OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Rout3rx on December 15, 2017, 06:30:34 am

Title: suricata failed to run
Post by: Rout3rx on December 15, 2017, 06:30:34 am
Hello,
I have a problem with Suricata: it goes dead after some days and every time I have to remove the pid from /var/run.
How can I fix this problem?

Starting suricata.
15/12/2017 -- 08:57:19 - <Info> - Including configuration file installed_rules.yaml.
/usr/local/etc/rc.d/suricata: WARNING: failed to start suricata

part of log file:

15/12/2017 -- 08:56:35 - <Notice> - This is Suricata version 4.0.1 RELEASE
15/12/2017 -- 08:56:35 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata.pid. Aborting!
15/12/2017 -- 08:57:19 - <Notice> - This is Suricata version 4.0.1 RELEASE
15/12/2017 -- 08:57:19 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata.pid. Aborting!
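A defender-side check for the stale pid file situation described in this post, written as an added example (not OPNsense or Suricata code): it removes /var/run/suricata.pid only when no live process owns the recorded pid, so a running Suricata is never orphaned by a blind rm. It assumes a ps that supports `ps -o comm= -p PID` (procps or FreeBSD ps); the pid file path and the expected process name are parameters.

```shell
#!/bin/sh
# Classify a Suricata pid file before touching it. Added example, not OPNsense or
# Suricata code. Assumes "ps -o comm= -p PID" works (procps on Linux, FreeBSD ps).
# Prints one of: missing, garbage, stale, reused, live.

pidfile_state() {
    pidfile="$1"
    expected="${2:-suricata}"          # process name the pid is supposed to belong to

    [ -r "$pidfile" ] || { echo "missing"; return 0; }

    pid=$(tr -d '[:space:]' < "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) echo "garbage"; return 0 ;;   # not a number: cannot be trusted
    esac

    # ps prints nothing when no process with that pid exists (no signal is sent,
    # and unlike kill -0 this does not misreport a process owned by another user).
    comm=$(ps -o comm= -p "$pid" 2>/dev/null || true)
    [ -n "$comm" ] || { echo "stale"; return 0; }

    # The pid is alive, but after a crash or reboot it may belong to another program.
    case "$comm" in
        *"$expected"*) echo "live" ;;
        *)             echo "reused" ;;
    esac
    return 0
}

# Remove the pid file only when no process can own it; never while Suricata is running.
clear_stale_pidfile() {
    state=$(pidfile_state "$1" "$2")
    case "$state" in
        stale|garbage) rm -f "$1"; echo "removed ($state)" ;;
        *)             echo "kept ($state)" ;;
    esac
}

# Usage on the host from this post:  clear_stale_pidfile /var/run/suricata.pid
```

Run it before restarting the service: a result of "kept (live)" means the error in the log is not a stale file at all but a second instance fighting a running one, which is a different problem.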
Title: Re: suricata failed to run
Post by: franco on December 15, 2017, 06:32:14 am
Hi Rout3rx,

We fixed this in FreeBSD recently. This should no longer happen on OPNsense 17.7.10 with Suricata 4.0.3.


Cheers,
Franco
Title: Re: suricata failed to run
Post by: Rout3rx on December 15, 2017, 06:43:59 am
Thanks Franco.
I think there is another problem as well. Snort rules did not work with Suricata: I set the oinkcode and enabled the rules, but not even one rule matched.
Thanks
Title: Re: suricata failed to run
Post by: franco on December 15, 2017, 07:00:47 am
There are a couple of things:

1. Some snort rules crash Suricata due to incompatibilities. You need to tweak the list.
2. It depends on which interfaces you listen to. Default is LAN, some also use WAN in tandem or exclusively.
3. (2) also depends on how your network addresses are set up for LAN and WAN; you may need to tweak HOME_NET via the advanced configuration.
4. Test Suricata functionality with the EICAR rule.
5. IPS mode does not work on PPPoE at this point due to a technical limitation.

A few very knowledgeable threads exist for these topics. We hope to improve the documentation in 2018 to consolidate and refine this knowledge into an extensive how-to or FAQ.


Cheers,
Franco
Title: Re: suricata failed to run
Post by: nuna on August 12, 2019, 10:47:26 am
Hi there, please help...
I installed Suricata version 4.1.4 and it says stale... and it appears /var/run/suricata.pid is running and... Aborting.
Here is a sample:
13/8/2019 -- 02:33:18 - <Notice> - This is Suricata version 4.1.4 RELEASE
13/8/2019 -- 02:33:18 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata.pid. Aborting!