Multiple interfaces setup for Suricata

Please include the following information with your help request:

  • Suricata version
  • Operating system and/or Linux distribution
  • How you installed Suricata (from source, packages, something else)

Suricata version: 7.0.11 RELEASE

Operating system and/or Linux distribution: RHEL 9

How you installed Suricata: package (suricata.x86_64 7.0.11-1.el9 @epel)

__________________________________________________________________________________

I have 2 interfaces on my VM (RHEL 9) and at any given time only one interface will have traffic. We have implemented 2 interfaces for HA. But I need to configure both ports in the Suricata configuration. Whatever comes by default after I install suricata.x86_64 is kept as is, and I make only the required changes.

As per my understanding I have to edit two files

  1. suricata.yaml (/etc/suricata/suricata.yaml)
  2. /etc/sysconfig/suricata (env file for passing $OPTION arg while running service file at /usr/lib/systemd/system/suricata.service)

I am pasting below the configuration from each file.

suricata.yaml ( I have removed comments and kept only options we are using)

af-packet:
  - interface: ens224
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
  - interface: ens256
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes

Environment file- /etc/sysconfig/suricata

# The following parameters are the most commonly needed to configure
# suricata. A full list can be seen by running /sbin/suricata --help
# -i <network interface device>
# --user <acct name>
# --group <group name>

# Add options to be passed to the daemon
OPTIONS="-i ens224 -i ens256 -D "

Service file- /usr/lib/systemd/system/suricata.service

# Sample Suricata systemd unit file.
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target systemd-tmpfiles-setup.service
Documentation=man:suricata(1)

[Service]
# Environment file to pick up $OPTIONS. On Fedora/EL this would be
# /etc/sysconfig/suricata, or on Debian/Ubuntu, /etc/default/suricata.
EnvironmentFile=-/etc/sysconfig/suricata
#EnvironmentFile=-/etc/default/suricata
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID

### Security Settings ###
MemoryDenyWriteExecute=true
LockPersonality=true
ProtectControlGroups=true
ProtectKernelModules=true

[Install]
WantedBy=multi-user.target

Now after these configurations, I do

systemctl daemon-reload
systemctl restart suricata
systemctl status suricata

I get below status

● suricata.service - Suricata Intrusion Detection Service
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled)
     Active: deactivating (stop-sigterm) since Mon 2025-09-29 19:25:55 HKT; 3s ago
       Docs: man:suricata(1)
    Process: 2357378 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
    Process: 2357380 ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS (code=>
   Main PID: 2357380 (code=exited, status=0/SUCCESS)
      Tasks: 1 (limit: 100416)
     Memory: 175.2M
        CPU: 3.771s
     CGroup: /system.slice/suricata.service
             └─2357381 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens224 -i ens256 -D

Sep 29 19:25:55 <VM_NAME> systemd[1]: Starting Suricata Intrusion Detection Service...
Sep 29 19:25:55 <VM_NAME> systemd[1]: Started Suricata Intrusion Detection Service.
Sep 29 19:25:55 <VM_NAME> suricata[2357380]: i: suricata: This is Suricata version 7.0.11 RELEASE running in SYSTEM mode
Sep 29 19:25:55 <VM_NAME> suricata[2357380]: E: af-packet: Problem with config file

See last line- suricata[2357380]: E: af-packet: Problem with config file

Can you please look into the configurations and let me know what I am missing here?
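A quick pre-flight check for the af-packet section, added here as an example and not part of the original post or of Suricata itself: it reads an af-packet block and prints every cluster-id that more than one interface entry uses, which is the overlap the next reply points at. The two YAML samples are constructed for the example (the first mirrors the posted section, the second gives ens256 its own id); the function names are my own.

```shell
#!/bin/sh
# Added example: detect af-packet interfaces that share a cluster-id.

# Constructed sample 1: the section as posted (both interfaces use cluster-id 99).
AFPACKET_SHARED='af-packet:
  - interface: ens224
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
  - interface: ens256
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
'

# Constructed sample 2: each interface has its own cluster-id.
AFPACKET_UNIQUE='af-packet:
  - interface: ens224
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
  - interface: ens256
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
'

# Read a suricata.yaml (or just its af-packet section) on stdin and print every
# cluster-id that is used by more than one interface entry, one per line.
# Only the top-level af-packet block is inspected; other top-level keys are skipped.
duplicate_cluster_ids() {
  awk '
    /^[^ \t#]/ { in_af = ($1 == "af-packet:") }        # a new top-level key starts
    in_af && $1 == "cluster-id:" { seen[$2]++ }         # count ids inside af-packet
    END { for (id in seen) if (seen[id] > 1) print id }
  ' | sort -n
}

# Return 0 when every af-packet interface has its own cluster-id, 1 otherwise.
# The YAML text is passed as the first argument.
check_af_packet_config() {
  dups=$(printf '%s' "$1" | duplicate_cluster_ids)
  if [ -n "$dups" ]; then
    printf 'af-packet: cluster-id shared by several interfaces: %s\n' "$dups" >&2
    return 1
  fi
  return 0
}
```

Against the live file: `duplicate_cluster_ids < /etc/suricata/suricata.yaml`; any output is the first thing to fix. Suricata's own config test, `suricata -T -c /etc/suricata/suricata.yaml`, remains the authoritative check, but it needs root and the interfaces present, which this script does not.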

Please try --af-packet here instead of multiple -i. It should then pick up both interfaces from your af-packet section. I believe they will need unique cluster-id values as well.

Thanks Jason for replying.

I made below changes in suricata.service file

added --af-packet

(For now I have commented out the use of the environment file and am passing the options directly instead of $OPTIONS)

# Sample Suricata systemd unit file.
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target systemd-tmpfiles-setup.service
Documentation=man:suricata(1)

[Service]
# Environment file to pick up $OPTIONS. On Fedora/EL this would be
# /etc/sysconfig/suricata, or on Debian/Ubuntu, /etc/default/suricata.
#EnvironmentFile=-/etc/sysconfig/suricata
#EnvironmentFile=-/etc/default/suricata
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet
ExecReload=/bin/kill -USR2 $MAINPID

### Security Settings ###
MemoryDenyWriteExecute=true
LockPersonality=true
ProtectControlGroups=true
ProtectKernelModules=true

[Install]
WantedBy=multi-user.target

Note: I am not passing -D in ExecStart.

When I pass -D in ExecStart (with --af-packet), my service fails to start with the error below

systemctl status suricata
● suricata.service - Suricata Intrusion Detection Service
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled)
     Active: deactivating (stop-sigterm) since Tue 2025-09-30 12:14:07 HKT; 3s ago
       Docs: man:suricata(1)
    Process: 2417377 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
    Process: 2417378 ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D >
   Main PID: 2417378 (code=exited, status=0/SUCCESS)
      Tasks: 1 (limit: 100416)
     Memory: 154.1M
        CPU: 3.233s
     CGroup: /system.slice/suricata.service
             └─2417379 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D

Sep 30 12:14:07 vklnlp2752 systemd[1]: Starting Suricata Intrusion Detection Service...
Sep 30 12:14:07 vklnlp2752 systemd[1]: Started Suricata Intrusion Detection Service.
Sep 30 12:14:07 vklnlp2752 suricata[2417378]: i: suricata: This is Suricata version 7.0.11 RELEASE running in SYSTEM mode

If I run without -D in ExecStart (with only --af-packet), I see my service running successfully.

I want to understand the implications of using (and not using) the -D option in ExecStart.
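An added note and example on the -D question, not from the thread or the Suricata project. In the status output above the main PID (the parent Suricata process) exits with status 0 while a child started with -D stays in the cgroup, and systemd reports "deactivating (stop-sigterm)". That is the default Type=simple at work: -D makes Suricata fork and the parent exit, systemd takes the parent's exit as the service ending and sends SIGTERM to what is left. Without -D Suricata stays in the foreground as the main PID, which is what Type=simple expects; if -D is wanted, the unit has to say Type=forking with a PIDFile matching --pidfile. The functions below check that the ExecStart line and the declared Type agree. The unit fragments are constructed for the example (they only carry the lines the check looks at) and the function names are my own; the check reads the literal ExecStart line, so when -D arrives through $OPTIONS from /etc/sysconfig/suricata you would inspect that OPTIONS value instead.

```shell
#!/bin/sh
# Added example: check that the way Suricata is started matches the service
# type systemd will assume. Constructed unit fragments, not the thread's files.

# -D under the default Type=simple: the parent forks and exits, systemd takes
# that as the service ending and SIGTERMs the remaining child.
UNIT_DAEMON_SIMPLE='[Service]
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D
'

# -D with Type=forking and PIDFile: systemd waits for the parent to exit and
# tracks the daemon through the pidfile Suricata writes.
UNIT_DAEMON_FORKING='[Service]
Type=forking
PIDFile=/var/run/suricata.pid
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D
'

# No -D, Type left at simple: Suricata stays in the foreground as the main PID.
UNIT_FOREGROUND='[Service]
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet
'

# Print "daemon" when the ExecStart line of the unit text passes -D, else "foreground".
unit_start_mode() {
  execstart=$(printf '%s\n' "$1" | grep '^ExecStart=' | head -n 1)
  case " $execstart " in
    *" -D "*) echo daemon ;;
    *)        echo foreground ;;
  esac
}

# Print the service Type the unit declares, defaulting to simple as systemd does.
unit_service_type() {
  stype=$(printf '%s\n' "$1" | sed -n 's/^Type=//p' | head -n 1)
  echo "${stype:-simple}"
}

# Return 0 when start mode and Type agree, 1 when they do not.
check_unit_daemon_mode() {
  mode=$(unit_start_mode "$1")
  stype=$(unit_service_type "$1")
  case "$mode:$stype" in
    daemon:forking|foreground:simple|foreground:exec) return 0 ;;
    *)
      printf 'ExecStart runs in %s mode but Type=%s\n' "$mode" "$stype" >&2
      return 1 ;;
  esac
}
```

Of the two working combinations, the foreground one is simpler to operate: systemd owns the process directly, `journalctl -u suricata` carries its stderr, and the pidfile dance is not needed for supervision.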

Hello there!

Anything on above request?

Did you change the cluster-id to not overlap?

Yes I did.

As mentioned I have 2 interfaces ens224 & ens256 and cluster-id for them is set to 99 & 98 respectively.

Below is my current setup

suricata.service file (I commented out the reference to EnvironmentFile=-/etc/default/suricata and pass the --af-packet… options directly in the start command)

# Sample Suricata systemd unit file.
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target systemd-tmpfiles-setup.service
Documentation=man:suricata(1)

[Service]
# Environment file to pick up $OPTIONS. On Fedora/EL this would be
# /etc/sysconfig/suricata, or on Debian/Ubuntu, /etc/default/suricata.
#EnvironmentFile=-/etc/sysconfig/suricata
#EnvironmentFile=-/etc/default/suricata
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet --pidfile /var/run/suricata.pid
ExecReload=/bin/kill -USR2 $MAINPID

### Security Settings ###
MemoryDenyWriteExecute=true
LockPersonality=true
ProtectControlGroups=true
ProtectKernelModules=true

[Install]
WantedBy=multi-user.target

The suricata service does start successfully. After a few hours the service gets terminated automatically. See below the output of systemctl status suricata

[root@<VM_NAME> ~]# systemctl status suricata
× suricata.service - Suricata Intrusion Detection Service
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled)
     Active: failed (Result: core-dump) since Wed 2026-01-21 10:40:19 HKT; 1 week 2 days ago
   Duration: 23h 12min 4.217s
       Docs: man:suricata(1)
   Main PID: 1580465 (code=dumped, signal=ABRT)
        CPU: 4h 8min 9.840s

Jan 20 11:28:15 <VM_NAME> systemd[1]: Starting Suricata Intrusion Detection Service...
Jan 20 11:28:15 <VM_NAME> systemd[1]: Started Suricata Intrusion Detection Service.
Jan 20 11:28:15 <VM_NAME> suricata[1580465]: Info: conf-yaml-loader: Configuration node 'stream' redefined.
Jan 20 11:28:15 <VM_NAME> suricata[1580465]: i: suricata: This is Suricata version 7.0.11 RELEASE running in SYSTEM mode
Jan 20 11:29:12 <VM_NAME> suricata[1580465]: i: threads: Threads created -> W: 16 FM: 1 FR: 1   Engine started.
Jan 21 10:40:16 <VM_NAME> suricata[1580465]: malloc(): invalid next size (unsorted)
Jan 21 10:40:18 <VM_NAME> systemd-coredump[1704976]: Process 1580465 (Suricata-Main) of user 0 dumped core.

                                                      Stack trace of thread 1580604:
                                                      #0  0x00007fa3fe68bedc n/a (n/a + 0x0)
                                                      ELF object binary architecture: AMD x86-64
Jan 21 10:40:19 <VM_NAME> systemd[1]: suricata.service: Main process exited, code=dumped, status=6/ABRT
Jan 21 10:40:19 <VM_NAME> systemd[1]: suricata.service: Failed with result 'core-dump'.
Jan 21 10:40:19 <VM_NAME> systemd[1]: suricata.service: Consumed 4h 8min 9.840s CPU time.

I am unable to find root cause for this.

I have exactly same setup on other hosts as well and did not observe this issue on those hosts.

The only difference is that those hosts (where Suricata does not fail) have only one interface instead of two as in this case. And the traffic volume is much less on those other hosts (a few MB). Here we have traffic volume in the TB range (>20 TiB).

You mentioned RHEL 9, is fapolicyd running? I have had issues when it is running, and disabling it resolved the issue.

No. I don’t have fapolicyd.

@Andreas_Herz / @ish folks can you help to check?

Can you summarize/reattach the current state of your setup?

Also, can you comment out the ### Security Settings ###? I assume that might be a difference between your non-daemon (without -D) run from the command line and your systemd service.

Thanks.

Also, potentially a nit but you have 2 --pidfile arguments specified in your service file.

I would start by getting a minimal Suricata setup to work in the service (e.g. with one interface only), no landlock, root access, and then add more complexity to it (2nd interface, security settings etc.)

Adding a second interface can’t be the problem.

We rebuilt our host server. Now it works fine. No issue is observed from at least last 7 days.

Thanks.
