
Suricata keeps changing its status to "active (exited)" after some time

Open ngms17 opened this issue 3 years ago • 18 comments

I execute the first-time setup and the upgrade commands. Suricata is running, but after some minutes it changes its state to "active (exited)" and I can't figure out why. Can you please help me?

ngms17 avatar Nov 02 '20 02:11 ngms17

What are the last log entries in /var/log/suricata/suricata.log ?

pevma avatar Nov 02 '20 07:11 pevma

```
root@suricata:~# tail /var/log/suricata/suricata.log
2/11/2020 -- 02:20:45 - <Info> - Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap.
2/11/2020 -- 02:20:45 - <Notice> - Ring buffer initialized with 19 files.
2/11/2020 -- 02:20:45 - <Info> - Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap.
2/11/2020 -- 02:20:45 - <Notice> - Ring buffer initialized with 19 files.
2/11/2020 -- 02:20:45 - <Info> - Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap.
2/11/2020 -- 02:20:45 - <Notice> - Ring buffer initialized with 19 files.
2/11/2020 -- 02:20:45 - <Info> - Running in live mode, activating unix socket
2/11/2020 -- 02:20:45 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
2/11/2020 -- 02:20:45 - <Notice> - all 16 packet processing threads, 4 management threads initialized, engine started.
2/11/2020 -- 02:20:46 - <Info> - All AFP capture threads are running.
```

No error.

```
root@suricata:~# systemctl status suricata
● suricata.service - LSB: Next Generation IDS/IPS
   Loaded: loaded (/etc/init.d/suricata; generated)
   Active: active (exited) since Mon 2020-11-02 02:19:44 WET; 8h ago
     Docs: man:systemd-sysv-generator(8)

Nov 02 02:19:44 suricata systemd[1]: Starting LSB: Next Generation IDS/IPS...
Nov 02 02:19:44 suricata suricata[24840]: Starting suricata in IDS (af-packet) mode... done.
Nov 02 02:19:44 suricata systemd[1]: Started LSB: Next Generation IDS/IPS.
```

But the status is exited.

ngms17 avatar Nov 02 '20 11:11 ngms17

I had the same problem. Did you solve it later? If so, could you tell me how?

CindyStudyEveryday avatar Jan 30 '22 08:01 CindyStudyEveryday

Is there an error towards the end of the suricata.log ?

-- Regards, Peter Manev


pevma avatar Jan 30 '22 08:01 pevma

Yes, it has.

```
[2848] 30/ 1/ 2022 -- 03:39:58 - (util-pidfile.c:133) <Error> (SCPidfileTestRunning) - [ERRCODE: SC_ ERR_INITIALIZATION(45)] - pid file ' /var/ run/suricata.pid' exists but appears stale. Make sure Suricatas not running and then remove /var/ run/suricata.pid. Aborting !
```

CindyStudyEveryday avatar Jan 30 '22 08:01 CindyStudyEveryday

Can you try the following:

```
rm /var/run/suricata.pid
```

Then restart the suricata service (`systemctl restart suricata`).

-- Regards, Peter Manev


pevma avatar Jan 30 '22 08:01 pevma
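A check for the stale-pid-file case discussed above, added here as an example for this thread (it is not SELKS or Suricata code): it reads the pid file, asks the kernel whether that PID still exists, and removes the file only when it does not, so a pid file that belongs to a live Suricata is never deleted. The pid-file path is a parameter, and the sample pid files in `demo()` are constructed in a temporary directory.

```python
"""Classify a Suricata-style pid file before removing it.

Added example for this thread, not SELKS or Suricata code. A stale pid file
(one naming a PID that no longer exists) blocks start-up with the
SC_ERR_INITIALIZATION error quoted above; one naming a live process must be
left alone. The pid-file path is a parameter; demo() builds constructed
sample files in a temporary directory.
"""
import os
import tempfile


def pid_alive(pid: int) -> bool:
    """True if a process with this PID exists, even one we may not signal."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)            # signal 0 checks existence, delivers nothing
    except ProcessLookupError:
        return False
    except PermissionError:
        return True                # exists but belongs to another user (e.g. root)
    return True


def pidfile_state(path: str) -> str:
    """One of 'missing', 'unreadable', 'running' or 'stale'."""
    try:
        with open(path) as fh:
            content = fh.read().strip()
    except FileNotFoundError:
        return "missing"
    if not content.isdigit():
        return "unreadable"
    return "running" if pid_alive(int(content)) else "stale"


def remove_if_stale(path: str) -> bool:
    """Remove the pid file only when it is stale; return True if removed."""
    if pidfile_state(path) != "stale":
        return False
    os.remove(path)
    return True


def demo() -> dict:
    """Constructed cases: this interpreter's PID (alive), a PID above the
    Linux pid_max ceiling of 2^22 (cannot exist), and non-numeric junk."""
    d = tempfile.mkdtemp()
    live, stale, junk = (os.path.join(d, n) for n in ("live.pid", "stale.pid", "junk.pid"))
    with open(live, "w") as fh:
        fh.write(f"{os.getpid()}\n")
    with open(stale, "w") as fh:
        fh.write("4194305\n")
    with open(junk, "w") as fh:
        fh.write("not-a-pid\n")
    return {
        "live": pidfile_state(live),
        "stale": pidfile_state(stale),
        "junk": pidfile_state(junk),
        "removed_live": remove_if_stale(live),
        "removed_stale": remove_if_stale(stale),
        "stale_after": pidfile_state(stale),
    }


if __name__ == "__main__":
    print(demo())
```

Run it as root on the sensor with `pidfile_state("/var/run/suricata.pid")` to see which case applies; `PermissionError` is treated as "alive" on purpose, because an unprivileged user cannot signal a root-owned Suricata but the process is still there.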

It turns into active (running) for only a few seconds, then turns back to active (exited). The error towards the end of the suricata.log is the same. /var/ run/suricata.pid appears again.

CindyStudyEveryday avatar Jan 30 '22 09:01 CindyStudyEveryday

What does this command return: ps -aux |grep suricata ?

-- Regards, Peter Manev


pevma avatar Jan 30 '22 09:01 pevma

Here's the output.

```
root       690  0.3  0.0  50764    92 ?        S    05:34   0:02 /usr/bin/python /usr/sbin/suri_reloader -p /etc/suricata/rules -l /var/log/suri-reload.log -D
root      1825  0.0  0.0   6208   804 pts/0    S+   05:44   0:00 grep suricata
```

CindyStudyEveryday avatar Jan 30 '22 10:01 CindyStudyEveryday

So there is no Suricata running, but the pid deletion did not succeed, it seems. Did you use sudo? Can you try:

```
sudo rm /var/run/suricata.pid
sudo systemctl restart suricata
```

and share the output, please?

pevma avatar Jan 30 '22 12:01 pevma

  • All of the previous output is the result of switching to the root user.
  • I tried using selks-user with sudo and tried again; suricata also turned into active (running) for only a few seconds, then turned back to active (exited).
  • tail -20 /var/log/suricata/suricata.log (output attached as a screenshot)

CindyStudyEveryday avatar Jan 30 '22 13:01 CindyStudyEveryday

The error seems different this time - possibly related to the sniffing interface. Can you please share the output of tail -20 /var/log/suricata/suricata.log as text and upload it here, if OK?

pevma avatar Jan 30 '22 13:01 pevma

okok

```
[1494] 30/1/2022 -- 08:40:12 - (log-pcap.c:1427) <Info> (PcapLogInitCtx) -- using multi logging
[1494] 30/1/2022 -- 08:40:12 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[1494] 30/1/2022 -- 08:40:12 - (util-conf.c:162) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[1494] 30/1/2022 -- 08:40:12 - (reputation.c:636) <Info> (SRepInit) -- Loading reputation file: /etc/suricata/rules/scirius-iprep.list
[1494] 30/1/2022 -- 08:40:19 - (detect-engine-loader.c:355) <Info> (SigLoadSignatures) -- 1 rule files processed. 22087 rules successfully loaded, 0 rules failed
[1494] 30/1/2022 -- 08:40:19 - (util-threshold-config.c:1096) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[1494] 30/1/2022 -- 08:40:19 - (detect-engine-build.c:1416) <Info> (SigAddressPrepareStage1) -- 22090 signatures processed. 7 are IP-only rules, 3944 are inspecting packet payload, 18100 inspect application layer, 0 are decoder event only
[1494] 30/1/2022 -- 08:40:51 - (util-runmodes.c:274) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[1535] 30/1/2022 -- 08:40:51 - (log-pcap.c:761) <Info> (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap.
[1535] 30/1/2022 -- 08:40:51 - (log-pcap.c:902) <Notice> (PcapLogInitRingBuffer) -- Ring buffer initialized with 0 files.
[1494] 30/1/2022 -- 08:40:51 - (util-ioctl.c:324) <Warning> (SetEthtoolValue) -- [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'lo': Operation not supported (95)
[1494] 30/1/2022 -- 08:40:51 - (util-runmodes.c:274) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[1536] 30/1/2022 -- 08:40:51 - (log-pcap.c:761) <Info> (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap.
[1536] 30/1/2022 -- 08:40:51 - (log-pcap.c:902) <Notice> (PcapLogInitRingBuffer) -- Ring buffer initialized with 0 files.
[1494] 30/1/2022 -- 08:40:51 - (util-conf.c:162) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[1494] 30/1/2022 -- 08:40:51 - (unix-manager.c:132) <Info> (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'
[1494] 30/1/2022 -- 08:40:52 - (tm-threads.c:1888) <Notice> (TmThreadWaitOnThreadInit) -- all 2 packet processing threads, 4 management threads initialized, engine started.
[1535] 30/1/2022 -- 08:40:52 - (source-af-packet.c:1783) <Error> (AFPComputeRingParamsV3) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Block size is too small, it should be at least 65648
[1535] 30/1/2022 -- 08:40:52 - (source-af-packet.c:1500) <Error> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
[1494] 30/1/2022 -- 08:40:52 - (tm-threads.c:1807) <Error> (TmThreadCheckThreadState) -- [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-enp0s3 failed
```

CindyStudyEveryday avatar Jan 30 '22 13:01 CindyStudyEveryday
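The log tail above is the kind of thing an operator has to read by eye each time; the following parser, added here as an example for this thread (not Suricata or SELKS code), handles both suricata.log layouts seen in the thread (the short `date -- time - <Level> - msg` form from 2020 and the verbose form with pid, source location and function name), strips the `[ERRCODE: NAME(n)]` tag into its own fields, and reports whether errors appeared after "engine started", which is exactly the "running for a few seconds, then exited" pattern. The sample lines are copied from the thread (only stray spaces in the pid-file line are removed); nothing else is assumed.

```python
"""Triage a suricata.log tail: parse each line and pull out the error chain.

Added example for this thread, not Suricata or SELKS code. The sample lines
below are copied from the thread; the pid-file line has its stray spaces
removed so that it matches the layout of the other verbose lines.
"""
import re

# Verbose layout: [pid] d/m/yyyy -- hh:mm:ss - (file.c:line) <Level> (Func) -- msg
VERBOSE = re.compile(
    r"^\[(?P<pid>\d+)\]\s+(?P<date>\d+/\s*\d+/\s*\d+)\s+--\s+(?P<time>\d\d:\d\d:\d\d)"
    r"\s+-\s+\((?P<src>[^)]+)\)\s+<(?P<level>\w+)>\s+\((?P<func>\w+)\)\s+-{1,2}\s+(?P<msg>.*)$")
# Short layout: d/m/yyyy -- hh:mm:ss - <Level> - msg
SHORT = re.compile(
    r"^(?P<date>\d+/\d+/\d+)\s+--\s+(?P<time>\d\d:\d\d:\d\d)\s+-\s+<(?P<level>\w+)>\s+-\s+(?P<msg>.*)$")
# Error/Warning messages start with an [ERRCODE: NAME(num)] tag
ERRCODE = re.compile(r"^\[ERRCODE:\s*(?P<code>\w+)\((?P<num>\d+)\)\]\s+-\s+(?P<text>.*)$")


def parse_line(line):
    """Return a dict (level, msg, plus pid/src/func for verbose lines) or None."""
    text = line.strip()
    m = VERBOSE.match(text) or SHORT.match(text)
    if not m:
        return None
    entry = m.groupdict()
    tag = ERRCODE.match(entry["msg"])
    if tag:
        entry["errcode"] = tag.group("code")
        entry["errnum"] = int(tag.group("num"))
        entry["msg"] = tag.group("text")
    return entry


def triage(lines):
    """Summarise a log tail: did the engine start, and which errors followed?"""
    entries = [e for e in (parse_line(ln) for ln in lines) if e]
    start = next((i for i, e in enumerate(entries) if "engine started" in e["msg"]), None)
    errors = [(i, e) for i, e in enumerate(entries) if e["level"] == "Error"]
    return {
        "parsed": len(entries),
        "unparsed": len(lines) - len(entries),
        "engine_started": start is not None,
        "errors": [(e.get("errcode"), e.get("func"), e["msg"]) for _, e in errors],
        "first_error": errors[0][1].get("errcode") if errors else None,
        # an Error logged after "engine started" means a thread died at runtime:
        # systemd sees the service come up, then the process exits
        "failed_after_start": start is not None and bool(errors) and errors[0][0] > start,
    }


# Constructed samples, copied from the lines quoted in this thread.
SAMPLE_AFPACKET = [
    "[1494] 30/1/2022 -- 08:40:51 - (util-runmodes.c:274) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)",
    "[1494] 30/1/2022 -- 08:40:51 - (util-ioctl.c:324) <Warning> (SetEthtoolValue) -- [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'lo': Operation not supported (95)",
    "[1494] 30/1/2022 -- 08:40:52 - (tm-threads.c:1888) <Notice> (TmThreadWaitOnThreadInit) -- all 2 packet processing threads, 4 management threads initialized, engine started.",
    "[1535] 30/1/2022 -- 08:40:52 - (source-af-packet.c:1783) <Error> (AFPComputeRingParamsV3) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Block size is too small, it should be at least 65648",
    "[1535] 30/1/2022 -- 08:40:52 - (source-af-packet.c:1500) <Error> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error",
    "[1494] 30/1/2022 -- 08:40:52 - (tm-threads.c:1807) <Error> (TmThreadCheckThreadState) -- [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-enp0s3 failed",
]
SAMPLE_STARTUP = [
    "2/11/2020 -- 02:20:45 - <Notice> - all 16 packet processing threads, 4 management threads initialized, engine started.",
    "2/11/2020 -- 02:20:46 - <Info> - All AFP capture threads are running.",
]
SAMPLE_PIDFILE = [
    "[2848] 30/ 1/ 2022 -- 03:39:58 - (util-pidfile.c:133) <Error> (SCPidfileTestRunning) - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists but appears stale. Make sure Suricatas not running and then remove /var/run/suricata.pid. Aborting !",
]

if __name__ == "__main__":
    for name, sample in (("af-packet", SAMPLE_AFPACKET), ("clean start", SAMPLE_STARTUP), ("pid file", SAMPLE_PIDFILE)):
        print(name, triage(sample))
```

On a live box, feed it the real tail: `triage(open("/var/log/suricata/suricata.log").readlines()[-20:])`. The `first_error` field is the one to act on; in the af-packet sample it is `SC_ERR_INVALID_VALUE` from `AFPComputeRingParamsV3`, and the two later errors are consequences of it.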

Have you done any config changes ?

-- Regards, Peter Manev


pevma avatar Jan 30 '22 14:01 pevma

To enable the virtual machine to connect to the Internet, I added some lines to '/etc/network/interfaces'. The following is what I added, based on the host address.

```
auto enp0s3
iface enp0s3 inet dhcp
    address 192.168.1.8
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
```

CindyStudyEveryday avatar Jan 30 '22 14:01 CindyStudyEveryday

Thanks, I mean in terms of the suricata.yaml config ?

pevma avatar Jan 30 '22 18:01 pevma

There's no change for this file.

CindyStudyEveryday avatar Jan 31 '22 02:01 CindyStudyEveryday

OK, interesting. It is complaining that the block size is not as expected:

```
[1535] 30/1/2022 -- 08:40:52 - (source-af-packet.c:1783) (AFPComputeRingParamsV3) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Block size is too small, it should be at least 65648
```

Can you edit the /etc/suricata/selks6-interfaces-config.yaml file (if this is a SELKS ISO install, i.e. not docker), adjust the `ring-size:` parameter value to 80000, then restart the suricata process.

pevma avatar Jan 31 '22 06:01 pevma