Open ngms17 opened 4 years ago
What are the last log entries in /var/log/suricata/suricata.log?
root@suricata:~# tail /var/log/suricata/suricata.log
2/11/2020 -- 02:20:45 -
No error.
root@suricata:~# systemctl status suricata
● suricata.service - LSB: Next Generation IDS/IPS
   Loaded: loaded (/etc/init.d/suricata; generated)
   Active: active (exited) since Mon 2020-11-02 02:19:44 WET; 8h ago
     Docs: man:systemd-sysv-generator(8)

Nov 02 02:19:44 suricata systemd[1]: Starting LSB: Next Generation IDS/IPS...
Nov 02 02:19:44 suricata suricata[24840]: Starting suricata in IDS (af-packet) mode... done.
Nov 02 02:19:44 suricata systemd[1]: Started LSB: Next Generation IDS/IPS.
But the status is exited.
I had the same problem. Did you solve it later? If so, could you tell me how?
Is there an error towards the end of the suricata.log?
-- Regards, Peter Manev
Yes, it has.
[2848] 30/1/2022 -- 03:39:58 - (util-pidfile.c:133) (SCPidfileTestRunning) - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata.pid. Aborting!
Can you try the following:
rm /var/run/suricata.pid
Then restart the suricata service (systemctl restart suricata).
-- Regards, Peter Manev
It turns into active (running) for only a few seconds, then turns back to active (exited). The error towards the end of the suricata.log is the same. /var/run/suricata.pid appears again.
What does this command return: ps -aux | grep suricata ?
-- Regards, Peter Manev
Here's the output.
root       690  0.3  0.0  50764    92 ?        S    05:34   0:02 /usr/bin/python /usr/sbin/suri_reloader -p /etc/suricata/rules -l /var/log/suri-reload.log -D
root      1825  0.0  0.0   6208   804 pts/0    S+   05:44   0:00 grep suricata
So there is no suricata running, but the pid deletion did not succeed, it seems. Did you use sudo?
Can you try:
sudo rm /var/run/suricata.pid
sudo systemctl restart suricata
and share the output please?
The error seems different this time, possibly related to the sniffing interface.
Can you please share the output of tail -20 /var/log/suricata/suricata.log in text and upload it here, if OK?
okok
[1494] 30/1/2022 -- 08:40:12 - (log-pcap.c:1427) (PcapLogInitCtx) -- using multi logging
[1494] 30/1/2022 -- 08:40:12 - (util-logopenfile.c:474) (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[1494] 30/1/2022 -- 08:40:12 - (util-conf.c:162) (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[1494] 30/1/2022 -- 08:40:12 - (reputation.c:636) (SRepInit) -- Loading reputation file: /etc/suricata/rules/scirius-iprep.list
[1494] 30/1/2022 -- 08:40:19 - (detect-engine-loader.c:355) (SigLoadSignatures) -- 1 rule files processed. 22087 rules successfully loaded, 0 rules failed
[1494] 30/1/2022 -- 08:40:19 - (util-threshold-config.c:1096) (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[1494] 30/1/2022 -- 08:40:19 - (detect-engine-build.c:1416) (SigAddressPrepareStage1) -- 22090 signatures processed. 7 are IP-only rules, 3944 are inspecting packet payload, 18100 inspect application layer, 0 are decoder event only
[1494] 30/1/2022 -- 08:40:51 - (util-runmodes.c:274) (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[1535] 30/1/2022 -- 08:40:51 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap.
[1535] 30/1/2022 -- 08:40:51 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 0 files.
[1494] 30/1/2022 -- 08:40:51 - (util-ioctl.c:324) (SetEthtoolValue) -- [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'lo': Operation not supported (95)
[1494] 30/1/2022 -- 08:40:51 - (util-runmodes.c:274) (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[1536] 30/1/2022 -- 08:40:51 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap.
[1536] 30/1/2022 -- 08:40:51 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 0 files.
[1494] 30/1/2022 -- 08:40:51 - (util-conf.c:162) (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[1494] 30/1/2022 -- 08:40:51 - (unix-manager.c:132) (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'
[1494] 30/1/2022 -- 08:40:52 - (tm-threads.c:1888) (TmThreadWaitOnThreadInit) -- all 2 packet processing threads, 4 management threads initialized, engine started.
[1535] 30/1/2022 -- 08:40:52 - (source-af-packet.c:1783) (AFPComputeRingParamsV3) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Block size is too small, it should be at least 65648
[1535] 30/1/2022 -- 08:40:52 - (source-af-packet.c:1500) (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
[1494] 30/1/2022 -- 08:40:52 - (tm-threads.c:1807) (TmThreadCheckThreadState) -- [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-enp0s3 failed
Have you done any config changes?
-- Regards, Peter Manev
To enable the virtual machine system to connect to the Internet, I added some lines to '/etc/network/interfaces'. The following is what I added, and it is based on the host address.
auto enp0s3
iface enp0s3 inet dhcp
    address 192.168.1.8
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
Thanks. I mean in terms of the suricata.yaml config?
There's no change for this file.
OK, interesting. It is complaining that the block size is not as expected:
[1535] 30/1/2022 -- 08:40:52 - (source-af-packet.c:1783) (AFPComputeRingParamsV3) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Block size is too small, it should be at least 65648
Can you edit the /etc/suricata/selks6-interfaces-config.yaml file (if this is a SELKS ISO install, aka not docker) and adjust the ring-size: value parameter to 80000, then restart the suricata process.
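The two failures worked through in this thread (the stale pid file and the AF_PACKET block-size error) can be picked out of a suricata.log tail mechanically. The script below is an added example, not code from SELKS or Suricata; the log lines are constructed from the messages quoted above, and the remediation text simply repeats what was suggested in the thread.

```shell
#!/bin/sh
# Added example: classify the fatal Suricata start-up errors seen in this
# thread from a log file and map each to the fix suggested above.

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[2848] 30/1/2022 -- 03:39:58 - (util-pidfile.c:133) (SCPidfileTestRunning) - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata.pid. Aborting!
[1535] 30/1/2022 -- 08:40:52 - (source-af-packet.c:1783) (AFPComputeRingParamsV3) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Block size is too small, it should be at least 65648
[1494] 30/1/2022 -- 08:40:52 - (tm-threads.c:1807) (TmThreadCheckThreadState) -- [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-enp0s3 failed
EOF

# diagnose_suricata_log LOGFILE: print one token per recognised failure class.
diagnose_suricata_log() {
    log="$1"
    if grep -q 'SC_ERR_INITIALIZATION.*pid file.*stale' "$log"; then
        echo "stale-pidfile"
    fi
    if grep -q 'SC_ERR_INVALID_VALUE.*Block size is too small' "$log"; then
        echo "afpacket-block-size"
    fi
    if grep -q 'SC_ERR_FATAL.*thread .* failed' "$log"; then
        echo "worker-thread-failed"
    fi
}

# min_block_size LOGFILE: the minimum block size Suricata asked for, if logged.
min_block_size() {
    sed -n 's/.*it should be at least \([0-9]*\).*/\1/p' "$1" | head -n 1
}

# remediation TOKEN: the fix proposed in the thread for that failure class.
remediation() {
    case "$1" in
        stale-pidfile)        echo "rm /var/run/suricata.pid && systemctl restart suricata" ;;
        afpacket-block-size)  echo "set ring-size to 80000 in /etc/suricata/selks6-interfaces-config.yaml, then restart suricata" ;;
        worker-thread-failed) echo "look at the error logged just before this line for the failing capture thread" ;;
        *)                    echo "unknown" ;;
    esac
}

for t in $(diagnose_suricata_log "$SAMPLE_LOG"); do
    printf '%s: %s\n' "$t" "$(remediation "$t")"
done
printf 'requested minimum block size: %s\n' "$(min_block_size "$SAMPLE_LOG")"
```

Run it against a real file with `diagnose_suricata_log /var/log/suricata/suricata.log` after sourcing the script; an empty result means none of the three failure classes from this thread is present.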
I executed the first time setup and the upgrade commands. Suricata is running, but after some minutes it changes its state to "active (exited)" and I can't figure out why. Can you please help me?