Suricata Problems

I was using version 199 and no rule sets were actually getting loaded. I upgraded to version 200 testing this morning. I deleted all rulesets on the web page then added back and selected specific sets under customize ruleset.

Here is the output from the IPS logs after I added the customized rulesets:

10:36:47 suricata: [6596] – 913 events were dropped due to slow or disconnected socket
10:36:48 suricata: [11915] – This is Suricata version 8.0.3 RELEASE running in SYSTEM mode
10:36:48 suricata: [11915] – CPUs/cores online: 4
10:36:48 suricata: [11915] – master exception-policy set to: pass-packet
10:36:49 suricata: [11915] – NFQ running in REPEAT mode with mark 2147483648/2147483648
10:36:49 suricata: [11915] – dropped the caps for main thread
10:36:49 suricata: [11915] – fast output device (regular) initialized: fast.log
10:36:49 suricata: [11915] – Error connecting to socket "/var/run/suricata/reporter.socket": No such file or directory (will keep trying)
10:36:49 suricata: [11915] – Setting logging socket of non-blocking in live mode.
10:36:49 suricata: [11915] – eve-log output device (unix_dgram) initialized: /var/run/suricata/reporter.socket
10:36:49 suricata: [11915] – stats output device (regular) initialized: stats.log
10:36:49 suricata: [11915] – Packets will start being processed before signatures are active.
10:36:49 suricata: [11915] – Rule group cache pruning removed 0/4 of HS caches due to version-incompatibility (not v2) or age (older than 2026-02-21 10:36:49)
10:36:49 suricata: [11915] – unix socket '/var/run/suricata/suricata-command.socket'
10:36:49 suricata: [11951] – binding this thread 0 to queue '0'
10:36:49 suricata: [11951] – setting queue length to 4096
10:36:49 suricata: [11951] – setting nfnl bufsize to 6144000
10:36:49 suricata: [11956] – binding this thread 1 to queue '1'
10:36:49 suricata: [11956] – setting queue length to 4096
10:36:49 suricata: [11956] – setting nfnl bufsize to 6144000
10:36:49 suricata: [11957] – binding this thread 2 to queue '2'
10:36:49 suricata: [11957] – setting queue length to 4096
10:36:49 suricata: [11957] – setting nfnl bufsize to 6144000
10:36:49 suricata: [11958] – binding this thread 3 to queue '3'
10:36:49 suricata: [11958] – setting queue length to 4096
10:36:49 suricata: [11958] – setting nfnl bufsize to 6144000
10:36:49 suricata: [11915] – Threads created -> W: 4 FM: 1 FR: 1 Engine started.
10:36:49 suricata: [11915] – rule reload starting
10:36:49 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
10:36:49 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
10:36:49 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
10:36:49 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-used-rulesfiles.yaml.
10:36:49 suricata: [11915] – tenant id 0: 2 rule files processed. 10 rules successfully loaded, 0 rules failed, 0 rules skipped
10:36:49 suricata: [11915] – tenant id 0: Threshold config parsed: 0 rule(s) found
10:36:49 suricata: [11915] – tenant id 0: 10 signatures processed. 0 are IP-only rules, 2 are inspecting packet payload, 7 inspect application layer, 0 are decoder event only
10:36:50 suricata: [11915] – Rule group caching - loaded: 4 newly cached: 0 total cacheable: 4
10:36:50 suricata: [11915] – Rule group cache pruning removed 0/4 of HS caches due to version-incompatibility (not v2) or age (older than 2026-02-21 10:36:50)
10:36:50 suricata: [11915] – rule reload complete
10:36:50 suricata: [11915] – Signature(s) loaded, Detect thread(s) activated.
10:37:38 suricata: [11915] – rule reload starting
10:37:38 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
10:37:38 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
10:37:38 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
10:37:38 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-used-rulesfiles.yaml.
10:37:39 suricata: [11915] – tenant id 0: 9 rule files processed. 3042 rules successfully loaded, 0 rules failed, 0 rules skipped
10:37:39 suricata: [11915] – tenant id 0: Threshold config parsed: 0 rule(s) found
10:37:39 suricata: [11915] – tenant id 0: 3045 signatures processed. 302 are IP-only rules, 335 are inspecting packet payload, 2407 inspect application layer, 0 are decoder event only
10:37:39 suricata: [11915] – flowbit 'ET.ApacheSpark_UnauthRegisterApplication' is checked but not set. Checked in 2035004 and 0 other sigs
10:37:42 suricata: [11915] – Rule group caching - loaded: 0 newly cached: 30 total cacheable: 30
10:37:42 suricata: [11915] – Rule group cache pruning removed 0/34 of HS caches due to version-incompatibility (not v2) or age (older than 2026-02-21 10:37:42)
10:37:42 suricata: [11915] – rule reload complete
10:40:31 suricata: [11915] – rule reload starting
10:40:31 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
10:40:31 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
10:40:31 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
10:40:31 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-used-rulesfiles.yaml.
10:40:38 suricata: [11915] – tenant id 0: 11 rule files processed. 20742 rules successfully loaded, 0 rules failed, 0 rules skipped
10:40:38 suricata: [11915] – tenant id 0: Threshold config parsed: 0 rule(s) found
10:40:38 suricata: [11915] – tenant id 0: 20747 signatures processed. 324 are IP-only rules, 2096 are inspecting packet payload, 18322 inspect application layer, 0 are decoder event only
10:40:38 suricata: [11915] – flowbit 'ET.ApacheSpark_UnauthRegisterApplication' is checked but not set. Checked in 2035004 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2013036 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
10:40:38 suricata: [11915] – flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'et.MCOFF' is checked but not set. Checked in 2022303 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'ET.http.binary' is checked but not set. Checked in 2023741 and 2 other sigs
10:40:38 suricata: [11915] – flowbit 'ET.armwget' is checked but not set. Checked in 2024242 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 7 other sigs
10:40:38 suricata: [11915] – flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
10:40:38 suricata: [11915] – flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'ET.http.javaclient' is checked but not set. Checked in 2015657 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'ET.generictelegram' is checked but not set. Checked in 2045614 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'ET.WebDAVURL' is checked but not set. Checked in 2049320 and 2 other sigs
10:40:38 suricata: [11915] – flowbit 'ET.implantjs.syn' is checked but not set. Checked in 2060257 and 2 other sigs
10:40:38 suricata: [11915] – flowbit 'http.dottedquadhost' is checked but not set. Checked in 2067196 and 0 other sigs
10:40:59 suricata: [11915] – Rule group caching - loaded: 0 newly cached: 57 total cacheable: 57

It looks like a lot of errors and missing files. Not being a particular expert in this, it looks to me like Suricata isn't actually running correctly.

Never mind. It seems to be working: when I run curl http://testmynids.org/uid/index.html it shows in the IPS logs. Beats me what all the errors were before, but it is working now.

No errors, just some alerts, but nothing to stop Suricata from working.

10:36:48 suricata: [11915] – This is Suricata version 8.0.3 RELEASE running in SYSTEM mode
10:36:48 suricata: [11915] – CPUs/cores online: 4
10:36:48 suricata: [11915] – master exception-policy set to: pass-packet
10:36:49 suricata: [11915] – NFQ running in REPEAT mode with mark 2147483648/2147483648
10:36:49 suricata: [11915] – dropped the caps for main thread
10:36:49 suricata: [11915] – fast output device (regular) initialized: fast.log
10:36:49 suricata: [11915] – Error connecting to socket "/var/run/suricata/reporter.socket": No such file or directory (will keep trying)
10:36:49 suricata: [11915] – Setting logging socket of non-blocking in live mode.
10:36:49 suricata: [11915] – eve-log output device (unix_dgram) initialized: /var/run/suricata/reporter.socket
10:36:49 suricata: [11915] – stats output device (regular) initialized: stats.log
10:36:49 suricata: [11915] – Packets will start being processed before signatures are active.
10:36:49 suricata: [11915] – Rule group cache pruning removed 0/4 of HS caches due to version-incompatibility (not v2) or age (older than 2026-02-21 10:36:49)
10:36:49 suricata: [11915] – unix socket '/var/run/suricata/suricata-command.socket'
10:36:49 suricata: [11951] – binding this thread 0 to queue '0'
10:36:49 suricata: [11951] – setting queue length to 4096
10:36:49 suricata: [11951] – setting nfnl bufsize to 6144000
10:36:49 suricata: [11956] – binding this thread 1 to queue '1'
10:36:49 suricata: [11956] – setting queue length to 4096
10:36:49 suricata: [11956] – setting nfnl bufsize to 6144000
10:36:49 suricata: [11957] – binding this thread 2 to queue '2'
10:36:49 suricata: [11957] – setting queue length to 4096
10:36:49 suricata: [11957] – setting nfnl bufsize to 6144000
10:36:49 suricata: [11958] – binding this thread 3 to queue '3'
10:36:49 suricata: [11958] – setting queue length to 4096
10:36:49 suricata: [11958] – setting nfnl bufsize to 6144000
10:36:49 suricata: [11915] – Threads created -> W: 4 FM: 1 FR: 1 Engine started.

This is Suricata successfully starting.

Then it loads the selected signatures.

10:36:49 suricata: [11915] – rule reload starting
10:36:49 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
10:36:49 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
10:36:49 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
10:36:49 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-used-rulesfiles.yaml.
10:36:49 suricata: [11915] – tenant id 0: 2 rule files processed. 10 rules successfully loaded, 0 rules failed, 0 rules skipped
10:36:49 suricata: [11915] – tenant id 0: Threshold config parsed: 0 rule(s) found
10:36:49 suricata: [11915] – tenant id 0: 10 signatures processed. 0 are IP-only rules, 2 are inspecting packet payload, 7 inspect application layer, 0 are decoder event only
10:36:50 suricata: [11915] – Rule group caching - loaded: 4 newly cached: 0 total cacheable: 4
10:36:50 suricata: [11915] – Rule group cache pruning removed 0/4 of HS caches due to version-incompatibility (not v2) or age (older than 2026-02-21 10:36:50)
10:36:50 suricata: [11915] – rule reload complete
10:36:50 suricata: [11915] – Signature(s) loaded, Detect thread(s) activated.

At this time there were no signature sets defined, so only the standard settings were loaded from the included configuration files, giving

10:36:49 suricata: [11915] – tenant id 0: 2 rule files processed. 10 rules successfully loaded, 0 rules failed, 0 rules skipped

As you can see, it says here 0 rules failed.

Then you selected a rule provider and selected some rulesets, and got the same starting set as previously, with the include files

10:37:38 suricata: [11915] – rule reload starting
10:37:38 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
10:37:38 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
10:37:38 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
10:37:38 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-used-rulesfiles.yaml.
10:37:39 suricata: [11915] – tenant id 0: 9 rule files processed. 3042 rules successfully loaded, 0 rules failed, 0 rules skipped
10:37:39 suricata: [11915] – tenant id 0: Threshold config parsed: 0 rule(s) found
10:37:39 suricata: [11915] – tenant id 0: 3045 signatures processed. 302 are IP-only rules, 335 are inspecting packet payload, 2407 inspect application layer, 0 are decoder event only

This has the line with 9 rule files processed, 3042 rules successfully loaded and 0 rules failed.

This section

10:37:42 suricata: [11915] – Rule group caching - loaded: 0 newly cached: 30 total cacheable: 30
10:37:42 suricata: [11915] – Rule group cache pruning removed 0/34 of HS caches due to version-incompatibility (not v2) or age (older than 2026-02-21 10:37:42)
10:37:42 suricata: [11915] – rule reload complete

is saying that no rules could be loaded from the cache, which is not surprising when first starting with a cache, but 30 have now been cached out of 30 that were cacheable. So the cache now has content to speed up the loading of rulesets in the future.
The second line is saying that there was nothing old enough in the cache to be pruned. As it was empty to start with, that is expected. The trigger to remove from the cache is anything older than 7 days.

Then some more rulesets were selected

10:40:31 suricata: [11915] – rule reload starting
10:40:31 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
10:40:31 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
10:40:31 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
10:40:31 suricata: [11915] – Including configuration file /var/ipfire/suricata/suricata-used-rulesfiles.yaml.
10:40:38 suricata: [11915] – tenant id 0: 11 rule files processed. 20742 rules successfully loaded, 0 rules failed, 0 rules skipped
10:40:38 suricata: [11915] – tenant id 0: Threshold config parsed: 0 rule(s) found
10:40:38 suricata: [11915] – tenant id 0: 20747 signatures processed. 324 are IP-only rules, 2096 are inspecting packet payload, 18322 inspect application layer, 0 are decoder event only
10:40:38 suricata: [11915] – flowbit 'ET.ApacheSpark_UnauthRegisterApplication' is checked but not set. Checked in 2035004 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2013036 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
10:40:38 suricata: [11915] – flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs

This time there were 20742 rules loaded and 0 rules failed.

The following lines with "flowbit xxxxxxxxxxx is checked but not set" are a warning, not an error.

A question on this flowbit message has been asked on the Suricata forum several times, and the response from a Suricata team member was

The warning message shows that the flowbits named dcerpc.rpcnetlogin and ET.BonitaDefaultCreds are checked but never set. Flowbits provide a way to maintain state across a flow. Checking a flowbit but never setting it means the rule(s) doing so have no effect and will never generate an alert if the flowbit’s never set. That’s why Suricata is warning you.

This may happen if a rule is commented out (leading whitespace or # on the line containing the rule). This is most often the cause if you’re using a commercially provided (either free or with cost) ruleset.

These messages are usually from rules that have not been selected, in which case they are commented out in the ruleset.

So the message is saying that you have not selected all rules in the ruleset.

For the Emerging Threats ruleset that your messages come from, they provide the ruleset with only specific rules enabled.

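The reply above explains the two things to read out of these logs: the "N rules failed" count is what would indicate a broken rule load, and the "flowbit ... is checked but not set" warnings come from checking rules whose setting rule is commented out in the shipped ruleset. The script below is an added example (it is not IPFire's or Suricata's own code) that does both checks offline: it cross-references flowbit set/isset usage in a .rules file, including disabled lines, so the report names the commented-out rule that explains each warning, and it pulls the rule-load summary and warning lines out of IPS log text in the format shown in the thread. The rules in SAMPLE_RULES and the lines in SAMPLE_LOG are constructed for the demonstration; sids 9000001 to 9000005 are hypothetical and not real Emerging Threats signatures.

```python
"""Cross-check flowbits in a Suricata .rules file and triage the startup log.

Added example, not code from IPFire or Suricata. The ruleset and log lines
below are constructed; the sids 9000001-9000005 are hypothetical.
"""
import re
from collections import defaultdict

# Constructed ruleset: the rule that SETS ET.http.javaclient is disabled with
# a leading '#', the situation the Suricata warning in the thread describes.
SAMPLE_RULES = r'''
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE java UA"; flow:established,to_server; content:"Java/"; http.user_agent; flowbits:set,ET.http.javaclient; flowbits:noalert; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE java download"; flow:established,to_client; flowbits:isset,ET.http.javaclient; content:"MZ"; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"EXAMPLE smb setter"; flowbits:set,ET.smb.binary; flowbits:noalert; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"EXAMPLE smb checker"; flowbits:isset,ET.smb.binary; sid:9000004; rev:1;)
alert http any any -> any any (msg:"EXAMPLE OR check"; flowbits:isset,ET.http.binary|ET.smb.binary; sid:9000005; rev:1;)
'''

# Constructed IPS log lines in the layout shown in the thread.
SAMPLE_LOG = [
    "10:40:38 suricata: [11915] - tenant id 0: 11 rule files processed. 20742 rules successfully loaded, 0 rules failed, 0 rules skipped",
    "10:40:38 suricata: [11915] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2015657 and 0 other sigs",
    "10:40:38 suricata: [11915] - flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs",
]

FLOWBIT_RE = re.compile(r"flowbits\s*:\s*(set|isset|isnotset|toggle|unset)\s*,\s*([^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
LOAD_RE = re.compile(r"(\d+) rule files processed\. (\d+) rules successfully loaded, "
                     r"(\d+) rules failed, (\d+) rules skipped")
WARN_RE = re.compile(r"flowbit '([^']+)' is checked but not set\. Checked in (\d+) and (\d+) other sigs")


def find_unset_flowbits(rules_text):
    """Return {flowbit: {"checked_in": [sids], "disabled_setters": [sids]}} for
    every flowbit an enabled rule checks (isset/isnotset) that no enabled rule
    sets (set/toggle). Disabled rules (leading '#') are parsed as well so the
    report can point at the commented-out setter behind each warning."""
    checks = defaultdict(list)
    setters = defaultdict(list)
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("# ")
        m = SID_RE.search(body)
        if not m:
            continue
        sid = int(m.group(1))
        for op, names in FLOWBIT_RE.findall(body):
            # Suricata allows A|B and A&B combinations in a single check.
            for name in re.split(r"[|&]", names):
                name = name.strip()
                if op in ("set", "toggle"):
                    setters[name].append((sid, enabled))
                elif op in ("isset", "isnotset") and enabled:
                    checks[name].append(sid)
    report = {}
    for name, sids in sorted(checks.items()):
        if any(en for _, en in setters.get(name, [])):
            continue  # an enabled rule sets it: no warning expected
        report[name] = {
            "checked_in": sorted(sids),
            "disabled_setters": sorted(s for s, en in setters.get(name, []) if not en),
        }
    return report


def format_warning(name, sids):
    """Render a report entry in the wording Suricata uses in its log."""
    return (f"flowbit '{name}' is checked but not set. "
            f"Checked in {sids[0]} and {len(sids) - 1} other sigs")


def triage_log(lines):
    """Return (rule-load summary dict, [flowbit names warned about]).
    The failed/skipped counts are what would actually signal a broken load;
    the flowbit lines are warnings and do not stop the engine."""
    summary, warned = None, []
    for line in lines:
        m = LOAD_RE.search(line)
        if m:
            files, loaded, failed, skipped = map(int, m.groups())
            summary = {"files": files, "loaded": loaded, "failed": failed, "skipped": skipped}
        w = WARN_RE.search(line)
        if w:
            warned.append(w.group(1))
    return summary, warned


if __name__ == "__main__":
    for name, info in find_unset_flowbits(SAMPLE_RULES).items():
        print(format_warning(name, info["checked_in"]))
        if info["disabled_setters"]:
            print(f"  -> set only by disabled rule(s) sid {info['disabled_setters']}")
        else:
            print("  -> no rule in this file sets it at all")
    print(triage_log(SAMPLE_LOG))
```

Run against a real ruleset by passing the contents of a .rules file (for an IPFire install, the files listed in /var/ipfire/suricata/suricata-used-rulesfiles.yaml) to find_unset_flowbits; an entry with a non-empty disabled_setters list is the "rule not selected" case the reply describes, while an entry with an empty list means the setter is in a rule file you are not loading at all.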