Common Errors

On this page you can find common errors and their solutions. Feel free to add errors and solutions.

Self help diagram.

Check out the Self_Help_Diagrams

Failed to open file: /etc/suricata/suricata.yaml: No such file or directory

$ sudo suricata -c /etc/suricata/suricata.yaml -i wlan0
[490] 14/3/2011 -- 12:24:39 - (suricata.c:452) <Info> (main) -- This is Suricata version 1.1beta1 (rev 1c9e48a) 
[490] 14/3/2011 -- 12:24:39 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 2 
$ sudo suricata -c /etc/suricata/suricata.yaml -i wlan0

Check that the path given to the -c option is correct.
Follow the instructions on the Basic Setup page to create and set up /etc/suricata.

[ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "osvdb". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"

Edit /etc/suricata/reference.config
Add the line "config reference: osvdb http://osvdb.org/"

[532] 14/3/2011 -- 12:33:55 - (suricata.c:817) <Error> (main) -- [ERRCODE: SC_ERR_LOGDIR_CONFIG(114)] - The logging directory "/var/log/suricata" supplied by /etc/suricata/suricata.yaml (default-log-dir) doesn't exist. Shutting down the engine

Check the default-log-dir setting in the suricata.yaml file. For more information, see suricata.yaml.
Check that the directory set in the default-log-dir option in suricata.yaml exists.
If not, create the directory as described in Basic Setup.

[560] 14/3/2011 -- 12:37:59 - (util-classification-config.c:96) <Error> (SCClassConfInitContext) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata/classification.config": No such file or directory

Please check the "classification-file" option in your suricata.yaml file.

Check the classification-file option in the suricata.yaml file as described in suricata.yaml.
If the file is missing, please follow the installation instructions in Basic Setup.

[589] 14/3/2011 -- 12:42:34 - (util-reference-config.c:97) <Error> (SCRConfInitContext) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata/reference.config": No such file or directory

Please check the "reference-file" option in your suricata.yaml file.

Check the reference-file setting in the suricata.yaml file.
If the file is missing, please follow the installation instructions in Basic Setup.

[608] 14/3/2011 -- 12:45:58 - (runmodes.c:104) <Warning> (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named alert-prelude, ignoring

This is only a warning and does not indicate a severe problem. By default, Suricata is
compiled without prelude support.
If you do want prelude support, enter configure --enable-prelude during configuration.

[638] 14/3/2011 -- 12:51:20 - (source-pcap.c:339) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_PCAP_ACTIVATE_HANDLE(27)] - Couldn't activate the pcap handler, error SIOCGIFHWADDR: No such device
[638] 14/3/2011 -- 12:51:20 - (source-pcap.c:339) <Error> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_PCAP_ACTIVATE_HANDLE(27)] - Couldn't activate the pcap handler, error SIOCGIFHWADDR: No such device 
[635] 14/3/2011 -- 12:51:20 - (tm-threads.c:1475) <Error> (TmThreadWaitOnThreadInit) -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "ReceivePcap" closed on initialization. 
[635] 14/3/2011 -- 12:51:20 - (suricata.c:1249) <Error> (main) -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...

A wrong network interface has been set on the command line with the -i option. Use ifconfig to find
the correct network interface.

[608] 14/3/2011 -- 12:45:58 - (detect.c:452) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - ERROR opening rule file /etc/suricata/rules/attack-responses.rules: No such file or directory.

Check that the file mentioned in the error message exists and that Suricata has permission to read it.

Check that there is no error in the filename in suricata.yaml. For more information about rule-files, see
Suricata.yaml.

If you do not want to use this specific rule-file, remove it from your suricata.yaml.

[608] 14/3/2011 -- 12:45:58 - (detect.c:617) <Error> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 70 rule files specified, but no rule was loaded at all!

Check that all rule configuration in your suricata.yaml is correct. For more information about rule-files,
see Suricata.yaml.

[635] 14/3/2011 -- 12:51:20 - (util-threshold-config.c:104) <Warning> (SCThresholdConfInitContext) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "threshold.config": No such file or directory.

Check if the file threshold.config exists in your /etc/suricata directory.
Check if the settings for threshold.config in suricata.yaml are correct. For more information,
see Suricata.yaml.
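
The missing-file and wrong-interface startup errors above can be checked before launching Suricata. The shell preflight below is an added example, not part of the original page or of Suricata itself. It assumes simple one-line "key: value" entries in suricata.yaml; the function names and the optional third argument are hypothetical, and default-rule-path, rule-files and threshold-file are suricata.yaml settings not named on this page.

```sh
#!/bin/sh
# Added example (not Suricata project code): preflight for the missing-file
# and wrong-interface startup errors. Assumption: suricata.yaml uses one-line
# "key: value" entries and a "rule-files:" list; this is not a YAML parser.

# yaml_value FILE KEY: print the value of the first "KEY: value" line.
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//; s/^"//; s/"$//'
}

# rule_files FILE: print the entries listed under "rule-files:".
rule_files() {
    awk '/^rule-files:/ { on = 1; next }
         on && /^[ \t]*-[ \t]*/ { sub(/^[ \t]*-[ \t]*/, ""); print; next }
         on && !/^[ \t]*(#|$)/ { on = 0 }' "$1"
}

# suricata_preflight CONF IFACE [SYSFS_NET]
# Prints one line per problem found and returns 1 if there was any.
suricata_preflight() {
    conf=$1; iface=$2; sysnet=${3:-/sys/class/net}; bad=0
    if [ ! -r "$conf" ]; then
        echo "config: cannot read $conf (check the -c option)"; return 1
    fi
    dir=$(yaml_value "$conf" default-log-dir)
    if [ -n "$dir" ] && [ ! -d "$dir" ]; then
        echo "default-log-dir: $dir does not exist"; bad=1
    fi
    for key in classification-file reference-config-file threshold-file; do
        f=$(yaml_value "$conf" "$key")
        if [ -n "$f" ] && [ ! -r "$f" ]; then
            echo "$key: cannot read $f"; bad=1
        fi
    done
    rules=$(yaml_value "$conf" default-rule-path)
    for r in $(rule_files "$conf"); do
        case $r in /*) path=$r ;; *) path=$rules/$r ;; esac
        if [ ! -r "$path" ]; then
            echo "rule-files: cannot read $path"; bad=1
        fi
    done
    if [ ! -e "$sysnet/$iface" ]; then
        echo "interface: $iface not found in $sysnet (check the -i option)"; bad=1
    fi
    return $bad
}

# Usage: suricata_preflight /etc/suricata/suricata.yaml wlan0
```

Run it as the same user that starts Suricata, so the read-permission checks reflect what the engine will see.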

[5522] 12/6/2013 -- 16:04:15 - (source-af-packet.c:645) <Warning> (AFPWritePacket) -- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 5: Message too long

In AF_PACKET IPS mode, the MTUs of the peered interfaces need to be equal. You can see this message if that is not the case. Another possible explanation is that GRO is activated on your interface (see #823).
In that case, you can run the following (if eth1 is your sniffing interface):

ethtool -K eth1 gro off