Unable to run Suricata Windows service at startup

Hi.
I’m trying to run suricata at startup, so as to be able to monitor the endpoints through the Wazuh platform, but the execution of the suricata service seems to fail and stop.
In particular, if I open “services.msc” and search for Suricata service, it’s always not executing.
If I try to start it a popup message appears saying: “The Suricata service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs”.

I installed Suricata stable 6.0.9, and used the default configuration.
So everything is installed in C:\Program Files\Suricata (logs, rules, etc.).
I only changed the HOME_NET value in the suricata.yaml file to match my network configuration.

I tested the program by running (as administrator) the following code:
suricata -c suricata.yaml -i 192.168.50.99
which gives the following output:

23/1/2023 -- 16:15:19 - <Info> - Running as service: no
23/1/2023 -- 16:15:19 - <Info> - translated 192.168.50.99 to pcap device \Device\NPF_{61E3B87F-E9C0-4DCA-8DFA-E9F9FFB543CC}
23/1/2023 -- 16:15:19 - <Notice> - This is Suricata version 6.0.9 RELEASE running in SYSTEM mode
23/1/2023 -- 16:15:19 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol ikev2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
23/1/2023 -- 16:15:19 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
23/1/2023 -- 16:15:19 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
23/1/2023 -- 16:15:19 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named eve-log.ike
23/1/2023 -- 16:15:19 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named eve-log.quic
23/1/2023 -- 16:15:19 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\Program Files\Suricata\\\threshold.config": No such file or directory
23/1/2023 -- 16:15:19 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.

And it starts writing in the eve.json file, which is the file I’m interested in integrating in Wazuh.

However, the service does not run by itself.
I installed the service through this command:

suricata -c suricata.yaml -i 192.168.50.99 -l ./log -knone -vvv --service-install

I even tried to delete the service with:

sc delete suricata

and then creating it again with the command above, but it still shows the same error when trying to execute the service.

Does anyone have any suggestion on how to resolve this issue?

Can you try to run it manually again but this time pass -D and remove the -l /path/ on the command line? That would essentially be running it as a service in the background.

Thank you for the reply.
I’m not sure which command you are referring to, as the only one in which I used the -l option is the service install command.

Which one of the following you want me to run?

  1. the service install command with the -D option and the -l /path/ option removed?
suricata -c suricata.yaml -D -i <ip_address> -knone -vvv --service-install
  2. or the command for executing manually suricata?
suricata -c suricata.yaml -i <ip_address> -D

Thank you, please let me know.

Just the command like so :slight_smile:

suricata -c suricata.yaml -i <ip_address>  -D 

Then see if the process does not disappear like you mentioned before.
I am not sure if it will work like that on Windows though - hence the request to try it out.

Thank you for the reply.
I tested the command and apparently it does not recognize the option.
Here you can see the input command and the output (I used cmd.exe btw):

C:\Program Files\Suricata>suricata -c suricata.yaml -i 192.168.50.64 -D
24/1/2023 -- 09:05:51 - <Info> - Running as service: no
24/1/2023 -- 09:05:51 - <Info> - translated 192.168.50.64 to pcap device \Device\NPF_{61E3B87F-E9C0-4DCA-8DFA-E9F9FFB543CC}
Suricata 6.0.9
USAGE: suricata [OPTIONS] [BPF FILTER]

        -c <path>                            : path to configuration file
        -T                                   : test configuration file (use with -c)
        -i <dev or ip>                       : run in pcap live mode
        -F <bpf filter file>                 : bpf filter file
        -r <path>                            : run in pcap file/offline mode
        -s <path>                            : path to signature file loaded in addition to suricata.yaml settings (optional)
        -S <path>                            : path to signature file loaded exclusively (optional)
        -l <dir>                             : default log directory
        --service-install                    : install as service
        --service-remove                     : remove service
        --service-change-params              : change service startup parameters
        -k [all|none]                        : force checksum check (all) or disabled it (none)
        -V                                   : display Suricata version
        -v                                   : be more verbose (use multiple times to increase verbosity)
        --list-app-layer-protos              : list supported app layer protocols
        --list-keywords[=all|csv|<kword>]    : list keywords implemented by the engine
        --list-runmodes                      : list supported runmodes
        --runmode <runmode_id>               : specific runmode modification the engine should run.  The argument
                                               supplied should be the id for the runmode obtained by running
                                               --list-runmodes
        --engine-analysis                    : print reports on analysis of different sections in the engine and exit.
                                               Please have a look at the conf parameter engine-analysis on what reports
                                               can be printed
        --pidfile <file>                     : write pid to this file
        --init-errors-fatal                  : enable fatal failure on signature init error
        --disable-detection                  : disable detection engine
        --dump-config                        : show the running configuration
        --dump-features                      : display provided features
        --build-info                         : display build information
        --pcap[=<dev>]                       : run in pcap mode, no value select interfaces from suricata.yaml
        --pcap-file-continuous               : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted
        --pcap-file-delete                   : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done
        --pcap-file-recursive                : will descend into subdirectories when running in replay mode (-r)
        --pcap-buffer-size                   : size of the pcap buffer value from 0 - 2147483647
        --simulate-ips                       : force engine into IPS mode. Useful for QA
        --erf-in <path>                      : process an ERF file
        --set name=value                     : set a configuration value


To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:

suricata -c suricata.yaml -s signatures.rules -i eth0

C:\Program Files\Suricata>

Now I’m actually able to run the suricata service.

However, when rebooting the pc, the service is always deactivated at startup.
And I need to go to services.msc and run it from there. When it’s activated, the service runs till you shut down the pc.

Why is that?

It’s already set to “Automatic” in the suricata service properties in services.msc.

I would like the service to be able to execute at startup by its own.
Is there any way I can achieve this in Windows 10 22H2?

Thanks for checking and the feedback.
What changes were needed to run it as a service - out of curiosity ?

I just tried again deleting the service and installing it again. Afterwards, I also changed user ownership and set permissions for the suricata folder (C:\Program Files\Suricata), the log files and the configuration file. Finally I opened “Recovery” tab on the Suricata service properties and set up triggers for the fields “First attempt” and “Second attempt”. I set both of them to “Reboot”.

When I tested it again it worked and the service was able to start without presenting errors.
I’m not sure if it just needed one of the above modifications, but I will test it again in the next few days and let you know.
Anyway, the important thing is that now it can run in the background without the need to launch the command on CMD.exe.

However, I still have to solve the issue that I described in my previous post.
When I boot (or reboot) the system I find the service is not running in the background. I have to go on services.msc and start it from there. When I start it, it runs without any issue for the whole time the pc is on.

Do you have any suggestion or recommendation for solving this issue?

Ok understood - thank you for the feedback.
So basically you need a dependency - the interface should be up and available, then start the service - correct ? (everything else is sorted out)

Yes.
In fact, the service starts correctly at startup only if the network interface is up and has a network connection available to use.
So the idea would be to wait till the interface can connect to the network. Then start the Suricata service.

Any idea?
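The two problems raised in this thread (the “started and then stopped” failure in the first post, and the service needing the interface up before it starts in the last exchange) are both standard Windows service configuration matters. The following PowerShell is an added example written for this page; it is not from the thread or from the Suricata project. It assumes the service is registered as “Suricata” (the thread uses “sc delete suricata”), that the capture driver is Npcap and that its kernel driver service is named “npcap” (an assumption; the script checks the name exists before using it), and that it is run from an elevated PowerShell 5.1 or later prompt. Note that in PowerShell `sc` is an alias of Set-Content, so the service tool has to be invoked as `sc.exe`.

```powershell
# Added example (not from the thread or the Suricata project).
# Assumptions: service name "Suricata"; Npcap driver service "npcap";
# elevated PowerShell 5.1+.

$ServiceName = 'Suricata'

# Why did the service "start and then stop"? The Service Control Manager
# records every start failure and unexpected exit in the System event log,
# so the reason is visible there even when services.msc only shows a popup.
function Get-ServiceStartFailures {
    param([string]$Name, [int]$Last = 10)
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager' }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 1000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Name) } |
        Select-Object -First $Last TimeCreated, Id, Message
}

# Show start type, dependencies and the exact command line the service runs.
# sc.exe qc is used because Get-Service does not display the "delayed" flag.
function Show-ServiceStartConfig {
    param([string]$Name)
    sc.exe qc $Name
}

# Returns $true when a service or kernel driver with that name is registered.
# sc.exe query is used because Get-Service does not list kernel drivers.
function Test-ServiceExists {
    param([string]$Name)
    sc.exe query $Name | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Make the service wait for the TCP/IP stack, the DHCP client and the capture
# driver, and defer it to the delayed-start phase so the adapter has a chance
# to come up before Suricata tries to open it.
function Set-ServiceNetworkDependency {
    param(
        [string]$Name,
        # Tcpip and Dhcp are built-in Windows services; "npcap" is assumed.
        [string[]]$DependsOn = @('Tcpip', 'Dhcp', 'npcap')
    )
    foreach ($dep in $DependsOn) {
        if (-not (Test-ServiceExists -Name $dep)) {
            throw "Dependency '$dep' is not registered on this host; adjust the list."
        }
    }
    # sc.exe syntax needs the space after "depend=" / "start="; deps are '/'-separated.
    sc.exe config $Name depend= ($DependsOn -join '/') | Out-Null
    sc.exe config $Name start= delayed-auto | Out-Null
    # Recovery: restart the service itself after 1 and 2 minutes rather than
    # rebooting the machine; the failure counter resets after a day.
    sc.exe failure $Name reset= 86400 actions= restart/60000/restart/120000 | Out-Null
}

# Usage
Get-ServiceStartFailures -Name $ServiceName
Set-ServiceNetworkDependency -Name $ServiceName
Show-ServiceStartConfig -Name $ServiceName
Start-Service -Name $ServiceName
```

Service dependencies only guarantee that the listed services have reported “running” before the Service Control Manager starts Suricata; they do not guarantee that the adapter has link or an address, which is why delayed start is combined with them here. The recovery action restarts the service rather than the machine, so a persistent failure (for instance a wrong interface address after a network change) shows up as repeated 7031/7034 events in the System log instead of a reboot loop; the same `Get-ServiceStartFailures` query is the first place to look if the service still does not come up after boot.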