Could not start suricata service in IPS Mode

Hello,

I receive the following error message:
/usr/bin/suricata -q 0 -c /etc/suricata/suricata.yaml -i ens1f0 -vvv (code=exited, status=1)

Failed to start Suricata IDS/IDP daemon

journalctl -u suricata
Jun 08 11:54:49 cloud systemd[1]: Stopped Suricata IDS/IDP daemon.
Jun 08 11:54:49 cloud systemd[1]: Started Suricata IDS/IDP daemon.
Jun 08 11:54:49 cloud suricata[292253]: 8/6/2023 -- 11:54:49 - - [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(126)] - more than one run mode has been specified
Jun 08 11:54:49 cloud suricata[292253]: Suricata 6.0.10
Debian 11 Linux PVE 5.15.107-2 (2023-05-10T09:10Z) x86_64 GNU/Linux

iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N CHECK_IPS
-A FORWARD -j CHECK_IPS
-A CHECK_IPS -j NFQUEUE --queue-num 0

It seems to be an issue with multiple runmodes specified, but I don’t know how to check it or to solve it. Any help is appreciated.

best regards - Lupus

The command line you’re using specifies 2 ways to receive packets:

  • -q 0 instructs Suricata to receive packets from nfqueue (queue #0)
  • -i ens1f0 instructs Suricata to receive packets in pcap “live mode”.

Use a single runmode with Suricata – so choose either nfqueue or pcap live mode.
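A quick way to catch this before restarting the service, as an added example that is not part of the thread: the function below lists the distinct packet sources a Suricata command line requests and flags any mix. It recognises only `-q`, `-i` and `-r`; the function names and the sample command lines other than the one from the question are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which packet sources a Suricata
# command line asks for. Only -q, -i and -r are recognised here.

capture_modes() {
    # $1 = whole command line, e.g. the ExecStart= value of the systemd unit
    modes=""
    set -f                                  # split on whitespace, no globbing
    for arg in $1; do
        case "$arg" in
            -q*) m=nfqueue ;;               # -q <id>: inline via NFQUEUE
            -i*) m=interface ;;             # -i <dev>: live capture
            -r*) m=pcap-file ;;             # -r <file>: offline replay
            *)   continue ;;
        esac
        # Repeating one option (-q 0 -q 1) is still a single source.
        case " $modes " in
            *" $m "*) ;;
            *) modes="${modes:+$modes }$m" ;;
        esac
    done
    set +f
    printf '%s\n' "$modes"
}

check_cmdline() {
    found=$(capture_modes "$1")
    case "$found" in
        *" "*) echo "CONFLICT: $found"; return 1 ;;
        "")    echo "no packet source on the command line"; return 0 ;;
        *)     echo "ok: $found"; return 0 ;;
    esac
}

# Constructed inputs: the failing command from the question, then one
# corrected form for each of the two choices.
check_cmdline '/usr/bin/suricata -q 0 -c /etc/suricata/suricata.yaml -i ens1f0 -vvv' || true
check_cmdline '/usr/bin/suricata -q 0 -c /etc/suricata/suricata.yaml -vvv' || true
check_cmdline '/usr/bin/suricata -c /etc/suricata/suricata.yaml -i ens1f0 -vvv' || true
```

Pass it the `ExecStart=` line printed by `systemctl cat suricata`, which also shows drop-ins such as an override.conf.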

Thank you Jeff, it works fine now.

● suricata.service - Suricata IDS/IDP daemon
     Loaded: loaded (/lib/systemd/system/suricata.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/suricata.service.d
             └─override.conf
     Active: active (running) since Thu 2023-06-08 14:54:44 CEST; 7s ago