Starting Suricata issue

Hello, I have just installed Suricata v5.0.3 on my Ubuntu virtual machine, but whenever I check its status, it always fails to start:

emna@emna-VirtualBox:~$ sudo systemctl status suricata
× suricata.service - Suricata Intrusion Detection Service
     Loaded: loaded (/etc/systemd/system/suricata.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2024-03-14 09:17:08 CET; 8s ago
    Process: 4334 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
    Process: 4335 ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS (code=exited,>
   Main PID: 4335 (code=exited, status=1/FAILURE)
        CPU: 23ms

مارس 14 09:17:08 emna-VirtualBox suricata[4335]:         --simulate-ips                       : force engine into IPS mode. Useful >
مارس 14 09:17:08 emna-VirtualBox suricata[4335]:         --user <user>                        : run suricata as this user after init
مارس 14 09:17:08 emna-VirtualBox suricata[4335]:         --group <group>                      : run suricata as this group after in>
مارس 14 09:17:08 emna-VirtualBox suricata[4335]:         --erf-in <path>                      : process an ERF file
مارس 14 09:17:08 emna-VirtualBox suricata[4335]:         --unix-socket[=<file>]               : use unix socket to control suricata>
مارس 14 09:17:08 emna-VirtualBox suricata[4335]:         --set name=value                     : set a configuration value
مارس 14 09:17:08 emna-VirtualBox suricata[4335]: To run the engine with default configuration on interface eth0 with signature file>
مارس 14 09:17:08 emna-VirtualBox suricata[4335]: /usr/bin/suricata -c suricata.yaml -s signatures.rules -i eth0
مارس 14 09:17:08 emna-VirtualBox systemd[1]: suricata.service: Main process exited, code=exited, status=1/FAILURE
مارس 14 09:17:08 emna-VirtualBox systemd[1]: suricata.service: Failed with result 'exit-code'.

Here’s what suricata.log shows:

emna@emna-VirtualBox:~$ sudo tail -f /var/log/suricata/suricata.log
13/3/2024 -- 23:08:45 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
13/3/2024 -- 23:08:45 - <Info> - CPUs/cores online: 2
13/3/2024 -- 23:08:45 - <Info> - Found an MTU of 1500 for 'enp0s3'
13/3/2024 -- 23:08:45 - <Info> - Found an MTU of 1500 for 'enp0s3'
13/3/2024 -- 23:08:45 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /run/suricata.pid. Aborting!
13/3/2024 -- 23:09:52 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
13/3/2024 -- 23:09:52 - <Info> - CPUs/cores online: 2
13/3/2024 -- 23:09:52 - <Info> - Found an MTU of 1500 for 'enp0s3'
13/3/2024 -- 23:09:52 - <Info> - Found an MTU of 1500 for 'enp0s3'
13/3/2024 -- 23:09:52 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /run/suricata.pid. Aborting!

Even after stopping Suricata, removing /run/suricata.pid and restarting it, the issue persists. I also changed the eth0 interface name to enp0s3 in suricata.yaml, but I still have the same problem. So could anyone help me please?

Hi,

How did you install Suricata? Suricata 5.0.3 is very old; the current stable is 7.0.3 and the last old stable is 6.0.16 (which will go EOL).

What does your config file look like, and what does the systemd service file look like?

What version of Ubuntu do you use?


- I installed it using the following command:
sudo wget https://www.openinfosecfoundation.org/download/suricata-5.0.3.tar.gz
I used tar to extract it and then I installed all necessary packages. I actually tried to install Suricata 7.0.3 and I had the same problem as well, so I thought that it could be a version issue; that's why I switched to 5.0.3, yet still…

- I actually don't have a systemd service file, but here's what the directory shows:

emna@emna-VirtualBox:~$ ls /etc/systemd
journald.conf  network        oomd.conf    resolved.conf  system       timesyncd.conf  user.conf
logind.conf    networkd.conf  pstore.conf  sleep.conf     system.conf  user

and here are the configuration files I have:
config.log (160.4 KB)
config.h (18.1 KB)
suricata.yaml (68.8 KB)

- I am using Ubuntu 22.04

This is the service file that you seem to have installed/set up. You need to adjust it to your use case.
What you could do in the first place is skip that part, do a manual run of Suricata to see if it works, and also check the output.

What type of runmode do you want to use? You might also want to adjust the suricata.yaml to use your actual network interface instead of eth0 which is in the config file by default.
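The checks suggested in this thread (confirm the pid file really is stale before removing it, validate the config, then run Suricata manually on the real interface) as a small POSIX shell helper. This is an added example, not code from the thread or from the Suricata project; it uses the paths that appear in the thread (/run/suricata.pid, /etc/suricata/suricata.yaml) and assumes the interface enp0s3 and Suricata's `-T` (test configuration) and `-v` (verbose) options.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a Suricata pid file is
# "missing", "stale" (recorded PID is not running) or "live" before removing
# it, validate the config, and run Suricata in the foreground on an interface.
# PIDFILE and SURICATA_CONF are the paths shown in the thread; IFACE=enp0s3 is
# an assumption, override via the environment.

PIDFILE="${PIDFILE:-/run/suricata.pid}"
SURICATA_CONF="${SURICATA_CONF:-/etc/suricata/suricata.yaml}"
IFACE="${IFACE:-enp0s3}"

# Print "missing" if the file is absent, "stale" if the PID it records is not
# a running process, "live" if it is. /proc is consulted as a fallback so a
# PID owned by another user (kill -0 -> EPERM) is still reported as live.
pidfile_state() {
    pf="$1"
    [ -e "$pf" ] || { echo missing; return 0; }
    pid=$(tr -dc '0-9' < "$pf")
    if [ -n "$pid" ] && { kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; }; then
        echo live
    else
        echo stale
    fi
}

# Remove the pid file only when it is stale; a live instance is left alone.
# Prints the state that was observed before any removal.
clear_stale_pidfile() {
    state=$(pidfile_state "$1")
    [ "$state" = stale ] && rm -f "$1"
    echo "$state"
}

# Validate the YAML config without starting capture (-T = test mode).
check_config() {
    suricata -T -c "$SURICATA_CONF" -v
}

# Foreground run on a named interface, so startup errors appear on the terminal
# instead of only in suricata.log or the systemd journal.
manual_run() {
    suricata -c "$SURICATA_CONF" -i "$IFACE" --pidfile "$PIDFILE"
}

main() {
    case "$(clear_stale_pidfile "$PIDFILE")" in
        live)    echo "Suricata already running (pid file $PIDFILE is live); stop it first" >&2; exit 1 ;;
        stale)   echo "Removed stale pid file $PIDFILE" ;;
        missing) echo "No pid file at $PIDFILE" ;;
    esac
    check_config && manual_run
}

# Run the full procedure only when explicitly requested (RUN_MAIN=1), so the
# functions can also be sourced and used one at a time.
if [ "${RUN_MAIN:-0}" = 1 ]; then
    main
fi
```

Run it with `sudo RUN_MAIN=1 IFACE=enp0s3 sh suricata-check.sh`. If `check_config` fails, the config (for example a wrong interface name under `af-packet`) is the problem rather than the service unit; if the manual run works but the unit still fails, the unit's `$OPTIONS` is the next thing to look at, since the usage text in the journal above is what Suricata prints when it is started without a capture interface or runmode.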