[SOLVED] Intrusion Detection (suricata) keeps exiting

[franco]

Odd. What's the output of:

# uname -a


Cheers,
Franco

[pbolduc]

It Reads:

FreeBSD OPNSense.localdomain 11.0-RELEASE-p7 FreeBSD 11.0-RELEASE-p7 #0 ca29eed2d(Stable/17.1): Mon Feb 20 15:24:20 CET 2017 root@sensey32:/usr/obj/usr/src/sys/SMP i386

[franco]

Ok, so far so good.

Can you post output of the following command before an after reinstalling the kernel?

# ls -lah /dev/netmap

The kernel reinstalls with:

# opnsense-update -fk
# /usr/local/etc/rc.reboot

And then try again. So far it looks like Suricata can't start because you set IPS mode but the kernel module for IPS is gone which is rather odd.

Also, what network cards / drivers are you using?


Cheers,
Franco

[pbolduc]

I am unable to proceed as the device is in use at the moment. I will try and perform these steps at the end of day. Thank you for your time. The network drivers would be the Intel E1000.

When I run before the reboot:  "ls -lah /dev/netmap" it returns  "ls: /dev/netmap: No such file or directory"

I was able to get Suricata to start by disabling IPS.

[franco]

Ok, netmap was missing from i386 since 17.1, which affected IPS mode only. FreeBSD added netmap to their 11.0 config, but only for amd64, not i386. Sorry about this.

The kernel is fixed and syncing to the mirrors. Just reapply 17.1.2:

# opnsense-update -fk
# /usr/local/etc/rc.reboot

And it should be all good when the /dev/netmap device is back.


Cheers,
Franco

[pbolduc]

Yep, that fixed it after reapplying 17.1.2. Thanks very much!

[franco]

Ok, change will become permanent in 17.1.3.


Cheers,
Franco