Glen_Elkins
(Glen Elkins)
September 10, 2024, 11:12am
1
I am installing suricata with ansible on ubuntu and alma 8. It all works fine on ubuntu, but on alma8 it won’t start the service, it says:
unable to find af-packet config for interface “eth0” or “default”, using default values
Yet my config in /etc/suricata/suricata.yaml has this:
af-packet:
  - interface: ens18
    # Set up other options here as needed
I’m telling it to use ens18, this works fine on ubuntu. It’s like it’s completely ignoring this file on alma8, but the service command tells it to load it:
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS (code=exited, status=1/FAILURE)
Now if i run this command manually:
/sbin/suricata -c /etc/suricata/suricata.yaml -i ens18
This then works fine.
So what is going on here? Why is the service ignoring the config?
Here is the part of my ansible script doing this:
- name: Copy suricata config file
  copy:
    src: ./../suricata/suricata.yaml
    dest: /etc/suricata/suricata.yaml
    owner: root
    group: root
    mode: '0644'
    backup: yes

- name: Copy suricata rules file
  copy:
    src: ./../suricata/custom.rules
    dest: /etc/suricata/rules/custom.rules
    owner: root
    group: root
    mode: '0644'
    backup: yes

- name: Wait for network interface to be ready for suricata to start
  become: yes
  wait_for:
    timeout: 30
    delay: 10

- name: Ensure suricata is enabled and running
  service:
    name: suricata
    state: started
    enabled: yes
And here is the full config:
%YAML 1.1
---
# Suricata configuration file
# Define the network interface(s) to monitor
# List the network interfaces to be monitored, separated by commas
# For Docker host network mode, you might use `eth0` or another interface
af-packet:
  - interface: ens18
    # Set up other options here as needed

default-log-dir: /var/log/suricata/

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      pcap-file: false
      community-id: false
      community-id-seed: 0
      append: yes
      rotate-size: 50mb
      rotate-time: 1d
      types:
        - alert
        - anomaly
        - http
        - dns
        - tls
        - files
        - smtp
        - dhcp
        - ssh
        - mqtt
        - stats

# Define the paths for Suricata rules
rule-files:
  - /etc/suricata/rules/*.rules

# Set up the detection engine
detection:
  default-rule-action: drop
  # Other detection engine settings

# Set up the HTTP logging
http:
  enabled: yes
  extended: yes
  log-request-body: yes
  log-response-body: yes

# Set up the app-layer protocol analysis
app-layer:
  protocols:
    http:
      enabled: yes
    dns:
      enabled: yes
    smtp:
      enabled: yes
    # Add other protocols as needed

# Performance tuning
stats:
  enabled: yes
  # Additional statistics settings

# Thresholds
thresholds:
  enabled: yes
  # Define thresholds as needed
Glen Elkins:
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS (code=exited, status=1/FAILURE)
What OPTIONS are being specified?
Glen_Elkins
(Glen Elkins)
September 10, 2024, 12:31pm
3
Nothing, it should just be reading the config yaml. It works fine exactly the same on ubuntu, but on alma, unless I provide the “-i ens18”, it tries to use “eth0”.
So essentially just running: systemctl start suricata
Interesting. Just to verify, there are no EnvironmentFile declarations in the suricata.service file?
Glen_Elkins
(Glen Elkins)
September 10, 2024, 12:40pm
5
it has this: EnvironmentFile=-/etc/sysconfig/suricata
Oh, that might be the issue, that file has options setting eth0 - so why does this not happen on ubuntu? I’ll check the same on there
EDIT
Ok, so this file doesn’t exist on ubuntu, /etc/sysconfig doesn’t either - this is why it’s happening.
So the easiest solution then would be to empty the options
Glen_Elkins
(Glen Elkins)
September 10, 2024, 12:46pm
6
Ok so I put
EnvironmentFile=
restarted the daemon and it still fails to start, here is the service now:
# Sample Suricata systemd unit file.
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target systemd-tmpfiles-setup.service
Documentation=man:suricata(1)
[Service]
# Environment file to pick up $OPTIONS. On Fedora/EL this would be
# /etc/sysconfig/suricata, or on Debian/Ubuntu, /etc/default/suricata.
EnvironmentFile=
#EnvironmentFile=-/etc/sysconfig/suricata
#EnvironmentFile=-/etc/default/suricata
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID
### Security Settings ###
MemoryDenyWriteExecute=true
LockPersonality=true
ProtectControlGroups=true
ProtectKernelModules=true
[Install]
WantedBy=multi-user.target
From what I can see, it’s still trying to use eth0:
sudo systemctl status suricata
● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2024-09-10 08:44:45 EDT; 5s ago
     Docs: man:suricata(1)
  Process: 1724 ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS (code=exited, status=1/FAILURE)
  Process: 1722 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 1724 (code=exited, status=1/FAILURE)
Sep 10 08:44:45 alma1 suricata[1724]: --user <user> : run suricata as this user after init
Sep 10 08:44:45 alma1 suricata[1724]: --group <group> : run suricata as this group after init
Sep 10 08:44:45 alma1 suricata[1724]: --erf-in <path> : process an ERF file
Sep 10 08:44:45 alma1 suricata[1724]: --unix-socket[=<file>] : use unix socket to control suricata work
Sep 10 08:44:45 alma1 suricata[1724]: --reject-dev <dev> : send reject packets from this interface
Sep 10 08:44:45 alma1 suricata[1724]: --set name=value : set a configuration value
Sep 10 08:44:45 alma1 suricata[1724]: To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:
Sep 10 08:44:45 alma1 suricata[1724]: /sbin/suricata -c suricata.yaml -s signatures.rules -i eth0
Sep 10 08:44:45 alma1 systemd[1]: suricata.service: Main process exited, code=exited, status=1/FAILURE
Sep 10 08:44:45 alma1 systemd[1]: suricata.service: Failed with result 'exit-code'.
Glen_Elkins
(Glen Elkins)
September 10, 2024, 12:52pm
7
Ok so I solved it by changing the interface in the environment file. The setup is a bit different on alma vs ubuntu, but it now works (thanks):
● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2024-09-10 08:51:30 EDT; 2s ago
     Docs: man:suricata(1)
  Process: 1909 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 1911 (Suricata-Main)
    Tasks: 7 (limit: 4677)
   Memory: 30.6M
   CGroup: /system.slice/suricata.service
           └─1911 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens18 --user suricata
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Data mismatch"; flow:t>
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Request flood detected>
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Info> - 21 rule files processed. 345 rules successfully loaded, 14 rules failed
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Info> - Threshold config parsed: 0 rule(s) found
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Info> - 345 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 166 inspect application layer, 108 are decoder event only
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Info> - Going to use 2 thread(s)
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
Sep 10 08:51:30 alma1 suricata[1911]: 10/9/2024 -- 08:51:30 - <Info> - All AFP capture threads are running.
From my own experience I think that the interface specification from the yaml does not get parsed into the -i command line, so the -i at service start always has to be specified.
It does seem to on ubuntu though, I have no options passed on there at all
Which package do you use for the ubuntu install?
Glen_Elkins
(Glen Elkins)
September 10, 2024, 2:14pm
11
I’m just using the apt repo via ansible, which installs the latest, and on alma I’m using dnf, installing the latest from epel
It looks like the ubuntu PPA uses /etc/init.d/suricata as opposed to a systemd style service unit file. /etc/default/suricata gets sourced for the yaml config and interface options, which is indeed a different method than the systemd style.
Glad you got it working!
JT
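The root cause in this thread is that on the EL host the unit's EnvironmentFile supplies $OPTIONS, and an "-i eth0" in there is what the process is actually started with, regardless of the af-packet interface in suricata.yaml. The following is an added example (not code from the thread, from the Suricata project, or from either poster) of a pre-start check a deployment could run to catch exactly that: it reads OPTIONS from the sysconfig/default file, reads the first af-packet interface from the yaml, and reports which interface the service will be pointed at and whether the two disagree. The file paths are parameters, and the sample sysconfig and yaml files at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or the Suricata project. Reports which
# capture interface a Suricata systemd service will really be started with:
# an "-i" inside the EnvironmentFile's OPTIONS wins over the af-packet entry
# in suricata.yaml. Both file paths are assumed as parameters.

# Value of OPTIONS= in an EnvironmentFile-style file, surrounding double
# quotes stripped. A missing file or missing key yields empty output.
env_options() {
    [ -r "$1" ] || return 0
    sed -n 's/^OPTIONS=//p' "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Interface named by "-i <iface>" in an OPTIONS string (empty if none).
options_iface() {
    printf '%s\n' "$1" | sed -n 's/.*-i \([^ ]*\).*/\1/p'
}

# First "interface:" entry under the top-level af-packet: key of a
# suricata.yaml (empty if none). The range ends at the next top-level key,
# i.e. the next line that starts with neither a space nor "-".
yaml_iface() {
    [ -r "$1" ] || return 0
    sed -n '/^af-packet:/,/^[^ -]/s/^[ -]*interface:[ ]*//p' "$1" \
        | head -n 1 | tr -d "\"'"
}

# Usage: effective_iface <suricata.yaml> <environment file>
# Prints one line:
#   "cli <iface>"                          OPTIONS carries -i; the CLI wins
#   "cli <iface> (yaml says X: mismatch)"  ... and it differs from the yaml
#   "yaml <iface>"                         no -i in OPTIONS; only the yaml
#                                          names an interface
#   "none"                                 neither source names one
effective_iface() {
    cli=$(options_iface "$(env_options "$2")")
    cfg=$(yaml_iface "$1")
    if [ -n "$cli" ]; then
        if [ -n "$cfg" ] && [ "$cli" != "$cfg" ]; then
            printf 'cli %s (yaml says %s: mismatch)\n' "$cli" "$cfg"
        else
            printf 'cli %s\n' "$cli"
        fi
    elif [ -n "$cfg" ]; then
        printf 'yaml %s\n' "$cfg"
    else
        printf 'none\n'
    fi
}

# Demo on constructed files: a packaged sysconfig still naming eth0 next to
# a yaml deployed with ens18, the situation described in the thread.
demo_dir=$(mktemp -d)
printf 'af-packet:\n  - interface: ens18\n    cluster-id: 99\n' \
    > "$demo_dir/suricata.yaml"
printf 'OPTIONS="-i eth0 --user suricata"\n' > "$demo_dir/sysconfig"
effective_iface "$demo_dir/suricata.yaml" "$demo_dir/sysconfig"
rm -rf "$demo_dir"
```

Run it with the real paths (`effective_iface /etc/suricata/suricata.yaml /etc/sysconfig/suricata` on EL, `/etc/default/suricata` on Debian/Ubuntu) from an Ansible `command` or `shell` task before the service task, and fail the play on the "mismatch" output; the check only parses the two files and never starts Suricata, so it is safe to run on every deploy.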