> On Jan 18, 2020, at 6:42 AM, Antoine Jacoutot <ajacou...@bsdfrog.org> wrote:
>
> On Fri, Jan 17, 2020 at 11:24:22PM -0600, Eric Zylstra wrote:
>> OpenBSD 6.6 Generic.MP amd64
>> Stable.
>>
>> I installed suricata using pkg_add. Having trouble with starting it.
>>
>> $ doas rcctl start suricata
>> …fails. No informative fail message, though.
>
> Run rcctl in debug mode.
Notable that man rcctl(8) does not contain the word “debug”. I had to do a web
search to confirm the -d argument was what I needed to get debug output.
$ doas rcctl -d start suricata
doas (dixon@dixon.local.) password:
doing _rc_parse_conf
doing _rc_quirks
suricata_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/suricata
doing _rc_quirks
doing rc_check
suricata
doing rc_start
doing _rc_wait start
doing rc_check
Suricata 4.1.5
USAGE: /usr/local/bin/suricata [OPTIONS] [BPF FILTER]
-c <path> : path to configuration file
-T : test configuration file (use
with -c)
-i <dev or ip> : run in pcap live mode
-F <bpf filter file> : bpf filter file
-r <path> : run in pcap file/offline mode
-d <divert port> : run in inline ipfw divert mode
-s <path> : path to signature file loaded in
addition to suricata.yaml settings (optional)
-S <path> : path to signature file loaded
exclusively (optional)
-l <dir> : default log directory
-D : run as daemon
-k [all|none] : force checksum check (all) or
disabled it (none)
-V : display Suricata version
-v[v] : increase default Suricata
verbosity
--list-app-layer-protos : list supported app layer
protocols
--list-keywords[=all|csv|<kword>] : list keywords implemented by the
engine
--list-runmodes : list supported runmodes
--runmode <runmode_id> : specific runmode modification
the engine should run. The argument
supplied should be the id for
the runmode obtained by running
--list-runmodes
--engine-analysis : print reports on analysis of
different sections in the engine and exit.
Please have a look at the conf
parameter engine-analysis on what reports
can be printed
--pidfile <file> : write pid to this file
--init-errors-fatal : enable fatal failure on
signature init error
--disable-detection : disable detection engine
--dump-config : show the running configuration
--build-info : display build information
--pcap[=<dev>] : run in pcap mode, no value
select interfaces from suricata.yaml
--pcap-file-continuous : when running in pcap mode with a
directory, continue checking directory for pcaps until interrupted
--pcap-file-delete : when running in replay mode (-r
with directory or file), will delete pcap files that have been processed when
done
--pcap-buffer-size : size of the pcap buffer value
from 0 - 2147483647
--simulate-ips : force engine into IPS mode.
Useful for QA
--erf-in <path> : process an ERF file
--unix-socket[=<file>] : use unix socket to control
suricata work
--set name=value : set a configuration value
To run the engine with default configuration on interface eth0 with signature
file "signatures.rules", run the command as:
/usr/local/bin/suricata -c suricata.yaml -s signatures.rules -i eth0
doing _rc_rm_runfile
(failed)
>
>
>>
>> I’ve tried finding info in logs. Nothing informative in suricata logs nor
>> /var/log/messages.
>>
>> $ doas /usr/local/bin/suricata -D
>> …succeeds. It runs fine. That is the same command in the
>> /etc/rc.d/suricata.
>>
>> Pointers? Suggestions? Specific details?
>>
>> Thanks,
>>
>> Eric Z
>>
>
> --
> Antoine
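An added example, not part of the thread above and not OpenBSD's rc.subr(8) code: a small sh script that reads a saved `rcctl -d` transcript like the one pasted above and reports the two things that transcript actually shows, the `suricata_flags empty, using default ><` line (rc.subr found no flags in rc.conf.local and the script's own default was empty, so the daemon was exec'd with no arguments) and the usage banner (the daemon rejected its command line and exited before `rc_check` could find it). The transcript embedded in the script is constructed to mirror the one above; the function and file names are mine and not anything rcctl provides.

```shell
#!/bin/sh
# Added example: diagnose a saved `rcctl -d start <svc>` transcript.
# Assumption: the file holds rc.subr(8) debug output as pasted in the thread.

# Constructed transcript mirroring the failing start shown above.
make_sample() {
  cat > "$1" <<'EOF'
doing _rc_parse_conf
doing _rc_quirks
suricata_flags empty, using default ><
doing rc_check
suricata
doing rc_start
doing _rc_wait start
doing rc_check
Suricata 4.1.5
USAGE: /usr/local/bin/suricata [OPTIONS] [BPF FILTER]
doing _rc_rm_runfile
(failed)
EOF
}

# Constructed transcript of a healthy start (flags supplied, daemon found running).
make_healthy_sample() {
  cat > "$1" <<'EOF'
doing _rc_parse_conf
doing _rc_quirks
suricata_flags empty, using default >-D<
doing rc_check
doing rc_start
doing _rc_wait start
doing rc_check
(ok)
EOF
}

# rcctl_diagnose FILE
# Prints one finding per line; returns 0 if nothing looked wrong, 1 otherwise.
rcctl_diagnose() {
  f=$1
  rc=0
  # rc.subr prints "<svc>_flags empty, using default >DEFAULT<". When DEFAULT is
  # also empty (">><" with nothing between), the daemon is exec'd with no arguments.
  if grep -q '_flags empty, using default ><$' "$f"; then
    echo "flags: empty (daemon started with no arguments)"
    rc=1
  fi
  # A usage banner in the transcript means the daemon rejected its command line
  # and exited, so the following rc_check cannot find it running.
  if grep -q '^USAGE:' "$f"; then
    echo "daemon: printed its usage and exited (invalid or missing arguments)"
    rc=1
  fi
  if grep -q '^(failed)$' "$f"; then
    echo "rcctl: reported (failed)"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "ok: no problems detected"
  return "$rc"
}

# Run on a transcript given as argument, e.g.:
#   doas rcctl -d start suricata 2>&1 | tee /tmp/suricata.rcctl
#   sh rcctl_diagnose.sh /tmp/suricata.rcctl
if [ $# -gt 0 ]; then
  rcctl_diagnose "$1"
fi
```

The checks are deliberately anchored to rc.subr's own debug strings, so the script stays quiet on a transcript where flags were supplied and the daemon stayed up; the point is to turn the silent "(failed)" into a statement of which stage broke.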