Suricata: Handling dynamic/virtual network interfaces at runtime

Hi all. While integrating Suricata with Wazuh, we built a custom image and use the following startup script:

#!/bin/bash
set -eu

# Every interface under /sys/class/net except the loopback.
# -x matches the whole name, so interfaces such as "wlo1" are not dropped by accident.
IFACES=($(ls /sys/class/net | grep -vx lo))

# Build one "-i <iface>" pair per interface.
args=()
for i in "${IFACES[@]}"; do
    args+=( -i "$i" )
done

# Log the final command line, then replace this shell with Suricata.
echo /opt/wazuh/suricata/bin/suricata "${args[@]}" "$@"
exec /opt/wazuh/suricata/bin/suricata "${args[@]}" "$@"

We have a similar approach for macOS.
The issue is that this picks up all interfaces, including transient/virtual ones created by tools like Docker, VMware, Tailscale, etc. At startup, Suricata attaches to many of these, but some disappear later, leading to warnings like:

W: af-packet: <iface>: can't reopen interface

Example (trimmed):

-i br-xxx -i docker0 -i enp0s31f6 -i tailscale0 -i vethXXX -i vmnet1 ...

My question:
Does Suricata provide a native way to:

  • Monitor only active interfaces at runtime, or
  • Automatically drop interfaces that go down after startup?

Or is the recommended approach to handle interface filtering externally?

I would appreciate any best practices or patterns others are using in similar setups.