so-suricata missing after hypervisor reboot: "failed to find interface: No such device" #13974
Replies: 1 comment
By default, Suricata would be listening on the bond interface bond0 -- you need to update the configuration of that bond interface to remove the old NIC and add the new one. You may find this documentation helpful: https://help.ubuntu.com/community/UbuntuBonding
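To make the reply above concrete, here is an added shell example (not Security Onion's own code, and not from the poster): it pulls the capture interface out of the af-packet section of a suricata.yaml, checks against `ip -o link show` output whether that interface exists and, if it is a bond, whether the bond still has any member NICs, and then rewrites the bond's member list in a netplan fragment once the renamed NIC is known. The suricata.yaml path (/opt/so/conf/suricata/suricata.yaml), the use of netplan for the bond, and the replacement NIC name enP99999s1 are all assumptions; the YAML, link and netplan samples are constructed for the example.

```shell
#!/bin/sh
# Added example, not Security Onion's own tooling: find which interface the
# af-packet capture is bound to, check that the kernel still has it (and, for
# a bond, that it still has members), and rewrite the bond's member list once
# the renamed NIC is known. Paths and names below are assumptions.

# Constructed af-packet section standing in for the real suricata.yaml.
# "default" is Suricata's catch-all entry, not a real interface, so it is skipped.
SAMPLE_YAML='default-log-dir: /var/log/suricata
af-packet:
  - interface: bond0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
  - interface: default
pcap:
  - interface: eth0
'

# Constructed "ip -o link show" output after the reboot: bond0 still exists,
# but the NIC it was built from (enP64133s1) is gone and the hypervisor exposed
# the replacement under a new name, so the bond has no members and no carrier.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
3: enP99999s1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
4: bond0: <NO-CARRIER,BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue state DOWN
'

# Constructed output after the bond has been rebuilt from the new NIC.
SAMPLE_LINKS_FIXED='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
3: enP99999s1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP
4: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
'

# Constructed netplan fragment that still builds bond0 from the old NIC name
# (assumption: the bond is defined in netplan rather than /etc/network/interfaces).
SAMPLE_NETPLAN='network:
  version: 2
  ethernets:
    enP64133s1: {}
  bonds:
    bond0:
      interfaces: [enP64133s1]
      parameters:
        mode: balance-rr
'

# Print the interface names listed under af-packet: (one per line).
afpacket_interfaces() {
  printf '%s' "$1" | awk '
    /^[^ ]/ { in_af = ($0 ~ /^af-packet:/); next }
    in_af && /^[ ]*-[ ]*interface:/ {
      sub(/.*interface:[ ]*/, ""); gsub(/"/, "")
      if ($0 != "default") print
    }'
}

# Return 0 if "ip -o link" output ($2) has an interface named $1.
link_exists() {
  printf '%s' "$2" | grep -Eq "^[0-9]+: $1: "
}

# Print the member NICs of bond $1 from "ip -o link" output ($2);
# a member's line carries "master <bond>".
bond_members() {
  printf '%s' "$2" | awk -v b="$1" '$0 ~ (" master " b "( |$)") { sub(/:$/, "", $2); print $2 }'
}

# Report the state of every capture interface; returns 1 if Suricata would
# fail to start. On a live sensor (paths are assumptions, adjust to yours):
#   check_capture_interfaces "$(cat /opt/so/conf/suricata/suricata.yaml)" "$(ip -o link show)"
check_capture_interfaces() {
  yaml=$1; links=$2; rc=0
  for iface in $(afpacket_interfaces "$yaml"); do
    if ! link_exists "$iface" "$links"; then
      echo "$iface: missing (this is the 'failed to find interface: No such device' case)"; rc=1
    elif printf '%s' "$links" | grep -Eq "^[0-9]+: $iface: <[^>]*MASTER" \
         && [ -z "$(bond_members "$iface" "$links")" ]; then
      echo "$iface: present, but the bond has no member NICs (old NIC gone?)"; rc=1
    else
      echo "$iface: ok"
    fi
  done
  return $rc
}

# Rewrite a netplan fragment ($4) so bond $1 is built from NIC $3 instead of $2;
# the matching ethernets: stanza is renamed too. Apply with netplan apply afterwards.
replace_bond_member() {
  printf '%s' "$4" | awk -v bond="$1" -v old="$2" -v new="$3" '
    $1 == (old ":") && $2 == "{}" { sub(old ":", new ":") }   # ethernets: stanza
    /^    [^ ]/ { in_bond = ($1 == (bond ":")) }               # which bonds: entry we are in
    in_bond && /interfaces:/ { gsub(old, new) }                # the bond member list
    { print }'
}

echo "== before the fix =="
check_capture_interfaces "$SAMPLE_YAML" "$SAMPLE_LINKS" || echo "so-suricata would fail to start"
echo "== after the fix =="
check_capture_interfaces "$SAMPLE_YAML" "$SAMPLE_LINKS_FIXED"
echo "== netplan fragment with the new NIC =="
replace_bond_member bond0 enP64133s1 enP99999s1 "$SAMPLE_NETPLAN"
```

Run the check first: if it reports the af-packet interface as missing, the name in suricata.yaml is stale; if it reports the bond present but empty, the bond definition is what needs the old NIC swapped for the new one, which is the case the reply describes.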
Version: 2.4.110
Installation Method: Network installation on Ubuntu (unsupported)
Description: configuration
Installation Type: Standalone
Location: cloud
Hardware Specs: Exceeds minimum requirements
CPU: 4
RAM: 32
Storage for /: 500
Storage for /nsm: 150
Network Traffic Collection: other (please provide detail below)
Network Traffic Speeds: 1Gbps to 10Gbps
Status: No, one or more services are failed (please provide detail below)
Salt Status: No, there are no failures
Logs: Yes, there are additional clues in /opt/so/log/ (please provide detail below)
Detail
Hello Security Onion,
I wanted to open a thread for an issue my company has been having with so-suricata ever since we rebooted the cloud VM that our Onion instance runs on from the hypervisor. We scheduled that reboot to provision additional memory for the machine to fix issues with so-elasticsearch, but since that time so-suricata has consistently shown as missing in the output of sudo so-status. I believe that the issue stems from the configuration/naming of the NICs on the device since that reboot and wanted to verify whether that is the case.
The output of /opt/so/log/suricata/suricata.log after the latest attempt to restart so-suricata reads as follows:
Previous reading suggests that this error code indicates an issue with the NIC that af-packet is attempting to use, i.e. enP64133s1.
nmcli connection show for the Ubuntu VM reads as follows:
This seems to confirm that there is no physical device associated with the NIC name that af-packet is configured to use. I believe that this likely happened as a result of the operational NIC being renamed when we rebooted the VM from the hypervisor. If that is the case, what would be the easiest/most practical way to point Suricata / af-packet to the functional NIC? Any guidance that you could provide on this point would be very much appreciated, and again I understand that the version we have implemented is not formally supported.
Thank you!