Running Suricata with interface instead of IP address

ginoliuz · January 25, 2023, 3:04pm

Hi.

I’m testing Suricata on my laptop running Windows 10 22H2.
When I run the command by using the IP address, it executes with no problem (just few warning messages about some files missing.
The command would be something similar to the following:

suricata.exe -c suricata.yaml -i <ip_address>

Since the IP might often change over time, I find it more useful to run it on the network device.
By following the “how to” guide that comes with Suricata, I found that the correct syntax is the following:

C:\Program Files\Suricata>suricata.exe -i \\DEVICE\\NPF_\{network_setting_id\}

So I built the following command:

suricata.exe -c suricata.yaml -i \\DEVICE\\NPF_\{618FE502-F7B1-41C2-B31C-2A36FD3EC46B\}

which is the device associated with my network card I’m using.

However, somehow it cannot execute the command. The output is the following:

C:\Program Files\Suricata>suricata.exe -c suricata.yaml -i \\DEVICE\\NPF_\{618FE502-F7B1-41C2-B31C-2A36FD3EC46B\}

25/1/2023 -- 16:00:22 - <Info> - Running as service: no
25/1/2023 -- 16:00:22 - <Notice> - This is Suricata version 6.0.9 RELEASE running in SYSTEM mode
25/1/2023 -- 16:00:22 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol ikev2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
25/1/2023 -- 16:00:22 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
25/1/2023 -- 16:00:22 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
25/1/2023 -- 16:00:22 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via syscall for '\\DEVICE\\NPF_\{618FE502-F7B1-41C2-B31C-2A36FD3EC46B\}':  (0x00000490)
25/1/2023 -- 16:00:22 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via syscall for '\\DEVICE\\NPF_\{618FE502-F7B1-41C2-B31C-2A36FD3EC46B\}':  (0x00000490)
25/1/2023 -- 16:00:22 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named eve-log.ike
25/1/2023 -- 16:00:22 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named eve-log.quic
25/1/2023 -- 16:00:22 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-icmp_info.rules: No such file or directory.
25/1/2023 -- 16:00:22 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\\Program Files\\Suricata\\rules\\emerging-icmp.rules: No such file or directory.
25/1/2023 -- 16:00:22 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\Program Files\Suricata\\\threshold.config": No such file or directory
25/1/2023 -- 16:00:22 - <Error> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] - could not create a new pcap handler for \\DEVICE\\NPF_\{618FE502-F7B1-41C2-B31C-2A36FD3EC46B\}, error Error opening adapter: La sintassi del nome del file, della directory o del volume non Þ corretta.  (123)
25/1/2023 -- 16:00:23 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01-\\DE..6B\" failed to initialize: flags 0145
25/1/2023 -- 16:00:23 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...

C:\Program Files\Suricata>

I checked the device name by running the following command:

wmic nicconfig get ipaddress,SettingID

which outputs the following:

IPAddress                                      SettingID
                                               {154B4599-3DE7-414D-9C68-4438354CECC5}
                                               {61E3B87F-E9C0-4DCA-8DFA-E9F9FFB543CC}
{"192.168.50.45", "fe80::8fe8:fee9:7821:a07"}  {618FE502-F7B1-41C2-B31C-2A36FD3EC46B}
                                               {784855DA-AC00-476B-A56E-41AC3023C9A7}
                                               {24883751-FBCC-499D-9E97-A7CFD64FDC97}
                                               {B5E5F883-5CD3-4D8E-B656-4C1DC415E299}
                                               {E545181B-05BC-47B1-B9C7-4256B3590052}
                                               {47B6FA53-CBDB-47A3-97E0-7C09D704938D}
                                               {26B5592D-BEF9-4380-9F2A-050E795665F7}
                                               {4681CBB3-4309-4F56-B3A1-A4F913119745}
                                               {41D8E655-CB86-49DC-8BAB-F0C7B2371206}
                                               {9EA66B9B-51CD-48BC-92A9-3ACC32C22AFC}
                                               {7E7BC473-BFFF-4265-9A3B-0C6EE8B06E44}
                                               {0E87A01B-23F2-4924-9F92-78AACE42F4DD}
{"192.168.56.1", "fe80::71bc:f441:53e0:cc03"}  {236CD3AF-712E-49F4-B05A-3936C90780ED}

So the command for running Suricata should be correct.

How do I solve this?

Any suggestion is appreciated.

Topic		Replies	Views
Suricata IDS scan all interfaces Help ips , suricata	1	573	August 28, 2022
Start suricate with multiple (not running) interfaces	1	464	January 17, 2023
Suricata on pfSense blocking IPs on Pass List Help pfsense	16	6760	January 14, 2022
Monitor more than one interface in Windows? Help	0	301	January 25, 2023
How to configure Suricata-IDS in IPS mode in Windows Server 2019? Help ips , windows	23	6064	October 27, 2022

Running Suricata with interface instead of IP address

Related Topics