
pfSense – Suricata fails

I recently migrated my pfSense to new hardware. It is now an i5-8365U based mini-computer with 4 cores (+HT) and 8 RJ-45 ports in a passively cooled setup. My former hardware had only one RJ-45 port with a lot of VLANs. And this is where a little problem started – Suricata did not start after the migration.

The cause:

The default allocated memory is too low for a machine capable of running 8 threads, so the Suricata start fails with:

14/4/2021 -- 20:56:31 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error

14/4/2021 -- 20:56:31 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed

Resolution:

Navigate to “Diagnostics” => “Command prompt” and type in

rm -f /var/run/suricata_*

and click “execute”. This removes potential orphaned PID-files.

Now navigate to “Services” => Suricata => “{the_interface}” => edit => “WAN/Flow Stream” and increase two values:

Section “Flow Manager Settings”

Flow Memory Cap : 335544320

Section “Stream Engine Settings”

Stream Memory Cap: 671088640

I just added a zero at the end of the numbers, so the above numbers are already the increased values. Make sure you adjust the above settings for every interface you want Suricata to protect.
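To check whether an interface's log shows the pool error above and which caps its suricata.yaml currently carries, a small shell check can help. This is an added example, not part of the original post; the function names and the sample YAML (constructed, using the post's values without the extra zero) are assumptions.

```shell
#!/bin/sh
# Added example: confirm the memcap cause from a Suricata log and suricata.yaml.

# memcap_of SECTION FILE: print the memcap set directly under a top-level
# YAML section such as "flow" or "stream" (nested memcaps are ignored).
memcap_of() {
    awk -v sec="$1" '
        /^[^ #]/ { in_sec = ($0 ~ "^" sec ":") }   # a new top-level key starts
        in_sec && /^  memcap:/ { print $2; exit }
    ' "$2"
}

# pool_init_failed LOG: succeed if the log contains the pool allocation error.
pool_init_failed() {
    grep -q 'SC_ERR_POOL_INIT' "$1"
}

# diagnose LOG YAML: one-line summary for a single interface.
diagnose() {
    if pool_init_failed "$1"; then
        echo "pool init failed; flow.memcap=$(memcap_of flow "$2") stream.memcap=$(memcap_of stream "$2")"
    else
        echo "no SC_ERR_POOL_INIT in log"
    fi
}

# Constructed sample input: the two error lines from the post and a minimal
# YAML fragment (constructed values, not copied from a real installation).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/suricata.log" <<'EOF'
14/4/2021 -- 20:56:31 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2021 -- 20:56:31 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
EOF
cat > "$tmp/suricata.yaml" <<'EOF'
flow:
  memcap: 33554432
  hash-size: 65536
stream:
  memcap: 67108864
  reassembly:
    memcap: 134217728
EOF

diagnose "$tmp/suricata.log" "$tmp/suricata.yaml"
```

On a real system, pass the paths of the interface's own log and generated suricata.yaml to `diagnose`, once per interface.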

That’s it – start Suricata and you’re all set.

Thanks for watching.