OPNsense 17.7.1_2-amd64, Suricata broken

[Free_Norway]

Hi all

First I want to thank the OPNsense Team for the excellent work they are doing, this is an amazing product.

I have a problem with suricata.
After some small changes in the configuration(don't really remember what I changed), suricata doesn't want to start.
I have tried disabling it and reboot, changing the settings back and forth, reinstall suricata....
but nothing helps.
When I try to start it from the GUI, the following lines appear in the log:
Sep 9 11:08:08 configd.py: [f7917fa0-b5e3-4953-8317-1094d29ece73] returned exit status 1
Sep 9 11:08:08 root: /usr/local/etc/rc.d/suricata: WARNING: failed to start suricata
Sep 9 11:08:08 configd.py: [f7917fa0-b5e3-4953-8317-1094d29ece73] start suricata daemon

Since I'm no expert, I really don't know what it means.

Help please!

[fabian]

This tells nothing useful. Can you try to run surricata from command line? Maybe it shows an error message.

[Free_Norway]

Hi Fabian

Thanks for the reply.

I'am not shure this is the right command, but it produced the same output

#service suricata restart
suricata not running? (check /var/run/suricata.pid).
Starting suricata.
9/9/2017 -- 12:13:31 - <Info> - Including configuration file installed_rules.yaml.
/usr/local/etc/rc.d/suricata: WARNING: failed to start suricata

Are there other commands I can try?

Regards
Seb

[franco]

In the IDS GUI the button "download & update rules" should fix this.

It's trying to load rules that are not installed.


Cheers,
Franco

[Free_Norway]

Tried, but its still the same.

Is it possible to reset/delete things in the suricata folder to trigger the creation of new files?

[franco]

Does this also happen when you uncheck all rulesets and apply?

[Free_Norway]

Still the same result.

All i have tried doesnt help.

[Free_Norway]

Since it's an VM, i did an new install to fix the problem.
I did encounter the same problem once more after an unclean shutdown.

Maybe that was the problem

[jromang]

I have exaclty the same problem, what shoud I do to solve it without reinstalling ?

[jromang]

Sep 13 20:04:58   configd.py: [bb017f81-26c1-45ae-8da5-5808c6bbb58b] returned exit status 1
Sep 13 20:04:58   root: /usr/local/etc/rc.d/suricata: WARNING: failed to start suricata
Sep 13 20:04:58   configd.py: [bb017f81-26c1-45ae-8da5-5808c6bbb58b] start suricata daemon
Sep 13 20:04:57   configd.py: [445854f1-64f9-4d4a-8b6d-cdec3b8d848f] request pfctl byte/packet counters
Sep 13 20:04:43   configd.py: [cf60e5e4-afcf-4ba0-b5dd-88b8d0f1b298] request installable rules
Sep 13 20:04:43   configd.py: [cabead5f-9c8e-494f-ad01-b6b0e14e56bd] request installable rules
Sep 13 20:04:41   configd.py: [374cd2e9-4508-4e01-87fb-5315de5f0683] get suricata daemon status

[Stephan]

I had the problem after an unclean shutdown - the pid file didn't get deleted / or still was there and suricata refused to start .
After deleting the file  /var/run/suricata.pid it worked again

[jromang]

Thanks, after removing the file it works again 

[Stephan]

glad to here it worked 

[franco]

Incidentally, 17.7.2 now clears all of /var/run on boot so this should never happen again. Sorry for the hiccup!


Cheers,
Franco