[Solved] Suricata Fails to start

Suricata fails to start on WAN or LAN.

I have removed and reinstalled Suricata with vanilla settings, and upon creating an interface with the default rules it still fails.

/var/log/suricata/suricata_em133699/suricata.log

16/4/2018 – 21:07:40 - – This is Suricata version 4.0.4 RELEASE
16/4/2018 – 21:07:40 - – CPUs/cores online: 8
16/4/2018 – 21:07:40 - – HTTP memcap: 67108864
16/4/2018 – 21:07:40 - – using flow hash instead of active packets
16/4/2018 – 21:07:40 - – 1 rule files processed. 235 rules successfully loaded, 0 rules failed
16/4/2018 – 21:07:40 - – Threshold config parsed: 0 rule(s) found
16/4/2018 – 21:07:40 - – 235 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 72 inspect application layer, 103 are decoder event only
16/4/2018 – 21:07:40 - – fast output device (regular) initialized: alerts.log
16/4/2018 – 21:07:40 - – http-log output device (regular) initialized: http.log
16/4/2018 – 21:07:40 - – Using 1 live device(s).
16/4/2018 – 21:07:40 - – using interface em1
16/4/2018 – 21:07:40 - – Running in ‘auto’ checksum mode. Detection of interface state will require 1000 packets.
16/4/2018 – 21:07:40 - – Set snaplen to 1518 for ‘em1’
16/4/2018 – 21:07:40 - – [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
16/4/2018 – 21:07:40 - – [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
16/4/2018 – 21:07:40 - – [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
16/4/2018 – 21:07:40 - – RunModeIdsPcapAutoFp initialised
16/4/2018 – 21:07:40 - – [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread “W#08” failed to initialize: flags 0145
16/4/2018 – 21:07:40 - – [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting…

I have done further research and found that I might have to mess with the stream settings memory cap, but I have increased it to as high as a GiB and it still fails.

After it fails with a fresh creation of an interface with default settings, I doubled the stream settings from 64 MiB → 128 MiB, and here is what the log file had appended to it.

New stuff

16/4/2018 – 21:08:00 - – This is Suricata version 4.0.4 RELEASE
16/4/2018 – 21:08:00 - – CPUs/cores online: 8
16/4/2018 – 21:08:00 - – HTTP memcap: 67108864
16/4/2018 – 21:08:00 - – using flow hash instead of active packets
16/4/2018 – 21:08:00 - – [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file ‘/var/run/suricata_em133699.pid’ exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em133699.pid. Aborting!
16/4/2018 – 21:08:07 - – This is Suricata version 4.0.4 RELEASE
16/4/2018 – 21:08:07 - – CPUs/cores online: 8
16/4/2018 – 21:08:07 - – HTTP memcap: 67108864
16/4/2018 – 21:08:07 - – using flow hash instead of active packets
16/4/2018 – 21:08:07 - – [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file ‘/var/run/suricata_em133699.pid’ exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em133699.pid. Aborting!
16/4/2018 – 21:13:48 - – This is Suricata version 4.0.4 RELEASE
16/4/2018 – 21:13:48 - – CPUs/cores online: 8
16/4/2018 – 21:13:48 - – HTTP memcap: 67108864
16/4/2018 – 21:13:48 - – using flow hash instead of active packets
16/4/2018 – 21:13:48 - – [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file ‘/var/run/suricata_em133699.pid’ exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_em133699.pid. Aborting!

Hmmm.

Read more into the log file.

Performed:

rm /var/run/suricata_em133699.pid

And then restarted the Suricata service and now it comes up. Seems that I can’t change the settings in place for this particular setting.

Weird.

Will do a bit more tinkering, but looks like I solved it.

Very anti-climactic -_____-
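The fix above removes the pid file unconditionally. The helper below is an added example, not part of the original post, of Suricata or of pfSense: it only deletes the file when the recorded PID is dead, unreadable, or has been reused by a different program, and refuses when a live Suricata still owns it. The pid file path is the one from the log; the function names are my own.

```sh
#!/bin/sh
# Check a Suricata pid file before deleting it instead of running a blind rm.
# Usage (example): remove_if_stale /var/run/suricata_em133699.pid
#
# pidfile_status return codes:
#   0  stale: no such process, no valid PID, or PID reused by another program
#   1  the PID belongs to a live process with the expected name; keep the file
#   2  no pid file present

proc_name() {
    # Command name of PID $1, or empty if it is not running.
    # Linux exposes /proc/<pid>/comm; FreeBSD (pfSense) needs ps.
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -p "$1" -o comm= 2>/dev/null
    fi
}

pidfile_status() {
    pidfile="$1"
    expected="${2:-suricata}"   # process name the pid file should point at
    [ -f "$pidfile" ] || { echo "no pid file at $pidfile"; return 2; }
    pid=$(tr -d '[:space:]' < "$pidfile")
    case "$pid" in
        ''|*[!0-9]*)
            echo "$pidfile holds no valid PID ('$pid'); stale"
            return 0 ;;
    esac
    name=$(proc_name "$pid")
    if [ -z "$name" ]; then
        echo "PID $pid is not running; $pidfile is stale"
        return 0
    fi
    case "$name" in
        *"$expected"*)
            echo "PID $pid is a live $name; keep $pidfile"
            return 1 ;;
        *)
            echo "PID $pid now belongs to '$name', not $expected; $pidfile is stale"
            return 0 ;;
    esac
}

remove_if_stale() {
    # Remove the pid file only when pidfile_status reports it stale.
    if pidfile_status "$1" "${2:-suricata}"; then
        rm -f "$1" && echo "removed $1"
    else
        return 1
    fi
}
```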
