No alerts in the eve.json logfile

Good morning.
I installed RaspbianOS and Suricata 6.1.0 on a Raspberry Pi 400 and had my data traffic analyzed.
To check whether Suricata is running as desired, I ran an IDS test (GitHub - 3CORESec/testmynids.org: A website and framework for testing NIDS detection).
No alerts were visible in the log file, which means that Suricata 6.1.0 configured on RaspbianOS according to the instructions from Suricata.org did not generate any alerts in the logfile.

So I have another Suricata 6.1.0 installed on another card, which in the (GitHub - 3CORESec/testmynids.org: A website and framework for testing NIDS detection) test also shows alerts in the log file, as requested.

A diff on the suricata.yaml of the two installations showed no difference in the files of the two installations.
I'm at my wits' end. With this posting I would like to contribute to the fact that it works with the installation of a Debian Suricata from the repository.

I then installed a RaspbianOS version and installed 7.0.7 from the sources according to the instructions on suricata.org, which also didn't produce any entries/alerts.
The rest of the entries were logged, just no alerts even after 10 days of evaluation. I think there's something wrong with it.
Thanks for the great work @ suricata
Max

Hi,

Thanks for using Suricata – we appreciate it!

Second, Suricata 6.0.x is not supported; we recommend you use the latest stable release (Suricata 7.0.7), as older releases are no longer maintained nor updated with security updates or bug fixes.

Third, a bit of investigating is needed.

For the last case using 7.0.7, you said that the rest of the entries were logged – does the “stats” event in eve.json (or stats.log if you’re using it), show the expected values for the byte and packet counters?

Is your Pi receiving both sides of the network communications?

Can you post the output of suricata --build-info?
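The three checks asked for in this reply (stats packet/byte counters, whether both traffic directions are seen, and the alert count) can be answered in one pass over eve.json. This is an added example, not code from the thread or from the Suricata project; the field names used (event_type, stats.capture.kernel_packets, flow.pkts_toserver / pkts_toclient) are Suricata's standard EVE JSON output, and the sample lines below are constructed.

```python
import json
from collections import Counter

# Constructed eve.json sample (not from the poster's sensor): one stats event,
# two flow records that only ever saw the client side, and no alert event.
SAMPLE_EVE = """\
{"timestamp":"2024-12-03T14:00:00.000000+0100","event_type":"stats","stats":{"capture":{"kernel_packets":123456,"kernel_drops":0},"decoder":{"pkts":123456,"bytes":98765432}}}
{"timestamp":"2024-12-03T14:00:01.000000+0100","event_type":"flow","src_ip":"192.168.1.10","dest_ip":"192.0.2.80","proto":"TCP","flow":{"pkts_toserver":12,"pkts_toclient":0,"bytes_toserver":1500,"bytes_toclient":0}}
{"timestamp":"2024-12-03T14:00:02.000000+0100","event_type":"flow","src_ip":"192.168.1.10","dest_ip":"192.0.2.53","proto":"UDP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":70,"bytes_toclient":0}}
"""

def triage(lines):
    """Summarise sensor health from eve.json lines: event mix, latest capture
    counters, one-sided vs two-sided flows, alert count, and a verdict."""
    types, last_stats, flows, two_sided = Counter(), None, 0, 0
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        et = ev.get("event_type")
        types[et] += 1
        if et == "stats":
            last_stats = ev["stats"]          # most recent counters win
        elif et == "flow":
            flows += 1
            f = ev["flow"]
            # a flow with packets in both directions proves the sensor sees both sides
            if f.get("pkts_toserver", 0) and f.get("pkts_toclient", 0):
                two_sided += 1
    kernel_packets = (last_stats or {}).get("capture", {}).get("kernel_packets")
    if not types:
        verdict = "no events: Suricata is not writing eve.json (check systemctl status)"
    elif last_stats is None:
        verdict = "no stats event yet: wait for the stats interval or enable stats output"
    elif not kernel_packets:
        verdict = "capture.kernel_packets is 0: the configured interface sees no traffic"
    elif flows and two_sided == 0:
        verdict = "every flow is one-sided: the sensor only sees one direction"
    elif types["alert"] == 0:
        verdict = "traffic captured but no alerts: check that rules are loaded (suricata-update, rule-files)"
    else:
        verdict = "alerts present"
    return {"event_types": dict(types), "flows": flows, "two_sided_flows": two_sided,
            "kernel_packets": kernel_packets, "alerts": types["alert"], "verdict": verdict}

if __name__ == "__main__":
    import sys  # usage: python3 triage.py /var/log/suricata/eve.json
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_EVE.splitlines()
    print(json.dumps(triage(lines), indent=2))
```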

Hello, thanks for your answer.
OK, now I started the SD card with the WLAN hotspot and Suricata 7.0.7, and I noticed that the suricata.service is down.

sudo systemctl status suricata.service
× suricata.service - Suricata IDS/IDP daemon
Loaded: loaded (/lib/systemd/system/suricata.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Tue 2024-12-03 14:38:23 CET; 1min 5s ago
Docs: man:suricata(8)
man:suricatasc(8)
https://suricata-ids.org/docs/
Process: 1049 ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid (code=exited, status=127)
CPU: 34ms

Dez 03 14:38:23 sternenband systemd[1]: Failed to start suricata.service - Suricata IDS/IDP daemon.
Dez 03 14:38:23 sternenband systemd[1]: suricata.service: Scheduled restart job, restart counter is at 5.
Dez 03 14:38:23 sternenband systemd[1]: Stopped suricata.service - Suricata IDS/IDP daemon.
Dez 03 14:38:23 sternenband systemd[1]: suricata.service: Start request repeated too quickly.
Dez 03 14:38:23 sternenband systemd[1]: suricata.service: Failed with result 'exit-code'.
Dez 03 14:38:23 sternenband systemd[1]: Failed to start suricata.service - Suricata IDS/IDP daemon.

sudo tail /var/log/suricata/stats.log #is empty

sudo tail /var/log/suricata/stats.log.1
flow.spare | Total | 10768
flow.mgr.rows_maxlen | Total | 2
flow.mgr.flows_checked | Total | 489588
flow.mgr.flows_notimeout | Total | 236324
flow.mgr.flows_timeout | Total | 253264
flow.mgr.flows_evicted | Total | 253296
flow.mgr.flows_evicted_needs_work | Total | 14728
tcp.memuse | Total | 2424832
tcp.reassembly_memuse | Total | 393216
flow.memuse | Total | 12118208

Is your Pi receiving both sides of the network communications? Yes it is: wlan (HOME_NET address) and eth0 for the default gateway in some NAT net on the way to the internet.
af-packet:
- interface wlan0

sudo suricata --build-info
This is Suricata version 7.0.7 RELEASE
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: none
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 12.2.0, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.49, linked against LibHTP v0.5.42

Suricata Configuration:
AF_PACKET support: yes
AF_XDP support: no
DPDK support: no
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no

Unix socket enabled: yes
Detection enabled: yes

Libmagic support: yes
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
PCRE jit: yes
LUA support: no
libluajit: no
GeoIP2 support: no
JA3 support: yes
JA4 support: yes
Non-bundled htp: no
Hyperscan support: no
Libnet support: yes
liblz4 support: yes
Landlock support: yes

Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.63.0
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.65.0

Python support: yes
Python path: /usr/bin/python3
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes

Profiling enabled: no
Profiling locks enabled: no
Profiling rules enabled: no

Plugin support (experimental): yes
DPDK Bond PMD: no

Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Fuzz targets enabled: no

Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/

--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share

Host: aarch64-unknown-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -fPIC -std=c11 -march=native -I${srcdir}/…/rust/gen -I${srcdir}/…/rust/dist
PCAP_CFLAGS -I/usr/include
SECCFLAGS

The question arising from the new situation: what can I do about status error code 127?

sudo journalctl -u suricata.service
Nov 15 12:35:54 sternenband systemd[1]: Stopped suricata.service - Suricata IDS/IDP daemon.
Nov 15 12:35:54 sternenband systemd[1]: suricata.service: Consumed 3min 10.864s CPU time.
-- Boot 6d4f0f721c8a494582ceb60c47c21ddd --
Nov 15 12:36:11 sternenband systemd[1]: Starting suricata.service - Suricata IDS/IDP daemon…
Nov 15 12:36:12 sternenband suricata[1006]: 15/11/2024 -- 12:36:12 - - This is Suricata version 6.0.10 RELEASE running in SYSTEM mode
Nov 15 12:36:12 sternenband systemd[1]: Started suricata.service - Suricata IDS/IDP daemon.
Nov 26 13:12:00 sternenband systemd[1]: Stopping suricata.service - Suricata IDS/IDP daemon…
Nov 26 13:12:01 sternenband suricatasc[66268]: Unable to connect to socket /var/run/suricata/suricata-command.socket: L178: [Errno 2] No such file or directory
Nov 26 13:12:01 sternenband systemd[1]: suricata.service: Control process exited, code=exited, status=1/FAILURE
Nov 26 13:12:03 sternenband systemd[1]: suricata.service: Failed with result 'exit-code'.
Nov 26 13:12:03 sternenband systemd[1]: Stopped suricata.service - Suricata IDS/IDP daemon.
Nov 26 13:12:03 sternenband systemd[1]: suricata.service: Consumed 4h 39min 48.010s CPU time.
-- Boot 5187998102f147fcacc8d5fe2da7a25e --
Nov 26 13:12:21 sternenband systemd[1]: Starting suricata.service - Suricata IDS/IDP daemon…
Nov 26 13:12:22 sternenband suricata[1019]: i: suricata: This is Suricata version 7.0.7 RELEASE running in SYSTEM mode
Nov 26 13:12:22 sternenband suricata[1019]: /usr/bin/suricata: symbol lookup error: /usr/bin/suricata: undefined symbol: htp_config_set_max_tx
Nov 26 13:12:22 sternenband systemd[1]: suricata.service: Control process exited, code=exited, status=127/n/a
Nov 26 13:12:22 sternenband systemd[1]: suricata.service: Failed with result 'exit-code'.
Nov 26 13:12:22 sternenband systemd[1]: Failed to start suricata.service - Suricata IDS/IDP daemon.
Nov 26 13:12:22 sternenband systemd[1]: suricata.service: Scheduled restart job, restart counter is at 1.
Nov 26 13:12:22 sternenband systemd[1]: Stopped suricata.service - Suricata IDS/IDP daemon.
Nov 26 13:12:22 sternenband systemd[1]: Starting suricata.service - Suricata IDS/IDP daemon…
Nov 26 13:12:22 sternenband suricata[1030]: i: suricata: This is Suricata version 7.0.7 RELEASE running in SYSTEM mode
Nov 26 13:12:22 sternenband suricata[1030]: /usr/bin/suricata: symbol lookup error: /usr/bin/suricata: undefined symbol: htp_config_set_max_tx
Nov 26 13:12:22 sternenband systemd[1]: suricata.service: Control process exited, code=exited, status=127/n/a

How can I start suricata.service again? After that I want to test the IDS and check the log file for alerts.

jq -c 'select(.alert)' eve.json   # no alert
jq -c 'select(.alert)' eve.json.1 # no alert

After the IDS test there must be a few logged alerts if everything is all right.
Sorry for my english,
Thank you for your support.
Max