I recently ran into an issue installing Suricata on PFSense which took some time and a team effort to resolve. To save you time I am posting the resolution here.
Suricata installs without any errors but once you define your monitoring interface, the Suricata service starts and then stops. Restarting the service does not help in any way and on the PFSense system logs you are shown the following errors.
My colleague then found another error when viewing the actual Suricata logs which you find by navigating to Service – Suricata – Logs View and selecting the interface and suricata.log as shown below:
The error was:
<Error> — [ERRCODE: SC_ERR_INITIALIZATION(45)] – pid file ‘/var/run/suricata_ix047769.pid’ exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_ix047769.pid. Aborting!
To resolve this issue go to the PFSense Command Prompt by navigating to Diagnostics – Command Prompt and then delete the file as detailed in the command using an rm -f command as shown below.
If you start Suricata now it will start again but then fail as the real issue is the ‘Stream Memory Cap‘ limit which you need to increase. You can read more about it here: https://forum.pfsense.org/index.php?topic=136805.0.
To do this navigate to Services – Suricata – Interfaces and click on the edit icon for the interface in question as per the image below.
Next click to the WAN Flow/Stream tab.
Scroll down until you find the Stream Engine Settings and then increase the memory for the Stream Memory Cap as shown below. In this instance the default was set to 64MB. I doubled it to 128MB and the issue persisted. Only when I doubled it again to 256MB did the problem resolve.
Once you have saved your changes return to Services – Suricata – Interfaces and start the service as shown in the image below
Thank you Frederic L for identifying the error logged in Suricata log file which led to the resolution of this issue.