Hello,
I installed IPFire 2.23 - Core Update 138. After first configuration I had the IDS daemon stopped. I tried to start it, but I had this error on the log (from suricata):
[ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file ‘/var/run/suricata.pid’ exists b ut appears stale. Make sure Suricata is not running and then remove /var/run/sur icata.pid. Aborting!
I deleted the file suricata.pid and I tried to restart the daemon without success. New error was:
[ERRCODE: SC_ERR_UID_FAILED(155)] - unable to get the user ID, check if user exist!!
I have the same problem since the update to core 139 but do not get on how to proceed
my dns server is a local pi-hole registered as dns and has been running without problems for more than 1 year only since the new core 139 update no longer runs suricata
I searched for snort in the two files but found only suricata no snort
system protocol suricata
01:25:40 suricata: [ERRCODE: SC_ERR_FOPEN(44)] - Failed to open configuration include file /var/ipf ire/suricata/suricata-dns-servers.yaml: No such file or directory
01:25:40 suricata: [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - failed to load yaml /etc/suricata/suric ata.yaml
01:44:17 suricata: This is Suricata version 4.1.5 RELEASE
01:44:17 suricata: [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address “192.168. 1.16192.168.1.16”
01:44:17 suricata: [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var “DN S_SERVERS” with value “[192.168.1.16192.168.1.16]”. Please check it’s syntax
01:44:17 suricata: [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors
01:46:27 suricata: This is Suricata version 4.1.5 RELEASE
01:46:27 suricata: [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address “192.168. 1.16192.168.1.16”
the “address string” in your “/var/ipfire/suricata/suricata-dns-servers.yaml” does not look right.
If you installed a test version of the latest core update (139) please set it back to 138 and update again, because this issue has been found and fixed during the testing of the core update. Then please do the same as described below to re-generate the file.
If you installed the final core 139 update please navigate to the suricata page in your WUI, disable the IDS -> Press “Save” -> Re-enable it and once again press the “Save” button. The file now should be re-generated, the declaration fixed and your IPS run smooth.
I did it as you said, deactivate and save it and then activate it again, unfortunately the same error
20:41:15
suricata:
This is Suricata version 4.1.5 RELEASE
20:41:15
suricata:
[ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address “192.168. 1.16192.168.1.16”
20:41:15
suricata:
[ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var “DN S_SERVERS” with value “[192.168.1.16192.168.1.16]”. Please check it’s syntax
20:41:15
suricata:
[ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors
Same problem here. I’ve updated this morning from 138 to 139. Then i’ve noticed that the IPS doesn’t run. Deactivate IPS - save - activate IPS - save didn’t work.
There seemes to be a missing space between the DNS-Servers in suricata.yaml.
Log:
10:45:04 suricata: This is Suricata version 4.1.5 RELEASE
10:45:04 suricata: [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var “DN S_SERVERS” with value “[192.168.178.1192.168.178.1]”. Please check it’s syntax
10:45:04 suricata: |ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors
Located the problem.
If both DNS-Servers have the same IP-Address, no space or comma will be inserted between them.
The section in the file var/ipfire/ids-functions.pl is:
Line 733ff (Function to generate and write the file which contains the configured and used DNS servers.)
# Check if the current DNS server was the last in the array.
if ($server ne $file_content[-1]) {
# Add "," for the next DNS server.
$line = "$line" . "\,";
}
Because of both DNS-Servers have the same Address there will never be inserted anything. The if condition will ever be false because $server is always $file_content[-1]
I’ve changed my secondary DNS-Server to Googles 8.8.8.8 and then the IPS is starting.
unfortunately that doesn’t solve my problem i use a pi-hole as dns and only have one pi-hole no second i have to enter two dns unfortunately and if i enter an external dns it goes past the pi-hole i want to avoid
Found a solution for two identical DNS-Servers which works for me.
Because of we are forced to enter two DNS-Servers in the WUI i have replaced the following code in var/ipfire/ids-functions.pl at line 724ff
} else {
# Loop through the array which contains the file content.
foreach my $server (@file_content) {
# Remove newlines.
chomp($server);
# Add the DNS server to the line.
$line = "$line" . "$server";
# Check if the current DNS server was the last in the array.
if ($server ne $file_content[-1]) {
# Add "," for the next DNS server.
$line = "$line" . "\,";
}
}
}
with these ones
} else {
# Add the DNS server to the line.
$line = "$line" . "$file_content[0]" . "\," . "$file_content[1]";
}
suricata-dns-servers.yaml looks now fine and IPS runs perfectly
#Autogenerated file. Any custom changes will be overwritten!
DNS_SERVERS: "[192.168.178.1,192.168.178.1]"
