New user here. Following the Setup Guide. Using Fedora 40.
Suricata says in its logs:
af-packet: eth0: unable to find af-packet config for interface “eth0” or “default”, using default values
[4049 - Suricata-Main] 2024-08-25 05:18:52 Error: af-packet: eth0: failed to find interface type: No such device
[4049 - Suricata-Main] 2024-08-25 05:18:52 Info: runmodes: eth0: creating 12 threads
[4049 - Suricata-Main] 2024-08-25 05:18:52 Info: unix-manager: unix socket ‘/var/run/suricata/suricata-command.socket’
[4055 - W#01-eth0] 2024-08-25 05:18:52 Error: af-packet: eth0: failed to find interface: No such device
[4055 - W#01-eth0] 2024-08-25 05:18:52 Error: af-packet: eth0: failed to init socket for interface
[4049 - Suricata-Main] 2024-08-25 05:18:52 Error: threads: thread “W#01-eth0” failed to start: flags 0423
But I have already specified the interface as enp2s0 in the af-packet section. The service starts, but I don’t get the ‘engine started’ message that the Guide says to expect; I just get the above. Where is it finding this eth0? Somewhere else in the yaml?
I have also tried changing every mention of eth0 in the entire yaml, but then the service does not start.
There are 2 mentions of ‘interface’ in the af-packet section: a) originally says eth0, so I changed that, and b) says default. I left that as it was and the service starts, but I get the same errors about eth0. So I changed b) to ‘enp2s0’ also, and the service starts correctly again, but I am still getting the same errors. Where is this ‘default’ defined? It is not in the vars section. Is it hard-coded in Suricata?
Or maybe ‘enp2s0’ is not a valid interface name in Suricata’s books? I got my interface name from running ‘ip addr’ as the guide says to do.
I just use ‘systemctl restart suricata.service’ to run suricata.
Here is the af-packet section:
```yaml
af-packet:
  - interface: enp2s0
    # Number of receive threads. "auto" uses the number of cores
    #threads: auto
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_flow: all packets of a given flow are sent to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
    #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
    #    socket. Requires at least Linux 3.14.
    #  * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for
    #    more info.
    # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
    # with capture card using RSS (requires cpu affinity tuning and system IRQ tuning)
    # cluster_rollover has been deprecated; if used, it'll be replaced with cluster_flow.
    cluster-type: cluster_flow
    # In some fragmentation cases, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    #use-mmap: yes
    # Lock memory map to avoid it being swapped. Be careful that over
    # subscribing could lock your system
    #mmap-locked: yes
    # Use tpacket_v3 capture mode, only active if use-mmap is true
    # Don't use it in IPS or TAP mode as it causes severe latency
    #tpacket-v3: yes
    # Ring size will be computed with respect to "max-pending-packets" and number
    # of threads. You can set manually the ring size in number of packets by setting
    # the following value. If you are using flow "cluster-type" and have really network
    # intensive single-flow you may want to set the "ring-size" independently of the number
    # of threads:
    #ring-size: 2048
    # Block size is used by tpacket_v3 only. It should set to a value high enough to contain
    # a decent number of packets. Size is in bytes so please consider your MTU. It should be
    # a power of 2 and it must be multiple of page size (usually 4096).
    #block-size: 32768
    # tpacket_v3 block timeout: an open block is passed to userspace if it is not
    # filled after block-timeout milliseconds.
    #block-timeout: 10
    # On busy systems, set it to yes to help recover from a packet drop
    # phase. This will result in some packets (at max a ring flush) not being inspected.
    #use-emergency-flush: yes
    # recv buffer size, increased value could improve performance
    buffer-size: 32768
    # Set to yes to disable promiscuous mode
    disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may have an invalid checksum due to
    # the checksum computation being offloaded to the network card.
    # Possible values are:
    #  - kernel: use indication sent by kernel for each packet (default)
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: Suricata uses a statistical approach to detect when
    #    checksum off-loading is used.
    # Warning: 'capture.checksum-validation' must be set to yes to have any validation
    #checksum-checks: kernel
    # BPF filter to apply to this interface. The pcap filter syntax applies here.
    #bpf-filter: port 80 or udp
    # You can use the following variables to activate AF_PACKET tap or IPS mode.
    # If copy-mode is set to ips or tap, the traffic coming to the current
    # interface will be copied to the copy-iface interface. If 'tap' is set, the
    # copy is complete. If 'ips' is set, the packet matching a 'drop' action
    # will not be copied.
    #copy-mode: ips
    #copy-iface: eth1
    # For eBPF and XDP setup including bypass, filter and load balancing, please
    # see doc/userguide/capture-hardware/ebpf-xdp.rst for more info.

  # Put default values here. These will be used for an interface that is not
  # in the list above.
  # - interface: default
  - interface: enp2s0
    #threads: auto
    #use-mmap: no
    #tpacket-v3: yes
```
Are you using the RPM? If so, you should edit /etc/sysconfig/suricata, by default -i eth0 is in there and that will override the configuration file. You could change that to your interface or simply change it to --af-packet, then the af-packet section of the configuration will be used.
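As an added illustration of the override described in the reply above (example script, not from the thread or from the Suricata project): it parses the OPTIONS line that the RPM's systemd unit passes to Suricata, reports whether a `-i <iface>` there would override the af-packet section of suricata.yaml, and prints the corrected line using `--af-packet`. The `OPTIONS="..."` layout of /etc/sysconfig/suricata is assumed, and the sample line is constructed for the example.

```shell
#!/bin/sh
# Added example: detect and correct a "-i eth0" capture override in the
# OPTIONS value of /etc/sysconfig/suricata. The OPTIONS="..." layout is an
# assumption; the SAMPLE line below is constructed, not read from a system.

# Print the interface named by "-i <iface>" in an OPTIONS line, or nothing
# when no -i override is present.
override_iface() {
    printf '%s\n' "$1" | sed -n 's/.*-i[[:space:]]\{1,\}\([^[:space:]"]*\).*/\1/p'
}

# Replace "-i <iface>" with "--af-packet" so the af-packet: list in
# suricata.yaml (which already names enp2s0) chooses the capture interface.
fix_options() {
    printf '%s\n' "$1" | sed 's/-i[[:space:]]\{1,\}[^[:space:]"]*/--af-packet/'
}

# Human-readable diagnosis of one OPTIONS line.
report() {
    iface=$(override_iface "$1")
    if [ -n "$iface" ]; then
        echo "OPTIONS forces capture on '$iface'; the af-packet interface in suricata.yaml is ignored"
        echo "suggested: $(fix_options "$1")"
    else
        echo "no -i override; the af-packet section of suricata.yaml is used"
    fi
}

# Constructed sample resembling the packaged default.
SAMPLE='OPTIONS="-i eth0 --user suricata "'
report "$SAMPLE"

# To inspect the real file instead: report "$(grep '^OPTIONS=' /etc/sysconfig/suricata)"
```

After editing the real file, restart with `systemctl restart suricata.service` and look for the ‘engine started’ line in the log.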