Ignoring my config file and using incorrect interface

I am installing suricata with ansible on ubuntu and alma 8. It all works fine on ubuntu, but on alma8 it won't start the service; it says:

unable to find af-packet config for interface "eth0" or "default", using default values

Yet my config in /etc/suricata/suricata.yaml has this:

af-packet:
  - interface: ens18
    # Set up other options here as needed

I'm telling it to use ens18; this works fine on ubuntu. It's like it's completely ignoring this file on alma8, but the service command tells it to load it:

ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS (code=exited, status=1/FAILURE)

Now if I run this command manually:

/sbin/suricata -c /etc/suricata/suricata.yaml -i ens18

This then works fine.

So what is going on here? Why is the service ignoring the config?

Here is the part of my ansible script doing this:

    - name: Copy suricata config file
      copy:
        src: ./../suricata/suricata.yaml
        dest: /etc/suricata/suricata.yaml
        owner: root
        group: root
        mode: '0644'
        backup: yes

    - name: Copy suricata rules file
      copy:
        src: ./../suricata/custom.rules
        dest: /etc/suricata/rules/custom.rules
        owner: root
        group: root
        mode: '0644'
        backup: yes

    - name: Wait for network interface to be ready for suricata to start
      become: yes
      wait_for:
        timeout: 30
        delay: 10

    - name: Ensure suricata is enabled and running
      service:
        name: suricata
        state: started
        enabled: yes

And here is the full config:

%YAML 1.1
---

# Suricata configuration file

# Define the network interface(s) to monitor
# List the network interfaces to be monitored, separated by commas
# For Docker host network mode, you might use `eth0` or another interface
af-packet:
  - interface: ens18
    # Set up other options here as needed

default-log-dir: /var/log/suricata/

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      pcap-file: false
      community-id: false
      community-id-seed: 0
      append: yes
      rotate-size: 50mb
      rotate-time: 1d
      types:
        - alert
        - anomaly
        - http
        - dns
        - tls
        - files
        - smtp
        - dhcp
        - ssh
        - mqtt
        - stats

# Define the paths for Suricata rules
rule-files:
  - /etc/suricata/rules/*.rules

# Set up the detection engine
detection:
  default-rule-action: drop
  # Other detection engine settings

# Set up the HTTP logging
http:
  enabled: yes
  extended: yes
  log-request-body: yes
  log-response-body: yes

# Set up the app-layer protocol analysis
app-layer:
  protocols:
    http:
      enabled: yes
    dns:
      enabled: yes
    smtp:
      enabled: yes
    # Add other protocols as needed

# Performance tuning
stats:
  enabled: yes
  # Additional statistics settings

# Thresholds
thresholds:
  enabled: yes
  # Define thresholds as needed

What OPTIONS are being specified?

Nothing, it should just be reading the config yaml. It works exactly the same on ubuntu, but on alma, unless I provide "-i ens18", it tries to use "eth0".

So essentially just running: systemctl start suricata

Interesting. Just to verify, there are no EnvironmentFile declarations in the suricata.service file?

it has this: EnvironmentFile=-/etc/sysconfig/suricata

Oh, that might be the issue, that file has options setting eth0 - so why does this not happen on ubuntu? I'll check the same on there

EDIT

Ok, so this file doesn’t exist on ubuntu, /etc/sysconfig doesn’t either - this is why it’s happening.

So the easiest solution, then, would be to empty the options.


OK, so I put

EnvironmentFile=

restarted the daemon and it still fails to start, here is the service now:

# Sample Suricata systemd unit file.
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target systemd-tmpfiles-setup.service
Documentation=man:suricata(1)

[Service]
# Environment file to pick up $OPTIONS. On Fedora/EL this would be
# /etc/sysconfig/suricata, or on Debian/Ubuntu, /etc/default/suricata.
EnvironmentFile=
#EnvironmentFile=-/etc/sysconfig/suricata
#EnvironmentFile=-/etc/default/suricata
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID

### Security Settings ###
MemoryDenyWriteExecute=true
LockPersonality=true
ProtectControlGroups=true
ProtectKernelModules=true

[Install]
WantedBy=multi-user.target

From what I can see, it's still trying to use eth0:

sudo systemctl status suricata
● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2024-09-10 08:44:45 EDT; 5s ago
     Docs: man:suricata(1)
  Process: 1724 ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS (code=exited, status=1/FAILURE)
  Process: 1722 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 1724 (code=exited, status=1/FAILURE)

Sep 10 08:44:45 alma1 suricata[1724]:         --user <user>                        : run suricata as this user after init
Sep 10 08:44:45 alma1 suricata[1724]:         --group <group>                      : run suricata as this group after init
Sep 10 08:44:45 alma1 suricata[1724]:         --erf-in <path>                      : process an ERF file
Sep 10 08:44:45 alma1 suricata[1724]:         --unix-socket[=<file>]               : use unix socket to control suricata work
Sep 10 08:44:45 alma1 suricata[1724]:         --reject-dev <dev>                   : send reject packets from this interface
Sep 10 08:44:45 alma1 suricata[1724]:         --set name=value                     : set a configuration value
Sep 10 08:44:45 alma1 suricata[1724]: To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:
Sep 10 08:44:45 alma1 suricata[1724]: /sbin/suricata -c suricata.yaml -s signatures.rules -i eth0
Sep 10 08:44:45 alma1 systemd[1]: suricata.service: Main process exited, code=exited, status=1/FAILURE
Sep 10 08:44:45 alma1 systemd[1]: suricata.service: Failed with result 'exit-code'.

OK, so I solved it by changing the interface in the environment file. The setup is a bit different on alma vs ubuntu, but it now works (thanks):

● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2024-09-10 08:51:30 EDT; 2s ago
     Docs: man:suricata(1)
  Process: 1909 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 1911 (Suricata-Main)
    Tasks: 7 (limit: 4677)
   Memory: 30.6M
   CGroup: /system.slice/suricata.service
           └─1911 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens18 --user suricata

Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Data mismatch"; flow:t>
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Request flood detected>
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Info> - 21 rule files processed. 345 rules successfully loaded, 14 rules failed
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Info> - Threshold config parsed: 0 rule(s) found
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Info> - 345 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 166 inspect application layer, 108 are decoder event only
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Info> - Going to use 2 thread(s)
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Info> - All AFP capture threads are running.
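As an added check (not code from this thread or from the Suricata project), the POSIX shell script below reproduces the mismatch discussed above with constructed copies of the two files and flags it before a service restart would fail. The exact `OPTIONS="-i eth0 --user suricata"` line is an assumption inferred from the final process listing; the script parses the env file with sed rather than sourcing it.

```shell
#!/bin/sh
# Added example (not from the thread): detect the case where the interface in
# $OPTIONS (sourced from the unit's EnvironmentFile) overrides the af-packet
# interface in suricata.yaml. All file contents are constructed for this demo;
# the OPTIONS line format is an assumption based on the "-i ens18 --user suricata"
# process line in the thread.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the EL-family /etc/sysconfig/suricata
printf 'OPTIONS="-i eth0 --user suricata"\n' > "$WORK/sysconfig-suricata"
# Constructed stand-in for /etc/suricata/suricata.yaml with the af-packet stanza
printf 'af-packet:\n  - interface: ens18\n    # other options\n' > "$WORK/suricata.yaml"

# Print the interface given to -i inside OPTIONS="...", or nothing if there is none.
# The file is parsed with sed rather than sourced, so nothing in it gets executed.
options_iface() {
    sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$1" | sed -n 's/.*-i \([^ ]*\).*/\1/p'
}

# Print the first interface listed under af-packet: in a suricata.yaml.
yaml_iface() {
    sed -n '/^af-packet:/,/^[^ ]/ s/^ *- interface: *\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Return 1 when the env file forces a different interface than the yaml,
# which is exactly the "unable to find af-packet config for interface eth0" case.
# No -i in OPTIONS means the yaml wins, so that is treated as consistent.
check_iface() {
    env_if=$(options_iface "$1")
    yaml_if=$(yaml_iface "$2")
    if [ -n "$env_if" ] && [ "$env_if" != "$yaml_if" ]; then
        echo "OPTIONS passes -i $env_if but suricata.yaml configures $yaml_if" >&2
        return 1
    fi
    return 0
}

check_iface "$WORK/sysconfig-suricata" "$WORK/suricata.yaml" || echo "mismatch: fix the EnvironmentFile"
```

On a real host, point the two arguments at the path named by the unit's EnvironmentFile= line and at /etc/suricata/suricata.yaml.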

From my own experience I think that the interface specification from the yaml does not get parsed into the -i command line so the -i at service start always has to be specified.


It does seem to on ubuntu though; I have no options passed there at all.

Which package do you use for the ubuntu install?

I'm just using the apt repo via ansible, which installs the latest, and on alma I'm using dnf, installing the latest from epel.

It looks like the ubuntu PPA uses /etc/init.d/suricata as opposed to a systemd style service unit file. /etc/default/suricata gets sourced for the yaml config and interface options, which is indeed a different method than the systemd style.

Glad you got it working!

JT