Support #2523
closedSet AF_PACKET bpf filter "/etc/suricata/suricata.yaml" failed when starting Suricata
Description
On newly installed system getting error related to the compilation of BPF filter - I am not using BPF filter in the suricata.yaml.
30/6/2018 -- 13:34:41 - <Notice> - This is Suricata version 4.0.4 RELEASE
30/6/2018 -- 13:34:41 - <Info> - CPUs/cores online: 2
30/6/2018 -- 13:34:41 - <Info> - Found an MTU of 1500 for 'enp0s8'
30/6/2018 -- 13:34:41 - <Info> - Found an MTU of 1500 for 'enp0s8'
30/6/2018 -- 13:34:41 - <Info> - Running in live mode, activating unix socket
30/6/2018 -- 13:34:45 - <Info> - 38 rule files processed. 12489 rules successfully loaded, 0 rules failed
30/6/2018 -- 13:34:45 - <Info> - Threshold config parsed: 0 rule(s) found
30/6/2018 -- 13:34:45 - <Info> - 12494 signatures processed. 1161 are IP-only rules, 5187 are inspecting packet payload, 7644 inspect application layer, 0 are decoder event only
30/6/2018 -- 13:34:47 - <Info> - fast output device (regular) initialized: fast.log
30/6/2018 -- 13:34:47 - <Info> - eve-log output device (regular) initialized: eve.json
30/6/2018 -- 13:34:47 - <Info> - dns-log output device (regular) initialized: dns.log
30/6/2018 -- 13:34:47 - <Info> - dns-log output device (regular) initialized: dns.log
30/6/2018 -- 13:34:47 - <Info> - alert-debug output device (regular) initialized: alert-debug.log
30/6/2018 -- 13:34:47 - <Info> - stats output device (regular) initialized: stats.log
30/6/2018 -- 13:34:47 - <Info> - Going to use 2 thread(s)
30/6/2018 -- 13:34:47 - <Info> - Running in live mode, activating unix socket
30/6/2018 -- 13:34:47 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
30/6/2018 -- 13:34:47 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
30/6/2018 -- 13:34:47 - <Info> - Using BPF '/etc/suricata/suricata.yaml' on iface 'enp0s8'
30/6/2018 -- 13:34:47 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
30/6/2018 -- 13:34:47 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "/etc/suricata/suricata.yaml" failed.
30/6/2018 -- 13:34:47 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
30/6/2018 -- 13:34:47 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-enp0s8 failed
Updated by Eric Leblond almost 6 years ago
What is your command line ? From what I can read, looks like you did forget the -c before the path to the YAML file.
Updated by Derek Mizak almost 6 years ago
Thank you - it was in fact -c missing. Thank you for help with the lame query.