Please include the following information with your help request:

• Suricata version 7.0.9
• Operating system Ubuntu 22.05
  Installation steps on client machine:

Installation

To setup to install the latest stable Suricata, do:
sudo apt-get install software-properties-common sudo add-apt-repository ppa:oisf/suricata-stable sudo apt-get update
sudo apt-get install suricata

Suricata has been running without issues for 1 year, but the update to version 1:7.0.9-0ubuntu3 has introduced an intermittent service stop issue. Although manual restarts temporarily resolve the issue, the service only runs for approximately 30 seconds before stopping again, indicating a potential problem with the updated package.

suricata.yaml file config

Linux high speed capture support

af-packet:

• interface: eth0

  Number of receive threads. “auto” uses the number of cores

  #threads: auto

  Default clusterid. AF_PACKET will load balance packets based on flow.

  cluster-id: 99

#######################################################
root@idsmac1:~# cat /etc/monitor_interface
eno8403

Our script will take interface automaticallyroot@wbxssnyc0:~# cat /var/scripts/suricata-start
#!/bin/bash

span1=/usr/bin/cat /etc/monitor_interface
span2=/usr/bin/cat /etc/monitor_interface_1 2> /dev/null

#Remove any stale PID files
/usr/bin/rm -f /var/run/suricata.pid 2> /dev/null

/usr/bin/suricata -i $span1 --user suricata --group suricata -F /etc/suricata/BPF.txt -D
####################################################
root@idsmac1:~# ps -ef | grep suri
suricata 744833 1 99 13:54 ? 00:00:03 /usr/bin/suricata -i eno8403 --user suricata --group suricata -F /etc/suricata/BPF.txt -D

After after the suricata version we are getting following error:
[744636 - Suricata-Main] 2025-03-20 13:51:43 Warning: unix-manager: Unable to create unix command socket
[744636 - Suricata-Main] 2025-03-20 13:51:43 Warning: unix-manager: Unix socket: UNIX socket bind(/var/run/suricata/suricata-command.socket) error:
Address already in use
[744636 - Suricata-Main] 2025-03-20 13:51:43 Info: unix-manager: unix socket ‘/var/run/suricata/suricata-command.socket’
[744636 - Suricata-Main] 2025-03-20 13:51:43 Info: runmodes: eno8403: creating 8 threads
[744636 - Suricata-Main] 2025-03-20 13:51:43 Warning: af-packet: eno8403: AF_PACKET tpacket-v3 is recommended for non-inline operation
[744636 - Suricata-Main] 2025-03-20 13:51:19 Info: detect: 64509 signatures processed. 1128 are IP-only rules, 9011 are inspecting packet payload, 5
4337 inspect application layer, 0 are decoder event only
[744636 - Suricata-Main] 2025-03-20 13:51:19 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[744636 - Suricata-Main] 2025-03-20 13:51:19 Info: detect: 1 rule files processed. 64509 rules successfully loaded, 0 rules failed, 0
[744636 - Suricata-Main] 2025-03-20 13:51:11 Info: logopenfile: stats output device (regular) initialized: stats.log
[744636 - Suricata-Main] 2025-03-20 13:51:11 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[744636 - Suricata-Main] 2025-03-20 13:51:11 Info: logopenfile: fast output device (regular) initialized: fast.log
[744636 - Suricata-Main] 2025-03-20 13:51:11 Info: conf: Running in live mode, activating unix socket
[744636 - Suricata-Main] 2025-03-20 13:51:11 Info: privs: dropped the caps for main thread
[744635 - Suricata-Main] 2025-03-20 13:51:11 Info: exception-policy: master exception-policy set to: auto
[744635 - Suricata-Main] 2025-03-20 13:51:11 Info: suricata: Setting engine mode to IDS mode by default
[744635 - Suricata-Main] 2025-03-20 13:51:11 Info: cpu: CPUs/cores online: 8
[744635 - Suricata-Main] 2025-03-20 13:51:11 Notice: suricata: This is Suricata version 7.0.9 RELEASE running in SYSTEM mode
[744450 - Suricata-Main] 2025-03-20 13:48:43 Error: threads: thread “W#01-eno8403” failed to start: flags 0423
[744451 - W#01-eno8403] 2025-03-20 13:48:43 Error: af-packet: eno8403: failed to init socket for interface
[744451 - W#01-eno8403] 2025-03-20 13:48:43 Error: af-packet: eno8403: failed to compile BPF "not ( host 10.199.10.37 or 10.192.10.62 or 10.149.38.24
or 10.196.46.15 or 10.177.46.18 )

Sorry, this is an issue that made it into the release. Best work-around for now is to either:

• uncomment the default-packet-size in your suricata.yaml, or…
• specify default-packet-size on the command line with --set default-packet-size=1514

Hi Jason,
Thanks for the quick response. I’ve checked the suricata.yaml file, and the ‘default-packet-size’ line is already commented out.

packet size (MTU + hardware header) on your system.

#default-packet-size: 1514

To troubleshoot the issue, I edited the suricata.yaml configuration file and uncommented the default-packet-size line, setting it to “default-packet-size: 1514”. After making this change, I monitored the system for 15 minutes and confirmed that the issue was resolved, with no further errors or problems encountered. Thanks a lot.
When can I expect a permanent fix?

You should uncomment that line, then restart.