Suricata from packages


Suricata from packages

Eric Zylstra
OpenBSD 6.6 Generic.MP amd64
Stable.

I installed suricata using pkg_add.  Having trouble with starting it.

$ doas rcctl start suricata
…fails.  No informative fail message, though.

I’ve tried finding info in logs.  Nothing informative in suricata logs nor /var/log/messages.

$ doas /usr/local/bin/suricata -D
…succeeds.  It runs fine.  That is the same command in the /etc/rc.d/suricata.

Pointers?  Suggestions?  Specific details?

Thanks,

Eric Z


Re: Suricata from packages

Antoine Jacoutot-7
On Fri, Jan 17, 2020 at 11:24:22PM -0600, Eric Zylstra wrote:
> OpenBSD 6.6 Generic.MP amd64
> Stable.
>
> I installed suricata using pkg_add.  Having trouble with starting it.
>
> $ doas rcctl start suricata
> …fails.  No informative fail message, though.

Run rcctl in debug mode.


>
> I’ve tried finding info in logs.  Nothing informative in suricata logs nor /var/log/messages.
>
> $ doas /usr/local/bin/suricata -D
> …succeeds.  It runs fine.  That is the same command in the /etc/rc.d/suricata.
>
> Pointers?  Suggestions?  Specific details?
>
> Thanks,
>
> Eric Z
>

--
Antoine


Re: Suricata from packages

Eric Zylstra


> On Jan 18, 2020, at 6:42 AM, Antoine Jacoutot <[hidden email]> wrote:
>
> On Fri, Jan 17, 2020 at 11:24:22PM -0600, Eric Zylstra wrote:
>> OpenBSD 6.6 Generic.MP amd64
>> Stable.
>>
>> I installed suricata using pkg_add.  Having trouble with starting it.
>>
>> $ doas rcctl start suricata
>> …fails.  No informative fail message, though.
>
> Run rcctl in debug mode.

Notable that man rcctl(8) does not contain the word “debug”.  I had to do a web search to confirm the -d argument was what I needed to get debug output.


$ doas rcctl -d start suricata
doas ([hidden email].) password:
doing _rc_parse_conf
doing _rc_quirks
suricata_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/suricata
doing _rc_quirks
doing rc_check
suricata
doing rc_start
doing _rc_wait start
doing rc_check
Suricata 4.1.5
USAGE: /usr/local/bin/suricata [OPTIONS] [BPF FILTER]

        -c <path>                            : path to configuration file
        -T                                   : test configuration file (use with -c)
        -i <dev or ip>                       : run in pcap live mode
        -F <bpf filter file>                 : bpf filter file
        -r <path>                            : run in pcap file/offline mode
        -d <divert port>                     : run in inline ipfw divert mode
        -s <path>                            : path to signature file loaded in addition to suricata.yaml settings (optional)
        -S <path>                            : path to signature file loaded exclusively (optional)
        -l <dir>                             : default log directory
        -D                                   : run as daemon
        -k [all|none]                        : force checksum check (all) or disabled it (none)
        -V                                   : display Suricata version
        -v[v]                                : increase default Suricata verbosity
        --list-app-layer-protos              : list supported app layer protocols
        --list-keywords[=all|csv|<kword>]    : list keywords implemented by the engine
        --list-runmodes                      : list supported runmodes
        --runmode <runmode_id>               : specific runmode modification the engine should run.  The argument
                                               supplied should be the id for the runmode obtained by running
                                               --list-runmodes
        --engine-analysis                    : print reports on analysis of different sections in the engine and exit.
                                               Please have a look at the conf parameter engine-analysis on what reports
                                               can be printed
        --pidfile <file>                     : write pid to this file
        --init-errors-fatal                  : enable fatal failure on signature init error
        --disable-detection                  : disable detection engine
        --dump-config                        : show the running configuration
        --build-info                         : display build information
        --pcap[=<dev>]                       : run in pcap mode, no value select interfaces from suricata.yaml
        --pcap-file-continuous               : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted
        --pcap-file-delete                   : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done
        --pcap-buffer-size                   : size of the pcap buffer value from 0 - 2147483647
        --simulate-ips                       : force engine into IPS mode. Useful for QA
        --erf-in <path>                      : process an ERF file
        --unix-socket[=<file>]               : use unix socket to control suricata work
        --set name=value                     : set a configuration value


To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:

/usr/local/bin/suricata -c suricata.yaml -s signatures.rules -i eth0

doing _rc_rm_runfile
(failed)


>
>
>>
>> I’ve tried finding info in logs.  Nothing informative in suricata logs nor /var/log/messages.
>>
>> $ doas /usr/local/bin/suricata -D
>> …succeeds.  It runs fine.  That is the same command in the /etc/rc.d/suricata.
>>
>> Pointers?  Suggestions?  Specific details?
>>
>> Thanks,
>>
>> Eric Z
>>
>
> --
> Antoine


Re: Suricata from packages

Eric Zylstra

> On Jan 18, 2020, at 9:08 AM, Eric Zylstra <[hidden email]> wrote:
>
>
>
>> On Jan 18, 2020, at 6:42 AM, Antoine Jacoutot <[hidden email] <mailto:[hidden email]>> wrote:
>>
>> On Fri, Jan 17, 2020 at 11:24:22PM -0600, Eric Zylstra wrote:
>>> OpenBSD 6.6 Generic.MP amd64
>>> Stable.
>>>
>>> I installed suricata using pkg_add.  Having trouble with starting it.
>>>
>>> $ doas rcctl start suricata
>>> …fails.  No informative fail message, though.
>>

I get the same result with a clean OBSD 6.6 install.


>> Run rcctl in debug mode.
>
> Notable that man rcctl(8) does not contain the word “debug”.  I had to do a web search to confirm the -d argument was what I needed to get debug output.
>
>
> $ doas rcctl -d start suricata
> doas ([hidden email] <mailto:[hidden email]>.) password:
> doing _rc_parse_conf
> doing _rc_quirks
> suricata_flags empty, using default ><
> doing _rc_parse_conf /var/run/rc.d/suricata
> doing _rc_quirks
> doing rc_check
> suricata
> doing rc_start
> doing _rc_wait start
> doing rc_check
> Suricata 4.1.5
> USAGE: /usr/local/bin/suricata [OPTIONS] [BPF FILTER]
>
> -c <path>                            : path to configuration file
> -T                                   : test configuration file (use with -c)
> -i <dev or ip>                       : run in pcap live mode
> -F <bpf filter file>                 : bpf filter file
> -r <path>                            : run in pcap file/offline mode
> -d <divert port>                     : run in inline ipfw divert mode
> -s <path>                            : path to signature file loaded in addition to suricata.yaml settings (optional)
> -S <path>                            : path to signature file loaded exclusively (optional)
> -l <dir>                             : default log directory
> -D                                   : run as daemon
> -k [all|none]                        : force checksum check (all) or disabled it (none)
> -V                                   : display Suricata version
> -v[v]                                : increase default Suricata verbosity
> --list-app-layer-protos              : list supported app layer protocols
> --list-keywords[=all|csv|<kword>]    : list keywords implemented by the engine
> --list-runmodes                      : list supported runmodes
> --runmode <runmode_id>               : specific runmode modification the engine should run.  The argument
>                                       supplied should be the id for the runmode obtained by running
>                                       --list-runmodes
> --engine-analysis                    : print reports on analysis of different sections in the engine and exit.
>                                       Please have a look at the conf parameter engine-analysis on what reports
>                                       can be printed
> --pidfile <file>                     : write pid to this file
> --init-errors-fatal                  : enable fatal failure on signature init error
> --disable-detection                  : disable detection engine
> --dump-config                        : show the running configuration
> --build-info                         : display build information
> --pcap[=<dev>]                       : run in pcap mode, no value select interfaces from suricata.yaml
> --pcap-file-continuous               : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted
> --pcap-file-delete                   : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done
> --pcap-buffer-size                   : size of the pcap buffer value from 0 - 2147483647
> --simulate-ips                       : force engine into IPS mode. Useful for QA
> --erf-in <path>                      : process an ERF file
> --unix-socket[=<file>]               : use unix socket to control suricata work
> --set name=value                     : set a configuration value
>
>
> To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:
>
> /usr/local/bin/suricata -c suricata.yaml -s signatures.rules -i eth0
>
> doing _rc_rm_runfile
> (failed)
>

The complaint appears to be that the invocation of suricata in the rc file isn’t proper.  If I use the exact command on the command line, it works.  This feels like a problem with the package.  Am I the only one trying suricata, or the only one triggering the issue?

EZ

>
>>
>>
>>>
>>> I’ve tried finding info in logs.  Nothing informative in suricata logs nor /var/log/messages.
>>>
>>> $ doas /usr/local/bin/suricata -D
>>> …succeeds.  It runs fine.  That is the same command in the /etc/rc.d/suricata.
>>>
>>> Pointers?  Suggestions?  Specific details?
>>>
>>> Thanks,
>>>
>>> Eric Z
>>>
>>
>> --
>> Antoine


Re: Suricata from packages

Stuart Henderson
In reply to this post by Eric Zylstra
On 2020-01-18, Eric Zylstra <[hidden email]> wrote:
>
>
>> On Jan 18, 2020, at 6:42 AM, Antoine Jacoutot <[hidden email]> wrote:
>>
>> On Fri, Jan 17, 2020 at 11:24:22PM -0600, Eric Zylstra wrote:
>>> OpenBSD 6.6 Generic.MP amd64
>>> Stable.
>>>
>>> I installed suricata using pkg_add.  Having trouble with starting it.

pkg_add pointed you at the pkg-readme file when you installed suricata.
Did you follow the instructions in that file?



Re: Suricata from packages

b2s2d
In reply to this post by Eric Zylstra
On 2020-01-18 07:08, Eric Zylstra wrote:

>> On Jan 18, 2020, at 6:42 AM, Antoine Jacoutot <[hidden email]>
>> wrote:
>>
>> On Fri, Jan 17, 2020 at 11:24:22PM -0600, Eric Zylstra wrote:
>>> OpenBSD 6.6 Generic.MP amd64
>>> Stable.
>>>
>>> I installed suricata using pkg_add.  Having trouble with starting it.
>>>
>>> $ doas rcctl start suricata
>>> …fails.  No informative fail message, though.
>>
>> Run rcctl in debug mode.
>
> Notable that man rcctl(8) does not contain the word “debug”.  I had to
> do a web search to confirm the -d argument was what I needed to get
> debug output.
>
>


Greetings,

I have been using Suricata from Packages for a while now. No real changes to
configs.
I don't use /etc/rc.d/suricata at all.


To START suricata in live mode -
Do this (as root):

#suricata -v -c /etc/suricata/suricata.yaml -i em0 &

(please substitute your collection I/F as needed. Mine is em0 as in the
example above)

Let that stew for a while but you can hit enter to get back to your
prompt.


To STOP suricata: pgrep suricata and kill -9 the pid returned.

If I may add:
Be sure to keep an eye on your logs as they will grow beyond bounds
(/var/logs/suricata/). I generate eve.json at about 6GB in size in about
10 days.

Regards,
Zann


Re: Suricata from packages

Eric Zylstra
In reply to this post by Stuart Henderson


> On Jan 21, 2020, at 1:45 PM, Stuart Henderson <[hidden email]> wrote:
>
> On 2020-01-18, Eric Zylstra <[hidden email]> wrote:
>>
>>
>>> On Jan 18, 2020, at 6:42 AM, Antoine Jacoutot <[hidden email]> wrote:
>>>
>>> On Fri, Jan 17, 2020 at 11:24:22PM -0600, Eric Zylstra wrote:
>>>> OpenBSD 6.6 Generic.MP amd64
>>>> Stable.
>>>>
>>>> I installed suricata using pkg_add.  Having trouble with starting it.
>
> pkg_add pointed you at the pkg-readme file when you installed suricata.
> Did you follow the instructions in that file?
>
>

The file /usr/local/share/doc/suricata/README is an empty file.


Re: Suricata from packages

Stuart Henderson
On 2020/01/21 15:40, Eric Zylstra wrote:

>
>
> > On Jan 21, 2020, at 1:45 PM, Stuart Henderson <[hidden email]> wrote:
> >
> > On 2020-01-18, Eric Zylstra <[hidden email]> wrote:
> >>
> >>
> >>> On Jan 18, 2020, at 6:42 AM, Antoine Jacoutot <[hidden email]> wrote:
> >>>
> >>> On Fri, Jan 17, 2020 at 11:24:22PM -0600, Eric Zylstra wrote:
> >>>> OpenBSD 6.6 Generic.MP amd64
> >>>> Stable.
> >>>>
> >>>> I installed suricata using pkg_add.  Having trouble with starting it.
> >
> > pkg_add pointed you at the pkg-readme file when you installed suricata.
> > Did you follow the instructions in that file?
> >
> >
>
> The file /usr/local/share/doc/suricata/README is an empty file.

Hmm, yes all the files in /usr/local/share/doc/suricata seem completely
useless in the current version.

$ grep -R . /usr/local/share/doc/suricata
/usr/local/share/doc/suricata/NEWS:https://suricata-ids.org/news/
/usr/local/share/doc/suricata/TODO:Plenty, and you're welcome to help!
/usr/local/share/doc/suricata/TODO:https://suricata-ids.org/participate/
/usr/local/share/doc/suricata/AUTHORS:Team:
/usr/local/share/doc/suricata/AUTHORS:https://suricata-ids.org/about/team/
/usr/local/share/doc/suricata/AUTHORS:All contributors:
/usr/local/share/doc/suricata/AUTHORS:https://www.ohloh.net/p/suricata-engine/contributors/summary

CC'ing port maintainers, can I just remove them? (Diff below).

I am pretty certain that the OpenBSD-specific pkg-readme (which you let me know
you found after writing this mail) has enough to fix the problem you're
running into.


Index: Makefile
===================================================================
RCS file: /cvs/ports/security/suricata/Makefile,v
retrieving revision 1.27
diff -u -p -r1.27 Makefile
--- Makefile 16 Dec 2019 15:33:27 -0000 1.27
+++ Makefile 21 Jan 2020 21:55:02 -0000
@@ -4,6 +4,7 @@ COMMENT = high performance network IDS,
 
 SURICATA_V = 5.0.1
 SUPDATE_V = 1.1.1
+REVISION = 0
 
 DISTNAME = suricata-${SURICATA_V}
 CATEGORIES = security
@@ -72,8 +73,6 @@ post-install:
  ${INSTALL_DATA} ${WRKSRC}/*.config ${PREFIX}/share/examples/suricata
  ${INSTALL_DATA} ${WRKSRC}/suricata.yaml ${PREFIX}/share/examples/suricata
  ${INSTALL_DATA} ${WRKSRC}/rules/*.rules ${PREFIX}/share/examples/suricata/rules
- rm ${PREFIX}/share/doc/suricata/{*.txt,GITGUIDE,INSTALL*}
- ${INSTALL_DATA} ${WRKSRC}/doc/{AUTHORS,NEWS,README,TODO} \
- ${PREFIX}/share/doc/suricata
+ rm -r ${PREFIX}/share/doc/suricata # nothing particularly useful in there as of 5.0.1
 
 .include <bsd.port.mk>
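Review bot: `rm -r` without `-f` on the new last recipe line turns a missing ${PREFIX}/share/doc/suricata into a build failure, so the post-install target breaks as soon as a later SURICATA_V stops installing that directory; `rm -rf` (or a `[ -d ... ]` guard) avoids that. The trailing `# nothing particularly useful in there as of 5.0.1` is also better as its own comment line above the recipe than appended to the shell command, where it reads as part of the rm invocation and is easy to overlook at the next update.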
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/suricata/pkg/PLIST,v
retrieving revision 1.11
diff -u -p -r1.11 PLIST
--- pkg/PLIST 16 Dec 2019 15:33:27 -0000 1.11
+++ pkg/PLIST 21 Jan 2020 21:55:02 -0000
@@ -150,11 +150,6 @@ ${MODPY_COMMENT}lib/python${MODPY_VERSIO
 lib/python${MODPY_VERSION}/site-packages/suricatasc/${MODPY_PYCACHE}__init__.${MODPY_PYC_MAGIC_TAG}pyc
 @man man/man1/suricata.1
 share/doc/pkg-readmes/${PKGSTEM}
-share/doc/suricata/
-share/doc/suricata/AUTHORS
-share/doc/suricata/NEWS
-share/doc/suricata/README
-share/doc/suricata/TODO
 @sample ${SYSCONFDIR}/suricata/
 @sample ${SYSCONFDIR}/suricata/rules/
 share/examples/suricata/
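Review bot: the removed PLIST entries match the Makefile change, but `share/doc/pkg-readmes/${PKGSTEM}` is now the only documentation the package installs; since this thread shows users reaching for /usr/local/share/doc/suricata/README first, make sure the pkg-readme stands on its own, and regenerate with `make update-plist` to confirm nothing else under share/doc/suricata is left orphaned.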





Re: Suricata from packages

Eric Zylstra
The pkg-readme was perfect.  Concise and all I need to know.  Two minutes and I’m good to go.

Thanks all!

EZ


Sent from my iPhone

> On Jan 21, 2020, at 3:59 PM, Stuart Henderson <[hidden email]> wrote:
>
> On 2020/01/21 15:40, Eric Zylstra wrote:
>>
>>
>>>> On Jan 21, 2020, at 1:45 PM, Stuart Henderson <[hidden email]> wrote:
>>>
>>> On 2020-01-18, Eric Zylstra <[hidden email]> wrote:
>>>>
>>>>
>>>>> On Jan 18, 2020, at 6:42 AM, Antoine Jacoutot <[hidden email]> wrote:
>>>>>
>>>>> On Fri, Jan 17, 2020 at 11:24:22PM -0600, Eric Zylstra wrote:
>>>>>> OpenBSD 6.6 Generic.MP amd64
>>>>>> Stable.
>>>>>>
>>>>>> I installed suricata using pkg_add.  Having trouble with starting it.
>>>
>>> pkg_add pointed you at the pkg-readme file when you installed suricata.
>>> Did you follow the instructions in that file?
>>>
>>>
>>
>> The file /usr/local/share/doc/suricata/README is an empty file.
>
> Hmm, yes all the files in /usr/local/share/doc/suricata seem completely
> useless in the current version.
>
> $ grep -R . /usr/local/share/doc/suricata
> /usr/local/share/doc/suricata/NEWS:https://suricata-ids.org/news/
> /usr/local/share/doc/suricata/TODO:Plenty, and you're welcome to help!
> /usr/local/share/doc/suricata/TODO:https://suricata-ids.org/participate/
> /usr/local/share/doc/suricata/AUTHORS:Team:
> /usr/local/share/doc/suricata/AUTHORS:https://suricata-ids.org/about/team/
> /usr/local/share/doc/suricata/AUTHORS:All contributors:
> /usr/local/share/doc/suricata/AUTHORS:https://www.ohloh.net/p/suricata-engine/contributors/summary
>
> CC'ing port maintainers, can I just remove them? (Diff below).
>
> I am pretty certain that the OpenBSD-specific pkg-readme (which you let me know
> you found after writing this mail) has enough to fix the problem you're
> running into.
>
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/security/suricata/Makefile,v
> retrieving revision 1.27
> diff -u -p -r1.27 Makefile
> --- Makefile    16 Dec 2019 15:33:27 -0000    1.27
> +++ Makefile    21 Jan 2020 21:55:02 -0000
> @@ -4,6 +4,7 @@ COMMENT =    high performance network IDS,
>
> SURICATA_V =    5.0.1
> SUPDATE_V =    1.1.1
> +REVISION =    0
>
> DISTNAME =    suricata-${SURICATA_V}
> CATEGORIES =    security
> @@ -72,8 +73,6 @@ post-install:
>    ${INSTALL_DATA} ${WRKSRC}/*.config ${PREFIX}/share/examples/suricata
>    ${INSTALL_DATA} ${WRKSRC}/suricata.yaml ${PREFIX}/share/examples/suricata
>    ${INSTALL_DATA} ${WRKSRC}/rules/*.rules ${PREFIX}/share/examples/suricata/rules
> -    rm ${PREFIX}/share/doc/suricata/{*.txt,GITGUIDE,INSTALL*}
> -    ${INSTALL_DATA} ${WRKSRC}/doc/{AUTHORS,NEWS,README,TODO} \
> -        ${PREFIX}/share/doc/suricata
> +    rm -r ${PREFIX}/share/doc/suricata # nothing particularly useful in there as of 5.0.1
>
> .include <bsd.port.mk>
> Index: pkg/PLIST
> ===================================================================
> RCS file: /cvs/ports/security/suricata/pkg/PLIST,v
> retrieving revision 1.11
> diff -u -p -r1.11 PLIST
> --- pkg/PLIST    16 Dec 2019 15:33:27 -0000    1.11
> +++ pkg/PLIST    21 Jan 2020 21:55:02 -0000
> @@ -150,11 +150,6 @@ ${MODPY_COMMENT}lib/python${MODPY_VERSIO
> lib/python${MODPY_VERSION}/site-packages/suricatasc/${MODPY_PYCACHE}__init__.${MODPY_PYC_MAGIC_TAG}pyc
> @man man/man1/suricata.1
> share/doc/pkg-readmes/${PKGSTEM}
> -share/doc/suricata/
> -share/doc/suricata/AUTHORS
> -share/doc/suricata/NEWS
> -share/doc/suricata/README
> -share/doc/suricata/TODO
> @sample ${SYSCONFDIR}/suricata/
> @sample ${SYSCONFDIR}/suricata/rules/
> share/examples/suricata/
>
>
>
>


Re: Suricata from packages

Stuart Henderson
In reply to this post by b2s2d
On 2020-01-21, [hidden email] <[hidden email]> wrote:
> To START suricata in live mode -
> Do this (as root):
>
> #suricata -v -c /etc/suricata/suricata.yaml -i em0 &

Well, that's one way. Or you can use the OS mechanisms.

> To STOP suricata: pgrep suricata and kill -9 the pid returned.

Why pgrep then kill when you can just pkill?

-9 is a bit of a big hammer and doesn't give things a chance to close cleanly.
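Stuart's point (pkill sends SIGTERM by default, and -9 skips the daemon's own cleanup) as an added shell example that is not from the thread or the OpenBSD port: stop a process by PID with SIGTERM first and fall back to SIGKILL only after a grace period, with a pgrep-based wrapper for daemons you only know by name. The PID-file path in the usage comment is a placeholder, not the package's.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenBSD suricata port.
# Stop a daemon politely: SIGTERM first (what pkill sends by default), so
# Suricata gets the chance to close its output files; escalate to SIGKILL
# only if the process is still around after a grace period.
#
# Return codes: 0 = exited on SIGTERM (or was not running),
#               1 = needed SIGKILL, 2 = still alive / could not be signalled.
# Plain POSIX sh, so no "local": variables are deliberately simple globals.

is_alive() {
    # kill -0 sends no signal; it only checks that the PID exists and is ours
    kill -0 "$1" 2>/dev/null
}

graceful_stop() {
    pid=$1
    grace=${2:-10}          # seconds to wait before escalating

    is_alive "$pid" || return 0
    kill -TERM "$pid" 2>/dev/null || return 2

    i=0
    while [ "$i" -lt "$grace" ]; do
        is_alive "$pid" || return 0
        sleep 1
        i=$((i + 1))
    done

    # Still running after the grace period: now use the big hammer.
    kill -KILL "$pid" 2>/dev/null || true
    sleep 1
    is_alive "$pid" && return 2
    return 1
}

# Name-based variant for daemons without a PID file: one polite stop per
# matching process (pgrep -x matches the exact process name, so "suricata"
# does not also hit e.g. suricata-update).
stop_by_name() {
    name=$1
    grace=${2:-10}
    rc=0
    for p in $(pgrep -x "$name"); do
        graceful_stop "$p" "$grace" || rc=$?
    done
    return "$rc"
}

# Usage (the PID-file path is a placeholder; use whatever --pidfile points at):
#   graceful_stop "$(cat /path/to/suricata.pid)" 15
#   stop_by_name suricata 15
```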


Re: Suricata from packages

b2s2d
On 2020-01-21 18:49, Stuart Henderson wrote:

> On 2020-01-21, [hidden email] <[hidden email]> wrote:
>> To START suricata in live mode -
>> Do this (as root):
>>
>> #suricata -v -c /etc/suricata/suricata.yaml -i em0 &
>
> Well, that's one way. Or you can use the OS mechanisms.
>
>> To STOP suricata: pgrep suricata and kill -9 the pid returned.
>
> Why pgrep then kill when you can just pkill?
>
> -9 is a bit of a big hammer and doesn't give things a chance to close
> cleanly.

Noted. I will use pkill.

Thanks.

Zann


Re: Suricata from packages

mymlact@gmx.com
In reply to this post by b2s2d
On 1/21/20 1:05 PM, [hidden email] wrote:

> On 2020-01-18 07:08, Eric Zylstra wrote:
>>> On Jan 18, 2020, at 6:42 AM, Antoine Jacoutot <[hidden email]>
>>> wrote:
>>>
>>> On Fri, Jan 17, 2020 at 11:24:22PM -0600, Eric Zylstra wrote:
>>>> OpenBSD 6.6 Generic.MP amd64
>>>> Stable.
>>>>
>>>> I installed suricata using pkg_add.  Having trouble with starting it.
>>>>
>>>> $ doas rcctl start suricata
>>>> …fails.  No informative fail message, though.
>>>
>>> Run rcctl in debug mode.
>>
>> Notable that man rcctl(8) does not contain the word “debug”.  I had to
>> do a web search to confirm the -d argument was what I needed to get
>> debug output.
>>
>>
>
>
>
>
> Greetings,
>
> I use Suricata from Packages for a while now. No real changes to configs.
> I don't use /etc/rc.d/suricata at all.
>
>
> To START suricata in live mode -
> Do this (as root):
>
> #suricata -v -c /etc/suricata/suricata.yaml -i em0 &
>
> (please substitute your collection I/F as needed. Mine is em0 as in the
> example above)
>
> Let that stew for a while but you can hit enter to get back to your prompt.
>
>
> To STOP suricata: pgrep suricata and kill -9 the pid returned.
>
> If I may add:
> Be sure to keep an eye on your logs as they will grow beyond bounds
> (/var/logs/suricata/). I generate eve.json at about 6GB in size in about
> 10 days.
>
> Regards,
> Zann
>
Side question; I'll post a new thread if people prefer:

Suricata seems like a really interesting project but since it is
associated with homeland, is it trusted by the OBSD community?

Thanks.