How to run Suricata as a non-root user

I set up Suricata to run as user: suricata, group: suricata

suricata.yaml

##############################################################################
##
## Advanced settings below
##
##############################################################################

##
## Run Options
##

# Run Suricata with a specific user-id and group-id:
#run-as:
user: suricata
group: suricata

But the run user is root…

I ran it with the --user suricata --group suricata option, but a Permission Denied error occurred.

Suricata user authority has been granted to the /var/run/suricata directory.

I need help.

You might just need to remove the file /var/run/suricata/suricata-command.socket as it looks like it exists and it is not automatically removed when Suricata exits.

I tried to remove suricata-command.socket and run Suricata with user suricata,
but I am still getting permission denied.

Are you getting permission denied? Or the address reuse error as in the screenshots above?

First make sure Suricata is not running. Then something like the following should start you off fresh.

rm -rf /var/log/suricata /var/lib/suricata

mkdir /var/log/suricata /var/lib/suricata

chown suricata:suricata /var/log/suricata /var/lib/suricata
chmod 2770 /var/lib/suricata

By the way, I’m not sure how well pfring deals when running non-root, so you might run into other issues, or maybe not.
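
A read-only check of what the reset above is meant to guarantee, added here as an example and not posted by anyone in the thread: it confirms each directory is owned by the run-as account and lists leftover entries owned by someone else, such as logs from an earlier run as root. The function names are made up for this example; the account and paths are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): read-only preflight for non-root Suricata.
# Function names are made up here; account and paths are the ones in the thread.

# dir_owned_by DIR USER GROUP: true only if DIR exists and is owned by USER:GROUP.
dir_owned_by() {
    [ -d "$1" ] || return 1
    # -prune keeps find from descending, so only DIR itself is tested.
    [ -n "$(find "$1" -prune -user "$2" -group "$3" 2>/dev/null)" ]
}

# foreign_entries DIR USER: list everything under DIR that USER does not own,
# for example log files left behind by an earlier run as root.
foreign_entries() {
    find "$1" ! -user "$2" 2>/dev/null
}

# stale_socket PATH: true if a socket file is still present at PATH.
stale_socket() { [ -S "$1" ]; }

# preflight USER GROUP DIR...: print one line per problem, return 1 if any found.
preflight() {
    user=$1; group=$2; shift 2
    rc=0
    for dir in "$@"; do
        if ! dir_owned_by "$dir" "$user" "$group"; then
            echo "FAIL $dir: missing or not owned by $user:$group"
            rc=1
            continue
        fi
        left=$(foreign_entries "$dir" "$user")
        if [ -n "$left" ]; then
            echo "FAIL $dir: entries not owned by $user:"
            echo "$left" | sed 's/^/     /'
            rc=1
        fi
    done
    return "$rc"
}

# Runs only when arguments are given, e.g.:
#   sh preflight.sh suricata suricata /var/log/suricata /var/lib/suricata
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

With Suricata stopped, `stale_socket /var/run/suricata/suricata-command.socket` tells you whether the socket file from the first reply is still on disk.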