Testing suricata on a Linux desktop

I want to start monitoring my network traffic and I’ve picked suricata. But after configuring it I cannot start the service. I was following this tutorial: https://youtu.be/xXte5RplzBc
I’m currently running Devuan, so at first I thought this was a lack-of-systemd issue, but after some reading it looks more like a bad config. When I try to sudo service suricata start I get:

suricata disabled, please adjust the configuration to your needs  ... failed!
and then set RUN to 'yes' in /etc/default/suricata to enable it. ... failed!

The only thing that I have changed in the default config was:

  • changing HOME_NET IP
  • changing default-log-dir location
  • changing af-packet interface from eth0 to what I’m using
  • adding an additional wireguard interface to af-packet

I tried to run the binary manually with sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -D but it returns version/options instead of starting the daemon:

Suricata 6.0.10
USAGE: /usr/bin/suricata [OPTIONS] [BPF FILTER]

	-c <path>                            : path to configuration file
	-T                                   : test configuration file (use with -c)
	-i <dev or ip>                       : run in pcap live mode
	-F <bpf filter file>                 : bpf filter file
	-r <path>                            : run in pcap file/offline mode
	-q <qid[:qid]>                       : run in inline nfqueue mode (use colon to specify a range of queues)
	-s <path>                            : path to signature file loaded in addition to suricata.yaml settings (optional)
	-S <path>                            : path to signature file loaded exclusively (optional)
	-l <dir>                             : default log directory
	-D                                   : run as daemon
	-k [all|none]                        : force checksum check (all) or disabled it (none)
	-V                                   : display Suricata version
	-v                                   : be more verbose (use multiple times to increase verbosity)
	--list-app-layer-protos              : list supported app layer protocols
	--list-keywords[=all|csv|<kword>]    : list keywords implemented by the engine
	--list-runmodes                      : list supported runmodes
	--runmode <runmode_id>               : specific runmode modification the engine should run.  The argument
	                                       supplied should be the id for the runmode obtained by running
	                                       --list-runmodes
	--engine-analysis                    : print reports on analysis of different sections in the engine and exit.
	                                       Please have a look at the conf parameter engine-analysis on what reports
	                                       can be printed
	--pidfile <file>                     : write pid to this file
	--init-errors-fatal                  : enable fatal failure on signature init error
	--disable-detection                  : disable detection engine
	--dump-config                        : show the running configuration
	--dump-features                      : display provided features
	--build-info                         : display build information
	--pcap[=<dev>]                       : run in pcap mode, no value select interfaces from suricata.yaml
	--pcap-file-continuous               : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted
	--pcap-file-delete                   : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done
	--pcap-file-recursive                : will descend into subdirectories when running in replay mode (-r)
	--pcap-buffer-size                   : size of the pcap buffer value from 0 - 2147483647
	--af-packet[=<dev>]                  : run in af-packet mode, no value select interfaces from suricata.yaml
	--simulate-ips                       : force engine into IPS mode. Useful for QA
	--user <user>                        : run suricata as this user after init
	--group <group>                      : run suricata as this group after init
	--erf-in <path>                      : process an ERF file
	--unix-socket[=<file>]               : use unix socket to control suricata work
	--reject-dev <dev>                   : send reject packets from this interface
	--set name=value                     : set a configuration value


To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:

/usr/bin/suricata -c suricata.yaml -s signatures.rules -i eth0
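The following is an added example, not part of the original question or of the Suricata project: a small POSIX shell pre-flight script for the two things the post touches, the RUN= switch in /etc/default/suricata that the init script complains about, and testing the configuration with the -T option listed in the usage output before starting the daemon. It assumes the Debian-style layout from the post (/etc/default/suricata, /etc/suricata/suricata.yaml, /usr/bin/suricata) and, because -D on its own selects no capture method, it passes --af-packet so the interfaces configured in suricata.yaml are used; which capture option to pass is an assumption taken from the usage text above.

```shell
#!/bin/sh
# Added example (not from the original post or the Suricata project).
# Pre-flight checks for a Debian-style Suricata install:
#   1. is RUN=yes set in /etc/default/suricata (what the init script wants)?
#   2. does "suricata -T -c <file>" accept the configuration?
#   3. what start command should be used (with a capture method selected)?
# Paths below are assumptions matching the post; adjust if your layout differs.

# Return 0 when the defaults file enables the service (RUN=yes), 1 otherwise.
# Leading whitespace, comment lines and quotes around the value are tolerated;
# the last RUN= line wins, as it would when the file is sourced by the init script.
suricata_run_enabled() {
    defaults_file="${1:-/etc/default/suricata}"
    [ -r "$defaults_file" ] || return 1
    value=$(sed -n 's/^[[:space:]]*RUN=["'\'']*\([A-Za-z]*\).*/\1/p' "$defaults_file" | tail -n 1)
    [ "$value" = "yes" ]
}

# Build the start command. "-D" alone selects no capture method (the binary
# then prints its usage), so --af-packet is added; with no device given,
# Suricata takes the interfaces from suricata.yaml. Assumption based on the
# usage text in the post.
suricata_start_cmd() {
    cfg="${1:-/etc/suricata/suricata.yaml}"
    printf '%s\n' "/usr/bin/suricata -c $cfg --af-packet -D"
}

# Test the configuration file without starting the engine.
# Returns suricata's own exit status, or 127 if the binary is not installed.
suricata_test_config() {
    cfg="${1:-/etc/suricata/suricata.yaml}"
    command -v suricata >/dev/null 2>&1 || { echo "suricata not installed" >&2; return 127; }
    suricata -T -c "$cfg"
}

# Run all checks and report; returns non-zero if any check fails.
preflight() {
    cfg="${1:-/etc/suricata/suricata.yaml}"
    defaults="${2:-/etc/default/suricata}"
    status=0
    if suricata_run_enabled "$defaults"; then
        echo "ok: RUN=yes in $defaults"
    else
        echo "fail: set RUN=yes in $defaults (the init script refuses to start otherwise)" >&2
        status=1
    fi
    if suricata_test_config "$cfg"; then
        echo "ok: $cfg passes suricata -T"
    else
        echo "fail: $cfg rejected by suricata -T, fix the errors printed above" >&2
        status=1
    fi
    echo "start command: $(suricata_start_cmd "$cfg")"
    return "$status"
}

# Only run the checks when invoked as "sh preflight.sh --run [config] [defaults]".
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-/etc/suricata/suricata.yaml}" "${3:-/etc/default/suricata}"
fi
```

Run it as root with sh preflight.sh --run; the -T test needs the same privileges as the daemon to open the log directory and rule files, so a config that passes as root can still fail if the service later drops to an unprivileged user without write access to default-log-dir.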