Hello, thanks for your answer.
OK, now I started the SD card with the WLAN hotspot and Suricata 7.0.7, and I noticed that suricata.service is down.
sudo systemctl status suricata.service
× suricata.service - Suricata IDS/IDP daemon
Loaded: loaded (/lib/systemd/system/suricata.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Tue 2024-12-03 14:38:23 CET; 1min 5s ago
Docs: man:suricata(8)
man:suricatasc(8)
https://suricata-ids.org/docs/
Process: 1049 ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid (code=exited, status=127)
CPU: 34ms
Dez 03 14:38:23 sternenband systemd[1]: Failed to start suricata.service - Suricata IDS/IDP daemon.
Dez 03 14:38:23 sternenband systemd[1]: suricata.service: Scheduled restart job, restart counter is at 5.
Dez 03 14:38:23 sternenband systemd[1]: Stopped suricata.service - Suricata IDS/IDP daemon.
Dez 03 14:38:23 sternenband systemd[1]: suricata.service: Start request repeated too quickly.
Dez 03 14:38:23 sternenband systemd[1]: suricata.service: Failed with result 'exit-code'.
Dez 03 14:38:23 sternenband systemd[1]: Failed to start suricata.service - Suricata IDS/IDP daemon.
sudo tail /var/log/suricata/stats.log #is empty
sudo tail /var/log/suricata/stats.log.1
flow.spare | Total | 10768
flow.mgr.rows_maxlen | Total | 2
flow.mgr.flows_checked | Total | 489588
flow.mgr.flows_notimeout | Total | 236324
flow.mgr.flows_timeout | Total | 253264
flow.mgr.flows_evicted | Total | 253296
flow.mgr.flows_evicted_needs_work | Total | 14728
tcp.memuse | Total | 2424832
tcp.reassembly_memuse | Total | 393216
flow.memuse | Total | 12118208
Is your Pi receiving both sides of the network communications? Yes, it is: wlan (home_net address) and eth0 as the default gateway into some NAT net on the way to the internet.
af-packet:
- interface wlan0
sudo suricata --build-info
This is Suricata version 7.0.7 RELEASE
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: none
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 12.2.0, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.49, linked against LibHTP v0.5.42
Suricata Configuration:
AF_PACKET support: yes
AF_XDP support: no
DPDK support: no
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
PCRE jit: yes
LUA support: no
libluajit: no
GeoIP2 support: no
JA3 support: yes
JA4 support: yes
Non-bundled htp: no
Hyperscan support: no
Libnet support: yes
liblz4 support: yes
Landlock support: yes
Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.63.0
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.65.0
Python support: yes
Python path: /usr/bin/python3
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled: no
Profiling locks enabled: no
Profiling rules enabled: no
Plugin support (experimental): yes
DPDK Bond PMD: no
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Fuzz targets enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
Host: aarch64-unknown-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -fPIC -std=c11 -march=native -I${srcdir}/…/rust/gen -I${srcdir}/…/rust/dist
PCAP_CFLAGS -I/usr/include
SECCFLAGS
The question arising from the new situation: what can I do about exit status code 127?
sudo journalctl -u suricata.service
Nov 15 12:35:54 sternenband systemd[1]: Stopped suricata.service - Suricata IDS/IDP daemon.
Nov 15 12:35:54 sternenband systemd[1]: suricata.service: Consumed 3min 10.864s CPU time.
-- Boot 6d4f0f721c8a494582ceb60c47c21ddd --
Nov 15 12:36:11 sternenband systemd[1]: Starting suricata.service - Suricata IDS/IDP daemon…
Nov 15 12:36:12 sternenband suricata[1006]: 15/11/2024 -- 12:36:12 - - This is Suricata version 6.0.10 RELEASE running in SYSTEM mode
Nov 15 12:36:12 sternenband systemd[1]: Started suricata.service - Suricata IDS/IDP daemon.
Nov 26 13:12:00 sternenband systemd[1]: Stopping suricata.service - Suricata IDS/IDP daemon…
Nov 26 13:12:01 sternenband suricatasc[66268]: Unable to connect to socket /var/run/suricata/suricata-command.socket: L178: [Errno 2] No such file or directory
Nov 26 13:12:01 sternenband systemd[1]: suricata.service: Control process exited, code=exited, status=1/FAILURE
Nov 26 13:12:03 sternenband systemd[1]: suricata.service: Failed with result 'exit-code'.
Nov 26 13:12:03 sternenband systemd[1]: Stopped suricata.service - Suricata IDS/IDP daemon.
Nov 26 13:12:03 sternenband systemd[1]: suricata.service: Consumed 4h 39min 48.010s CPU time.
-- Boot 5187998102f147fcacc8d5fe2da7a25e --
Nov 26 13:12:21 sternenband systemd[1]: Starting suricata.service - Suricata IDS/IDP daemon…
Nov 26 13:12:22 sternenband suricata[1019]: i: suricata: This is Suricata version 7.0.7 RELEASE running in SYSTEM mode
Nov 26 13:12:22 sternenband suricata[1019]: /usr/bin/suricata: symbol lookup error: /usr/bin/suricata: undefined symbol: htp_config_set_max_tx
Nov 26 13:12:22 sternenband systemd[1]: suricata.service: Control process exited, code=exited, status=127/n/a
Nov 26 13:12:22 sternenband systemd[1]: suricata.service: Failed with result 'exit-code'.
Nov 26 13:12:22 sternenband systemd[1]: Failed to start suricata.service - Suricata IDS/IDP daemon.
Nov 26 13:12:22 sternenband systemd[1]: suricata.service: Scheduled restart job, restart counter is at 1.
Nov 26 13:12:22 sternenband systemd[1]: Stopped suricata.service - Suricata IDS/IDP daemon.
Nov 26 13:12:22 sternenband systemd[1]: Starting suricata.service - Suricata IDS/IDP daemon…
Nov 26 13:12:22 sternenband suricata[1030]: i: suricata: This is Suricata version 7.0.7 RELEASE running in SYSTEM mode
Nov 26 13:12:22 sternenband suricata[1030]: /usr/bin/suricata: symbol lookup error: /usr/bin/suricata: undefined symbol: htp_config_set_max_tx
Nov 26 13:12:22 sternenband systemd[1]: suricata.service: Control process exited, code=exited, status=127/n/a
How can I start suricata.service again? After that I want to test the IDS and check the log file for alerts.
jq -c 'select(.alert)' eve.json # no alert
jq -c 'select(.alert)' eve.json.1 # no alert
After the IDS test there must be a few logged alerts if everything is all right.
Sorry for my English,
Thank you for your support.
Max
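The post already contains the two clues that explain exit status 127: `suricata --build-info` reports "compiled with LibHTP v0.5.49, linked against LibHTP v0.5.42" (with "Non-bundled htp: no"), and the journal shows the dynamic linker failing on `undefined symbol: htp_config_set_max_tx` right before systemd records `status=127`. Exit status 127 is what the dynamic loader returns when a symbol lookup fails at start-up, so the binary never gets as far as reading suricata.yaml. The script below is an added example, not code from the original post or from the Suricata project: it parses those two outputs and turns them into checks you can rerun on the Pi. The build-info and journal text embedded in it are constructed samples modelled on the lines quoted above; on the real host feed it the output of `suricata --build-info` and `journalctl -u suricata.service --no-pager` instead.

```shell
#!/bin/sh
# Added example (not from the original post or the Suricata project):
# detect a LibHTP compile/link version mismatch in `suricata --build-info`
# output and the matching dynamic-linker failure in journal output.

# Constructed sample text, modelled on the lines quoted in the post.
SAMPLE_BUILD_INFO='This is Suricata version 7.0.7 RELEASE
Non-bundled htp: no
compiled with LibHTP v0.5.49, linked against LibHTP v0.5.42'

SAMPLE_JOURNAL='Nov 26 13:12:22 sternenband suricata[1019]: /usr/bin/suricata: symbol lookup error: /usr/bin/suricata: undefined symbol: htp_config_set_max_tx
Nov 26 13:12:22 sternenband systemd[1]: suricata.service: Control process exited, code=exited, status=127/n/a'

# Read build-info text on stdin; print "<compiled> <linked>" LibHTP versions.
htp_versions() {
    sed -n 's/.*compiled with LibHTP v\([0-9.]*\), linked against LibHTP v\([0-9.]*\).*/\1 \2/p'
}

# Return 0 when the build-info text in $1 shows the compiled and linked
# LibHTP versions differ (the situation in the post), 1 otherwise.
htp_mismatch() {
    set -- $(printf '%s\n' "$1" | htp_versions)
    if [ $# -eq 2 ] && [ "$1" != "$2" ]; then
        return 0
    fi
    return 1
}

# Print the first undefined symbol named in a dynamic-linker error in $1.
missing_symbol() {
    printf '%s\n' "$1" | sed -n 's/.*undefined symbol: \([A-Za-z0-9_]*\).*/\1/p' | head -n 1
}

# Return 0 when systemd recorded exit status 127 for the service in $1.
status_127() {
    printf '%s\n' "$1" | grep -q 'status=127'
}

# Stand-alone run: report what the constructed samples show.
if htp_mismatch "$SAMPLE_BUILD_INFO"; then
    echo "LibHTP mismatch (compiled linked): $(printf '%s\n' "$SAMPLE_BUILD_INFO" | htp_versions)"
fi
sym=$(missing_symbol "$SAMPLE_JOURNAL")
if [ -n "$sym" ] && status_127 "$SAMPLE_JOURNAL"; then
    echo "exit status 127 came from the dynamic linker: undefined symbol $sym"
fi
```

On the host itself, `ldd /usr/bin/suricata | grep -i htp` shows which libhtp.so the loader actually resolves; "Non-bundled htp: no" means the binary was built against its bundled LibHTP 0.5.49, while the library picked up at run time is 0.5.42, which does not export htp_config_set_max_tx. The service will keep failing with 127 until the LibHTP the loader finds matches the one Suricata was compiled with; which package or path provides it depends on how this Suricata build was installed, so check that before touching the unit file.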