AF_PACKET fails to initialize when running with limited privileges
If I run Suricata with AF_PACKET as shown below, everything is fine:
suricata -c /etc/suricata/suricata.yaml --af-packet=eth0
However, if I tell Suricata to drop to a non-root user like this:
suricata --user sguil --group sguil -c /etc/suricata/suricata.yaml --af-packet=eth0
it drops the capabilities and then AF_PACKET fails to initialize.
Should Suricata initialize AF_PACKET first, and then drop capabilities?
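A diagnostic for the failure described above, as an added example that is not part of the original report or Suricata's own code: it reads the capability sets from `/proc/<pid>/status` text and reports whether the process could still create an AF_PACKET socket, which per packet(7) requires CAP_NET_RAW. The function names and the three sample status texts are constructed for illustration; the capability only matters when the socket is created, so a socket opened before the drop is not affected by this check.

```python
import re

# Capability bit numbers from <linux/capability.h>.
CAP_NET_ADMIN = 12  # interface configuration, promiscuous mode (capabilities(7))
CAP_NET_RAW = 13    # required to create a packet socket (packet(7))

def parse_status(status_text):
    """Extract the effective UID and capability masks from /proc/<pid>/status text."""
    info = {}
    uid = re.search(r"^Uid:\s+\d+\s+(\d+)", status_text, re.M)  # real, then effective
    if uid:
        info["euid"] = int(uid.group(1))
    pattern = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$"
    for name, mask in re.findall(pattern, status_text, re.M):
        info[name] = int(mask, 16)
    return info

def has_cap(mask, bit):
    return bool((mask >> bit) & 1)

def afpacket_report(status_text):
    """Summarise whether this process can create a new AF_PACKET socket."""
    info = parse_status(status_text)
    eff, prm = info.get("CapEff", 0), info.get("CapPrm", 0)
    return {
        "euid": info.get("euid"),
        "can_create_packet_socket": has_cap(eff, CAP_NET_RAW),
        # Permitted but not effective: the process could raise it again itself.
        "net_raw_permitted_only": has_cap(prm, CAP_NET_RAW) and not has_cap(eff, CAP_NET_RAW),
        "net_admin": has_cap(eff, CAP_NET_ADMIN),
    }

# Constructed samples: root with full capabilities, a non-root user with every
# capability dropped, and a non-root user that kept only NET_ADMIN and NET_RAW.
SAMPLE_ROOT = "Name:\tsuricata\nUid:\t0\t0\t0\t0\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"
SAMPLE_DROPPED = "Name:\tsuricata\nUid:\t1000\t1000\t1000\t1000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
SAMPLE_KEPT = "Name:\tsuricata\nUid:\t1000\t1000\t1000\t1000\nCapPrm:\t0000000000003000\nCapEff:\t0000000000003000\n"

if __name__ == "__main__":
    for label, text in (("root", SAMPLE_ROOT), ("dropped", SAMPLE_DROPPED), ("kept", SAMPLE_KEPT)):
        print(label, afpacket_report(text))
    # On Linux, the same check against the live process running this script:
    try:
        with open("/proc/self/status") as fh:
            print("self", afpacket_report(fh.read()))
    except OSError:
        pass
```

To check a running sensor, pass the contents of `/proc/<pid>/status` for that process to `afpacket_report`.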