Suricata package does not survive pfSense upgrade.
After running a firmware update, between snapshots for example, Suricata will no longer start.
This was discussed here:
The solution found there still restores functionality:
/etc/rc.d/ldconfig start; ldd /usr/local/bin/suricata
I am now seeing this on x86 and ARM devices.
#6 Updated by James Dekker about 1 year ago
Install 2.4.4.a.20180810.1914 recovery snapshot for SG-3100. Install Suricata, enable some sources, update, add and enable WAN interface with some rules. Start the interface, it will run. Upgrade to the latest 2.4.4 snapshot (2.4.4.a.20180817.1114 as I type this). Once the upgrade completes, try to start the service; it will not start.
#7 Updated by Chris Macmahon about 1 year ago
- File config-pfSense.localdomain-20180819104256.xml added
- File Screenshot from 2018-08-19 06-43-21.png added
- File Screenshot from 2018-08-19 06-43-35.png added
- File Screenshot from 2018-08-19 06-48-41.png added
- File Screenshot from 2018-08-19 06-49-12.png added
- File Screenshot from 2018-08-19 06-50-07.png added
CE test base xml, and images attached.
Installed Suricata, installed ETOpen Emerging Threats and the Snort Community Ruleset.
Enabled interface, verified it was running.
Updated to Base System 2.4.4.a.20180818.2240
After boot interface was not running.
Clicked the start button in the webgui, no change.
#8 Updated by Steve Wheeler about 1 year ago
Still seeing this. On ARM for example:
Installed packages to be UPGRADED:
    php72-pfSense-module: 0.62_6 -> 0.63_6 [pfSense]
    pfSense-u-boot-sg3100: 2.4.4.a.20180814.1655 -> 2.4.4.a.20180820.0415 [pfSense-core]
    pfSense-rc: 2.4.4.a.20180814.1655 -> 2.4.4.a.20180820.0415 [pfSense-core]
    pfSense-pkg-suricata: 4.0.13_2 -> 4.0.13_3 [pfSense]
    pfSense-kernel-pfSense-SG-3100: 2.4.4.a.20180814.1655 -> 2.4.4.a.20180820.0415 [pfSense-core]
    pfSense-default-config-serial: 2.4.4.a.20180814.1655 -> 2.4.4.a.20180820.0415 [pfSense-core]
    pfSense-base: 2.4.4.a.20180814.1655 -> 2.4.4.a.20180820.0415 [pfSense-core]
    pfSense: 2.4.4.a.20180814.1656 -> 2.4.4.a.20180819.1529 [pfSense]
Running "/etc/rc.d/ldconfig start; ldd /usr/local/bin/suricata" still allows it to start after that so the root cause appears the same.
Interestingly the Suricata package was updated there and that usually allows it to start normally after an upgrade but not this time.
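The workaround above turned into a post-upgrade check, so an IDS that silently failed to start gets noticed. This is an added example, not code posted by anyone in this thread or shipped with the package; the function names, the LDD and LDCONFIG_CMD override hooks, and the library name in the sample are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the thread: post-upgrade check that a binary's
# shared libraries resolve, applying the thread's ldconfig workaround if not.

# Print each library that ldd (output on stdin) reports as unresolved.
# FreeBSD prints "libX.so.N => not found (0)"; Linux omits the "(0)".
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# List unresolved libraries for binary $1. LDD is an assumption of this
# example: an override hook so the logic can be tested without the binary.
check_binary() {
    "${LDD:-ldd}" "$1" 2>/dev/null | missing_libs
}

# Return 0 if all libraries resolve (possibly after rebuilding the hints),
# 1 if some remain unresolved, 2 if the binary is not present.
verify_after_upgrade() {
    bin=${1:-/usr/local/bin/suricata}
    if [ ! -x "$bin" ]; then
        echo "not installed: $bin" >&2
        return 2
    fi
    if [ -z "$(check_binary "$bin")" ]; then
        return 0
    fi
    # Workaround from the thread; LDCONFIG_CMD is this example's test hook.
    ${LDCONFIG_CMD:-/etc/rc.d/ldconfig start} >/dev/null 2>&1 || true
    left=$(check_binary "$bin")
    if [ -z "$left" ]; then
        echo "hints rebuilt, libraries now resolve: $bin"
        return 0
    fi
    echo "still unresolved for $bin:" $left >&2
    return 1
}

# Constructed sample of ldd output (library names are illustrative only).
sample_ldd_output() {
    printf '%s\n' '/usr/local/bin/suricata:' \
        '    libexample.so.1 => not found (0)' \
        '    libc.so.7 => /lib/libc.so.7 (0x20300000)'
}

# Run the check only when the script is given a binary path as an argument.
if [ "$#" -gt 0 ]; then
    verify_after_upgrade "$1"
fi
```

A return code of 1 means rebuilding the hints did not help, which points away from the root cause described in this thread.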