Suricata fail to start when the monitored interface is down

wayne · August 21, 2023, 8:53am

We integrated Suricata 6.0.9 into the docker, here is the issue we met.

We are using Suricata (pfring mode) to monitor NIC interface, when the the monitored interface is down (remove the network cable or CLI ‘ip link set dev eth0 down’), Suricata container fail to startup, so the container is inoperatable.

My questions are:

For single monitored interface, can Suricata start successfully even if the interface is down?
For multiple monitored interfaces, can Suricata start successfully when some of the interfaces are down (at least one interface is alive)

Thanks a lot!

ish · August 24, 2023, 2:57pm

For AF_PACKET this seems to be case. The device has to exist, but can be down and it will retry later. It doesn’t look like PF_RING has this same logic. It might be worth a feature request (Issues - Suricata - Open Information Security Foundation).

Topic		Replies	Views
Running Suricata 6.0.0 inside a docker container with docker interface. The tool doesn't seem to Sniff traffic Help docker	2	1179	May 24, 2023
Start suricate with multiple (not running) interfaces	1	569	January 17, 2023
Suricata breaks after a little time running fine Help	16	1446	April 25, 2021
Suricata ips mode service type=notify fail to start Help	16	36	August 25, 2024
Suricata and DPDK: interface(s) shut down after suricata restart Help suricata , dpdk	15	61	December 10, 2024

Suricata fail to start when the monitored interface is down

Related topics