Bug #15965
Status: closed
pfSense UI fails to execute Suricata IPS/IDS cmds
Description
Suricata was installed successfully, but when we tried to Disable/Enable Suricata with Rule configuration changes, it was not actually executing the commands. However, on the UI it was showing the action happening. As a result, we were not able to use the UI buttons/links of the pfSense Firewall to manage Suricata and Block/Unblock certain IP Addresses. We could finally disable it using the Cmd layer commands extended by the pfSense UI, but using those Linux commands directly via the interface is dangerous. Need assistance in getting the right version of pfSense that has addressed these UI level bugs (especially encountered while setting up Suricata IPS/IDS).
Current Version Information:
2.7.2-RELEASE (amd64)
built on Wed Dec 6 12:10:00 PST 2023
FreeBSD 14.0-CURRENT
The system is on the latest version.
Updated by Jim Pingle 4 months ago
- Project changed from pfSense to pfSense Packages
- Category changed from Web Interface to Suricata
- Status changed from New to Incomplete
- Priority changed from Very High to Normal
- Release Notes deleted (Default)
Please post on the forum for assistance with troubleshooting.
Updated by Bill Meeks 3 months ago
This sounds very much like a situation where the OP had a duplicate Suricata instance running on the interface. I call those duplicates "zombie instances" because they are running with PIDs unknown to the GUI and thus cannot be controlled by the GUI and do not respond to changes made in the GUI.
The solution in this circumstance is to find and kill the zombie instance(s) or else just reboot the firewall. You can find the zombie instances by using the GUI tools to stop all known running instances of Suricata, then grep the process list for any remaining suricata processes. Kill any Suricata process IDs that remain.
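The check described in the comment above, as an added example that is not part of the original thread and is not pfSense or Suricata package code: it lists Suricata processes whose PID is not recorded in any PID file, which is what makes an instance a "zombie" the GUI cannot control. The PID file directory, the `suricata*.pid` naming and the sample process lines are assumptions; review the reported PIDs before killing anything.

```shell
#!/bin/sh
# Added example (not pfSense or Suricata package code).
# Prints the PID of every suricata process that no PID file accounts for.
# stdin: "PID COMMAND..." lines, e.g. from `ps -axo pid,command`
# $1:    directory of PID files; the suricata*.pid naming is an assumption.
list_untracked_suricata() {
    piddir=$1
    known=" "
    for f in "$piddir"/suricata*.pid; do
        [ -f "$f" ] || continue
        read -r p < "$f" || true            # tolerate a missing final newline
        case $p in ''|*[!0-9]*) continue ;; esac
        known="$known$p "
    done
    while read -r pid cmd || [ -n "$pid" ]; do
        case $pid in ''|*[!0-9]*) continue ;; esac   # skip the ps header line
        exe=${cmd%% *}                      # first word of the command line
        [ "${exe##*/}" = suricata ] || continue      # ignore grep, editors, etc.
        case $known in
            *" $pid "*) ;;                  # tracked: has a PID file
            *) echo "$pid" ;;               # untracked: candidate zombie
        esac
    done
}

# Constructed sample: two suricata processes, only PID 4100 has a PID file.
demo() {
    d=$(mktemp -d) || return 1
    echo 4100 > "$d/suricata_em0.pid"
    list_untracked_suricata "$d" <<'EOF'
  PID COMMAND
 4100 /usr/local/bin/suricata -i em0 -D
 5200 /usr/local/bin/suricata -i em0 -D
 6300 grep suricata
EOF
    rm -rf "$d"
}

# Live use: sh thisfile --scan /var/run   (the directory is an assumption)
if [ "${1:-}" = "--scan" ]; then
    ps -axo pid,command | list_untracked_suricata "${2:-/var/run}"
fi
```

Run it after stopping all instances from the GUI, as the comment suggests; at that point any PID it prints belongs to a process the GUI no longer tracks.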