I installed Suricata 7.0.3 from source on an Ubuntu 24.04 server VM on Proxmox.
I enabled promiscuous mode on my interface and ‘tcpdump -i ens18’ shows all network traffic.
However, when I enable promiscuous mode in the suricata.yaml file and run the test command, it shows an error on line 622.
Interface is in promisc mode:
:~$ netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
ens18 1500 2128 0 658 0 1210 0 0 0 BMRU
lo 65536 92 0 0 0 92 0 0 0 LRU
Parts of the suricata.yaml file:
af-packet:
- interface: ens18
# Number of receive threads. "auto" uses the number of cores
#threads: auto
# Default clusterid. AF_PACKET will load balance packets based on flow.
cluster-id: 99
---
# Set to yes to disable promiscuous mode
disable-promisc: no
Suricata service status:
~$ sudo systemctl status suricata
× suricata.service - Suricata IDS/IDP daemon
Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Fri 2024-06-28 12:06:12 UTC; 5s ago
Docs: man:suricata(8)
man:suricatasc(8)
https://suricata.io/documentation/
Process: 1730 ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid (code=exited, status=1/FAILURE)
CPU: 8ms
Jun 28 12:06:12 suricata systemd[1]: suricata.service: Scheduled restart job, restart counter is at 5.
Jun 28 12:06:12 suricata systemd[1]: suricata.service: Start request repeated too quickly.
Jun 28 12:06:12 suricata systemd[1]: suricata.service: Failed with result 'exit-code'.
Jun 28 12:06:12 suricata systemd[1]: Failed to start suricata.service - Suricata IDS/IDP daemon.
Running test on config file:
~$ sudo suricata -T -c /etc/suricata/suricata.yaml -v
Error: conf-yaml-loader: Failed to parse configuration file at line 662: did not find expected key
How do I solve this error?
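
An added example, not part of the original post and not Suricata code: libyaml reports "did not find expected key" when, inside a block mapping, it reaches a token that is not a key, which commonly comes from a line whose indentation does not line up with its siblings. The heuristic check below flags such lines and tab indentation; the function name `indentation_findings` and the sample config are constructed for illustration, and multi-line scalars are not handled.

```python
# Added example: heuristic indentation check for YAML block mappings.
# SAMPLE is constructed for illustration; it is not the poster's file.
SAMPLE = """\
af-packet:
  - interface: ens18
    #threads: auto
    cluster-id: 99
     disable-promisc: no
"""

def indentation_findings(text):
    """Return [(line_no, message)] for tab indents and misaligned keys."""
    findings = []
    stack = [0]         # indentation columns of the blocks currently open
    prev_opens = False  # previous content line ended with ':' (opens a block)
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        body = line.lstrip(" ")
        if body.startswith("\t"):
            findings.append((no, "tab used for indentation"))
            continue
        if not body or body.startswith("#") or body in ("---", "..."):
            continue  # blank lines, comments and document markers carry no keys
        indent = len(line) - len(body)
        if indent > stack[-1]:
            if not prev_opens:
                findings.append((no, f"column {indent}, expected {stack[-1]}: "
                                     "deeper indent but no block was opened"))
            stack.append(indent)
        else:
            while stack[-1] > indent:
                stack.pop()
            if stack[-1] != indent:
                findings.append((no, f"column {indent} matches no enclosing block"))
                stack.append(indent)
        # "- key: value": sibling keys of the list item align with 'key'
        while body.startswith("- "):
            rest = body[1:].lstrip(" ")
            indent += len(body) - len(rest)
            body = rest
            stack.append(indent)
        body = body.split(" #", 1)[0].rstrip()  # drop a trailing comment
        prev_opens = body.endswith(":")
    return findings

if __name__ == "__main__":
    for line_no, message in indentation_findings(SAMPLE):
        print(f"line {line_no}: {message}")
```

To check a real file, pass its contents, for example `indentation_findings(open("/etc/suricata/suricata.yaml").read())`, and compare the reported lines with the one named in the parser error.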