There are no logs when Suricata daemons are stopped/started

Good morning.

I’ve noticed that Suricata isn’t showing activity in “Logs → IPS Logs” when running the following commands:

/etc/rc.d/init.d/suricata stop
You wait a few seconds to give it time…
/etc/rc.d/init.d/suricata start

Or by running:

/usr/local/bin/suricatactrl stop
You wait a few seconds to give it time…
/usr/local/bin/suricatactrl start

I have tried this last command (suricatactrl) with the parameters “reload”, “restart”, without positive results.

Apparently everything starts fine but it takes a while to load the rules (which can be understood) but after waiting a reasonable amount of time (15 minutes), nothing appears in the Logs.

Waiting this time, I notice that the loaded memory reaches 323.54 MB or so:

If after this time, I press the “Save” button from the GUI, the loaded memory increases to 435.48 MB and then, it begins recording in the Logs:

In short, to log Suricata once it’s stopped/started, you have to press “Save” from the GUI.

What is executed when the “Save” button is pressed?

Bye.

Hi Roberto.

Two different sorts of logs.

The Logs - IPS Logs shows the IPS rules that have been triggered by something.

For the start up, rules loading etc then you need to look in Logs - System Logs - then in the Section: drop down box select Intrusion Prevention and then press the Update button. This shows all the rule reloads, any rules that were not loaded due to an error in them etc.

Thanks Adolf for your quick response.

It is this time:

The last registration is at:

In System Logs, it appears as if everything is loaded:

IDS system Logs.zip (8,1 KB)

The memory is:

If I press the save button right now:

And:

And System IDS Logs:

IDS system Logs working.zip (8,4 KB)

It’s very strange, isn’t it?

A bug?

Bye.

I am not sure that I am understanding what you are seeing as a problem.

Looking at the difference between the two system logs after you pressed Save, it reloaded the signatures that you have selected.

14:52:54 suricata:  rule reload complete
14:52:47 suricata:  flowbit 'ET.000webhostpost' is checked but not set. Checked in 2052143 and 0 other sigs
14:52:47 suricata:  flowbit 'exe.no.referer' is checked but not set. Checked in 2020500 and 0 other sigs
14:52:47 suricata:  flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 0 other sigs
14:52:47 suricata:  flowbit 'ETPRO.RTF' is checked but not set. Checked in 2020700 and 0 other sigs
14:52:47 suricata:  flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019823 and 0 other sigs
14:52:47 suricata:  flowbit 'ET.BonitaDefaultCreds' is checked but not set. Checked in 2036817 and 0 other sigs
14:52:47 suricata:  flowbit 'dcerpc.rpcnetlogon' is checked but not set. Checked in 2030870 and 6 other sigs
14:52:47 suricata:  flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs
14:52:47 suricata:  flowbit 'ET.PROPFIND' is checked but not set. Checked in 2049438 and 0 other sigs
14:52:47 suricata:  flowbit 'ET.PS.Download' is checked but not set. Checked in 2032169 and 3 other sigs
14:52:47 suricata:  flowbit 'ET.bit.do.shortener' is checked but not set. Checked in 2029550 and 0 other sigs
14:52:47 suricata:  flowbit 'http.dottedquadhost' is checked but not set. Checked in 2021076 and 0 other sigs
14:52:47 suricata:  flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2018428 and 1 other sigs
14:52:47 suricata:  flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017768 and 9 other sigs
14:52:47 suricata:  flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 3 other sigs
14:52:47 suricata:  flowbit 'ET.WebDAVURL' is checked but not set. Checked in 2049320 and 2 other sigs
14:52:47 suricata:  flowbit 'ET.BunnyLoader.Heartbeat' is checked but not set. Checked in 2048403 and 0 other sigs
14:52:47 suricata:  flowbit 'ET.BunnyLoader.Checkin' is checked but not set. Checked in 2048398 and 0 other sigs
14:52:47 suricata:  flowbit 'ET.IIS-Raid.PING' is checked but not set. Checked in 2046175 and 0 other sigs
14:52:47 suricata:  flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
14:52:47 suricata:  flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
14:52:47 suricata:  flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017181 and 11 other sigs
14:52:47 suricata:  flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
14:52:47 suricata:  flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
14:52:47 suricata:  flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 9 other sigs
14:52:47 suricata:  flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
14:52:47 suricata:  flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
14:52:47 suricata:  flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs
14:52:47 suricata:  flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
14:52:47 suricata:  flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
14:52:47 suricata:  flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
14:52:47 suricata:  flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
14:52:47 suricata:  flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
14:52:47 suricata:  flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2013036 and 0 other sigs
14:52:47 suricata:  flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 4 other sigs
14:52:47 suricata:  26309 signatures processed. 1231 are IP-only rules, 3159 are inspecting packet payload, 21892 inspect application layer, 0 are decoder event only
14:52:47 suricata:  Threshold config parsed: 0 rule(s) found
14:52:47 suricata:  24 rule files processed. 26309 rules successfully loaded, 0 rules failed, 0
14:52:05 suricata:  Including configuration file /var/ipfire/suricata/suricata-used-rulesfiles.yaml.
14:52:05 suricata:  Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
14:52:05 suricata:  Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
14:52:05 suricata:  Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
14:52:05 suricata:  rule reload starting

It says that 24 rule files were processed and 26309 rules successfully loaded and 0 rules failed.

Then there are many lines where a rule is checking for a flowbit but it has not been set.

When signature writers create a rule, if they are creating a set of rules then they can set the flowbit in only one of them and check in all the rules. However this then requires that all the rules from that set are all enabled. That is not a bug from IPFire but from the signature writers. I don’t believe it gives a problem, just the message.

Are you saying that you have a problem that your current time was 14:47 but your last IPS rule trigger was at 14:34? That just means that in the 13 minutes in between there were no triggers.

Currently my system is sitting at no triggers for the last 6 minutes and the one before that was 16 minutes prior to that and that is with Suricata turned on for all the interfaces.

If the above is not your concern then please let me know.

Hi Adolf.

One test is to stop/start Suricata using SSH and nothing else. Doing this alone doesn’t log anything.

If you then press “Save,” it starts logging.

Shouldn’t it start logging when you stop and then start the “suricata” process?

I’m not sure I’m explaining myself correctly.

Thanks for the effort.

Hi again Adolf.

Does it work on your IPFire?

The steps are as follows:

  1. Stop Suricata from SSH:

/usr/local/bin/suricatactrl stop

  2. Wait 30 seconds to give it time.

  3. Start Suricata from SSH:

/usr/local/bin/suricatactrl start

  4. After a while, and seeing that Suricata’s memory isn’t increasing, check if the logs are being recorded in “Logs → IPS Logs”.

If it works for you, I’ll have the problem only on my IPFire.

Thanks.

I stopped suricata with /usr/local/suricatactrl stop

System logs showed

17:13:11 suricata:  (W-NFQ#3) Verdict: Accepted 174040, Dropped 171, Replaced 0
17:13:11 suricata:  (W-NFQ#3) Treated: Pkts 174211, Bytes 174746469, Errors 0
17:13:11 suricata:  (W-NFQ#2) Verdict: Accepted 80938, Dropped 139, Replaced 0
17:13:11 suricata:  (W-NFQ#2) Treated: Pkts 81077, Bytes 76103777, Errors 0
17:13:11 suricata:  (W-NFQ#1) Verdict: Accepted 112400, Dropped 69, Replaced 0
17:13:11 suricata:  (W-NFQ#1) Treated: Pkts 112469, Bytes 96119546, Errors 0
17:13:11 suricata:  (W-NFQ#0) Verdict: Accepted 246979, Dropped 288, Replaced 0
17:13:11 suricata:  (W-NFQ#0) Treated: Pkts 247267, Bytes 253652340, Errors 0
17:13:10 suricata:  time elapsed 12929.488s
17:13:09 suricata:  Signal Received.  Stopping engine.

So engine was stopped at 17:13:11

Then I waited for around a minute and then ran
/usr/local/bin/suricatactrl start

After memory level for suricata was no longer increasing the system logs showed

17:16:51 suricata:  Signature(s) loaded, Detect thread(s) activated.
17:16:51 suricata:  rule reload complete
17:14:59 suricata:  flowbit 'exe.no.referer' is checked but not set. Checked in 2020500 and 0 other sigs
17:14:59 suricata:  flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2023313 and 0 other sigs
17:14:59 suricata:  flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019823 and 0 other sigs
17:14:59 suricata:  flowbit 'ET.SW.Bookmark' is checked but not set. Checked in 2061729 and 0 other sigs
17:14:59 suricata:  flowbit 'ET.implantjs.syn' is checked but not set. Checked in 2060257 and 2 other sigs
17:14:59 suricata:  flowbit 'ET.BunnyLoader.Checkin' is checked but not set. Checked in 2048398 and 0 other sigs
17:14:59 suricata:  flowbit 'ET.generictelegram' is checked but not set. Checked in 2045614 and 0 other sigs
17:14:59 suricata:  flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
17:14:59 suricata:  flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
17:14:59 suricata:  flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
17:14:59 suricata:  flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
17:14:59 suricata:  flowbit 'ET.armwget' is checked but not set. Checked in 2024242 and 0 other sigs
17:14:59 suricata:  flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
17:14:59 suricata:  flowbit 'et.MCOFF' is checked but not set. Checked in 2022303 and 0 other sigs
17:14:59 suricata:  flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
17:14:59 suricata:  flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
17:14:59 suricata:  flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
17:14:59 suricata:  flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
17:14:59 suricata:  flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
17:14:59 suricata:  flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
17:14:59 suricata:  flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2013036 and 0 other sigs
17:14:59 suricata:  flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 4 other sigs
17:14:59 suricata:  flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 3 other sigs
17:14:59 suricata:  flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017247 and 0 other sigs
17:14:59 suricata:  flowbit 'ET.000webhostpost' is checked but not set. Checked in 2052143 and 0 other sigs
17:14:59 suricata:  flowbit 'ET.ZIP.Symlink.Inbound' is checked but not set. Checked in 2059742 and 2 other sigs
17:14:59 suricata:  flowbit 'dcerpc.rpcnetlogon' is checked but not set. Checked in 2030870 and 6 other sigs
17:14:59 suricata:  flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs
17:14:59 suricata:  flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 9 other sigs
17:14:59 suricata:  flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017181 and 5 other sigs
17:14:59 suricata:  flowbit 'ET.http.binary' is checked but not set. Checked in 2019421 and 5 other sigs
17:14:59 suricata:  29439 signatures processed. 0 are IP-only rules, 2715 are inspecting packet payload, 26694 inspect application layer, 0 are decoder event only
17:14:58 suricata:  Threshold config parsed: 0 rule(s) found
17:14:58 suricata:  14 rule files processed. 29439 rules successfully loaded, 0 rules failed, 0
17:14:13 suricata:  Including configuration file /var/ipfire/suricata/suricata-used-rulesfiles.yaml.
17:14:13 suricata:  Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
17:14:13 suricata:  Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
17:14:13 suricata:  Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
17:14:13 suricata:  rule reload starting
17:14:13 suricata:  Threads created -> W: 4 FM: 1 FR: 1   Engine started.
17:14:13 suricata:  setting nfnl bufsize to 6144000
17:14:13 suricata:  setting queue length to 4096
17:14:13 suricata:  binding this thread 3 to queue '3'
17:14:13 suricata:  setting nfnl bufsize to 6144000
17:14:13 suricata:  setting queue length to 4096
17:14:13 suricata:  binding this thread 2 to queue '2'
17:14:13 suricata:  setting nfnl bufsize to 6144000
17:14:13 suricata:  setting queue length to 4096
17:14:13 suricata:  binding this thread 1 to queue '1'
17:14:13 suricata:  setting nfnl bufsize to 6144000
17:14:13 suricata:  setting queue length to 4096
17:14:13 suricata:  binding this thread 0 to queue '0'
17:14:13 suricata:  Packets will start being processed before signatures are active.
17:14:13 suricata:  fast output device (regular) initialized: fast.log
17:14:13 suricata:  dropped the caps for main thread
17:14:13 suricata:  NFQ running in REPEAT mode with mark 2147483648/2147483648
17:14:13 suricata:  HTTP memcap: 268435456
17:14:13 suricata:  master exception-policy set to: pass-packet
17:14:13 suricata:  CPUs/cores online: 4
17:14:13 suricata:  This is Suricata version 7.0.10 RELEASE running in SYSTEM mode

So the rule reload was complete at 17:16:51

Before I stopped suricata the last entry in the IPS Logs entry was at 17:07:06

After suricata was back running I then got three entries after the 17:16:51 time at which the suricata rules were fully reloaded.

So Suricata seems to be working for me.

You can test if Suricata is working or not by doing the following.

Add the Emerging Threats Community provider if you don’t have it already.

Then select the emerging-attack_response.rules

The testing rule is selected by default and is called

GPL ATTACK_RESPONSE id check returned root

and then from a machine on your green network (presuming you have the Green interface selected on the IDS WUI page) run the following command.

curl http://testmynids.org/uid/index.html

It will not complete as the command will be blocked so you will need to do a Ctrl-C to get back to your terminal line.

Your IPS Logs will now contain the following log response

This is a standard test function that is described in the Suricata documentation
https://docs.suricata.io/en/latest/quickstart.html#alerting

If you get the log response then everything is working as intended but you are not getting very many traffic attempts that are getting triggered.

If you don’t get that log response then more investigation is needed.

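The reply above makes two checks by hand: that the Intrusion Prevention section of the system log shows the rule reload starting and completing with 0 failed rules, and that IPS Logs entries appear only after the "rule reload complete" time (the engine passes packets before the signatures are active). The script below automates both checks over a constructed log sample; it is an added example, not part of this thread or of IPFire, and the sample lines only imitate the format Adolf quoted.

```shell
#!/bin/sh
# Constructed sample of the IPFire system log, "Intrusion Prevention" section,
# newest line first as the WUI shows it. Not real output from any host.
SAMPLE_LOG='17:16:51 suricata:  Signature(s) loaded, Detect thread(s) activated.
17:16:51 suricata:  rule reload complete
17:14:58 suricata:  14 rule files processed. 29439 rules successfully loaded, 0 rules failed, 0
17:14:13 suricata:  rule reload starting
17:14:13 suricata:  Packets will start being processed before signatures are active.
17:14:13 suricata:  Threads created -> W: 4 FM: 1 FR: 1   Engine started.'

# HH:MM:SS -> seconds since midnight (assumes every line is from the same day).
to_secs() {
    h=${1%%:*}; rest=${1#*:}; m=${rest%%:*}; s=${rest#*:}
    echo $(( ${h#0} * 3600 + ${m#0} * 60 + ${s#0} ))
}

# Timestamp of the newest line matching a pattern, or empty if none.
first_time() {
    printf '%s\n' "$1" | awk -v pat="$2" '$0 ~ pat { print $1; exit }'
}

# Failed-rule count from the "rules successfully loaded, N rules failed" line.
failed_rules() {
    printf '%s\n' "$1" | sed -n 's/.*loaded, \([0-9]*\) rules failed.*/\1/p' | head -n 1
}

# Exit 0 when the reload finished cleanly; print a one-line diagnosis either way.
check_reload() {
    started_at=$(first_time "$1" 'rule reload starting')
    done_at=$(first_time "$1" 'rule reload complete')
    failed=$(failed_rules "$1")
    if [ -z "$started_at" ]; then echo "no rule reload found"; return 1; fi
    if [ -z "$done_at" ]; then
        echo "rule reload started at $started_at but never completed: no alerts expected yet"
        return 1
    fi
    if [ "${failed:-0}" -ne 0 ]; then echo "$failed rule(s) failed to load"; return 1; fi
    echo "rules active since $done_at (reload took $(( $(to_secs "$done_at") - $(to_secs "$started_at") ))s)"
    return 0
}

# An IPS Logs entry is evidence for the restarted engine only if it is not
# older than the reload-complete time; earlier entries came from the old run.
alert_after_reload() {
    [ "$(to_secs "$2")" -ge "$(to_secs "$1")" ]
}

check_reload "$SAMPLE_LOG"
```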
Hi Adolf.

Thank you very much, Adolf, for checking that it works. The problem is most likely with my IPFire, since it’s mounted on a FriendlyElec NanoPi R4S with a MicroSD card.

I’ll try it on a more powerful computer.

Best regards, and thanks again.

Hi @bonnietwin.

Well, it turns out the problem, as you rightly said, isn’t with Suricata. It’s the execution order of a script I have, which ultimately restarts the firewall, and that restart seems to stop Suricata from loading rules.

I also learn from these things.

Best regards, and have a great Sunday.
