Suricata problems

I set up my Suricata watching one of Tom's videos back when I was setting up pfSense. It was working, then one day I got the little red gear notifying me it was running. I uninstalled and then reinstalled, and that would make it work for about 20 seconds and then it stopped. This is what I get when I look at the logs:

6/8/2020 – 14:56:34 - – This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
6/8/2020 – 14:56:34 - – CPUs/cores online: 8
6/8/2020 – 14:56:34 - – HTTP memcap: 67108864
6/8/2020 – 14:56:34 - – using flow hash instead of active packets
6/8/2020 – 14:56:34 - – [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file ‘/var/run/suricata_em119880.pid’ exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em119880.pid. Aborting

I went into the command prompt and did an rm command on that .pid file, and it deletes it, but when I go to start up Suricata I get the same error with a different .pid to delete. I deleted 4 different .pids, all with different names, and decided this was going to be endless. Anyone know what could be the problem?

I saw another post saying a clean install of pfSense is the only fix. Is this still the case?

I have not used Suricata on pfSense, but this is what I would do:

  1. Stop the suricata process if running
  2. Go to the suricata settings and disable it
  3. Reboot the router
  4. From the command prompt, check the contents of /var/run
  5. Delete any .pid files in /var/run that are for suricata
  6. Enable suricata and try to start it
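A small shell helper for step 5, added here as an example and not code from anyone in this thread: it lists the suricata_*.pid files under /var/run whose recorded pid is no longer alive, so only genuinely stale files are removed (the file-name pattern and the /var/run path are taken from the log lines above; run it as root so kill -0 can see every process).

```shell
#!/bin/sh
# Hypothetical helper (not part of pfSense or Suricata): report stale
# Suricata pid files instead of deleting every suricata_*.pid blindly.
# Usage: stale_suricata_pidfiles [/var/run]

stale_suricata_pidfiles() {
    dir="${1:-/var/run}"
    for f in "$dir"/suricata_*.pid; do
        [ -e "$f" ] || continue              # glob matched nothing
        pid=$(tr -d '[:space:]' < "$f")      # file should hold one integer
        case "$pid" in
            ''|*[!0-9]*)
                echo "$f: unreadable pid '$pid' (stale)"
                continue ;;
        esac
        # kill -0 sends no signal; it only checks whether the pid exists
        # (as root this works for processes owned by any user).
        if kill -0 "$pid" 2>/dev/null; then
            echo "$f: pid $pid still running (keep)" >&2
        else
            echo "$f: pid $pid not running (stale)"
        fi
    done
}

# Remove only the files reported stale on stdout above.
# Assumes pid-file paths contain no ':' (true for /var/run/suricata_*.pid).
remove_stale_suricata_pidfiles() {
    dir="${1:-/var/run}"
    stale_suricata_pidfiles "$dir" 2>/dev/null | while IFS=: read -r f _; do
        rm -f "$f"
        echo "removed $f"
    done
}
```

If a file is reported as "still running (keep)", Suricata (or a leftover instance) is actually alive under that pid, which is the case to investigate rather than delete.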

Thank you for the reply. I went into /var/run and rm'd the pid file, uninstalled everything and reinstalled, and the log has changed but has the same result. Here is the log file. I'm not understanding why the date says 6/8/2020.

6/8/2020 – 17:28:29 - – [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file ‘/var/run/suricata_em159723.pid’ exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em159723.pid. Aborting!

pfSense has the correct date.

Back up your config and do a clean install. In my experience, clean install with restoring the backup is easy and fast, generally faster than trying to troubleshoot.

But before you back it up, you may want to uninstall Suricata, reboot, then grab the config. If you restore the config it will ask you to reinstall all the plugins and in this case, I’d want to handle Suricata after it was running again.

I’ve used the config file and fresh install to move to different hardware twice in the last few months, always seemed to work and was quick.

The date in the error message might be day-month-year format, so your date is probably correct.