Suricata fails to start



  • I have installed Suricata on my pfSense system. The pfSense system is version 2.2.3-RELEASE-pfSense (amd64) and the Suricata version is 2.0.8.

    When I try to enable a Suricata interface on my pfSense system, it tries to execute suricata, but fails to do so. I have tried to start it manually with this command, which seems to be what is executed by the PHP server:

    /usr/local/bin/suricata -i re1 -D -c /usr/pbi/suricata-amd64/local/etc/suricata/suricata_19353_re1/suricata.yaml --pidfile /var/run/suricata_re119353.pid

    However, I get an error telling me that it doesn't know the key on line 377 of my YAML configuration. For some reason, the system generates a file in which the libhtp section looks like this:

    libhtp:
      default-config:
                personality: IDS
        request-body-limit: 4096
        response-body-limit: 4096
        double-decode-path: no
        double-decode-query: no
        uri-include-all: no

    The personality line is indented too much. If I manually bring the indentation of the personality line the same as other keys in this section, I can start suricata on the command line. However, if I reboot my system, the configuration file (/usr/pbi/suricata-amd64/local/etc/suricata/suricata_19353_re1/suricata.yaml) reverts to previous format (with bad indentation) and suricata service won't be able to start.

    Is there a way to fix this permanently? Should I report a bug?

    Martin



  • That would be a bug.  Give me a bit to identify the precise spot in the code.  Hopefully it will be in a spot that is easily fixed by users as a workaround until I can get an update approved and pushed.

    You can start/stop Suricata from the command line using the auto-generated shell script here:  /usr/local/etc/rc.d/suricata.sh

    /usr/local/etc/rc.d/suricata.sh start to start it, and /usr/local/etc/rc.d/suricata.sh stop to stop it.

    Unfortunately, when you start/stop Suricata from the GUI it will auto-recreate the suricata.yaml file and overwrite your manual edit.

    Bill



  • You need to run this on the CLI to create 'snort2c' in 'Tables'.

    pfctl -t snort2c -T add 1.1.1.1

    Note that you have to re-run every time you reboot pfsense.



  • @gdsnytech:

    You need to run this on the CLI to create 'snort2c' in 'Tables'.

    pfctl -t snort2c -T add 1.1.1.1

    Note that you have to re-run every time you reboot pfsense.

    This should never be necessary.  pfSense itself is supposed to automatically create that table upon boot.  If your system does not, then something is wrong with your installation.  Try the trick from this thread and see if it will fix your problem – https://forum.pfsense.org/index.php?topic=82268.msg450204#msg450204

    Bill



  • Sorry for the delay for the followup, I was on vacation this past week and just realized that this thread was still unresolved. In response to Bill's first reply, I have tried to run:

    /usr/local/etc/rc.d/suricata.sh start

    but nothing is happening.

    However, I can be more precise in my error reporting. If I run the following command:

    /usr/pbi/suricata-amd64/bin/suricata -i re1 -D -c /usr/pbi/suricata-amd64/etc/suricata/suricata_19353_re1/suricata.yaml --pidfile /var/run/suricata_re119353.pid

    I get the following error on the console:

    6/8/2015 -- 20:34:31 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(240)] - Failed to parse configuration file at line 377: did not find expected key

    Here is the content of my YAML file around line 377 (I have prefixed each line with the line number followed by a colon and a space):

    373: ###########################################################################
    374: # Configure libhtp.
    375: libhtp:
    376:    default-config:
    377:          personality: IDS
    378:      request-body-limit: 4096
    379:      response-body-limit: 4096
    380:      double-decode-path: no
    381:      double-decode-query: no
    382:      uri-include-all: no

    My system rebooted July 31st, but suricata failed to restart on reboot.

    Martin



  • @martind1111:

    Sorry for the delay for the followup, I was on vacation this past week and just realized that this thread was still unresolved. In response to Bill's first reply, I have tried to run:

    /usr/local/etc/rc.d/suricata.sh start

    but nothing is happening.

    However, I can be more precise in my error reporting. If I run the following command:

    /usr/pbi/suricata-amd64/bin/suricata -i re1 -D -c /usr/pbi/suricata-amd64/etc/suricata/suricata_19353_re1/suricata.yaml --pidfile /var/run/suricata_re119353.pid

    I get the following error on the console:

    6/8/2015 -- 20:34:31 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(240)] - Failed to parse configuration file at line 377: did not find expected key

    Here is the content of my YAML file around line 377 (I have prefixed each line with the line number followed by a colon and a space):

    373: ###########################################################################
    374: # Configure libhtp.
    375: libhtp:
    376:    default-config:
    377:          personality: IDS
    378:      request-body-limit: 4096
    379:      response-body-limit: 4096
    380:      double-decode-path: no
    381:      double-decode-query: no
    382:      uri-include-all: no

    My system rebooted July 31st, but suricata failed to restart on reboot.

    Martin

    This is a bug in the file /usr/local/pkg/suricata/suricata_yaml_template.inc.  I'll fix it in the next Suricata update.

    Try this edit to the file.  Open it using Diagnostics > Edit File from the pfSense menu.  Scroll down to the bottom of the file and locate this section of code:

    
    ###########################################################################
    # Configure libhtp.
    libhtp:
       default-config:
         {$http_hosts_default_policy}
    
       {$http_hosts_policy}
    
    

    Remove the leading spaces from the line containing "{$http_hosts_default_policy}" and save the change.  It should look like this after editing:

    
    ###########################################################################
    # Configure libhtp.
    libhtp:
       default-config:
    {$http_hosts_default_policy}
    
       {$http_hosts_policy}
    
    

    Try starting Suricata from the GUI using the icons on the SURICATA INTERFACES tab.

    Bill
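
The YAML failure Bill traces to the template, and the reason his one-line edit cures it, can be checked without PyYAML. The Python below is an added example, not code from this thread or from the pfSense Suricata package. It models only the block-mapping indentation rule libyaml applies here: the first key under "default-config:" fixes that mapping's column, so an over-indented "personality:" opens a mapping of its own, and the next line, indented less than that but more than "default-config:", continues no open mapping and matches none after the deeper one closes. The checker names that sibling line (request-body-limit) together with the line that opened the stray mapping; Suricata's message names 377 because, as far as I can tell, it prints libyaml's zero-based problem mark, which in Martin's numbering is line 378, the same sibling line. The second half simulates the template substitution; the placeholder text and policy string there are assumptions, since only the lines Bill quoted from /usr/local/pkg/suricata/suricata_yaml_template.inc are on this page, and the mechanism is the point: whitespace written before a multi-line placeholder is prepended to the first substituted line alone.

```python
"""Spot and repair the indentation fault from the thread in a generated
suricata.yaml. Added example, not code from the pfSense Suricata package.
Needs no PyYAML: it models only the block-mapping indentation rule that
libyaml reports as "did not find expected key"."""

# Constructed sample: the generated libhtp section as shown in the thread,
# with the 'NNN: ' line-number prefixes removed.
BAD_YAML = """\
##########################################################################
# Configure libhtp.
libhtp:
   default-config:
         personality: IDS
     request-body-limit: 4096
     response-body-limit: 4096
     double-decode-path: no
     double-decode-query: no
     uri-include-all: no
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _is_key_line(line):
    # Every non-blank, non-comment, non-sequence line is treated as a key.
    s = line.strip()
    return bool(s) and not s.startswith("#") and not s.startswith("- ")


def find_indent_error(text):
    """Return (bad_line, opener_line, message), 1-based like an editor, for
    the first line whose indentation matches no open mapping, or None when
    the block is consistent."""
    stack = []  # (indent, line_no) of each currently open mapping
    for n, line in enumerate(text.splitlines(), 1):
        if not _is_key_line(line):
            continue
        ind = _indent(line)
        if not stack or ind > stack[-1][0]:
            stack.append((ind, n))  # first key of a new, deeper mapping
            continue
        closed = None
        while stack and ind < stack[-1][0]:
            closed = stack.pop()  # a dedent closes the deeper mapping(s)
        if stack and ind == stack[-1][0]:
            continue  # a sibling key at the mapping's own column
        opener = closed[1] if closed else n
        return (n, opener,
                f"line {n}: indent {ind} matches no open mapping "
                f"(stray mapping opened at line {opener}); libyaml reports "
                f"this as 'did not find expected key'")
    return None


def fix_first_child_indent(text):
    """Move an over-indented first key to its next sibling's column, the
    exact shape of the template bug; repeats until the text checks clean."""
    lines = text.splitlines()
    for _ in range(len(lines) + 1):
        err = find_indent_error("\n".join(lines))
        if err is None:
            return "\n".join(lines) + "\n"
        bad, opener, _msg = err
        target = _indent(lines[bad - 1])
        lines[opener - 1] = " " * target + lines[opener - 1].lstrip(" ")
    raise ValueError("indentation could not be repaired by re-aligning keys")


# Assumed stand-ins for the PHP template's placeholder and the policy text
# it substitutes (the real strings are not on the page). Leading spaces
# before the placeholder land on the first substituted line only.
POLICY = "\n".join([
    "     personality: IDS",
    "     request-body-limit: 4096",
    "     response-body-limit: 4096",
])
TEMPLATE_BUGGY = "libhtp:\n   default-config:\n     {$http_hosts_default_policy}\n"
TEMPLATE_FIXED = "libhtp:\n   default-config:\n{$http_hosts_default_policy}\n"


def render(template, policy=POLICY):
    return template.replace("{$http_hosts_default_policy}", policy)


if __name__ == "__main__":
    print(find_indent_error(BAD_YAML)[2])
    print(fix_first_child_indent(BAD_YAML))
    print("buggy template:", find_indent_error(render(TEMPLATE_BUGGY)))
    print("fixed template:", find_indent_error(render(TEMPLATE_FIXED)))
```

On the firewall, feeding the generated suricata.yaml to find_indent_error names the offending line before Suricata is restarted, and fix_first_child_indent repairs that file for a manual command-line start. Because the GUI regenerates the file on every start, the edit that lasts is the one to the template (or the package reinstall reported later in the thread); the checker is only the test that tells you whether the template now renders a consistent block.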



  • I am having this issue now on a new install on a different box. Running the command to add snort2c doesn't help either.



  • Bill,

    The last fix that you posted on this thread works for me. I have restarted suricata through the interface menu and the system recreates the file with the proper formatting now. Thanks a lot.

    Martin



  • @martind1111:

    Bill,

    The last fix that you posted on this thread works for me. I have restarted suricata through the interface menu and the system recreates the file with the proper formatting now. Thanks a lot.

    Martin

    Thanks for the feedback.  I will fix this in the next Suricata update.

    Bill



  • Had the same issue and tried to edit the file. The fix did not work; however, just a simple package reinstall did the trick. Great work on the package!!!



  • Has there been a regression? Package version 3.2.1_3.

    I have run into the same problem, made a quick fix to my installation by editing /usr/local/pkg/suricata/suricata_generate_yaml.php and removing the whitespace before personality: IDS.



  • @cjking:

    Has there been a regression? Package version 3.2.1_3.

    I have run into the same problem, made a quick fix to my installation by editing /usr/local/pkg/suricata/suricata_generate_yaml.php and removing the whitespace before personality: IDS.

    I don't see a regression in the current release.  I also tested in this in the upcoming 4.0.0 package update and it appears OK there as well.

    Bill



  • I fixed it by doing both of these suggested fixes :

    1. "Remove the leading spaces from the line containing "{$http_hosts_default_policy}" and save the change. "
    2. "I have run into the same problem, made a quick fix to my installation by editing /usr/local/pkg/suricata/suricata_generate_yaml.php and removing the whitespace before personality: IDS."

    After that I reinstalled the package and it works.

    Great job!

