Suricata doesn't start


nOBEL jUNG
Sep 11, 2019, 11:13:58 PM
to Wazuh mailing list
Hello,

According to the Wazuh 3.8 manual, I installed Suricata without any issues.
But it doesn't start, as shown by the status check below.
I did some googling about the Suricata configuration in the Wazuh manual.

cd /root
yum -y install epel-release wget jq
curl -O https://copr.fedorainfracloud.org/coprs/jasonish/suricata-stable/repo/epel-7/jasonish-suricata-stable-epel-7.repo
yum -y install suricata
wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
tar zxvf emerging.rules.tar.gz
rm /etc/suricata/rules/* -f
mv rules/*.rules /etc/suricata/rules/
rm -f /etc/suricata/suricata.yaml
wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml
systemctl daemon-reload
systemctl enable suricata
systemctl start suricata

# systemctl status suricata
..........................
Sep 12 02:44:19 localhost.localdomain suricata[17131]: [17131] <Notice> -- all 1 packet processing threads, 4...ted.
Sep 12 02:44:19 localhost.localdomain suricata[17131]: [17146] <Error> -- [ERRCODE: SC_ERR_AFP_CREATE(190)] -...vice
Sep 12 02:44:19 localhost.localdomain suricata[17131]: 12/9/2019 -- 02:44:19 - <Error> - [ERRCODE: SC_ERR_AFP...vice
Sep 12 02:44:19 localhost.localdomain suricata[17131]: [17146] <Error> -- [ERRCODE: SC_ERR_AFP_CREATE(190)] -...rror
Sep 12 02:44:19 localhost.localdomain suricata[17131]: 12/9/2019 -- 02:44:19 - <Error> - [ERRCODE: SC_ERR_AFP...rror
Sep 12 02:44:19 localhost.localdomain suricata[17131]: 12/9/2019 -- 02:44:19 - <Error> - [ERRCODE: SC_ERR_FAT...iled
Sep 12 02:44:19 localhost.localdomain suricata[17131]: [17131] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - thre...iled
Sep 12 02:44:19 localhost.localdomain systemd[1]: suricata.service: main process exited, code=exited, status=...LURE
Sep 12 02:44:19 localhost.localdomain systemd[1]: Unit suricata.service entered failed state.
...............
Many thanks,

Nobel

Sergio Peral
Sep 12, 2019, 9:09:16 AM
to nOBEL jUNG, Wazuh mailing list
Hi Nobel,

Seems like those error logs are truncated. Could you share the whole logs with us? In addition, what's the OS you're running?

Regards,
Sergio.


Jose Antonio Izquierdo
Sep 12, 2019, 9:23:15 AM
to Wazuh mailing list
Hi Nobel, 

Did you check the interface that you are using? Usually these errors are related to a bad interface name when you try to start Suricata.

Also, please remember to review our OwlH project, which will help you to manage Suricata and Zeek from a web user interface: www.owlh.net
Among other things, it will allow you to define the network interface that you will use, and will simplify your ruleset management and other configuration tasks.

Thanks,
Jose Antonio Izquierdo 

Jose Antonio Izquierdo
Sep 14, 2019, 1:55:46 AM
to Wazuh mailing list
Hi NOBEL, 

As per your email before, please try this.

Check this:
# cat /var/log/suricata/eve.json

If you can see some lines, try this:
# grep myids /var/log/suricata/eve.json

Personally I don't like the fast.log file.

If you don't have any lines, verify that the rules are in place in /etc/suricata/rules.
You can see how many rules are loaded by starting Suricata from the command line.

# SC_LOG_LEVEL=Debug  suricata -c /etc/suricata/suricata.yaml -i eth0 | grep "signatures processed"
14/9/2019 -- 05:46:38 - <Info> - 18973 signatures processed. 1176 are IP-only rules, 6207 are inspecting packet payload, 13790 inspect application layer, 0 are decoder event only

Run the first command and you should see a line like the second one.

Thanks, 
Best Regards,
--

jose antonio izquierdo


On Sat, Sep 14, 2019 at 2:50 AM NOBEL <datate...@gmail.com> wrote:
Hi Jose,

I agree with that, so I configured the network interface correctly.
It works, but there is no event at all after triggering as in the manual.
I work under CentOS 7.6 and Wazuh 3.6.1.

nOBEL jUNG
Sep 14, 2019, 8:47:54 AM
to Wazuh mailing list
Hello again,

I did as you advised.
..................
[root@localhost rules]# cat /var/log/suricata/eve.json
[root@localhost rules]# ls
botcc.portgrouped.rules         emerging-misc.rules
botcc.rules                     emerging-mobile_malware.rules
ciarmy.rules                    emerging-netbios.rules
compromised.rules               emerging-p2p.rules
drop.rules                      emerging-policy.rules
dshield.rules                   emerging-pop3.rules
emerging-activex.rules          emerging-rpc.rules
emerging-attack_response.rules  emerging-scada.rules
emerging-chat.rules             emerging-scan.rules
emerging-current_events.rules   emerging-shellcode.rules
emerging-deleted.rules          emerging-smtp.rules
emerging-dns.rules              emerging-snmp.rules
emerging-dos.rules              emerging-sql.rules
emerging-exploit.rules          emerging-telnet.rules
emerging-exploit.rules.bak      emerging-tftp.rules
emerging-ftp.rules              emerging-trojan.rules
emerging-games.rules            emerging-user_agents.rules
emerging-icmp_info.rules        emerging-voip.rules
emerging-icmp.rules             emerging-web_client.rules
emerging-imap.rules             emerging-web_server.rules
emerging-inappropriate.rules    emerging-web_specific_apps.rules
emerging-info.rules             emerging-worm.rules
emerging-malware.rules          tor.rules
[root@localhost rules]# SC_LOG_LEVEL=Debug  suricata -c /etc/suricata/suricata.yaml -i enp3s0 | grep "signatures processed"
14/9/2019 -- 21:43:29 - <Info> - 14363 signatures processed. 1260 are IP-only rules, 4189 are inspecting packet payload, 10460 inspect application layer, 0 are decoder event only
^Z
[5]+  Stopped                 SC_LOG_LEVEL=Debug suricata -c /etc/suricata/suricata.yaml -i enp3s0 | grep --color=auto "signatures processed"
[root@localhost rules]#

Many thanks,

Nobel Jung

On Saturday, September 14, 2019 at 2:55:46 PM UTC+9, Jose Antonio Izquierdo wrote:

Jose Antonio Izquierdo
Sep 14, 2019, 11:54:08 AM
to Wazuh mailing list
Hi, thanks.

Looks good.

How many interfaces do you have in your host?

# ip a

Is enp3s0 the right interface?

It is really strange that no info is sent to the eve.json file.

Please check for any errors in your suricata.log file:

# grep Error /var/log/suricata/suricata.log

Also, please, try to find the latest modified logfile from Suricata, it may give you some clue about its status. 

# ls -lrt /var/log/suricata/

and be sure that Suricata is running.

# ps -ef | grep suricata
root      3482     1  0 05:44 ?        00:03:54 /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

Thanks

nOBEL jUNG
Sep 15, 2019, 10:04:59 AM
to Wazuh mailing list
Hello,

Many thanks for your concern.
There is no eth0 in my CentOS, but enp3s0.
So I changed all eth0 to enp3s0 in all files in /etc/suricata/.
Below is what you requested.
...............
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:e0:4c:38:90:46 brd ff:ff:ff:ff:ff:ff
    inet 172.30.1.11/24 brd 172.30.1.255 scope global noprefixroute dynamic enp3s0
       valid_lft 2587sec preferred_lft 2587sec
    inet6 fe80::afc:9c09:3be5:3fcb/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:60:97:9d brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:60:97:9d brd ff:ff:ff:ff:ff:ff
..............
[root@localhost suricata]# grep Error /var/log/suricata/suricata.log
cat: /var/log/suricata/suricata.log: No such file or directory
................
[root@localhost suricata]#  ls -lrt /var/log/suricata/
total 28
-rw-r--r-- 1 suricata suricata     0 Sep 14 09:24 unified2.alert.1568420698
-rw-r--r-- 1 suricata suricata     0 Sep 14 09:24 tls.log
-rw-r--r-- 1 suricata suricata     0 Sep 14 09:24 fast.log
-rw-r--r-- 1 suricata suricata     0 Sep 14 09:24 eve.json
drwxr-x--- 2 suricata suricata     6 Sep 14 09:25 certs
-rw-r--r-- 1 suricata suricata     0 Sep 14 09:32 unified2.alert.1568421172
-rw-r--r-- 1 suricata suricata     0 Sep 14 09:37 unified2.alert.1568421465
-rw-r--r-- 1 root     root         0 Sep 14 21:39 unified2.alert.1568464757
-rw-r--r-- 1 root     root         0 Sep 14 21:40 unified2.alert.1568464804
-rw-r--r-- 1 root     root         0 Sep 14 21:40 unified2.alert.1568464855
-rw-r--r-- 1 suricata suricata 22984 Sep 14 21:42 stats.log
-rw-r--r-- 1 root     root         0 Sep 14 21:43 unified2.alert.1568465005
-rw-r--r-- 1 suricata suricata  1016 Sep 14 21:43 http.log
-rw-r--r-- 1 suricata suricata     0 Sep 15 09:13 unified2.alert.1568506415
-rw-r--r-- 1 suricata suricata     0 Sep 15 22:35 unified2.alert.1568554551
[root@localhost suricata]# systemctl start suricata
[root@localhost suricata]# systemctl status suricata
● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2019-09-15 22:59:19 KST; 4s ago
     Docs: man:suricata(1)
  Process: 7176 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 7179 (Suricata-Main)
    Tasks: 1
   CGroup: /system.slice/suricata.service
           └─7179 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile ...

Sep 15 22:59:22 localhost.localdomain suricata[7179]: [7179] <Warning> -- ...
Sep 15 22:59:22 localhost.localdomain suricata[7179]: [7179] <Warning> -- ...
Sep 15 22:59:22 localhost.localdomain suricata[7179]: [7179] <Warning> -- ...
Sep 15 22:59:22 localhost.localdomain suricata[7179]: [7179] <Warning> -- ...
Sep 15 22:59:22 localhost.localdomain suricata[7179]: [7179] <Warning> -- ...
Sep 15 22:59:22 localhost.localdomain suricata[7179]: [7179] <Warning> -- ...
Sep 15 22:59:22 localhost.localdomain suricata[7179]: [7179] <Warning> -- ...
Sep 15 22:59:22 localhost.localdomain suricata[7179]: [7179] <Warning> -- ...
Sep 15 22:59:22 localhost.localdomain suricata[7179]: [7179] <Warning> -- ...
Sep 15 22:59:22 localhost.localdomain suricata[7179]: [7179] <Warning> -- ...
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost suricata]# ps -ef |grep suricata
root      7270  5858  0 23:00 pts/1    00:00:00 grep --color=auto suricata
..................
After a few minutes, it went down as below.

[root@localhost suricata]# systemctl status suricata -l
● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2019-09-15 22:59:27 KST; 3min 37s ago
     Docs: man:suricata(1)
  Process: 7179 ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS (code=exited, status=1/FAILURE)
  Process: 7176 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 7179 (code=exited, status=1/FAILURE)

Sep 15 22:59:27 localhost.localdomain suricata[7179]: [7179] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
Sep 15 22:59:27 localhost.localdomain suricata[7179]: 15/9/2019 -- 22:59:27 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device
Sep 15 22:59:27 localhost.localdomain suricata[7179]: [7202] <Error> -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device
Sep 15 22:59:27 localhost.localdomain suricata[7179]: 15/9/2019 -- 22:59:27 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
Sep 15 22:59:27 localhost.localdomain suricata[7179]: [7202] <Error> -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
Sep 15 22:59:27 localhost.localdomain suricata[7179]: 15/9/2019 -- 22:59:27 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-eth0 failed
Sep 15 22:59:27 localhost.localdomain suricata[7179]: [7179] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-eth0 failed
Sep 15 22:59:27 localhost.localdomain systemd[1]: suricata.service: main process exited, code=exited, status=1/FAILURE
Sep 15 22:59:27 localhost.localdomain systemd[1]: Unit suricata.service entered failed state.
Sep 15 22:59:27 localhost.localdomain systemd[1]: suricata.service failed.
..........

I do appreciate your time.

Nobel Jung


On Sunday, September 15, 2019 at 12:54:08 AM UTC+9, Jose Antonio Izquierdo wrote:

jose antonio izquierdo lopez
Sep 15, 2019, 11:35:00 AM
to Wazuh mailing list
Hi Nobel, 

So Suricata isn't really working. It seems that it is still trying to use eth0 as your main interface.

Try this way to start Suricata and let me know if it works better.
# suricata -c /etc/suricata/suricata.yaml -i enp3s0 >> /dev/null 2>&1 &



If this works, and you want to use Suricata in production, I would suggest you review your sniffing strategy: think about using a port mirror or SPAN port, use a system with two network interfaces, etc.

Monitor your Suricata with

# ps -ef | grep suricata

And monitor again your /var/log/suricata files like suricata.log and eve.json.

If Suricata keeps working, then try

And you should see the alert in your Kibana dashboard.

Thanks,
Jose Antonio Izquierdo 
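The failure in this thread comes from the af-packet section of suricata.yaml still naming eth0 while the host's interface is enp3s0 (or wlp2s0). A manual `suricata ... -i enp3s0` overrides that setting, which is why the command-line start worked, while the unit's ExecStart (`/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile ... $OPTIONS`) takes the interface from the yaml unless `$OPTIONS` supplies `-i`. The shell function below is an added example, not code from this thread or from the Wazuh or Suricata projects: it extracts the `interface:` entries from the af-packet section and checks each against /sys/class/net before the service is started. It assumes the stock suricata.yaml layout (a top-level `af-packet:` list of `- interface:` items, with `default` as the catch-all pseudo-interface); the optional second argument, which points the check at a different directory, is an assumption made only so the function can be exercised offline.

```shell
#!/bin/sh
# Added example: verify that every capture interface named in the af-packet
# section of suricata.yaml exists on this host. The "default" entry is
# Suricata's catch-all pseudo-interface and is skipped.
#
# Usage: check_afpacket_ifaces /etc/suricata/suricata.yaml [netdev-dir]
#   netdev-dir defaults to /sys/class/net; it is a parameter only so the
#   check can be pointed at a constructed directory (testing assumption).
# Exit status: 0 if every configured interface exists, 1 otherwise.

afpacket_ifaces() {
    # Print the interface names declared in the af-packet section, one per
    # line. The section runs from the top-level "af-packet:" key to the next
    # top-level key (a line starting in column 0 with anything but '#'), so
    # "interface:" keys in other sections (pcap, netmap, ...) are ignored.
    awk '
        /^af-packet:/              { in_afp = 1; next }
        in_afp && /^[^[:space:]#]/ { in_afp = 0 }
        in_afp && /^[[:space:]]*-?[[:space:]]*interface:/ {
            sub(/.*interface:[[:space:]]*/, "")   # keep only the value
            sub(/[[:space:]#].*/, "")             # drop trailing comments
            gsub(/"/, "")                         # strip surrounding quotes
            if ($0 != "" && $0 != "default") print
        }' "$1" | sort -u
}

check_afpacket_ifaces() {
    yaml=$1
    netdir=${2:-/sys/class/net}
    rc=0
    for iface in $(afpacket_ifaces "$yaml"); do
        if [ -e "$netdir/$iface" ]; then
            echo "ok: af-packet interface '$iface' exists"
        else
            echo "missing: af-packet interface '$iface' is not present on this host" >&2
            rc=1
        fi
    done
    return $rc
}

# Run directly: check the given suricata.yaml (and optional netdev directory).
if [ $# -gt 0 ]; then
    check_afpacket_ifaces "$@"
fi
```

Run it as `sh check_afpacket.sh /etc/suricata/suricata.yaml` before `systemctl start suricata`; a non-zero exit means the unit will die with the same `Unable to find iface ...: No such device` error shown above, regardless of what `-i` was used on the command line.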

nOBEL jUNG
Sep 15, 2019, 7:40:27 PM
to Wazuh mailing list
Hello Jose,

I did as you advised, but got the same result on another PC, which has a wlp2s0 interface.
It is still looking for eth0.
..............

[root@localhost ~]# suricata -c /etc/suricata/suricata.yaml -i wlp2s0 >> /dev/null 2>&1 &
[5] 7622
[root@localhost ~]# systemctl status suricata -l
● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2019-09-15 23:31:32 KST; 3min 28s ago
     Docs: man:suricata(1)
  Process: 7400 ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS (code=exited, status=1/FAILURE)
  Process: 7398 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 7400 (code=exited, status=1/FAILURE)

Sep 15 23:31:32 localhost.localdomain suricata[7400]: 15/9/2019 -- 23:31:32 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
Sep 15 23:31:32 localhost.localdomain suricata[7400]: [7400] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
Sep 15 23:31:32 localhost.localdomain suricata[7400]: 15/9/2019 -- 23:31:32 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device
Sep 15 23:31:32 localhost.localdomain suricata[7400]: [7417] <Error> -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device
Sep 15 23:31:32 localhost.localdomain suricata[7400]: 15/9/2019 -- 23:31:32 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
Sep 15 23:31:32 localhost.localdomain suricata[7400]: [7417] <Error> -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
Sep 15 23:31:32 localhost.localdomain suricata[7400]: 15/9/2019 -- 23:31:32 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-eth0 failed
Sep 15 23:31:32 localhost.localdomain systemd[1]: suricata.service: main process exited, code=exited, status=1/FAILURE
Sep 15 23:31:32 localhost.localdomain systemd[1]: Unit suricata.service entered failed state.
Sep 15 23:31:32 localhost.localdomain systemd[1]: suricata.service failed.
---------------

[root@localhost ~]# ps -ef |grep suricata
root      7108  6814  2 23:30 pts/1    00:00:11 suricata -c /etc/suricata/suricata.yaml -i wlp2s0
root      7285  6814  2 23:31 pts/1    00:00:08 suricata -c /etc/suricata/suricata.yaml -i wlp2s0
root      7521  6814  2 23:31 pts/1    00:00:06 suricata -c /etc/suricata/suricata.yaml -i wlp2s0
root      7597  6814  3 23:33 pts/1    00:00:05 suricata -c /etc/suricata/suricata.yaml -i wlp2s0
root      7622  6814  5 23:34 pts/1    00:00:05 suricata -c /etc/suricata/suricata.yaml -i wlp2s0
root      7678  6814  0 23:36 pts/1    00:00:00 grep --color=auto suricata
..............
I do appreciate your time and concern.

Regards,

Nobel Jung

On Monday, September 16, 2019 at 12:35:00 AM UTC+9, jose antonio izquierdo lopez wrote:

jose antonio izquierdo lopez
Sep 16, 2019, 12:48:21 AM
to Wazuh mailing list
Hi Nobel, 

When you start a program from the command line you shouldn't use systemctl to verify its status; it shows the latest output of the service.

I can see that Suricata is running. Well, it is running more than once, as you have run the command more than once. Please kill the extra Suricata processes and try to have a single Suricata process running.

[root@localhost ~]# ps -ef |grep suricata
root      7108  6814  2 23:30 pts/1    00:00:11 suricata -c /etc/suricata/suricata.yaml -i wlp2s0
root      7285  6814  2 23:31 pts/1    00:00:08 suricata -c /etc/suricata/suricata.yaml -i wlp2s0
root      7521  6814  2 23:31 pts/1    00:00:06 suricata -c /etc/suricata/suricata.yaml -i wlp2s0
root      7597  6814  3 23:33 pts/1    00:00:05 suricata -c /etc/suricata/suricata.yaml -i wlp2s0
root      7622  6814  5 23:34 pts/1    00:00:05 suricata -c /etc/suricata/suricata.yaml -i wlp2s0


Did you verify your Suricata log files? 

Thanks,
Jose Antonio Izquierdo 

nOBEL jUNG
Sep 16, 2019, 4:29:24 AM
to Wazuh mailing list
Hello Jose,

I checked it, but there is no log at all.
I will check it again after rebooting and let you know later.

Regards,

Nobel Jung


On Monday, September 16, 2019 at 1:48:21 PM UTC+9, jose antonio izquierdo lopez wrote:

nOBEL jUNG
Sep 16, 2019, 6:59:30 PM
to Wazuh mailing list
Hello Jose,

I finished successfully thanks to your kind advice.
The "systemctl status" result was what made it hard for me.
I do appreciate your time and support.

Best regards,

Nobel Jung

On Monday, September 16, 2019 at 1:48:21 PM UTC+9, jose antonio izquierdo lopez wrote:

jose antonio izquierdo lopez
Sep 17, 2019, 2:37:24 AM
to Wazuh mailing list
Hi Nobel,

Thanks a lot and please do not hesitate to send us any other question you may have. 

We will close this one.
Thanks,
Jose Antonio Izquierdo 

