense repositores (patches or a new 23.09.1 release) to overcome that issue.
Signal 6 is an entirely different error. That means Suricata is missing some critical dependency or something vital is not initializing.
What kind of hardware do you have? Is it Intel AMD64 or ARM based?
Remove the packge, reboot the firewall, then try installing the package again.
