error message
i: suricata: This is Suricata version 7.0.9 RELEASE running in SYSTEM mode
W: af-packet: ens33: AF_PACKET tpacket-v3 is recommended for non-inline operation
W: suricata: setrlimit has no effet when running as root.
E: af-packet: ens33: failed to compile BPF “not (host 10.10.9.97 or host 10.10.9.102)”: snaplen of 0 rejects all packets
E: af-packet: ens33: failed to init socket for interface
E: threads: thread “W#01-ens33” failed to start: flags 0423
[38812 - Suricata-Main] 2025-03-31 11:12:43 Notice: suricata: This is Suricata version 7.0.9 RELEASE running in SYSTEM mode
[38812 - Suricata-Main] 2025-03-31 11:12:43 Info: cpu: CPUs/cores online: 2
[38812 - Suricata-Main] 2025-03-31 11:12:43 Info: suricata: Setting engine mode to IDS mode by default
[38812 - Suricata-Main] 2025-03-31 11:12:43 Info: exception-policy: master exception-policy set to: auto
[38812 - Suricata-Main] 2025-03-31 11:12:43 Info: conf: Running in live mode, activating unix socket
[38812 - Suricata-Main] 2025-03-31 11:12:43 Info: logopenfile: eve-log output device (regular) initialized: eve-%Y%m%d.json
[38812 - Suricata-Main] 2025-03-31 11:12:43 Info: conf: Running in live mode, activating unix socket
[38812 - Suricata-Main] 2025-03-31 11:12:44 Info: detect-fast-pattern: fast_pattern is ineffective with base64_data
[38812 - Suricata-Main] 2025-03-31 11:12:45 Info: detect-fast-pattern: fast_pattern is ineffective with base64_data
[38812 - Suricata-Main] 2025-03-31 11:12:47 Info: detect: 1 rule files processed. 42577 rules successfully loaded, 0 rules failed, 0
[38812 - Suricata-Main] 2025-03-31 11:12:47 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[38812 - Suricata-Main] 2025-03-31 11:12:47 Info: detect: 42580 signatures processed. 1285 are IP-only rules, 4334 are inspecting packet payload, 36744 inspect application layer, 109 are decoder event only
[38812 - Suricata-Main] 2025-03-31 11:12:51 Warning: af-packet: ens33: AF_PACKET tpacket-v3 is recommended for non-inline operation
[38812 - Suricata-Main] 2025-03-31 11:12:51 Info: runmodes: ens33: creating 2 threads
[38812 - Suricata-Main] 2025-03-31 11:12:51 Info: unix-manager: unix socket ‘/var/run/suricata/suricata-command.socket’
[38812 - Suricata-Main] 2025-03-31 11:12:51 Warning: suricata: setrlimit has no effet when running as root.
[38863 - W#01-ens33] 2025-03-31 11:12:51 Info: af-packet: ens33: using BPF ‘not (host 10.10.9.97 or host 10.10.9.102)’
[38863 - W#01-ens33] 2025-03-31 11:12:51 Error: af-packet: ens33: failed to compile BPF “not (host 10.10.9.97 or host 10.10.9.102)”: snaplen of 0 rejects all packets
[38863 - W#01-ens33] 2025-03-31 11:12:51 Error: af-packet: ens33: failed to init socket for interface
[38812 - Suricata-Main] 2025-03-31 11:12:51 Error: threads: thread “W#01-ens33” failed to start: flags 0423
Hi!
This is a known issue and led to a quick follow-up release of Suricata 7.0.10. Please check the announcement here: Suricata 7.0.10 released
Please upgrade to 7.0.10 and let us know how it goes.
After the version is upgraded to 7.0.10, it can start normally, but the BPF filter does not take effect, and the log of host 10.10.9.97 or host 10.10.9.102 is still in eve.json.
Sorry, it is my configuration problem. Now it has been properly configured and can be used normally.
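One way to confirm that a BPF exclusion like the one in this thread is in effect is to scan the EVE output for events that still involve the excluded hosts. This is an added example, not part of the original thread or of Suricata's own tooling; the function name `find_filter_leaks` is hypothetical and the sample EVE lines are constructed.

```python
import ipaddress
import json
from collections import Counter

# Hosts excluded by the BPF filter quoted in the thread.
EXCLUDED = {ipaddress.ip_address("10.10.9.97"), ipaddress.ip_address("10.10.9.102")}

# Constructed EVE lines: two leaks, a stats record without addresses,
# a clean alert, and a truncated line as seen while Suricata is still writing.
SAMPLE = """\
{"timestamp":"2025-03-31T11:20:01.000000+0000","event_type":"flow","src_ip":"10.10.9.97","dest_ip":"10.10.9.5"}
{"timestamp":"2025-03-31T11:20:02.000000+0000","event_type":"dns","src_ip":"10.10.9.20","dest_ip":"10.10.9.102"}
{"timestamp":"2025-03-31T11:20:03.000000+0000","event_type":"stats","stats":{"uptime":60}}
{"timestamp":"2025-03-31T11:20:04.000000+0000","event_type":"alert","src_ip":"10.10.9.20","dest_ip":"10.10.9.5"}
{"timestamp":"2025-03-31T11:20:05.0
"""

def find_filter_leaks(lines, excluded=EXCLUDED):
    """Count EVE events whose src_ip or dest_ip is an excluded host.

    Returns (leaks, skipped): leaks is a Counter keyed by (host, event_type),
    skipped is the number of non-empty lines that were not JSON objects.
    """
    leaks, skipped = Counter(), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # partial or corrupt line
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        hits = set()  # count each excluded host once per event
        for field in ("src_ip", "dest_ip"):
            value = event.get(field)
            if isinstance(value, str):
                try:
                    addr = ipaddress.ip_address(value)
                except ValueError:
                    continue
                if addr in excluded:
                    hits.add(str(addr))
        for host in hits:
            leaks[(host, event.get("event_type", "unknown"))] += 1
    return leaks, skipped

if __name__ == "__main__":
    print(find_filter_leaks(SAMPLE.splitlines()))
```

Run it only against events written after the restart, since older lines in the same file predate the filter.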