I want to learn and manipulate it.
I found that file under “/usr/local/src/suricata-5.0.3/etc/suricata.service” directory and then copied it:
# cp /usr/local/src/suricata-5.0.3/etc/suricata.service /etc/systemd/system/
The content of the file is:
# Sample Suricata systemd unit file.
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target
[Service]
# Environment file to pick up $OPTIONS. On Fedora/EL this would be
# /etc/sysconfig/suricata, or on Debian/Ubuntu, /etc/default/suricata.
#EnvironmentFile=-/etc/sysconfig/suricata
#EnvironmentFile=-/etc/default/suricata
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID
[Install]
WantedBy=multi-user.target
After that, I created a shortcut to suricata:
# ln -s /usr/bin/suricata /sbin/suricata
But I can’t run the service:
[root@localhost ~]# systemctl start suricata
[root@localhost ~]# systemctl status suricata
● suricata.service - Suricata Intrusion Detection Service
Loaded: loaded (/etc/systemd/system/suricata.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2020-09-09 15:45:49 EDT; 4s ago
Process: 11473 ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS (code=exited, status=1/FAI>
Process: 11472 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
Main PID: 11473 (code=exited, status=1/FAILURE)
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --simulate-ips : force engine into IPS mode. Useful for>
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --user <user> : run suricata as this user after init
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --group <group> : run suricata as this group after init
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --erf-in <path> : process an ERF file
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --unix-socket[=<file>] : use unix socket to control suricata wo>
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --set name=value : set a configuration value
Sep 09 15:45:49 localhost.localdomain suricata[11473]: To run the engine with default configuration on interface eth0 with signature file "s>
Sep 09 15:45:49 localhost.localdomain suricata[11473]: /sbin/suricata -c suricata.yaml -s signatures.rules -i eth0
Sep 09 15:45:49 localhost.localdomain systemd[1]: suricata.service: Main process exited, code=exited, status=1/FAILURE
Sep 09 15:45:49 localhost.localdomain systemd[1]: suricata.service: Failed with result 'exit-code'.
The “journalctl -xe” command shows me:
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --list-runmodes
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --engine-analysis : print reports on analysis of different>
Sep 09 15:45:49 localhost.localdomain suricata[11473]: Please have a look at the conf paramet>
Sep 09 15:45:49 localhost.localdomain suricata[11473]: can be printed
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --pidfile <file> : write pid to this file
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --init-errors-fatal : enable fatal failure on signature init>
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --disable-detection : disable detection engine
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --dump-config : show the running configuration
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --build-info : display build information
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --pcap[=<dev>] : run in pcap mode, no value select inte>
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --pcap-file-continuous : when running in pcap mode with a direc>
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --pcap-file-delete : when running in replay mode (-r with d>
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --pcap-buffer-size : size of the pcap buffer value from 0 ->
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --af-packet[=<dev>] : run in af-packet mode, no value select>
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --simulate-ips : force engine into IPS mode. Useful for>
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --user <user> : run suricata as this user after init
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --group <group> : run suricata as this group after init
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --erf-in <path> : process an ERF file
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --unix-socket[=<file>] : use unix socket to control suricata wo>
Sep 09 15:45:49 localhost.localdomain suricata[11473]: --set name=value : set a configuration value
Sep 09 15:45:49 localhost.localdomain suricata[11473]: To run the engine with default configuration on interface eth0 with signature file "s>
Sep 09 15:45:49 localhost.localdomain suricata[11473]: /sbin/suricata -c suricata.yaml -s signatures.rules -i eth0
Sep 09 15:45:49 localhost.localdomain systemd[1]: suricata.service: Main process exited, code=exited, status=1/FAILURE
Sep 09 15:45:49 localhost.localdomain systemd[1]: suricata.service: Failed with result 'exit-code'.
What is my problem?
Suricata-IDS can run manually:
# suricata -q0
9/9/2020 -- 15:54:31 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
9/9/2020 -- 15:54:31 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
Thank you.
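The journal output above is Suricata's own usage text followed by exit status 1, which is what Suricata prints when it is started without any capture mode (-i, --af-packet, -q, -r and so on). In the copied unit both EnvironmentFile= lines are commented out, so $OPTIONS expands to nothing and ExecStart passes no capture mode at all, while the manual run succeeds because -q0 selects NFQUEUE. The checker below is an added example, not part of this post, of Suricata or of systemd: it is a hypothetical POSIX shell script that expands a unit's ExecStart the way systemd would (active EnvironmentFile= lines only, leading '-' meaning "ignore if missing") and reports whether the resulting command line selects a capture mode. The list of capture flags it recognises is an assumption and is not exhaustive.

```shell
#!/bin/sh
# Hypothetical checker for a Suricata systemd unit (example code, not part of
# Suricata or systemd). It answers one question: after systemd expands
# ExecStart, will Suricata be told how to capture traffic? Suricata exits with
# status 1 and prints its usage text (the wall of "--option : ..." lines seen
# in journalctl) when no capture mode such as -i, --af-packet, -q or -r is given.

# Print the last ExecStart= command line of a unit file with $OPTIONS replaced
# by the OPTIONS value from the active (uncommented) EnvironmentFile= lines.
# Paths containing whitespace are not supported (word splitting on the list).
expand_exec_start() {
    unit="$1"
    exec_line=$(sed -n 's/^ExecStart=//p' "$unit" | tail -n 1)
    opts=""
    for envfile in $(sed -n 's/^EnvironmentFile=//p' "$unit"); do
        envfile=${envfile#-}              # '-' prefix: missing file is not an error
        [ -r "$envfile" ] || continue
        val=$(sed -n 's/^OPTIONS=//p' "$envfile" | tail -n 1)
        val=${val#\"}; val=${val%\"}       # strip surrounding double quotes
        [ -n "$val" ] && opts="$val"
    done
    case $exec_line in
        *'$OPTIONS'*)
            before=${exec_line%%\$OPTIONS*}
            after=${exec_line#*\$OPTIONS}
            exec_line="$before$opts$after"
            ;;
    esac
    printf '%s\n' "$exec_line"
}

# Return 0 if the command line contains a capture/run-mode flag, 1 otherwise.
# Assumed, non-exhaustive list of Suricata capture flags.
has_capture_mode() {
    for tok in $1; do
        case $tok in
            -i|-i*|-q|-q*|-r|--af-packet|--af-packet=*|--pcap|--pcap=*|\
            --netmap|--netmap=*|--pfring|--pfring=*|--nflog|--nflog=*|\
            --erf-in|--unix-socket|--unix-socket=*)
                return 0 ;;
        esac
    done
    return 1
}

# Combined check: 0 when the unit would start Suricata with a capture mode,
# 1 when it would fail the way the journal in the post shows.
check_unit() {
    cmd=$(expand_exec_start "$1")
    if has_capture_mode "$cmd"; then
        echo "OK: $cmd"
        return 0
    fi
    echo "FAIL: no capture mode after expansion: $cmd" >&2
    echo "      enable an EnvironmentFile= line and set OPTIONS there," >&2
    echo "      or put the capture flag directly on ExecStart" >&2
    return 1
}

# Usage: sh check-suricata-unit.sh /etc/systemd/system/suricata.service
if [ $# -gt 0 ]; then
    check_unit "$1"
fi
```

Run against the unit as copied in the post it reports FAIL because the expanded ExecStart ends in an empty $OPTIONS; after uncommenting an EnvironmentFile= line whose file sets OPTIONS to a capture flag (or adding the flag to ExecStart) it reports OK. Remember to run `systemctl daemon-reload` after editing the unit so systemd picks up the change.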