Suricata will not start

Networking Networking Software
1

I watched your video ([http://)https://www.youtube.com/watch?v=9QaM3b0Kd6M&t=215s]) and decided to kick Snort for Suricata. However i cannot get it to start. When I try to start Suricata on either WAN or LAN it will not start. Updating the rule set worked fine, but the icon remains yellow indicating that Suricatra is stopped after I select the start button. When I restart my box i get the following errors in the System Logs.

  • Nov 15 19:32:12 kernel pid 19379 (suricata), uid 0: exited on signal 11 (core dumped)
  • Nov 15 19:31:54 php-fpm 62973 /suricata/suricata_interfaces.php: [Suricata] Suricata START for WAN(igb0)…
  • Nov 15 19:31:54 php-fpm 62973 /suricata/suricata_interfaces.php: Toggle (suricata starting) for WAN(WAN)…
  • Nov 15 19:31:54 php-fpm 62973 /suricata/suricata_interfaces.php: [Suricata] Building new sid-msg.map file for WAN…
  • Nov 15 19:31:53 php-fpm 62973 /suricata/suricata_interfaces.php: [Suricata] Enabling any flowbit-required rules for: WAN…
  • Nov 15 19:31:53 php-fpm 62973 /suricata/suricata_interfaces.php: [Suricata] Updating rules configuration for: WAN …

I would happily investigate any leads you guys can help me with.
Setting can be found here: https://imgur.com/a/jSjVz

2

I had a similar issue and had to bump the allocated memory way waaaaay high. Was able to get it started on two interfaces after that.

3

Thanks for the response. I have 16GB of memory (overkill i know). I could not find online sources that suggest how much memory to allocate. I will try it out!

4

Dang! I ramped up the memory allocation in the “Max Pending Packets” setting by increments of 10,000 and had no luck starting after reboot. Any other suggestions?

5

No - I had to increase the memory associated with Flow bits/stream handling. As I recall, had to bump it up as high as 500MB for each.

6

The tab you need to look at is WAN Flow/Stream (same for each interface). The options you need to bump up are at the bottom, and there were two-settings. If you send me a screenshot that would help.

7

I just booted my test box - since I’m running 16GB RAM I was able to assign 2GB to for each interface that Suricata monitors… otherwise I just couldn’t get it to start.

  • Fragmentation Mem Cap
  • Flow Mem Cap
  • Stream Mem Cap

16

28

8

i bet if u turn off dhcp server, sucrita will run with out upping the memory
i got 2 gig ram on my pfsense box i just switched to snort personally to fix the isue

9

I’m running suricata on 4 interfaces on a 4Gb system just fine. No special tweaks really needed.

So I’m taking a passing interest in what’s going on / what you guys can figure out here.

10

i had the same issue as those guys about 3 month ago i was running 3 interfaces on 2 gig, (2 lan port with 3 vlan) and sucrita was working fine for months like that but i woke up 1 day it wasn’t the case anymore the only way i could keep sucrita running for long period of time with out playing with memory was to disable dhcp server and assign ip’s but that was too troublesome
switching to snort instead of sucrita prevented having to deal with the issue in the first place