Suricata IDS stops detection within 3 mins of the service start

deepinfi


I have the setup below:
FreeBSD - 12.2 (Running on VM with 4 NICs )
Suricata - 6.0.2

Suricata IDS config in rc.conf
suricata_enable="YES"
suricata_interface="igb1"
suricata_flags="-D -v"

ifconfig igb1
igb1: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
options=810098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
ether 00:0c:29:ff:fc:ca
inet 10.10.2.12 netmask 0xff000000 broadcast 10.255.255.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

Suricata PID
sudo ps auxww | grep suricata
root 20168 14.9 1.4 160684 118596 - Ss 12:17 0:17.83 /usr/local/bin/suricata -D -v --pcap=igb1 --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml

Once I start the suricata service, I can see the alerts generated in the fast.log file
However, after about 2 to 3 mins, no more alerts are generated in this file.
But the data keeps updating in eve.json and stats.log files.
Please help me with troubleshooting this issue so that alert detection continues smoothly.

ls -l
-rw-r--r-- 1 root wheel 5236661 May 13 12:20 alert-debug.log
-rw-r----- 1 root wheel 3874597 May 13 12:28 eve.json
-rw-r----- 1 root wheel 8536 May 13 12:20 fast.log
-rw-r----- 1 root wheel 10183 May 13 12:20 http.log
-rw-r----- 1 root wheel 345277 May 13 12:28 stats.log
-rw-r--r-- 1 root wheel 225528 May 13 12:17 suricata.log
-rw-r----- 1 root wheel 27359 May 13 12:21 tls.log
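To tell whether detection itself stops or only the fast.log writer stalls, it helps to look at eve.json, which in this setup keeps growing: if it still carries event_type "alert" records after fast.log's last modification time, the engine is still detecting and the problem is the fast output only. The script below is an added troubleshooting aid, not code from the post or from Suricata; it assumes the default EVE JSON-lines format and timestamp layout, and the sample lines are constructed for illustration.

```python
"""Summarise Suricata eve.json: alerts per minute, last alert vs. last event.

Usage: python3 eve_check.py /var/log/suricata/eve.json
"""
import json
import sys
from collections import Counter
from datetime import datetime

# Constructed sample eve.json lines (not from the forum post).
SAMPLE_EVE = """\
{"timestamp":"2021-05-13T12:17:30.000000+0000","event_type":"alert","alert":{"signature_id":1}}
{"timestamp":"2021-05-13T12:18:10.000000+0000","event_type":"alert","alert":{"signature_id":2}}
{"timestamp":"2021-05-13T12:19:00.000000+0000","event_type":"stats","stats":{}}
{"timestamp":"2021-05-13T12:20:05.000000+0000","event_type":"alert","alert":{"signature_id":1}}
{"timestamp":"2021-05-13T12:28:00.000000+0000","event_type":"stats","stats":{}}
{"timestamp":"2021-05-13T12:28:00.000000+0000","event_type":"flow","flow":{}}
"""


def parse_ts(ts):
    # Default EVE timestamp format, e.g. 2021-05-13T12:17:30.123456+0000
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def summarize_eve(lines):
    """Return (alerts per HH:MM, newest timestamp seen per event_type)."""
    alerts_per_minute = Counter()
    last = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial last line while Suricata is still writing
        ts = parse_ts(ev["timestamp"])
        et = ev.get("event_type", "unknown")
        if et == "alert":
            alerts_per_minute[ts.strftime("%H:%M")] += 1
        if et not in last or ts > last[et]:
            last[et] = ts
    return alerts_per_minute, last


def detection_stalled(last, gap_seconds=180):
    """True if other events (stats, flow, ...) continue but no alert was
    logged within gap_seconds of the newest event in the file."""
    if "alert" not in last:
        return True
    newest = max(last.values())
    return (newest - last["alert"]).total_seconds() > gap_seconds


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE.splitlines()
    per_min, last_seen = summarize_eve(src)
    for minute, n in sorted(per_min.items()):
        print(f"{minute} {n} alert(s)")
    print("last event per type:", {k: v.isoformat() for k, v in last_seen.items()})
    print("alerts stalled:", detection_stalled(last_seen))
```

If eve.json keeps logging alerts while fast.log does not, compare the two outputs' settings in suricata.yaml and check suricata.log for output errors at the time fast.log stopped; if eve.json alerts stop too, the issue is in detection or capture rather than in the log writer.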