Hi I was trouble shooting suricata, I’d set it up for IDS in conjunction with Wazuh. On reviewing suricata.logs, I got this message:
2650 - Suricata-Main] 2024-07-04 17:39:29 Warning: ioctl: eth0: failed to set SIOCETHTOOL ioctl: Invalid argumentHion
Has anyone seen this and can you help fix/remove?
What version do you run?
What OS do you use? Ideally provide suricata --build-info and more stats from the system.
Also add the suricata.yaml and suricata.log.
Suricata 7.0.6
Ubuntu 22.04.4
This is Suricata version 7.0.6 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_JA3 HAVE_JA4 HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64
SIMD support: SSE_2
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 11.4.0, C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.48, linked against LibHTP v0.5.48
Suricata Configuration:
AF_PACKET support: yes
AF_XDP support: no
DPDK support: no
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libjansson support: yes
hiredis support: yes
hiredis async with libevent: yes
PCRE jit: yes
LUA support: yes, through luajit
libluajit: yes
GeoIP2 support: yes
JA3 support: yes
JA4 support: yes
Non-bundled htp: yes
Hyperscan support: yes
Libnet support: yes
liblz4 support: yes
Landlock support: yes
Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.75.0 (82e1608df 2023-12-21) (built from a source tarball)
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.75.0
Python support: yes
Python path: /usr/bin/python3
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled: no
Profiling locks enabled: no
Profiling rules enabled: no
Plugin support (experimental): yes
DPDK Bond PMD: no
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Fuzz targets enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
–prefix /usr
–sysconfdir /etc
–localstatedir /var
–datarootdir /usr/share
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -g -O2 -ffile-prefix-map=/build/suricata-UIr2Ji/suricata-7.0.6=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -std=c11 -I${srcdir}/…/rust/gen -I${srcdir}/…/rust/dist
PCAP_CFLAGS -I/usr/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
Is there a specific part of build info, yaml & logs you need as I’m restricted in characters
many thanks
This looks like a device that doesn’t support this operation. Does Suricata continue to run? If so, you should be OK. If Suricata exits, try forcing pcap mode with a command line like:
suricata --pcap=eth0 ...
Hi yes Suricata does continue to run, I will try your suggested command