
Topic: Suricata fails to start

sb2
Suricata fails to start
« on: December 24, 2017, 12:37:36 am »
Here is the raw output from suricata.log:
--------------------------------------------------



24/12/2017 -- 01:33:39 - <Notice> -- This is Suricata version 4.0.1 RELEASE
24/12/2017 -- 01:33:39 - <Info> -- CPUs/cores online: 8
24/12/2017 -- 01:33:39 - <Info> -- HTTP memcap: 67108864
24/12/2017 -- 01:33:39 - <Notice> -- using flow hash instead of active packets
24/12/2017 -- 01:33:47 - <Info> -- 2 rule files processed. 9690 rules successfully loaded, 0 rules failed
24/12/2017 -- 01:33:47 - <Info> -- Threshold config parsed: 0 rule(s) found
24/12/2017 -- 01:33:47 - <Info> -- 9690 signatures processed. 382 are IP-only rules, 3861 are inspecting packet payload, 6427 inspect application layer, 102 are decoder event only
24/12/2017 -- 01:33:57 - <Info> -- fast output device (regular) initialized: alerts.log
24/12/2017 -- 01:33:57 - <Info> -- http-log output device (regular) initialized: http.log
24/12/2017 -- 01:33:57 - <Info> -- tls-log output device (regular) initialized: tls.log
24/12/2017 -- 01:33:57 - <Info> -- stats output device (regular) initialized: stats.log
24/12/2017 -- 01:33:57 - <Info> -- dns-log output device (regular) initialized: dns.log
24/12/2017 -- 01:33:57 - <Info> -- dns-log output device (regular) initialized: dns.log
24/12/2017 -- 01:33:57 - <Info> -- Using 1 live device(s).
24/12/2017 -- 01:33:57 - <Info> -- using interface bce1
24/12/2017 -- 01:33:57 - <Info> -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
24/12/2017 -- 01:33:57 - <Info> -- Found an MTU of 1500 for 'bce1'
24/12/2017 -- 01:33:57 - <Info> -- Set snaplen to 1524 for 'bce1'
24/12/2017 -- 01:33:57 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
24/12/2017 -- 01:33:57 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
24/12/2017 -- 01:33:57 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
24/12/2017 -- 01:33:57 - <Info> -- RunModeIdsPcapAutoFp initialised
24/12/2017 -- 01:33:57 - <Error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#08" failed to initialize: flags 0145
24/12/2017 -- 01:33:57 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...

ntct
Re: Suricata fails to start
« Reply #1 on: December 24, 2017, 03:20:21 am »
Increase the memory for the Stream Memory Cap

bmeeks
Re: Suricata fails to start
« Reply #2 on: December 24, 2017, 01:10:40 pm »
You have an eight-core CPU, so as @ntct says, increase the Stream Memcap value on the FLOW/STREAM tab to at least 256 MB and try to start again.  Keep increasing the value in 4 MB or 8 MB chunks until Suricata starts.  You can then try backing it down if you wish until it breaks, then bump it up slightly.  Some changes in the Suricata binary in a recent revision caused an increase in needed stream memory when using high core-count CPUs.  The old default of 32 MB is too low.

Bill
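
Added example, not part of any post in this thread: a small Python triage script that reads a Suricata startup log in the format shown above and reports whether the abort matches the stream session pool allocation failure discussed here. The function name `triage` and the result keys are hypothetical; the embedded sample is a subset of the log lines posted by sb2.

```python
import re

# Suricata log line layout: "DD/MM/YYYY -- HH:MM:SS - <Level> -- message"
LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4}) -- (\d{2}:\d{2}:\d{2}) - <(\w+)> -- (.*)$")
ERR_RE = re.compile(r"\[ERRCODE: (\w+)\((\d+)\)\] - (.*)")
CORES_RE = re.compile(r"CPUs/cores online: (\d+)")

# Subset of the suricata.log lines posted in this thread.
SAMPLE_LOG = """\
24/12/2017 -- 01:33:39 - <Info> -- CPUs/cores online: 8
24/12/2017 -- 01:33:57 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
24/12/2017 -- 01:33:57 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
24/12/2017 -- 01:33:57 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
24/12/2017 -- 01:33:57 - <Error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#08" failed to initialize: flags 0145
24/12/2017 -- 01:33:57 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
"""

def triage(log_text):
    """Summarise a startup log: core count, error codes, memcap diagnosis.

    Hypothetical helper written for this example; not part of Suricata or pfSense.
    """
    result = {"cores": None, "errors": [], "aborted": False,
              "stream_memcap_exhausted": False}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank lines and anything that is not a log record
        level, msg = m.group(3), m.group(4)
        cores = CORES_RE.search(msg)
        if cores:
            result["cores"] = int(cores.group(1))
        err = ERR_RE.match(msg)
        if level == "Error" and err:
            name, code, detail = err.group(1), int(err.group(2)), err.group(3)
            result["errors"].append((name, code))
            # The message that points at the stream memcap setting
            if name == "SC_ERR_MEM_ALLOC" and "stream session pool" in detail:
                result["stream_memcap_exhausted"] = True
            if name == "SC_ERR_INITIALIZATION":
                result["aborted"] = True
    return result

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(r)
    if r["aborted"] and r["stream_memcap_exhausted"]:
        print(f"Startup aborted: stream session pool allocation failed on a "
              f"{r['cores']}-core host; raise Stream Memcap and restart.")
```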