How to start and stop Suricata-IDS from CLI?

Hello,
I ran Suricata-IDS with the following command:

# suricata -c /etc/suricata/suricata.yaml --af-packet -D

I have two questions:

1- How can I stop it?

2- I used the ps -A command and found the Suricata-IDS process, then:

# kill -9 ppid

Then, I checked the process list again and no more Suricata-IDS. I wanted to re-run Suricata-IDS, but:

# suricata -c /etc/suricata/suricata.yaml --af-packet -D
i: suricata: This is Suricata version 7.0.2 RELEASE running in SYSTEM mode
E: pidfile: pid file '/var/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata.pid. Aborting!

How to solve it?

Thank you.

Why are you using signal 9 (SIGKILL)?

Hello,
Thank you so much for your reply.
I just wanted to terminate it immediately. Is this the problem?
How can I stop it? I installed the Suricata-IDS from source code and no service has been created. So, I can’t use the systemctl command to control Suricata-IDS.

I suggest you read a bit more on signals, because KILL should only be used if other signals do not end the process.

1 Like
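An added example, not code from the thread or from the Suricata project, of the stop procedure the replies are pointing at: a daemonised (-D) Suricata writes its pid to the pidfile named in the error above, so the orderly way to stop it is to send SIGTERM to that pid and let Suricata shut down and remove the pidfile itself; a SIGKILL leaves the file behind, which is the "stale" state the restart complained about. The function and variable names are this example's own, and the pidfile path is assumed to be the one from the error message.

```shell
#!/bin/sh
# Added example (not from the thread or the Suricata project): stop a
# daemonised Suricata via its pidfile with SIGTERM, and remove a stale pidfile
# only after checking that no process with that pid is running.
PIDFILE=${PIDFILE:-/var/run/suricata.pid}   # path taken from the error above

# Print the pid recorded in a pidfile (digits only), or nothing.
pidfile_pid() {
    [ -r "$1" ] && tr -cd '0-9' < "$1"
}

# Return 0 if the pidfile names a process that is currently running.
pidfile_alive() {
    pid=$(pidfile_pid "$1")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Send SIGTERM to the recorded pid and wait up to $2 seconds (default 30)
# for it to exit. Returns 0 once the process is gone, 1 on timeout so the
# caller can decide what to do instead of escalating blindly.
stop_graceful() {
    pidfile=$1
    timeout=${2:-30}
    pidfile_alive "$pidfile" || return 0        # nothing running, nothing to do
    pid=$(pidfile_pid "$pidfile")
    kill -s TERM "$pid" || return 1
    waited=0
    while kill -0 "$pid" 2>/dev/null; do
        [ "$waited" -lt "$timeout" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Remove a pidfile only when its pid is not running, i.e. the file is stale.
# Returns 0 when the file is gone afterwards, 1 if it belongs to a live process.
remove_stale_pidfile() {
    pidfile=$1
    [ -e "$pidfile" ] || return 0
    if pidfile_alive "$pidfile"; then
        echo "$pidfile: pid $(pidfile_pid "$pidfile") is still running, not removing" >&2
        return 1
    fi
    rm -f "$pidfile"
}

# Typical use after: suricata -c /etc/suricata/suricata.yaml --af-packet -D
#   stop_graceful "$PIDFILE" 30 || echo "Suricata did not exit in time" >&2
#   remove_stale_pidfile "$PIDFILE"
```

Because Suricata only gets to clean up on SIGTERM (or SIGINT), the stale-pidfile error after a kill -9 is expected rather than a bug; remove_stale_pidfile above refuses to delete the file while the pid is live, so it cannot hide a still-running instance. If the unix socket is enabled in suricata.yaml, `suricatasc -c shutdown` is another orderly way to stop the engine.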

Hello,
Thanks again.
No idea why a service wasn’t created? How can I stop Suricata-IDS?

Creating the service details was usually a distribution packaging job as distributions can differ enough that we couldn’t do it for all. We do provide a sample unit file you can install though:

cp etc/suricata.service /etc/systemd/system

Running from source does often mean dealing with some of the packaging level details yourself.

1 Like

Hello,
Thank you so much for your reply.
I copied the suricata.service file from the installation directory to /etc/systemd/system directory, then I tried to run Suricata-IDS:

# systemctl status suricata
× suricata.service - Suricata Intrusion Detection Service
     Loaded: loaded (/etc/systemd/system/suricata.service; disabled; preset: enabled)
     Active: failed (Result: exit-code) since Wed 2023-11-22 02:11:31 EST; 3s ago
   Duration: 4ms
    Process: 1418 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
    Process: 1419 ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS (code=exited, status=1/FAILURE)
   Main PID: 1419 (code=exited, status=1/FAILURE)
        CPU: 5ms

Nov 22 02:11:31 Suricata suricata[1419]:         --group <group>                      : run suricata as this group after init
Nov 22 02:11:31 Suricata suricata[1419]:         --erf-in <path>                      : process an ERF file
Nov 22 02:11:31 Suricata suricata[1419]:         --unix-socket[=<file>]               : use unix socket to control suricata work
Nov 22 02:11:31 Suricata suricata[1419]:         --reject-dev <dev>                   : send reject packets from this interface
Nov 22 02:11:31 Suricata suricata[1419]:         --include <path>                     : additional configuration file
Nov 22 02:11:31 Suricata suricata[1419]:         --set name=value                     : set a configuration value
Nov 22 02:11:31 Suricata suricata[1419]: To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:
Nov 22 02:11:31 Suricata suricata[1419]: /sbin/suricata -c suricata.yaml -s signatures.rules -i eth0
Nov 22 02:11:31 Suricata systemd[1]: suricata.service: Main process exited, code=exited, status=1/FAILURE
Nov 22 02:11:31 Suricata systemd[1]: suricata.service: Failed with result 'exit-code'.

Where is the problem?

I would suggest trying the actual commandline from the service file manually first.

1 Like
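An added example, not code from the thread or from the Suricata project, of doing what the reply suggests: reconstruct the command line the unit actually runs. The ExecStart shown in the status output ends in $OPTIONS, so the value of that variable decides whether the command names any capture method; the functions below read it from the unit's EnvironmentFile lines and print the expanded command so it can be tried by hand. Function names, the hypothetical env-file path used in the usage comment, and the assumption that the unit uses only EnvironmentFile= (not Environment=) lines are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the Suricata project): show the
# ExecStart command of a systemd unit with $OPTIONS filled in from the unit's
# EnvironmentFile lines. Handles the simple layout of the sample
# suricata.service only: Environment= lines and other unit features are not
# interpreted.

# Print the ExecStart command line with every "$OPTIONS" expanded.
effective_execstart() {
    unit=$1
    # systemd does not pass the caller's environment to the service, so start
    # from an unset OPTIONS rather than whatever this shell happens to have.
    unset OPTIONS
    # A leading '-' on EnvironmentFile means "ignore if the file is missing".
    # (Paths containing whitespace are not handled by this simple loop.)
    for envfile in $(sed -n 's/^EnvironmentFile=-\{0,1\}//p' "$unit"); do
        [ -r "$envfile" ] || continue
        set -a; . "$envfile"; set +a      # load KEY="value" lines
    done
    # Substitute with index()/substr() so no regex metacharacter or '&' in
    # the value can alter the result.
    sed -n 's/^ExecStart=//p' "$unit" | awk -v opts="${OPTIONS:-}" '{
        out = ""; rest = $0
        while ((i = index(rest, "$OPTIONS")) > 0) {
            out = out substr(rest, 1, i - 1) opts
            rest = substr(rest, i + 8)
        }
        print out rest
    }'
}

# Return 0 if the command line contains one of Suricata's capture/input
# options (partial list: -i, --af-packet, --pcap, -r, -q, --unix-socket).
has_capture_option() {
    for word in $1; do
        case $word in
            -i|--af-packet|--af-packet=*|--pcap|--pcap=*|-r|-q|--unix-socket|--unix-socket=*)
                return 0 ;;
        esac
    done
    return 1
}

# Usage (paths are the ones from the status output above; the env file path
# is whatever your copy of the unit names in its EnvironmentFile= line):
#   grep EnvironmentFile /etc/systemd/system/suricata.service
#   cmd=$(effective_execstart /etc/systemd/system/suricata.service)
#   printf '%s\n' "$cmd"
#   has_capture_option "$cmd" || echo "OPTIONS names no capture method" >&2
```

The second function is the check worth making before starting the service: if the printed command carries no capture option, it is not equivalent to the `suricata ... --af-packet -D` invocation that worked from the shell, and setting OPTIONS in the environment file (for example `OPTIONS="--af-packet"`) is where the difference would be fixed. Run the printed command by hand first, as the reply says, so the real error text is visible rather than only the exit status in the journal.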

Hello,
Thank you so much for your reply.
If you mean the command /sbin/suricata -c suricata.yaml -s signatures.rules -i NIC then:

# /sbin/suricata -c /etc/suricata/suricata.yaml -s signatures.rules -i Control
i: suricata: This is Suricata version 7.0.2 RELEASE running in SYSTEM mode
E: af-packet: Problem with config file
W: detect: No rule files match the pattern signatures.rules
i: threads: Threads created -> W: 8 FM: 1 FR: 1   Engine started.

As you see, it shows me E: af-packet: Problem with config file error. My af-packet section is:

af-packet:
  - interface: Client
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: Server
    buffer-size: 64535
    use-mmap: yes
  - interface: Server
    threads: 1
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: Client
    buffer-size: 64535
    use-mmap: yes

What is wrong?

Interface Control is not in your af-packet config, nor is the default interface, so af-packet doesn’t know which settings to apply to it. The error is not very clear.

1 Like
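An added example, not code from the thread or from the Suricata project, of the check the reply describes: list the interfaces declared under af-packet in suricata.yaml and confirm that the name given with -i is among them, or that a "default" entry exists to cover it. It is a deliberately small sh/awk reader of the list layout shown above, not a YAML parser; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the Suricata project): read the
# "- interface:" entries of the af-packet section in a suricata.yaml and check
# whether a given interface name is covered. Runs without Suricata installed.

# Print one declared af-packet interface name per line.
afpacket_interfaces() {
    awk '
        # An unindented key (not a list item or comment) starts a new
        # top-level section; remember whether it is af-packet.
        /^[^ #-]/ { in_afp = ($1 == "af-packet:"); next }
        # Inside af-packet, pick out list items of the form "- interface: NAME"
        # (indented or not), stripping trailing comments and quotes.
        in_afp && /^[ \t]*-[ \t]*interface:/ {
            sub(/^[ \t]*-[ \t]*interface:[ \t]*/, "")
            sub(/[ \t]*(#.*)?$/, "")
            gsub(/"/, "")
            print
        }
    ' "$1"
}

# Return 0 if NAME has its own entry or a "default" entry exists, 1 otherwise.
afpacket_covers() {
    yaml=$1; name=$2
    afpacket_interfaces "$yaml" | grep -F -x -e "$name" -e default
}

# Usage, for the command line from the thread (-i Control):
#   afpacket_interfaces /etc/suricata/suricata.yaml
#   afpacket_covers /etc/suricata/suricata.yaml Control \
#       || echo "add an af-packet entry for Control (or a default entry)" >&2
```

A missing entry is what produced the unhelpful "Problem with config file" message above, so running this before a restart turns a vague error into a named interface. Suricata's own `-T` option (with -c) test-loads the configuration file and is worth running as well after editing it.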

Thanks again.
Can you tell me how I can add it? Should I add parameters like threads, cluster-id, etc. for it?
I added a section like the below at the end of the af-packet section:

  - interface: Control
    cluster-id: 96
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes

Then:

# /sbin/suricata -c /etc/suricata/suricata.yaml -s signatures.rules -i Control
i: suricata: This is Suricata version 7.0.2 RELEASE running in SYSTEM mode
W: detect: No rule files match the pattern signatures.rules
i: threads: Threads created -> W: 8 FM: 1 FR: 1   Engine started.

The first error is solved, but how about:

W: detect: No rule files match the pattern signatures.rules

I tried systemctl start suricata, but got the same error!