Support #3819

How to start and stop Suricata properly to avoid this error

Added by Corinne Yakpe over 3 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

suricata@suricata-Latitude-E5540:~$ sudo systemctl status suricata.service
[sudo] password for suricata:
● suricata.service - Suricata IDS Daemon
Loaded: loaded (/etc/systemd/system/suricata.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2020-07-08 12:01:34 CEST; 1h 38min ago
Process: 3717 ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i wlp2s0 -S /var/lib/suricata/rules/my.rules -D (code=exited, s>
Process: 3718 ExecStopPost=/bin/kill $MAINPID (code=exited, status=1/FAILURE)

Jul 08 12:01:34 suricata-Latitude-E5540 systemd[1]: suricata.service: Scheduled restart job, restart counter is at 5.
Jul 08 12:01:34 suricata-Latitude-E5540 systemd[1]: Stopped Suricata IDS Daemon.
Jul 08 12:01:34 suricata-Latitude-E5540 systemd[1]: suricata.service: Start request repeated too quickly.
Jul 08 12:01:34 suricata-Latitude-E5540 systemd[1]: suricata.service: Failed with result 'exit-code'.
Jul 08 12:01:34 suricata-Latitude-E5540 systemd[1]: Failed to start Suricata IDS Daemon.
lines 1-11/11 (END)


Files

Capture d’écran de 2020-07-08 19-21-24.png (157 KB) Corinne Yakpe, 07/08/2020 05:26 PM
suricata.yaml (68.8 KB) Jason Ish, 07/08/2020 09:51 PM
Actions #1

Updated by Jason Ish over 3 years ago

As you are using systemd to start Suricata, can you tell us what Linux distribution you are using and how you installed Suricata?

You might get some idea of why it's failing by running the command manually:

/usr/bin/suricata -c /etc/suricata/suricata.yaml -i wlp2s0 -S /var/lib/suricata/rules/my.rules

Note that I dropped the -D; you'll probably want to do that in your systemd configuration as well, as you usually don't want to daemonize a process when running under systemd.

Actions #2

Updated by Corinne Yakpe over 3 years ago

Yes, I use systemd to start Suricata. The Linux distribution is Ubuntu 20.04, and I installed Suricata from binary packages.
When I run the command manually, I get this:

suricata@suricata-Latitude-E5540:~$ /usr/bin/suricata -c /etc/suricata/suricata.yaml -i wlp2s0 -S /var/lib/suricata/rules/my.rules
8/7/2020 -- 17:13:40 - <Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 1080: found character that cannot start any token

Actions #3

Updated by Jason Ish over 3 years ago

Did you edit the configuration file at all? It looks like there is an error at line 1080 in /etc/suricata/suricata.yaml. The YAML file is sensitive to indentation so that is the first thing to check.

Also, what version of Suricata is this? "suricata -V" should tell you that.
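The "found character that cannot start any token" message in #2 is what libyaml reports when a tab appears in a line's indentation or when a token begins with one of the reserved indicators '@' or '`'. The following is an added example, not something posted in this thread or shipped by the Suricata project: a small POSIX shell/awk scan that prints the offending line numbers so you can go straight to them in the file. The sample config it writes is constructed for the demonstration and is not the reporter's suricata.yaml.

```shell
#!/bin/sh
# Added example (not from the report or the Suricata project): scan a YAML
# file for the two things libyaml rejects with "found character that cannot
# start any token": tabs inside a line's indentation, and a first token that
# begins with the reserved indicators '@' or '`'. YAML indentation must be
# spaces only. Prints "LINE: content" per offender; exit 1 if any, else 0.
yaml_token_check() {
    awk '
    {
        ind = $0; sub(/[^ \t].*$/, "", ind)   # leading whitespace run
        rest = substr($0, length(ind) + 1)    # first token onward
        if (ind ~ /\t/ || rest ~ /^[@`]/) {
            found = 1
            printf "%d: %s\n", NR, $0
        }
    }
    END { exit (found ? 1 : 0) }' "$1"
}

# Constructed sample config (not the reporter's file): line 4 is indented
# with a tab, line 6 starts its token with '@'. Both break the YAML parser.
write_sample_yaml() {
    printf 'outputs:\n  - fast:\n      enabled: yes\n\tfilename: fast.log\n  - eve-log:\n      @type: json\n' > "$1"
}

# Usage against a real config: yaml_token_check /etc/suricata/suricata.yaml
```

Once the scan is clean, `suricata -T -c /etc/suricata/suricata.yaml` (Suricata's own configuration-test mode) confirms the whole file parses before you restart the service.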

Actions #4

Updated by Corinne Yakpe over 3 years ago

You can find line 1080 in the attached file below. I edited the file, but there is no modification.

Version of Suricata:
- Suricata 5.0.3
Actions #5

Updated by Jason Ish over 3 years ago

Assuming you installed from the PPA, can you try this copy of the default suricata.yaml provided with it? Just update the "-c" command line option to point to wherever you copy this file.

Actions #6

Updated by Corinne Yakpe over 3 years ago

I updated the file, and now when I run Suricata I get this:
root@suricata-Latitude-E5540:~# suricata -c /etc/suricata/suricata.yaml -i wlp2s0
9/7/2020 -- 05:28:33 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
9/7/2020 -- 05:28:52 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'wlp2s0': Operation not supported (95)
9/7/2020 -- 05:28:52 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.

1- Can you give me the whole "-c" command line? I used another method to do it.
2- What do I do when I want to stop the engine properly?

Actions #7

Updated by Jason Ish over 3 years ago

Corinne Yakpe wrote in #note-6:

I updated the file, and now when I run Suricata I get this:
root@suricata-Latitude-E5540:~# suricata -c /etc/suricata/suricata.yaml -i wlp2s0
9/7/2020 -- 05:28:33 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
9/7/2020 -- 05:28:52 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'wlp2s0': Operation not supported (95)
9/7/2020 -- 05:28:52 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.

1- Can you give me the whole "-c" command line? I used another method to do it.
2- What do I do when I want to stop the engine properly?

That looks OK. At least it's up and running. I suspect the error is due to the wireless interface; it might not support all the offloads Suricata is trying to disable for you. You might want to add "-k none", as it's likely Suricata may miss some packets due to bad checksums.

There is some documentation on offloads here, but it also comes down to your chipset and other variables. But it looks like you are more or less running. Just might want to add -k none.
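Putting the advice from #1 (no -D under systemd) and #7 (-k none) together, the following is an added example of a systemd unit, not the unit from the reporter's machine, the Ubuntu package or the Suricata project. The interface, config path and rules file are taken from the ExecStart line in the report; the --pidfile location, ExecReload and the stop-timeout value are assumptions chosen for the example.

```ini
# Added example unit (not the one from the report or the Suricata project).
# Install as /etc/systemd/system/suricata.service, then:
#   systemctl daemon-reload && systemctl restart suricata
[Unit]
Description=Suricata IDS Daemon
After=network-online.target
Wants=network-online.target

[Service]
# Type=simple with no -D: Suricata stays in the foreground, so the PID systemd
# tracks as $MAINPID is the engine itself, not a parent that has already exited.
Type=simple
# Stale pid file from an unclean stop would otherwise block startup.
ExecStartPre=/bin/rm -f /run/suricata.pid
# -k none: skip checksum validation, since the wlp2s0 driver does not support
# the offload settings Suricata tries to apply (the ioctl warning in #6).
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -i wlp2s0 -S /var/lib/suricata/rules/my.rules -k none
# SIGUSR2 asks a running Suricata to reload its rules without a restart.
ExecReload=/bin/kill -USR2 $MAINPID
# No ExecStopPost=kill is needed: "systemctl stop suricata" sends SIGTERM,
# which Suricata handles as an orderly shutdown (flushing and closing logs).
KillSignal=SIGTERM
TimeoutStopSec=60
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

With this unit, starting and stopping is `systemctl start suricata` / `systemctl stop suricata`; the stop delivers SIGTERM to the engine, which answers the "how do I stop it properly" question in #6. The status=1 on the original `ExecStopPost=/bin/kill $MAINPID` is most likely the -D at work: the daemonizing parent had already exited, so there was no process at $MAINPID left to signal.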

Actions #8

Updated by Jason Ish over 3 years ago

  • Tracker changed from Bug to Support
  • Priority changed from Urgent to Normal
Actions #9

Updated by Andreas Herz about 2 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
