Sshd service is getting restarted internally on starting Suricata

I have tried 2 versions of Suricata: 7.0.0 and 7.0.6
Operating system: almalinux 9.4
I have installed Suricata from source.

Whenever I start/restart the Suricata service, it is restarting the sshd service too, and I am losing all the active SSH connections.
Is this expected? Please assist me in fixing this problem.

Thanks,
Mahesh

Please provide more details, like the logs and also how you run Suricata (in which mode and run command), add suricata.yaml and check the systemctl state.
How do you actually restart the Suricata service, and how did you set up the systemd file?

Hi @Andreas_Herz,

Please find the attached yaml and service files.
suricata.yaml (7.5 KB)
suricata.service.yaml (818 Bytes)

Note: Added yaml extension for service file too as I was unable to upload the service file here.

sshd is restarting on executing any of the below commands:
systemctl start suricata
systemctl restart suricata
systemctl stop suricata

What is set for $OPTIONS? It looks like you run IPS mode. Did you follow the guide at 15. Setting up IPS/inline for Linux — Suricata 8.0.0-dev documentation? I would guess it’s not an actual restart of sshd but rather the iptables settings that “break” your connection.

Also post the suricata.log and the logs from the services so we can see the actual messages.

Thanks for checking the files @Andreas_Herz. I am attaching the suricata.log and system log files. The files have logs from the time of the start and restart Suricata operations. Please check. Thanks.
suricata.log (6.0 KB)
system.log (6.7 KB)

Same, I also can’t SSH after adding the service file and restarting it.

Having a similar issue: Suricata 7 dropping ssh sessions

Please also answer what are the values for $OPTIONS in your service file.

Also 7.0.0 is a bit old, try to update to the most recent one.

Keep in mind for IPS there are some changes from 6 to 7, see 4. Upgrading — Suricata 8.0.0-dev documentation

If you run IPS you need to make sure that you properly set the netfilter config, so that if Suricata stops for some reason packets are still processed (if that’s what you want).
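As an added illustration of that last point (this is example code written for this page, not from the thread or the Suricata project): the two NFQUEUE rule sets below differ only in `--queue-bypass`. Without it the kernel drops every queued packet while no userspace program is bound to the queue, which is exactly the window during a `systemctl restart suricata` in which established SSH sessions die; with it the kernel accepts the packets (uninspected) instead. It assumes Suricata is started with NFQUEUE mode on queue 0 (e.g. `$OPTIONS` containing `-q 0`) and that `iptables` is available; nothing is applied unless `APPLY=1` is set.

```shell
#!/bin/sh
# Example (not from the thread): netfilter rules for Suricata NFQUEUE/IPS mode,
# fail-closed versus fail-open. Assumption: queue number 0, iptables NFQUEUE target.
QUEUE_NUM="${QUEUE_NUM:-0}"

# Fail-closed: while Suricata is not bound to the queue (stop/restart window),
# every packet hitting these rules is dropped, so active SSH sessions stall.
rules_fail_closed() {
    echo "iptables -I INPUT  -j NFQUEUE --queue-num $QUEUE_NUM"
    echo "iptables -I OUTPUT -j NFQUEUE --queue-num $QUEUE_NUM"
}

# Fail-open: --queue-bypass makes the kernel ACCEPT (not drop) packets when no
# program is listening on the queue, so traffic keeps flowing during a restart.
rules_fail_open() {
    echo "iptables -I INPUT  -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass"
    echo "iptables -I OUTPUT -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass"
}

# Pre-flight check: returns 0 only if every rule in the named set carries
# --queue-bypass, 1 if any rule would fail closed.
check_fail_open() {
    if "$1" | grep -v -- '--queue-bypass' >/dev/null; then
        return 1
    fi
    return 0
}

# Print the rules (dry-run, default) or execute them when APPLY=1.
run_rules() {
    "$1" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            sh -c "$cmd"
        else
            echo "[dry-run] $cmd"
        fi
    done
}
```

Whether fail-open is the right choice is a policy decision: with `--queue-bypass`, traffic during a Suricata outage is forwarded without inspection, so pair it with monitoring of the service state.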