Suricata - Multi-Detect Not Detecting Devices

Version: 7.0.3
Operating System: Ubuntu 22.04.3 LTS (Inside Docker)
Installed by the following commands:
add-apt-repository -y ppa:oisf/suricata-stable
apt update && apt install -y suricata

I have added the following to the suricata.yaml file:

multi-detect:
  enabled: yes
  #selector: direct # direct or vlan
  selector: device
  loaders: 6

  tenants:
  - id: 1
    yaml: /etc/suricata/eth1/eth1.yaml
  - id: 2
    yaml: /etc/suricata/eth2/eth2.yaml

  mappings:
  - device: eth1
    tenant-id: 1
  - device: eth2
    tenant-id: 2

Suricata complains that it does not see any devices. This configuration does work if I attempt to use the vlan commands in the documentation (replacing device with vlan and vlan-id).

Is the selector "device" broken?

Is this because I am in a docker container?

Both of these interfaces are visible when I run the command ifconfig.

The devices are taken from the capture config. So can you share your commandline and the part of the yaml for your capture method (e.g. af-packet, pcap, etc)?

If I use af-packet, in the device section do I have to enter device: ens224 or device: af-packet::ens224?
I am getting the same error, that device ens224 is not found.

# Linux high speed capture support
af-packet:
  - interface: ens224
    threads: 2
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
    ring-size: 300000
  - interface: ens256
    threads: 2
    cluster-id: 100
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
    ring-size: 300000

multi-detect:
  enabled: yes
  selector: device
  loaders: 2

  tenants:
  - id: 1
    yaml: /etc/suricata/encrypted-traffic.yaml
  - id: 2
    yaml: /etc/suricata/decrypted-traffic.yaml

  mappings:
  - device: ens224
    tenant-id: 1
  - device: ens256
    tenant-id: 2
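A small stdlib-only checker, added here as an example (not part of this thread and not Suricata's own tooling), that applies the reply above: with selector: device, every mapping device must be one of the capture interfaces. It takes the dict that PyYAML's safe_load() would return for suricata.yaml plus the interface names parsed from `ip -o link show`, and reports mapping devices that are not af-packet interfaces, capture interfaces the host does not have, and tenant-ids with no tenant. The config and `ip` output below are constructed samples, and the checker assumes af-packet capture.

```python
"""Cross-check a Suricata multi-detect device selector against the capture config and the host."""
import re

# Constructed sample of `ip -o link show` output (names are made up for this example).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
3: ens224: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
"""

# Constructed sample: the dict PyYAML's safe_load() would return for the relevant parts of suricata.yaml.
# Deliberately contains one host-missing interface, one af-packet:: prefixed device and one unknown tenant.
SAMPLE_CONFIG = {
    "af-packet": [{"interface": "ens224", "cluster-id": 99}, {"interface": "ens256", "cluster-id": 100}],
    "multi-detect": {
        "enabled": True, "selector": "device", "loaders": 2,
        "tenants": [{"id": 1, "yaml": "/etc/suricata/encrypted-traffic.yaml"}],
        "mappings": [{"device": "ens224", "tenant-id": 1}, {"device": "af-packet::ens256", "tenant-id": 2}],
    },
}


def host_interfaces(ip_link_output):
    """Return the interface names from `ip -o link show` output (one interface per line, '@' suffix dropped)."""
    return {m.group(1) for m in re.finditer(r"^\d+:\s+([^:@\s]+)", ip_link_output, re.M)}


def check_multi_detect(cfg, host_ifaces):
    """Return a list of problem strings; an empty list means every mapping resolves to a capture device."""
    problems = []
    md = cfg.get("multi-detect", {})
    if not md.get("enabled") or md.get("selector") != "device":
        return problems  # only the device selector is cross-checked here
    capture = {entry["interface"] for entry in cfg.get("af-packet", [])}
    tenants = {tenant["id"] for tenant in md.get("tenants", [])}
    for cap in sorted(capture - host_ifaces):
        problems.append(f"capture interface {cap} not present on host")
    for mapping in md.get("mappings", []):
        dev, tid = mapping.get("device"), mapping.get("tenant-id")
        if dev not in capture:
            problems.append(f"mapping device {dev} is not an af-packet interface")
        if tid not in tenants:
            problems.append(f"mapping for {dev} references undefined tenant-id {tid}")
    return problems


if __name__ == "__main__":
    for line in check_multi_detect(SAMPLE_CONFIG, host_interfaces(SAMPLE_IP_LINK)):
        print(line)
```

On a real host, feed it `yaml.safe_load(open("/etc/suricata/suricata.yaml"))` (PyYAML assumed) and the output of `ip -o link show`.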

Can you post the output of ip a to see the actual interface names?

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:bb:0a:e3 brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.212.21/24 brd 192.168.212.255 scope global noprefixroute ens192
       valid_lft forever preferred_lft forever
3: ens224: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:bb:0a:ed brd ff:ff:ff:ff:ff:ff
    altname enp19s0
4: ens256: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:bb:0a:f7 brd ff:ff:ff:ff:ff:ff
    altname enp27s0

I updated Suricata to v7.0.5 from v6.0 and the same configuration worked like a charm!!!