Please include the following information with your help request:
- Suricata version - 7.0.6
- Operating system and/or Linux distribution - Ubuntu 24.04.1 LTS
- How you installed Suricata (from source, packages, something else) - From source
Issue: I updated to the latest version and during the update it got interrupted. Everything seems to be fine, but after a couple of hours Suricata stops collecting flows from the network interface, and when I bounce the interface Suricata starts collecting data again.
Any help would be greatly appreciated.
Without knowing what may have happened during the interrupted update, I’d start the process again and ensure it is completed w/out interruption.
Then, see if the problem persists.
If it does, it’s helpful to be more descriptive about what actually happened and supply relevant logs, what was expected vs what happened, the command line used to invoke Suricata, deployment mode (inline or ids), etc.
suricata.service - LSB: Next Generation IDS/IPS
Loaded: loaded (/etc/init.d/suricata; generated)
Active: active (running) since Tue 2024-09-17 16:56:52 EDT; 5 days ago
Docs: man:systemd-sysv-generator(8)
Process: 68531 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)
Tasks: 26 (limit: 308446)
Memory: 1.4G (peak: 40.3G)
CPU: 2d 14h 3min 5.225s
CGroup: /system.slice/suricata.service
└─68539 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
Sep 17 16:56:52 ubun-wazuh systemd[1]: Starting suricata.service - LSB: Next Generation IDS/IPS…
Sep 17 16:56:52 ubun-wazuh suricata[68531]: Starting suricata in IDS (af-packet) mode… done.
Sep 17 16:56:52 ubun-wazuh systemd[1]: Started suricata.service - LSB: Next Generation IDS/IPS.
I am not well versed in Linux or Suricata, so what would you need for logs? What I am aware of is using journalctl and /var/logs/suricata/suricata.stats.
When I invoked the update I used sudo apt upgrade suricata.
The service appears to be running, as you can see from my previous reply using systemctl status suricata.
When I run ip dev eno1 down and then ip dev eno1 up, it starts collecting, and the mode is IDS.
I may have found some interesting info… the last log collection was at 09/25/2024-16:47:36.602320
Sep 25 14:03:21 ubun-wazuh kernel: ixgbe 0000:18:00.0: removed PHC on eno1
Sep 25 14:03:21 ubun-wazuh systemd-networkd[660]: eno1: Link DOWN
Sep 25 14:03:21 ubun-wazuh systemd-networkd[660]: eno1: Lost carrier
Sep 25 14:03:21 ubun-wazuh systemd-networkd[660]: eno1: DHCPv6 lease lost
Sep 25 14:03:22 ubun-wazuh kernel: ixgbe 0000:18:00.0 eno1: left promiscuous mode
Sep 25 14:03:23 ubun-wazuh kernel: ixgbe 0000:18:00.0: registered PHC device on eno1
Sep 25 14:03:23 ubun-wazuh systemd-networkd[660]: eno1: Link UP
Sep 25 14:03:23 ubun-wazuh kernel: ixgbe 0000:18:00.0 eno1: entered promiscuous mode
Sep 25 14:03:27 ubun-wazuh kernel: ixgbe 0000:18:00.0 eno1: NIC Link is Up 1 Gbps, Flow Control: RX
Sep 25 14:03:27 ubun-wazuh systemd-networkd[660]: eno1: Gained carrier
Sep 25 14:03:27 ubun-wazuh NetworkManager[1091]: [1727287407.3578] device (eno1): carrier: link connected
Sep 25 14:03:28 ubun-wazuh systemd-networkd[660]: eno1: Gained IPv6LL
Hi Jeff were you able to see my other posts? Any help would be greatly appreciated.
Can you locate suricata.log on your system and post a snippet here (or DM the file to me)?
suricata.log (44.3 KB)
attached.
I’m not able to reproduce the issue using Suricata 7.0.7 on an ubuntu 24.04 system and AF_PACKET.
Your logs show that Suricata is receiving traffic when the interface is up, and that it correctly detects and reacts to the interface going offline and recovering.
In your logs, the interface goes offline:
[68628 - W#17-eno1] 2024-10-02 08:03:45 Warning: af-packet: eno1: failed to poll interface: Network is down
Then, the interface is back up a moment later:
[68628 - W#17-eno1] 2024-10-02 08:03:48 Perf: af-packet: eno1: rx ring: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120
Suricata is terminated administratively:
[68539 - Suricata-Main] 2024-10-02 08:11:10 Notice: suricata: Signal Received. Stopping engine.
Suricata logs this message when it detects the NIC isn’t online (there will be one log line for each writer thread):
Warning: af-packet: enp23s0: failed to poll interface: Network is down [ReceiveAFPLoop:source-af-packet.c:1421]
When the interface comes back online and is detected by Suricata, you’ll see this pair of log notices (one for each worker thread):
Info: af-packet: enp23s0: interface is back up [AFPTryReopen:source-af-packet.c:1302]
Perf: af-packet: enp23s0: rx ring: block_size=32768 block_nr=7 frame_size=1600 frame_nr=140 [AFPComputeRingParams:source-af-packet.c:1601]
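A small check, added here as an example and not code from the thread or from the Suricata project, that reads the per-worker messages described above and reports which AF_PACKET worker threads logged a failed poll but never logged a recovery. Since every worker thread emits its own "failed to poll" and "interface is back up" pair, a worker that is missing the second message after a link flap is the first thing to look for when capture stops without the engine exiting. The sample log lines are constructed in the same layout as the lines quoted in this thread; the function names and the assumed line layout are mine.

```python
"""Summarise AF_PACKET link events per worker thread from suricata.log."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout, matching the lines quoted in the thread:
#   "[pid - thread] YYYY-MM-DD HH:MM:SS Level: af-packet: <iface>: <message> [Func:file.c:line]"
# The trailing "[Func:file.c:line]" part is optional.
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+) - (?P<thread>[^\]]+)\] "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):? "
    r"(?P<level>\w+): (?P<body>.*?)(?: \[[^\]]+\])?$"
)
DOWN_MARK = "failed to poll interface"
UP_MARK = "interface is back up"
STOP_MARK = "Signal Received. Stopping engine."

# Constructed sample (not the attached suricata.log): two workers see the link
# drop, only W#01 logs a recovery, then the engine is stopped administratively.
SAMPLE_LOG = """\
[68628 - W#01-eno1] 2024-10-02 08:03:45 Warning: af-packet: eno1: failed to poll interface: Network is down [ReceiveAFPLoop:source-af-packet.c:1421]
[68629 - W#02-eno1] 2024-10-02 08:03:45 Warning: af-packet: eno1: failed to poll interface: Network is down [ReceiveAFPLoop:source-af-packet.c:1421]
[68628 - W#01-eno1] 2024-10-02 08:03:48 Info: af-packet: eno1: interface is back up [AFPTryReopen:source-af-packet.c:1302]
[68628 - W#01-eno1] 2024-10-02 08:03:48 Perf: af-packet: eno1: rx ring: block_size=32768 block_nr=6 frame_size=1600 frame_nr=120 [AFPComputeRingParams:source-af-packet.c:1601]
[68539 - Suricata-Main] 2024-10-02 08:11:10 Notice: suricata: Signal Received. Stopping engine.
"""


def parse_events(log_text):
    """Return a list of (timestamp, thread, iface, kind), kind in {'down', 'up', 'stop'}."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        body = m.group("body")
        if body.startswith("af-packet: "):
            # e.g. "af-packet: eno1: failed to poll interface: Network is down"
            parts = body.split(": ", 2)
            if len(parts) < 3:
                continue
            _, iface, msg = parts
            if DOWN_MARK in msg:
                events.append((ts, m.group("thread"), iface, "down"))
            elif UP_MARK in msg:
                events.append((ts, m.group("thread"), iface, "up"))
        elif STOP_MARK in body:
            events.append((ts, m.group("thread"), None, "stop"))
    return events


def thread_states(events):
    """Last link event seen per worker thread: {thread: (kind, timestamp, iface)}."""
    state = {}
    for ts, thread, iface, kind in events:
        if kind in ("down", "up"):
            state[thread] = (kind, ts, iface)
    return state


def threads_still_down(events):
    """Workers whose last event was a failed poll with no 'back up' notice afterwards."""
    return sorted(t for t, (kind, _ts, _if) in thread_states(events).items() if kind == "down")


def outage_durations(events):
    """Seconds between a worker's first failed poll and its next 'back up' notice."""
    pending = {}
    durations = defaultdict(list)
    for ts, thread, _iface, kind in events:
        if kind == "down":
            pending.setdefault(thread, ts)  # keep the first 'down' of a run
        elif kind == "up" and thread in pending:
            durations[thread].append((ts - pending.pop(thread)).total_seconds())
    return dict(durations)


def engine_stop_time(events):
    """Timestamp of the administrative stop, or None if none was logged."""
    for ts, _thread, _iface, kind in events:
        if kind == "stop":
            return ts
    return None


def report(log_text):
    """One-shot summary suitable for pasting into a help request."""
    events = parse_events(log_text)
    return {
        "still_down": threads_still_down(events),
        "outage_seconds": outage_durations(events),
        "stopped_at": engine_stop_time(events),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(report(SAMPLE_LOG))
```

Run it against a real file with `report(open("/var/log/suricata/suricata.log").read())`; an empty `still_down` list alongside a non-empty `outage_seconds` means every worker recovered from the flap, which is the healthy pattern described above, while a non-empty `still_down` list points at the specific worker(s) to investigate.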
I have just processed the successful update to 7.0.7 and it seems to be running without interruption thus far. I will repost after this weekend.
Thank you,