> On Jan 18, 2020, at 9:08 AM, Eric Zylstra <[email protected]> wrote:
>
>> On Jan 18, 2020, at 6:42 AM, Antoine Jacoutot <[email protected]> wrote:
>>
>> On Fri, Jan 17, 2020 at 11:24:22PM -0600, Eric Zylstra wrote:
>>> OpenBSD 6.6 Generic.MP amd64
>>> Stable.
>>>
>>> I installed suricata using pkg_add. Having trouble with starting it.
>>>
>>> $ doas rcctl start suricata
>>> …fails. No informative fail message, though.
>>>
>>> I get the same result with a clean OBSD 6.6 install.
>>
>> Run rcctl in debug mode.
>
> Notable that man rcctl(8) does not contain the word “debug”. I had to do a
> web search to confirm the -d argument was what I needed to get debug output.
>
> $ doas rcctl -d start suricata
> doas ([email protected]) password:
> doing _rc_parse_conf
> doing _rc_quirks
> suricata_flags empty, using default ><
> doing _rc_parse_conf /var/run/rc.d/suricata
> doing _rc_quirks
> doing rc_check
> suricata
> doing rc_start
> doing _rc_wait start
> doing rc_check
> Suricata 4.1.5
> USAGE: /usr/local/bin/suricata [OPTIONS] [BPF FILTER]
>
>         -c <path>                            : path to configuration file
>         -T                                   : test configuration file (use with -c)
>         -i <dev or ip>                       : run in pcap live mode
>         -F <bpf filter file>                 : bpf filter file
>         -r <path>                            : run in pcap file/offline mode
>         -d <divert port>                     : run in inline ipfw divert mode
>         -s <path>                            : path to signature file loaded in addition to suricata.yaml settings (optional)
>         -S <path>                            : path to signature file loaded exclusively (optional)
>         -l <dir>                             : default log directory
>         -D                                   : run as daemon
>         -k [all|none]                        : force checksum check (all) or disabled it (none)
>         -V                                   : display Suricata version
>         -v[v]                                : increase default Suricata verbosity
>         --list-app-layer-protos              : list supported app layer protocols
>         --list-keywords[=all|csv|<kword>]    : list keywords implemented by the engine
>         --list-runmodes                      : list supported runmodes
>         --runmode <runmode_id>               : specific runmode modification the engine should run. The argument supplied should be the id for the runmode obtained by running --list-runmodes
>         --engine-analysis                    : print reports on analysis of different sections in the engine and exit. Please have a look at the conf parameter engine-analysis on what reports can be printed
>         --pidfile <file>                     : write pid to this file
>         --init-errors-fatal                  : enable fatal failure on signature init error
>         --disable-detection                  : disable detection engine
>         --dump-config                        : show the running configuration
>         --build-info                         : display build information
>         --pcap[=<dev>]                       : run in pcap mode, no value select interfaces from suricata.yaml
>         --pcap-file-continuous               : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted
>         --pcap-file-delete                   : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done
>         --pcap-buffer-size                   : size of the pcap buffer value from 0 - 2147483647
>         --simulate-ips                       : force engine into IPS mode. Useful for QA
>         --erf-in <path>                      : process an ERF file
>         --unix-socket[=<file>]               : use unix socket to control suricata work
>         --set name=value                     : set a configuration value
>
>
> To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:
>
> /usr/local/bin/suricata -c suricata.yaml -s signatures.rules -i eth0
>
> doing _rc_rm_runfile
> (failed)
>
> The complaint appears to be that the invocation of suricata in the rc file isn’t proper. If I use the exact command on the command line, it works. This feels like a problem with the package. Am I the only one trying suricata, or the only one triggering the issue?
>
> EZ
>
>>>
>>> I’ve tried finding info in logs. Nothing informative in suricata logs nor
>>> /var/log/messages.
>>>
>>> $ doas /usr/local/bin/suricata -D
>>> …succeeds. It runs fine. That is the same command in the
>>> /etc/rc.d/suricata.
>>>
>>> Pointers? Suggestions? Specific details?
>>>
>>> Thanks,
>>>
>>> Eric Z
>>>
>>
>> --
>> Antoine
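Added example, not part of the thread: a small POSIX sh helper that reads an `rcctl -d start <svc>` transcript and separates rc.subr's own "doing ..." trace lines from whatever the daemon printed in between, so a usage banner like the one above is recognised as the daemon rejecting its argument vector rather than as an rc(8) error. The sample transcript is constructed, abridged from the one quoted in the thread; the function name is my own.

```sh
#!/bin/sh
# Constructed sample: an abridged `rcctl -d start suricata` transcript.
SAMPLE_TRANSCRIPT='doing _rc_parse_conf
doing _rc_quirks
suricata_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/suricata
doing _rc_quirks
doing rc_check
suricata
doing rc_start
doing _rc_wait start
doing rc_check
Suricata 4.1.5
USAGE: /usr/local/bin/suricata [OPTIONS] [BPF FILTER]
doing _rc_rm_runfile
(failed)'

# diagnose_rc_debug: read an rcctl -d transcript on stdin and print one line:
#   flags=<default|set> daemon_usage=<yes|no> result=<ok|failed|unknown>
# "doing <step>" lines are rc.subr's trace; anything else that appears after
# "doing rc_start" came from the daemon itself.  A USAGE: line there means the
# daemon was started with arguments it does not accept, which is the case in
# the thread (the rc.d invocation, not the binary, is what needs attention).
diagnose_rc_debug() {
    awk '
        BEGIN { flags = "set"; usage = "no"; result = "unknown"; started = 0 }
        /_flags empty, using default/ { flags = "default" }
        /^doing rc_start/             { started = 1; next }
        /^doing /                     { next }      # rc.subr trace line, ignore
        /^\(ok\)$/                    { result = "ok"; next }
        /^\(failed\)$/                { result = "failed"; next }
        started && /^USAGE:/          { usage = "yes" }  # daemon printed its usage
        END { printf "flags=%s daemon_usage=%s result=%s\n", flags, usage, result }
    '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_TRANSCRIPT" | diagnose_rc_debug
```

In practice pipe the real output in with `doas rcctl -d start suricata 2>&1 | diagnose_rc_debug`; flags=default together with daemon_usage=yes points at the flags the rc script passes, not at the daemon binary.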

