
Keep getting the same problem with suricata

Open ngms17 opened this issue 3 years ago • 13 comments

Hi guys.

I keep getting the same problem with suricata.

Imagine if I start the suricata service today. It runs all OK until, let's say, tomorrow morning. When I go to check the suricata state it gives me Active (exited). I think the error is in the .pid file.

Update: Now I start the suricata service and after a few minutes it states Active (exited) again. Logs don't show any errors.

Can you please help me solve this problem?

ngms17 avatar Dec 11 '20 12:12 ngms17

It seems it could be exiting due to an error. Can you please post the output of dpkg -l | grep suricata?

pevma avatar Dec 11 '20 13:12 pevma

For now, it seems to be running OK. It has been running for over 1h. I found a possible solution by doubling the "stream-mem-cap".

I will keep this ticket open. Tomorrow, if the error persists, I will send you the output of that command.

ngms17 avatar Dec 11 '20 13:12 ngms17

Please let us know! Thank you!

pevma avatar Dec 11 '20 20:12 pevma

Well, it lasted 8h.

This is the output.

selks-user@suricata:~$ sudo dpkg -l | grep suricata
ii  suricata  1:2020100901-0stamus0  amd64  Suricata open source multi-thread IDS/IPS/NSM system.

ngms17 avatar Dec 11 '20 21:12 ngms17

Giving me this error now.

selks-user@suricata:~$ tail /var/log/suricata/suricata.log
11/12/2020 -- 21:39:36 - <Info> - Error opening dump file /data/nsm//log.10.1607689431.pcap: Permission denied
11/12/2020 -- 21:39:36 - <Info> - Error opening dump file /data/nsm//log.10.1607689431.pcap: Permission denied
11/12/2020 -- 21:39:36 - <Info> - Error opening dump file /data/nsm//log.16.1607689431.pcap: Permission denied
11/12/2020 -- 21:39:36 - <Info> - Error opening dump file /data/nsm//log.12.1607689431.pcap: Permission denied
11/12/2020 -- 21:39:36 - <Info> - Error opening dump file /data/nsm//log.15.1607689431.pcap: Permission denied
11/12/2020 -- 21:39:36 - <Info> - Error opening dump file /data/nsm//log.4.1607689431.pcap: Permission denied
11/12/2020 -- 21:39:36 - <Info> - Error opening dump file /data/nsm//log.13.1607689431.pcap: Permission denied
11/12/2020 -- 21:39:36 - <Info> - Error opening dump file /data/nsm//log.12.1607689431.pcap: Permission denied
11/12/2020 -- 21:39:36 - <Info> - Error opening dump file /data/nsm//log.11.1607689431.pcap: Permission denied
11/12/2020 -- 21:39:36 - <Info> - Error opening dump file /data/nsm//log.7.1607689431.pcap: Permission denied

ngms17 avatar Dec 11 '20 21:12 ngms17

Seems related to permissions? Can you also please try to upgrade? I just pushed new Suricata packages.

Thank you

-- Regards, Peter Manev

pevma avatar Dec 11 '20 22:12 pevma

Sure, already making the upgrade.

It's very strange because I have a normal installation that followed your guides: First-time setup and upgrade.

ngms17 avatar Dec 11 '20 22:12 ngms17

Suricata seems to be OK for now, but the permission error is still appearing.

ngms17 avatar Dec 11 '20 22:12 ngms17

It seems it can not write the pcaps into that folder. What are the permissions of the folder?

-- Regards, Peter Manev

pevma avatar Dec 12 '20 09:12 pevma

selks-user@suricata:~$ ls -ld /data/nsm
drwxr-xr-x 2 logstash root 16384 Dec 11 20:27 /data/nsm

These are the permissions of the folder. And moloch is not receiving any data.

ngms17 avatar Dec 12 '20 14:12 ngms17

It seems suricata can not write in the folder. Do you run it as a specific user?

-- Regards, Peter Manev

pevma avatar Dec 12 '20 22:12 pevma

It's running with user logstash, I guess.

ngms17 avatar Dec 12 '20 22:12 ngms17

Can you try chown logstash -R /data/nsm/ and share the output of

ls -lh /data/
ls -lh /data/nsm/

pevma avatar Dec 14 '20 07:12 pevma
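The thread narrows the "Error opening dump file ... Permission denied" messages down to the pcap-log directory (/data/nsm, owned by logstash, mode drwxr-xr-x) not being writable by whatever user Suricata runs as. The script below is an added diagnostic written for this page; it is not part of SELKS or Suricata. It reproduces the check pevma is asking for by hand (who owns the directory, which user Suricata runs as, and whether the mode bits give that user write access) so it can be run before and after the suggested chown. The pure function dir_writable_by works on constructed owner/group/mode values; the wrapper check_pcap_dir gathers the real values with GNU stat -c and id -Gn, so it assumes Linux with coreutils. The directory /data/nsm and the user logstash are taken from the thread; "suricata" as a run-as user is only an illustrative value.

```shell
#!/bin/sh
# Added example (not from the SELKS/Suricata projects): decide whether a user
# can write into Suricata's pcap-log directory from the directory's owner,
# group and mode bits. Only classic Unix mode bits are evaluated; POSIX ACLs,
# a read-only mount or an LSM policy can also produce EACCES and are not
# covered here.

# dir_writable_by OWNER GROUP MODE USER "GROUP1 GROUP2 ..."
# Returns 0 when USER gets the write bit through owner, group or other.
dir_writable_by() {
    owner=$1; group=$2; mode=$3; user=$4; usergroups=$5
    # keep only the last three octal digits, so "0755" and "755" both work
    m=${mode#"${mode%???}"}
    ow=${m%??}                 # owner digit
    gw=${m#?}; gw=${gw%?}      # group digit
    ot=${m#??}                 # other digit
    if [ "$user" = "root" ]; then
        return 0               # uid 0 bypasses DAC (CAP_DAC_OVERRIDE)
    fi
    if [ "$user" = "$owner" ]; then
        [ $(( ow & 2 )) -ne 0 ] && return 0
    fi
    # usergroups is deliberately unquoted: it is a space-separated list
    for g in $usergroups; do
        if [ "$g" = "$group" ]; then
            [ $(( gw & 2 )) -ne 0 ] && return 0
        fi
    done
    [ $(( ot & 2 )) -ne 0 ] && return 0
    return 1
}

# check_pcap_dir DIR USER: read owner/group/mode with GNU stat(1) and the
# user's supplementary groups with id(1), then report. Assumes Linux coreutils.
check_pcap_dir() {
    dir=$1; user=$2
    info=$(stat -c '%U %G %a' "$dir") || return 2
    set -- $info               # $1=owner $2=group $3=mode
    groups=$(id -Gn "$user" 2>/dev/null) || groups=$user
    if dir_writable_by "$1" "$2" "$3" "$user" "$groups"; then
        echo "ok: $user can write pcaps into $dir (owner=$1 group=$2 mode=$3)"
        return 0
    fi
    echo "FAIL: $user cannot write into $dir (owner=$1 group=$2 mode=$3)" >&2
    echo "      fix: chown -R $user $dir   (or chgrp <group> $dir && chmod g+w $dir)" >&2
    return 1
}

# Usage: sh check_pcap_dir.sh /data/nsm logstash
# Pass the user Suricata actually runs as (check `ps -o user= -C Suricata-Main`
# or the run-as section of suricata.yaml), not the user you logged in with.
if [ $# -ge 2 ]; then
    check_pcap_dir "$1" "$2"
fi
```

Run it as the thread's /data/nsm case: with owner logstash, group root and mode 755, the check passes for logstash and fails for any other non-root user, which is exactly the state the ls -ld output shows. If Suricata runs as a different user than logstash, the chown in the comment above fixes the symptom but also changes who can read the captures; granting group write (chgrp plus g+w) keeps ownership with the collector user while still letting the sensor write.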