Please include the following information with your help request:
- Suricata version: 7.0.10 and 8.0.0
- Operating system and/or Linux distribution: Ubuntu 22
- How you installed Suricata (from source, packages, something else): ppa:oisf/suricata-stable and ppa:oisf/suricata-beta
Hi! Recently I upgraded to the beta Suricata 8.0.0 version since I am interested in the output buffering feature introduced in the beta, but I'm encountering some basic issues with getting alerts from the ET Pro ruleset to be triggered while in IDS mode. Through some trial and error, it seems like my 8.0.0 deployment will trigger alerts from the default Suricata rules (i.e. /usr/share/suricata/rules/*), but not from any other rulesets, even though everything indicates they are loaded.
To test this I went back to the basics: I set up two identical VMs running Ubuntu 22. On VM 1, I ran:
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt install suricata=1:7.0.10-0ubuntu1
On VM 2, I ran:
sudo add-apt-repository ppa:oisf/suricata-beta
sudo apt install suricata=1:8.0.0~beta1-0ubuntu29
Then for each one, the only thing I touched in /etc/suricata/suricata.yaml was the interface for af-packet, to match my interface (which has the same name on both VMs, enp6s18):
# Linux high speed capture support
af-packet:
- interface: enp6s18
I left everything else as is. (I can provide my suricata.yaml files for both VMs.)
Then on both VMs, I used suricata-update to add the et/pro ruleset:
sudo suricata-update update-sources
sudo suricata-update enable-source et/pro secret-code=<code>
and finally ran suricata-update, which produced the following successful output on both VMs:
VM 1 (running Suricata 7.0.10)
$ suricata-update
20/5/2025 -- 20:59:53 - <Info> -- Using data-directory /var/lib/suricata.
20/5/2025 -- 20:59:53 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
20/5/2025 -- 20:59:53 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
20/5/2025 -- 20:59:53 - <Info> -- Found Suricata version 7.0.10 at /usr/bin/suricata.
20/5/2025 -- 20:59:53 - <Info> -- Loading /etc/suricata/suricata.yaml
20/5/2025 -- 20:59:53 - <Info> -- Disabling rules for protocol pgsql
20/5/2025 -- 20:59:53 - <Info> -- Disabling rules for protocol modbus
20/5/2025 -- 20:59:53 - <Info> -- Disabling rules for protocol dnp3
20/5/2025 -- 20:59:53 - <Info> -- Disabling rules for protocol enip
20/5/2025 -- 20:59:53 - <Info> -- Fetching https://rules.emergingthreatspro.com/<secret-code>/suricata-7.0.10/etpro.rules.tar.gz.
100% - 10946876/10946876
20/5/2025 -- 20:59:55 - <Info> -- Done.
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http2-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/mqtt-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/quic-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/rfb-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ssh-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
20/5/2025 -- 20:59:55 - <Info> -- Ignoring file f994c46ff0cd7e588d6f6ed7616a2a09/rules/deleted.rules
20/5/2025 -- 20:59:59 - <Info> -- Loaded 106927 rules.
20/5/2025 -- 21:00:00 - <Info> -- Disabled 13 rules.
20/5/2025 -- 21:00:00 - <Info> -- Enabled 0 rules.
20/5/2025 -- 21:00:00 - <Info> -- Modified 0 rules.
20/5/2025 -- 21:00:00 - <Info> -- Dropped 0 rules.
20/5/2025 -- 21:00:00 - <Info> -- Enabled 193 rules for flowbit dependencies.
20/5/2025 -- 21:00:00 - <Info> -- Backing up current rules.
20/5/2025 -- 21:00:03 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 106927; enabled: 80436; added: 47757; removed 0; modified: 14
20/5/2025 -- 21:00:03 - <Info> -- Writing /var/lib/suricata/rules/classification.config
20/5/2025 -- 21:00:03 - <Info> -- Testing with suricata -T.
20/5/2025 -- 21:00:53 - <Info> -- Done.
VM 2 (running Suricata 8.0.0)
$ suricata-update
20/5/2025 -- 22:30:57 - <Info> -- Using data-directory /var/lib/suricata.
20/5/2025 -- 22:30:57 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
20/5/2025 -- 22:30:57 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
20/5/2025 -- 22:30:57 - <Info> -- Found Suricata version 8.0.0-beta1 at /usr/bin/suricata.
20/5/2025 -- 22:30:57 - <Info> -- Loading /etc/suricata/suricata.yaml
20/5/2025 -- 22:30:57 - <Info> -- Disabling rules for protocol pgsql
20/5/2025 -- 22:30:57 - <Info> -- Disabling rules for protocol modbus
20/5/2025 -- 22:30:57 - <Info> -- Disabling rules for protocol dnp3
20/5/2025 -- 22:30:57 - <Info> -- Disabling rules for protocol enip
20/5/2025 -- 22:30:57 - <Info> -- Fetching https://rules.emergingthreatspro.com/<secret-code>/suricata-8.0.0/etpro.rules.tar.gz.
100% - 10946876/10946876
20/5/2025 -- 22:31:02 - <Info> -- Done.
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http2-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/mqtt-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/quic-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/rfb-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ssh-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
20/5/2025 -- 22:31:02 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
20/5/2025 -- 22:31:03 - <Info> -- Ignoring file d23584343e24cba2b0f7929ce2d08557/rules/deleted.rules
20/5/2025 -- 22:31:06 - <Info> -- Loaded 106934 rules.
20/5/2025 -- 22:31:07 - <Info> -- Disabled 13 rules.
20/5/2025 -- 22:31:07 - <Info> -- Enabled 0 rules.
20/5/2025 -- 22:31:07 - <Info> -- Modified 0 rules.
20/5/2025 -- 22:31:07 - <Info> -- Dropped 0 rules.
20/5/2025 -- 22:31:07 - <Info> -- Enabled 193 rules for flowbit dependencies.
20/5/2025 -- 22:31:07 - <Info> -- Backing up current rules.
20/5/2025 -- 22:31:10 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 106934; enabled: 80443; added: 47757; removed 0; modified: 14
20/5/2025 -- 22:31:10 - <Info> -- Writing /var/lib/suricata/rules/classification.config
20/5/2025 -- 22:31:10 - <Info> -- Testing with suricata -T.
20/5/2025 -- 22:31:28 - <Info> -- Done.
Then I started up Suricata on both VMs:
sudo systemctl enable suricata.service
sudo service suricata start
sudo service suricata status
and verified they both started up without errors (I can provide my suricata.log and suricata-start.log files for both VMs). In particular, I checked the rules were all loaded in correctly:
VM 1 (Suricata 7.0.10)
[219360 - Suricata-Main] 2025-05-20 21:34:02 Config: detect: Loading rule file: /var/lib/suricata/rules/suricata.rules
[219360 - Suricata-Main] 2025-05-20 21:34:17 Info: detect: 1 rule files processed. 80436 rules successfully loaded, 0 rules failed, 0
[219360 - Suricata-Main] 2025-05-20 21:34:17 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[219360 - Suricata-Main] 2025-05-20 21:34:17 Info: detect: 80439 signatures processed. 1222 are IP-only rules, 11465 are inspecting packet payload, 67527 inspect application layer, 109 are decoder event only
VM 2 (Suricata 8.0.0)
[5089 - Suricata-Main] 2025-05-20 21:33:34 Config: detect: Loading rule file: /var/lib/suricata/rules/suricata.rules
[5089 - Suricata-Main] 2025-05-20 21:33:50 Info: detect: 1 rule files processed. 80443 rules successfully loaded, 0 rules failed, 0 rules skipped
[5089 - Suricata-Main] 2025-05-20 21:33:50 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[5089 - Suricata-Main] 2025-05-20 21:33:50 Info: detect: 80446 signatures processed. 1222 are IP-only rules, 11465 are inspecting packet payload, 67533 inspect application layer, 110 are decoder event only
Then, following the quickstart guide, I tested each VM's Suricata deployment by running curl http://testmynids.org/uid/index.html and opening fast.log.
In VM 1 (running 7.0.10) fast.log, I see the expected alert:
05/20/2025-21:45:20.552304 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.155.192.31:80 -> <IP>:53192
But in VM 2 (running 8.0.0), the alert doesn't show up at all.
I double checked that the signature is present in the rules file for both VMs:
VM 1 (Suricata 7.0.10)
$ cat /var/lib/suricata/rules/suricata.rules | grep "GPL ATTACK_RESPONSE id check returned root"
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
VM 2 (Suricata 8.0.0)
$ cat /var/lib/suricata/rules/suricata.rules | grep "GPL ATTACK_RESPONSE id check returned root"
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
I also double checked the output of suricatasc -c ruleset-stats:
VM 1 (Suricata 7.0.10)
$ suricatasc -c ruleset-stats
{"message": [{"id": 0, "rules_loaded": 80436, "rules_failed": 0, "rules_skipped": 0}], "return": "OK"}
VM 2 (Suricata 8.0.0)
$ suricatasc -c ruleset-stats
{"message":[{"id":0,"rules_loaded":80443,"rules_failed":0,"rules_skipped":0}],"return":"OK"}
I tried triggering a couple more types of signatures from the et/pro ruleset using a tREX server and observed the same behavior: it always produced an alert in VM 1 running 7.0.10, but never produced an alert in VM 2 running 8.0.0. Also, the packet counts in /var/log/suricata/stats.log increased similarly in both VMs, so I'm certain they were both successfully receiving the traffic in the same way (I confirmed this as well with tcpdump).
However, I was able to get VM 2 with Suricata 8.0.0 to trigger an alert when I sent a packet matching a signature from Suricata's default rules, specifically this signature from /usr/share/suricata/rules/decoder-events.rules:
alert pkthdr any any -> any any (msg:"SURICATA NULL pkt too small"; decode-event:ltnull.pkt_too_small; classtype:protocol-command-decode; sid:2200103; rev:2;)
From another machine, I ran hping3 -d 0 -c 1 -0 <VM IP> twice, once for each VM, and both showed the corresponding alert in their fast.log:
VM 1 (Suricata 7.0.10) fast.log:
05/20/2025-22:04:24.719954 [**] [1:2200033:2] SURICATA TCP packet too small [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} <IP>:0 -> <VM IP>:0
VM 2 (Suricata 8.0.0) fast.log:
05/20/2025-22:04:24.719954 [**] [1:2200033:2] SURICATA TCP packet too small [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} <IP>:0 -> <VM IP>:0
So, this pretty much points to it being an issue with trying to trigger signatures from non-default rulesets when using Suricata 8.0.0 (I ultimately tried using both et/pro and tgreen/hunting and got the same result). The behavior seems to indicate that at some point I incorrectly configured and loaded these rulesets, but the logs and suricatasc output show everything as expected. I did also try running suricatasc -c ruleset-reload-rules and suricatasc -c reload-rules for good measure, but didn't see any difference in the behavior.
I feel like this must be some silly mistake I've made or something I've overlooked, but after spending a few days debugging I'm totally stumped. I did take a look at the 8.0.0 changes described on the 'Upgrading' page in the docs, but didn't catch anything that seemed related (I am pretty new to Suricata, so I definitely might've missed something). I checked whether there was anything related to suricata-update as well, but I confirmed in both VMs I am using the latest version of it (1.3.4).
Thank you in advance to anyone willing to read through this and make any suggestions! I have spent the last few months learning about Suricata and tuning it for my use case, and have really enjoyed the learning process. I'm excited to continue the process and hopefully take advantage of the new features in v8!
(I will also try to upload the files I mentioned above as a comment; it seems I'm still too new a user to do it in this initial post.)
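The post's manual checks (grep the rules file for a SID, read fast.log, compare ruleset-stats) can be scripted so the same comparison is repeatable on both VMs. The script below is an added example, not part of the original post and not Suricata's own tooling: it parses the rules file suricata-update writes and a fast.log, and reports for each SID whether the signature is present, whether it is enabled (suricata-update writes disabled rules commented out with a leading '#'), and how many alerts with that SID fast.log contains. The SIDs and rule text come from the post; the sample rules file and fast.log lines embedded below are constructed for the example, and the extra disabled rule with sid 9000001 is hypothetical.

```python
"""Cross-check a Suricata rules file against fast.log for a list of SIDs.

Added example (not from the forum post or the Suricata project). In real use
point it at /var/lib/suricata/rules/suricata.rules and
/var/log/suricata/fast.log on each host and compare the two reports.
"""
import re
import sys

# Constructed sample inputs. The first and third rules are the ones quoted in
# the post; the second (sid 9000001) is a hypothetical disabled rule.
SAMPLE_RULES = """\
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled rule"; content:"foo"; sid:9000001; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA NULL pkt too small"; decode-event:ltnull.pkt_too_small; classtype:protocol-command-decode; sid:2200103; rev:2;)
"""

# Constructed fast.log lines in the format shown in the post (addresses are placeholders).
SAMPLE_FAST_LOG = """\
05/20/2025-21:45:20.552304  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.155.192.31:80 -> 10.0.0.5:53192
05/20/2025-22:04:24.719954  [**] [1:2200033:2] SURICATA TCP packet too small [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.9:0 -> 10.0.0.5:0
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')
# fast.log alert header: [**] [gid:sid:rev] message [**]
FAST_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")


def parse_rules(text):
    """Return {sid: {"enabled": bool, "msg": str}} from rules-file text.

    A line starting with '#' that still carries a sid is a rule that is
    present but disabled; comment lines without a sid are ignored.
    """
    rules = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        body = stripped.lstrip("# ")
        sid_match = SID_RE.search(body)
        if not sid_match:
            continue
        msg_match = MSG_RE.search(body)
        rules[int(sid_match.group(1))] = {
            "enabled": enabled,
            "msg": msg_match.group(1) if msg_match else "",
        }
    return rules


def parse_fast_log(text):
    """Return {sid: alert_count} from fast.log text."""
    counts = {}
    for line in text.splitlines():
        match = FAST_RE.search(line)
        if match:
            sid = int(match.group(2))
            counts[sid] = counts.get(sid, 0) + 1
    return counts


def check_sids(rules_text, fast_text, sids):
    """Per SID: is it in the rules file, is it enabled, and how often did it fire."""
    rules = parse_rules(rules_text)
    counts = parse_fast_log(fast_text)
    report = {}
    for sid in sids:
        rule = rules.get(sid)
        report[sid] = {
            "in_rules_file": rule is not None,
            "enabled": bool(rule and rule["enabled"]),
            "alerts": counts.get(sid, 0),
        }
    return report


def silent_sids(report):
    """SIDs that are loaded and enabled yet never produced an alert: the
    exact symptom the post describes for the non-default rulesets."""
    return sorted(sid for sid, r in report.items() if r["enabled"] and r["alerts"] == 0)


if __name__ == "__main__":
    # Usage: cross_check.py [suricata.rules fast.log] sid [sid ...]
    # With no file arguments the constructed samples are used.
    if len(sys.argv) >= 4:
        with open(sys.argv[1]) as f:
            rules_text = f.read()
        with open(sys.argv[2]) as f:
            fast_text = f.read()
        sids = [int(s) for s in sys.argv[3:]]
    else:
        rules_text, fast_text = SAMPLE_RULES, SAMPLE_FAST_LOG
        sids = [2100498, 9000001, 2200103, 2200033]
    result = check_sids(rules_text, fast_text, sids)
    for sid, info in result.items():
        print(f"sid {sid}: present={info['in_rules_file']} enabled={info['enabled']} alerts={info['alerts']}")
    print("enabled but silent:", silent_sids(result))
```

Running the same script on both hosts after replaying identical traffic gives a like-for-like table; a SID that is present and enabled on both but silent on only one narrows the problem to the detection path on that host rather than to rule loading.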