Suricata - Multi-Detect Not Detecting Devices

Version: 7.0.3
Operating System: Ubuntu 22.04.3 LTS (Inside Docker)
Installed by the following commands:
add-apt-repository -y ppa:oisf/suricata-stable
apt update && apt install -y suricata

I have added the following to the suricata.yaml file:

multi-detect:
  enabled: yes
  #selector: direct # direct or vlan
  selector: device
  loaders: 6

  tenants:
  - id: 1
    yaml: /etc/suricata/eth1/eth1.yaml
  - id: 2
    yaml: /etc/suricata/eth2/eth2.yaml

  mappings:
  - device: eth1
    tenant-id: 1
  - device: eth2
    tenant-id: 2

Suricata complains that it does not see any devices. This configuration does work if I attempt to use the vlan commands in the documentation (replacing device with vlan and vlan-id).

Is the selector “device” broken?

Is this because I am in a docker container?

Both of these interfaces are visible when I run the command ifconfig.

The devices are taken from the capture config. So can you share your commandline and the part of the yaml for your capture method (e.g. af-packet, pcap, etc)?

If I use af-packet, in the device section do I have to enter device: ens224 or device: af-packet::ens224?
I am getting the same error that device ens224 not found.

# Linux high speed capture support
af-packet:
  - interface: ens224
    threads: 2
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
    ring-size: 300000
  - interface: ens256
    threads: 2
    cluster-id: 100
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
    ring-size: 300000

multi-detect:
  enabled: yes
  selector: device
  loaders: 2


  tenants:
  - id: 1
    yaml: /etc/suricata/encrypted-traffic.yaml
  - id: 2
    yaml: /etc/suricata/decrypted-traffic.yaml

  mappings:
  - device: ens224
    tenant-id: 1
  - device: ens256
    tenant-id: 2

Can you post the output of ip a to see the actual interface names?
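Added example, not code from this thread or from the Suricata project: a small Python consistency check for the point raised above, that the device names in multi-detect mappings have to match interfaces present in the capture section. It assumes suricata.yaml has already been parsed into a dict (for example with PyYAML's safe_load) and embeds a constructed dict mirroring the af-packet config posted above; the bare interface name is assumed to be the form compared.

```python
# Added example (not from the thread or Suricata). Cross-checks the
# multi-detect section of a parsed suricata.yaml against the af-packet
# capture interfaces, so a mismatch is visible before starting Suricata.

# Constructed dict mirroring the af-packet + multi-detect config posted above.
CONFIG = {
    "af-packet": [
        {"interface": "ens224", "threads": 2, "cluster-id": 99},
        {"interface": "ens256", "threads": 2, "cluster-id": 100},
    ],
    "multi-detect": {
        "enabled": True,
        "selector": "device",
        "loaders": 2,
        "tenants": [
            {"id": 1, "yaml": "/etc/suricata/encrypted-traffic.yaml"},
            {"id": 2, "yaml": "/etc/suricata/decrypted-traffic.yaml"},
        ],
        "mappings": [
            {"device": "ens224", "tenant-id": 1},
            {"device": "ens256", "tenant-id": 2},
        ],
    },
}


def check_multi_detect(config):
    """Return a list of problem strings; an empty list means consistent."""
    problems = []
    md = config.get("multi-detect", {})
    if not md.get("enabled"):
        return problems  # nothing to validate when multi-detect is off
    if md.get("selector") != "device":
        problems.append(f"selector {md.get('selector')!r} is not 'device'")
    # Interface names are taken from the capture section (af-packet here).
    capture = {e["interface"] for e in config.get("af-packet", []) if "interface" in e}
    tenant_ids = {t["id"] for t in md.get("tenants", [])}
    mappings = md.get("mappings", [])
    for m in mappings:
        dev = m.get("device")
        if dev not in capture:
            problems.append(f"mapping device {dev!r} not in capture interfaces {sorted(capture)}")
        if m.get("tenant-id") not in tenant_ids:
            problems.append(f"mapping for {dev!r} references unknown tenant-id {m.get('tenant-id')}")
    # Capture interfaces that no mapping covers are reported as well.
    mapped = {m.get("device") for m in mappings}
    for dev in sorted(capture - mapped):
        problems.append(f"capture interface {dev!r} has no tenant mapping")
    return problems
```

Running check_multi_detect over a config whose mapping uses the af-packet::ens224 spelling reports that name as absent from the capture interfaces, which is the same symptom the thread describes.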