Suricata.service

I have installed Suricata, then I configured suricata.yaml and set the af-packet interface to my network interface, enp0s3, in /etc/suricata/suricata.yaml. However, when I restart Suricata and check the status of the service, the following output appears:
● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2023-04-25 13:43:42 EDT; 963ms ago
     Docs: man:suricata(1)
  Process: 2898 ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS (code=exited, status=1/FAILURE)
  Process: 2897 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 2898 (code=exited, status=1/FAILURE)

Apr 25 13:43:42 localhost.localdomain suricata[2898]: 25/4/2023 -- 13:43:42 - <Error> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'eth0': No such device (19)
Apr 25 13:43:42 localhost.localdomain suricata[2898]: 25/4/2023 -- 13:43:42 - <Error> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'eth0': No such device (19)
Apr 25 13:43:42 localhost.localdomain suricata[2898]: 25/4/2023 -- 13:43:42 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find type for iface "eth0": No such device
Apr 25 13:43:42 localhost.localdomain suricata[2898]: 25/4/2023 -- 13:43:42 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
Apr 25 13:43:42 localhost.localdomain suricata[2898]: 25/4/2023 -- 13:43:42 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device
Apr 25 13:43:42 localhost.localdomain suricata[2898]: 25/4/2023 -- 13:43:42 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
Apr 25 13:43:42 localhost.localdomain suricata[2898]: 25/4/2023 -- 13:43:42 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-eth0 failed
Apr 25 13:43:42 localhost.localdomain systemd[1]: suricata.service: main process exited, code=exited, status=1/FAILURE
Apr 25 13:43:42 localhost.localdomain systemd[1]: Unit suricata.service entered failed state.
Apr 25 13:43:42 localhost.localdomain systemd[1]: suricata.service failed

The Suricata system keeps detecting that I am using eth0, even though I have changed the configuration in suricata.yaml to enp0s3. What should I do?

How did you install Suricata? From the PPA? RPM? Source? If source, what does your /usr/lib/systemd/system/suricata.service file look like?

If you are using the RPM, edit /etc/sysconfig/suricata and update the OPTIONS line to change the interface, or replace -i eth0 with --af-packet to pick up the af-packet configuration from the configuration file.

Yeah, /usr/lib/systemd/system/suricata.service is like the suricata.service on my operating system.

I installed the Suricata package using the commands 'yum install epel-release' and 'yum install suricata' on the CentOS 7 operating system.

After I looked in the directory /etc/sysconfig/suricata, I found no file in it.

On a fresh install from EPEL on CentOS 7 you should see a /etc/sysconfig/suricata that looks like:

[root@a95aca8f0cca /]# cat /etc/sysconfig/suricata 
# The following parameters are the most commonly needed to configure
# suricata. A full list can be seen by running /sbin/suricata --help
# -i <network interface device>
# --user <acct name>
# --group <group name>

# Add options to be passed to the daemon
OPTIONS="-i eth0 --user suricata "

If you don’t have it anymore, a yum reinstall suricata should put it back.

This is where you update the interface that Suricata will listen on. You might want something like:

OPTIONS="--af-packet=enp10s0 --user suricata "

or simply

OPTIONS="--af-packet --user suricata "

I just noticed that the Suricata provided in EPEL for CentOS 7 is 4.1.10 which has not been supported for 2+ years. The OISF provides RPMs for CentOS 7 of the currently supported releases.

See this forum post for more information: Guide: Suricata RPMs for CentOS and Fedora

6.0 is the current supported release.
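As an added example (not code from this thread or from the Suricata project), a small POSIX shell check for exactly the situation above: it reads the interface the unit will hand to Suricata through $OPTIONS and compares it with the interfaces present on the host, so a stale "-i eth0" is caught before restarting the service. The OPTIONS lines and the interface list below are constructed samples; on a real host you would feed it `grep '^OPTIONS=' /etc/sysconfig/suricata` and `ls /sys/class/net`.

```shell
#!/bin/sh
# Print the capture interface selected by an OPTIONS="..." line from
# /etc/sysconfig/suricata. Prints "yaml" when only --af-packet is given
# (Suricata then takes the interface from the af-packet section of
# suricata.yaml), and prints "none" / returns 1 when no interface is set.
options_iface() {
    opts=$(printf '%s\n' "$1" | sed -n 's/^OPTIONS="\(.*\)"[[:space:]]*$/\1/p')
    # --af-packet=<iface> wins, since it is the explicit af-packet form.
    iface=$(printf '%s\n' "$opts" | sed -n 's/.*--af-packet=\([^[:space:]]*\).*/\1/p')
    [ -n "$iface" ] && { printf '%s\n' "$iface"; return 0; }
    # Legacy "-i <iface>" form shipped in the stock EPEL file.
    iface=$(printf '%s\n' "$opts" | sed -n 's/.*-i[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p')
    [ -n "$iface" ] && { printf '%s\n' "$iface"; return 0; }
    case " $opts " in
        *" --af-packet "*) printf 'yaml\n'; return 0 ;;
    esac
    printf 'none\n'
    return 1
}

# $1: the OPTIONS line, $2: space-separated interfaces present on the host
# (constructed here; on a real host use: ls /sys/class/net).
# Prints a verdict and returns 1 when the unit would start on a missing interface.
check_iface() {
    iface=$(options_iface "$1") || { echo "no interface in OPTIONS: $1"; return 1; }
    if [ "$iface" = yaml ]; then
        echo "ok: af-packet interface is taken from suricata.yaml"
        return 0
    fi
    for have in $2; do
        [ "$have" = "$iface" ] && { echo "ok: $iface exists on this host"; return 0; }
    done
    echo "mismatch: OPTIONS selects '$iface' but host only has: $2"
    return 1
}

# Constructed sample: the stock EPEL line on a VM whose NIC is enp0s3.
SAMPLE_HOST_IFACES="lo enp0s3"
check_iface 'OPTIONS="-i eth0 --user suricata "' "$SAMPLE_HOST_IFACES" || :
check_iface 'OPTIONS="--af-packet=enp0s3 --user suricata "' "$SAMPLE_HOST_IFACES"
check_iface 'OPTIONS="--af-packet --user suricata "' "$SAMPLE_HOST_IFACES"
```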
