Suricata Will not start in pfsense

After doing a bit of research I did find that Suricata will not start if you have more than 4GB of RAM (per the Reddit thread I found). Not sure if this is the case.

Thoughts?

I have 16gb RAM and Suricata starts and runs on multiple interfaces fine.

Should I just remove and reinstall the package? I mean it is a fresh install anyway or is there something else I’m missing?

Check the logs for the error message.

That may be the fastest fix. Otherwise just double check all your settings, restart the service and press the play button next to the interface(s) you have configured.

26/5/2019 – 17:09:44 - – This is Suricata version 4.1.2 RELEASE
26/5/2019 – 17:09:44 - – CPUs/cores online: 8
26/5/2019 – 17:09:44 - – HTTP memcap: 67108864
26/5/2019 – 17:09:44 - – using flow hash instead of active packets
26/5/2019 – 17:09:44 - – [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file ‘/var/run/suricata_igb06103.pid’ exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_igb06103.pid. Aborting!

I had that error before. The only thing that fixed it was a complete reinstall of pfsense and then a restore from backup. Be sure to back up your current config.

Suricata is the only thing that is affected by this. All other services are working.

As a side note, I had this error when I upgraded from a Protectli device to a Dell R210ii. I installed a new pfsense instance and restored from backup (created on the Protectli). Had this error when the restore finished. Not sure if it was because I restored a backup from one device to another and config files were messed up, but a restore fixed it. If you are using new hardware, make sure you back up the current config minus the Suricata package (just uninstall it before backup) and then do a full restore and redownload the Suricata package. That should fix it.

Have you tried doing what the error message suggests and removing /var/run/suricata_igb06103.pid and restarting Suricata?

I have not but will try.
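
What the error message asks for (confirm Suricata is not running, then remove the pid file), as an added example that is not part of the original thread. The function names `check_pidfile` and `remove_if_stale` are hypothetical, and it assumes a root shell, since `kill -0` can only probe processes it is allowed to signal.

```shell
#!/bin/sh
# Added example (not from the thread): classify a pid file, then remove it
# only when no live process owns the PID recorded in it.
# Usage: sh stale_pid.sh /var/run/suricata_igb06103.pid

# check_pidfile PATH -> prints one of: missing | invalid | running | stale
check_pidfile() {
    pidfile=$1
    [ -e "$pidfile" ] || { echo missing; return 0; }
    # The file should hold a single decimal PID on its first line.
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    # kill -0 delivers no signal; it only tests whether the PID exists.
    if kill -0 "$pid" 2>/dev/null; then
        echo running
    else
        echo stale
    fi
}

# remove_if_stale PATH -> deletes the file unless a live process holds the PID.
# Returns 1 (and keeps the file) when the recorded PID is still alive.
remove_if_stale() {
    state=$(check_pidfile "$1")
    case $state in
        stale|invalid)
            rm -f -- "$1"
            echo "removed $1 ($state)"
            ;;
        running)
            echo "kept $1: recorded PID is alive, stop Suricata first"
            return 1
            ;;
        missing)
            echo "nothing to do: $1 does not exist"
            ;;
    esac
}

# Run against a path only when one is given on the command line.
if [ "$#" -gt 0 ]; then
    remove_if_stale "$1"
fi
```

`kill -0` reports `running` for any process that currently holds the recorded PID, so a reused PID leaves the file in place; in that case confirm with `ps` what the process is before deleting the file by hand.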