Bug #2136
Closed
Suricata 4.0.0 beta1 restart problem
Description
Suricata 4.0.0 beta1 does not restart using the systemctl script as /var/run/suricata.pid is not killed properly.
Updated by Peter Manev over 7 years ago
Where/how did you install it (asking since it is not from our PPA)?
Any err message?
Updated by Samiux A over 7 years ago
I compiled from source code and installed on Ubuntu Server 16.04. The --enable-rust is enabled with cargo installed.
The suricata.service systemd script is :
[Unit]
Description=Suricata IDPS Daemon
Wants=network.target syslog.target
After=network.target syslog.target
Restart=on-failure
[Service]
Type=forking
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet -vv -D
ExecReload=/bin/kill -HUP $MAINPID
ExecStopPost=/bin/kill $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
I configured Suricata as follows:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --enable-luajit \
--enable-rust --enable-nfqueue --enable-pie --enable-gccprotect --enable-gccprofile \
--enable-hiredis --enable-geoip --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ \
--with-libhiredis-libraries=/usr/lib/x86_64-linux-gnu --with-libhiredis-includes=/usr/include/hiredis \
--with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr \
--with-libcap_ng-libraries=/usr/local/lib --with-libcap_ng-includes=/usr/local/include \
--with-libluajit-includes=/usr/local/include/luajit-2.1/ \
--with-libluajit-libraries=/usr/local/lib/ \
CFLAGS="-ggdb -O0 -ftrapv -fPIE -Wl,-z,relro,-z,now -g -D_FORTIFY_SOURCE=2 -O2 -fstack-protector-all --param=ssp-buffer-size=4 -Wformat -Werror=format-security" \
SECCFLAGS="-ftrapv -fPIE -Wl,-z,relro,-z,now -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wformat -Wformat-security" \
--with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/
I need to stop Suricata, then delete /var/run/suricata.pid before restarting it. Otherwise, Suricata cannot be started.
Updated by Victor Julien over 7 years ago
- Priority changed from Urgent to Normal
Strange, I didn't think the pid file handling changed.
Updated by Samiux A over 7 years ago
I reran the restart script and got the following result.
sudo systemctl restart suricata
[sudo] password for samiux:
Job for suricata.service failed because the control process exited with error code. See "systemctl status suricata.service" and "journalctl -xe" for details.
● suricata.service - Suricata IDPS Daemon
Loaded: loaded (/lib/systemd/system/suricata.service; enabled; vendor preset: enabled)
Active: inactive (dead) (Result: exit-code) since Thu 2017-06-08 17:06:43 HKT; 15s ago
Process: 7010 ExecStopPost=/bin/kill $MAINPID (code=exited, status=1/FAILURE)
Process: 7031 ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet -vv -D (code=exited, status=1/FAILURE)
Main PID: 17736 (code=dumped, signal=ABRT)
Jun 08 17:06:43 croissants systemd[1]: Failed to start Suricata IDPS Daemon.
Jun 08 17:06:43 croissants systemd[1]: suricata.service: Unit entered failed state.
Jun 08 17:06:43 croissants systemd[1]: suricata.service: Failed with result 'exit-code'.
Jun 08 17:06:43 croissants systemd[1]: suricata.service: Service hold-off time over, scheduling restart.
Jun 08 17:06:43 croissants systemd[1]: Stopped Suricata IDPS Daemon.
Jun 08 17:06:43 croissants systemd[1]: suricata.service: Start request repeated too quickly.
Jun 08 17:06:43 croissants systemd[1]: Failed to start Suricata IDPS Daemon.
ls -la /var/run/suricata.pid
-rw-r---- 1 root root 6 Jun 8 12:05 /var/run/suricata.pid
Updated by Samiux A over 7 years ago
When I changed the "ExecStopPost" value, the Suricata restarted properly.
[Unit]
Description=Suricata IDPS Daemon
Wants=network.target syslog.target
After=network.target syslog.target
Restart=on-failure
[Service]
Type=forking
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet -vv -D
ExecReload=/bin/kill -HUP $MAINPID
ExecStopPost=/bin/kill $MAINPID && /bin/rm -f /var/run/suricata.pid
Restart=on-failure
[Install]
WantedBy=multi-user.target
Updated by Samiux A over 7 years ago
The better version of suricata.service should be :
[Unit]
Description=Suricata IDPS Daemon
Wants=network.target syslog.target
After=network.target syslog.target
Restart=on-failure
[Service]
Type=forking
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet -vv -D
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill $MAINPID && /bin/rm -f /var/run/suricata.pid
ExecStopPost=/bin/kill $MAINPID && /bin/rm -f /var/run/suricata.pid
Restart=on-failure
[Install]
WantedBy=multi-user.target
Updated by Samiux A over 7 years ago
I think this thread can be closed as "PIDFile" for systemd script solved the problem.
[Unit]
Description=Suricata IDPS Daemon
Wants=network.target syslog.target
After=network.target syslog.target
Restart=on-failure
[Service]
Type=forking
PIDFile=/var/run/suricata.pid
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet -vv -D
ExecReload=/bin/kill -HUP $MAINPID
ExecStopPost=/bin/kill $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
Updated by Jason Ish over 7 years ago
- Status changed from New to Closed
Due to https://redmine.openinfosecfoundation.org/issues/1335, Suricata 4.0.0-beta1 now fails on the existence of the PID.
For my RPMs I'm using the following unit file:
https://github.com/jasonish/suricata-rpms/blob/master/beta/suricata.service
Closing as this is expected behaviour.
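Added example, not from this thread or the Suricata project: because 4.0.0-beta1 refuses to start while the PID file exists, a pre-start check can remove the file only when the PID it records is no longer running. The function names and the optional expected-name argument are assumptions for illustration; systemd does not run Exec lines through a shell, so logic like this belongs in a script.

```shell
#!/bin/sh
# Added example (hypothetical helper names): classify a daemon PID file and
# delete it only when it is stale, so a live instance is never disturbed.

# pidfile_state FILE [NAME] -> prints: missing | invalid | live | stale
# NAME, if given, is compared with /proc/<pid>/comm to catch PID reuse.
pidfile_state() {
    file=$1
    want=${2:-}
    [ -e "$file" ] || { echo missing; return 0; }
    # Only the first line counts; a PID is a positive decimal integer.
    pid=$(head -n 1 "$file" 2>/dev/null | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    [ "$pid" -gt 0 ] 2>/dev/null || { echo invalid; return 0; }
    # kill -0 delivers no signal, it only tests existence. The /proc test
    # covers a process we may not signal (kill fails with EPERM).
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        if [ -n "$want" ] && [ -r "/proc/$pid/comm" ] &&
           [ "$(cat "/proc/$pid/comm")" != "$want" ]; then
            echo stale      # PID was recycled by an unrelated process
        else
            echo live
        fi
    else
        echo stale
    fi
}

# clean_stale_pidfile FILE [NAME]
# Returns 0 when startup may proceed, 1 when the file must be left alone.
clean_stale_pidfile() {
    case $(pidfile_state "$1" "${2:-}") in
        missing) return 0 ;;
        stale)   rm -f -- "$1"; return 0 ;;
        *)       return 1 ;;   # live or invalid: leave it for the operator
    esac
}
```
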
Updated by Victor Julien over 7 years ago
Can we check in a service file template that gets filled in with the proper paths (e.g. suricata.service.in)? I don't think we should install it, but it might make it easier for users to start using it.
Updated by Jason Ish over 7 years ago
Victor Julien wrote:
Can we check in a service file template that gets filled in with the proper paths (e.g. suricata.service.in)? I don't think we should install it, but it might make it easier for users to start using it.
Yes, that would be a good idea.
https://redmine.openinfosecfoundation.org/issues/2138
I can do this.